Auction Site To Sell Security Vulnerabilities
talkinsecurity writes "A Swiss research lab has built an eBay-like marketplace where hackers and researchers can sell the security vulnerabilities they discover to the highest bidder. WabiSabiLabi could replace the back-room, secret sites where researchers and hackers used to sell their exploits and replace them with a neat, clean way to make money by finding security flaws. Those who have seen the site say they are concerned about how the buyers will be vetted, and how the marketplace will ensure the flaws aren't found through illegal methods."
Tons of ways. One of the most common and easily explained is a denial of service attack. People tend to think that DoS just means hammering the line into submission; it's a broader topic than that. If that kernel memory leak can be triggered by any outside signal, then anyone who wants to bring that box down just needs to trigger it over and over until the box has run out of RAM and swap. On a high speed network, that can often be done shockingly quickly - on the order of tens of minutes, occasionally faster.
If you're interested in these things, in my opinion, the best thing you can do is read a good operating system book - in my opinion you're best off with either Tanenbaum or Silberschatz. Those books describe these problems in detail in terms of debugging your work, but in many cases, compromising a system is about leveraging unfixed bugs (enbugging, if you'll pardon the coining); as such, a book meant to teach one to fix these is a great way to learn what needs to be protected against, as well as why.
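As an added illustration (not part of StoneCypher's comment or of the thread), here is a small C program showing the "unfixed bug becomes exhaustion" point from the debugging side: a hypothetical request handler that forgets to release its buffer on the error path, a fixed version beside it, and a minimal allocation counter so the memory still held after a run of malformed requests can be measured. The handler, the counter and the input string are all constructed for this example; in practice a debug allocator or leak checker plays the counter's role.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Running total of bytes handed out and not yet returned.
 * Constructed stand-in for a real leak checker. */
static size_t outstanding_bytes = 0;

/* Each block carries its size in a small header so free can account for it. */
typedef struct { size_t size; } hdr_t;

static void *tracked_malloc(size_t n) {
    hdr_t *h = malloc(sizeof(hdr_t) + n);
    if (!h) return NULL;
    h->size = n;
    outstanding_bytes += n;
    return h + 1;                      /* caller sees memory after the header */
}

static void tracked_free(void *p) {
    if (!p) return;
    hdr_t *h = (hdr_t *)p - 1;
    outstanding_bytes -= h->size;
    free(h);
}

/* Hypothetical handler with the bug: the early return for a malformed
 * request skips the free, so every bad request pins 256 bytes forever. */
static int handle_request_leaky(const char *req) {
    char *buf = tracked_malloc(256);
    if (!buf) return -1;
    strncpy(buf, req, 255);
    buf[255] = '\0';
    if (buf[0] != 'G')                 /* malformed -> bail out, buffer never freed */
        return -1;
    tracked_free(buf);
    return 0;
}

/* Fixed version: one exit path, the buffer is always released. */
static int handle_request_fixed(const char *req) {
    int rc = -1;
    char *buf = tracked_malloc(256);
    if (!buf) return -1;
    strncpy(buf, req, 255);
    buf[255] = '\0';
    if (buf[0] == 'G') rc = 0;
    tracked_free(buf);
    return rc;
}

/* Drive a handler with n malformed requests and report bytes still held.
 * For a server that should be back at steady state, anything non-zero
 * is the leak, and it scales linearly with the number of requests. */
size_t bytes_leaked_after(int (*handler)(const char *), int n) {
    outstanding_bytes = 0;
    for (int i = 0; i < n; i++)
        handler("X malformed");        /* constructed malformed input */
    return outstanding_bytes;
}

int main(void) {
    printf("leaky handler: %zu bytes held after 1000 requests\n",
           bytes_leaked_after(handle_request_leaky, 1000));
    printf("fixed handler: %zu bytes held after 1000 requests\n",
           bytes_leaked_after(handle_request_fixed, 1000));
    return 0;
}
```

The point of the counter is that the defect is invisible per request and only shows up as a monotonically growing "held" figure, which is exactly the signal to watch for (via a leak checker in testing, or memory-growth alerts in production) before it turns into the exhaustion the comment describes.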
StoneCypher is Full of BS
Might as well post an explanatory link - it's a Japanese term, if anyone was wondering about the origin of the name: http://nobleharbor.com/tea/chado/WhatIsWabi-Sabi.htm
...well in the case of WabiSabiLabi marketplace, WabiSabiLabi will verify the bug/vulnerability is real and as described by the seller and the buyer will have to trust WabiSabiLabi as the intermediary party who are orchestrating the sale.
I wonder though if they do have a process for unhappy buyers who aren't satisfied with what they buy. How do you return Intellectual Property?
Sure. Reverse Engineering - Legal. Stealing source code - Illegal. Just because you're discovering potentially exploitable flaws doesn't mean that you're actually breaking the law yourself.
I see your informative link, and raise you a pithy comment.
Actually most EULAs prohibit this, thus making it illegal.
At best, breach of contract. Even if the EULA is valid, which many aren't. Plus you have to prove that the information was obtained through "illegal" means.
What would Lemmy do?