Slashdot Mirror

← Back to Stories (view on slashdot.org)

An eBay For Hackers

Posted by kdawson on from the can-you-spell-zero-bay dept.

cyberdelicat writes to let us know about a Swiss security firm called WabiSabiLabi that is causing waves with its open auction for zero-day security vulnerabilities. While WSLabi claims they will thoroughly vet both buyers and sellers of vulnerabilities, many researchers are skeptical about how effectively they can do this. The Washington Post article mentions the guy who almost opened a similar auction site several years back, to be called Zero-Bay, but pulled the plug at the last minute. SearchSecutiry notes that some security researchers are now referring to WSLabi as "zerobay" as they undermine the auction site by reproducing and publishing vulnerabilities as soon as they appear for sale.

60 comments

  1. How about an Ebay for Dupes? by Anonymous Coward · · Score: 3, Funny

    http://it.slashdot.org/article.pl?sid=07/07/06/014 4234

    1. Re:How about an Ebay for Dupes? by x_MeRLiN_x · · Score: 1, Informative

      The last time this was posted the site actually worked. Now when you click on an auction you get a 404.

    2. Re:How about an Ebay for Dupes? by billcopc · · Score: 1

      Hey there sonny, when you're as old as I am (27), and you find that your brain forgets stuff because it's so full of techno bullshit, you too will appreciate the weekly re-runs :)

      --
      -Billco, Fnarg.com
    3. Re:How about an Ebay for Dupes? by Meski · · Score: 1

      Should have read "Site withdrawn by ZeroBay"

  2. dupe by Anonymous Coward · · Score: 0

    same crappy three exploits that were up a week ago

  3. SearchSecutiry? by Anonymous Coward · · Score: 0

    OK now I know I'm reading Slashdot ;)

    1. Re:SearchSecutiry? by larry+bagina · · Score: 1

      as if the fact that it's a dupe wasn't proof enough.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    2. Re:SearchSecutiry? by Anonymous Coward · · Score: 0

      It's not a dupe, it's a deja vu.

      It happens when they change things in the Matrix.

    3. Re:SearchSecutiry? by tutwabee · · Score: 1

      No, that just means it's either Slashdot or Digg.

  4. All kinds of new auction sites by Anonymous Coward · · Score: 1, Informative

    What do you guys think of this one http://www.swarmbuy.com/

    1. Re:All kinds of new auction sites by Anonymous Coward · · Score: 0

      What do you guys think of this one http://www.swarmbuy.com/ Looks liek it could be a good idea. It's interesting that the guy has gone with an advertising model instead of the usual cash grab that eBay and other auction type sites usually use. Too bad there's nothing really there at the moment, the forum says it only got launched a few days ago. Maybe once it gets hopping it'll be fun to explore. I think I'll go get a good username now hah!
    2. Re:All kinds of new auction sites by Anonymous Coward · · Score: 0

      Too bad there's nothing really there at the moment, the forum says it only got launched a few days ago. Yeah, and he posted as an AC ... hmmm, might there be some connection? Hmmmmm.....
  5. Sounds Familiar by chrishajer · · Score: 0, Redundant

    http://it.slashdot.org/article.pl?sid=07/07/06/014 4234

    1. Re:Sounds Familiar by Deathanatos · · Score: 1

      And I thought that "WabiSabiLabi" was a fairly memorable name. Oh well.

  6. YAD by m0nkyman · · Score: 0, Redundant

    Yet Another Dupe.

    --
    ~ a low user id is no indication I have a clue what I'm talking about.
    1. Re:YAD by Frosty+Piss · · Score: 1

      It's a Slashdot vulnerability. Wonder what it's worth?

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:YAD by Anonymous Coward · · Score: 0

      What I want to know is how do you know bidders aren't people with nefarious purposes? It's really easy to create a shell company that looks good on paper that is set up to be nothing but a front for bad guys.

      Not only that, what's really scandalous is the idea that the company can be sure that it is not selling instructions for breaking into computers and networks directly to the criminals most likely to use them.

  7. A site for redundant /. stories by Anonymous Coward · · Score: 0

    i guess we could just stay here....

  8. So what happens when... by Mr+EdgEy · · Score: 4, Funny

    A sold vulnerability ends up being used against the site?

    1. Re:So what happens when... by Anonymous Coward · · Score: 0

      "The capitalists will sell us the rope,to hang them with" Lenin

  9. Hmm by UncleWilly · · Score: 2, Insightful

    Only 4 Items for sale...and 550 euro for the Linux Kernel memory leak sounds fishy with only 1 bid

  10. What's next? by Citius · · Score: 1

    If they're auctioning off vulnerabilities... and someone that we'd prefer to not know about them knows... who's at fault?

    --
    Site slashdotted out? Use SharePapyrus under Site Directory
    1. Re:What's next? by Antique+Geekmeister · · Score: 1

      While that's a concern, there is a fairly serious underground already in selling such vulnerabilities. Both script kiddies exchanging cheap tools, and serious crackers using, selling, and giving away tools to "trusted friends" have been in play for decades. And far, far too many vulnerabilities are unpublished by security groups, "because the vendor hasn't given permission an not yet provided a fix".

      CERT is sitting on at least a few vulnerabilities, and has been doing so for at least 5 years on some of them, particularly vulnerabilities involving Windows. So who is safer now that the vulnerability has been available for 5 years, but legitimate people like you and me can't look it up? And Microsoft is not alone in this, although they're usually the worst offender.

    2. Re:What's next? by Citius · · Score: 1

      Point taken. However, correct me if I'm wrong - script kiddies and their cheap tools tend to be more obsolete than the serious crackers...

      Isn't part of computer security security through obscurity?

      --
      Site slashdotted out? Use SharePapyrus under Site Directory
    3. Re:What's next? by Antique+Geekmeister · · Score: 1

      Well, yes. "Tend to be more obsolete" is reassuring, until you realize that these crackers don't much recognize verbal agreements not to publish to other crackers, and both share with each other and steal from each other on a regular basis. So the rawest script kiddies receive infusions of the latest tools on a surprisingly frequent basis. The result is that the security through obscurity of keeping things unpublished becomes insecurity for most casual users.

    4. Re:What's next? by Lars+T. · · Score: 1
      http://www.networkworld.com/news/2007/070907-avera ge-zero-day-bug-has-348-day.html

      Immunity, which buys but does not disclose zero-day bugs, keeps tabs on how long the bugs it buys last before they are made public or patched. While the average bug has a lifespan of 348 days, the shortest-lived bugs are made public in 99 days. Those with the longest lifespan remain undetected for 1,080 days, or nearly three years, Aitel said.
      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

  11. Reminds me of Tom Jones.... by Anonymous Coward · · Score: 0

    It's not Unusual to have secks in tha butt...
    (DaNaNaNaNaaaa...)

    FREAKIN ' LOAL DUDES!!!
    ME AM BRAZIL!!!!

  12. Wow. by spazmonkey · · Score: 1

    This whole idea is wrapped in so many layers of stupid I can't wrap my brain around it.

      Problem is, like many functional solutions in this world, it may be just stupid enough actually work.

    1. Re:Wow. by null.account · · Score: 1

      This whole idea is wrapped in so many layers of stupid I can't wrap my brain around it. I guess that makes you pretty stupid, then, eh ?
  13. Everything on Slashdot sounds familiar. by Anonymous Coward · · Score: 0

    Either because it's a dupe or we read about it somewhere else a week earlier.

    But hey, keep up the good work, kdawson!

    *Yes, I'm duping my own post on Slashdot about dupes on Slashdot. Seriously, are kdawson and Zonk actually paid for the time they waste here?

  14. Sounds dumb by cdrguru · · Score: 1

    How does someone selling something illegal get paid? If I open an auction site for heroin it would be greeted with great fanfare, even by the law enforcement community. Because they could just arrest the "winners" (actually losers). Sounds like a real money-maker for about 30 seconds.

    OK, so there is an open auction for a remote exploit for Yahoo Messenger. So if I wanted to steal bank account information from lots of Yahoo Messenger users, this would be a good start. The minimum bid is 2000 Euro, which sounds pretty fair for something that could be used to grab millions of dollars from unsuspecting users worldwide. I would assume that similar exploits could be used in a similar fashion - to steal from people. Isn't that the new way to make money on the Internet from Eastern Europe?

    1. Re:Sounds dumb by Nazlfrag · · Score: 3, Insightful
      There is nothing I can think of that is illegal about not immediately disclosing any security vulnerability a professional researcher or basement dwelling hacker stumbles across. There is also nothing illegal about providing exploit riddled software according to licenses I've read. What is illegal is robbing peoples bank accounts. I'm fairly sure that these guys aren't planning to keep the best hacks undisclosed while they rob banks (though it would be an interesting twist). I'm fairly sure they will be able to track the dissemination of these exploits far better than the existing markets.

      Researching security holes should be a legitimate and profitable R&D investment, and should be done in an up front manner such as this rather than via the black market where your dire vision already thrives.

  15. I for one... by Tatisimo · · Score: 0, Redundant

    Welcome our new dupe overlords. Soon we'll have enough to make a beowulf cluster of them.

    --
    Give Kashyyyk back to the Wookies
  16. Don't let stupidity fool you by packetmon · · Score: 2, Interesting

    I saw via a security mailing list ridicule at "Who the hell would buy a Yahoo messenger exploit. har har". So let's think about this for a minute... Done, how many people do you know that use Yahoo messenger at their corporate office? As obscure as some may think the site will be, all you need is some hardcore "pwning" going on, and some government will treat the site as they did Pirate Bay and shut it down quickly

    --
    Infiltrated dot Net
    1. Re:Don't let stupidity fool you by Loucks · · Score: 1

      That's a good point, given that The Pirate Bay is no longer online and all.

    2. Re:Don't let stupidity fool you by karnal · · Score: 1

      I missed the sarcasm in your post. I checked the site and thought "Damn, he got me."

      Good show!

      --
      Karnal
  17. Dude, this sucks by TheModelEskimo · · Score: 3, Interesting

    I posted this awesome cultural comment the last time this story was posted and nobody even replied. Now the dupe is just plowing up all those bad memories again. http://it.slashdot.org/comments.pl?sid=246095&cid= 19763499

    1. Re:Dude, this sucks by chawly · · Score: 0

      Yes, a dupe so soon after the first one ----- it sucks. I found your comment to be cultural, informational, interesting, and nothing whatsoever to do with the subject (as far as I can see, anyhow). I would have replied, but I didn't get a chance to read /. that day. The dupe gives us all a second chance - let's look on the good side.

      I just want to say thanks - without your awesomely irrelevant comment I would never have known about our fiercely contemplative Japanese companions.

      I agree with you : Know your neighbour is a good idea - even if the s.o.b. does live in Japan. So THANKS for the comment.

      --
      How many beans make five, anyhow ? ... Charles Walmsley
  18. Good idea, actually... by stevejsmith · · Score: 1

    Of course it sounds ridiculous, but if you think about it, it's actually not a bad idea. For one, if there are these critical bugs being published all the time and big companies are taking the heat for these vulnerabilities, you can bet the companies would either a) pay top dollar to buy the exploit themselves and hopefully patch the hole, or b) encourage them to be more proactive. Rewards for finding holes would mean a reliable stream of money for those who find them, ensuring that there would be plenty of people willing to essentially clean up what the original programmers missed. You'd have to live under a rock to think that vulnerabilities were not already traded in a black market (and this isn't a normal black market -- it's a market of people who, buy their very presence in this market, are very technologically adept and know exactly where to seek out these sorts of things). If they're going to be bought and sold anyway, why not legalize it and have it do some genuine good?

  19. whoa! by dexomn · · Score: 1

    Oh man, I wonder if I could get five bucks for a rickroll! I mean.. that shit has to be worth five bucks. =)

  20. How about... by Anonymous Coward · · Score: 0

    A Slashdot for Dupes?

  21. Vulnerability Info Exchange is Good by this+great+guy · · Score: 2, Interesting

    Selling information about security vulnerabilities may be considered unethical by some, but it is perfectly legal in almost all countries (notable exception: France). Don't forget that a vuln is just a bug, they are selling information about how to trigger a bug. Why would that be illegal ? If a buyer exploit the bug for nefarious purposes, then the buyer is doing something illegal, not the seller. There are plenty of legitimate cases where a market for selling vulnerabilities is a good thing:

    • The developer of a vulnerable application may want to buy vulnerabilities found in his application. Financial reward is an incentive for security researchers to find more vulnerabilities in an application when they know they would get paid for it. Additionally, over time, the security of the application increases.
    • Penetration testing companies can increase their chance of a successful pentest with access to new and original vulnerabilities. This prompts the client (pentest target) to secure his IT infrastructure, by rearchitecting it, or implementing new security mechanisms.
    • Vulnerability assessment tools developers can gain an edge over their competitors by buying info about vulns. A legitimate security vuln market moves the VA market forward, and in the end increases the rate of discovery, and therefore the rate at which security vulns are fixed.
    • The biggest argument is perhaps this one: a vulnerability sold to a legitimate buyer is often one less sold to a criminal.
  22. WAD by Zedrick · · Score: 1

    Working As Designed. This is Slashdot.

  23. Well it depends by Sycraft-fu · · Score: 3, Insightful

    Quite often, it is illegal to sell someone something if you should reasonably know they are planning on using it for an illegal purpose. As a simple example, a gun dealer in in a world of shit if someone comes in and says "I need a gun so I can go kill my wife, what do you have for me?" Basically, you are an accessory to a crime if you have or should reasonably have knowledge that a crime is going to be committed and you provide support, material or otherwise, for the commission of the crime. So while not disclosing a venerability is legal, selling it to someone that you have a good idea is going to use it for criminal means is illegal. The ignorance defense only goes so far, while being an accessory requires knowledge of the crime (you can't be charges for letting someone in a house if you legitimately believed they should be there, for example) it doesn't require that it was spelled out for you. If there was enough evidence that you should have known what was happening and were just being willfully ignorant, that doesn't cut it, especially if there was profit involved.

    There are additional problem when you start dealing with certain classes of items. If something has substantial legal uses you are on much more solid ground. To use the gun example again, guns are widely used for hunting, target shooting, personal and home defense, all perfectly legal uses. Thus it isn't a stretch to assume someone has a legal use for it, unless there's specific reason to believe otherwise. However if the item in question has little to no legal use, then there can be problems. I see exploits as being mostly in this category. Other than the companies, who really has a legit use for the details behind an exploit? Now this isn't a challenge to try and come up with obscure reasons someone might want it, it is something to think about in general. What would people by and large want to buy these for? If the majority of realistic answers are illegal ones, then you can have a real problem when you sell it if you aren't real careful.

    1. Re:Well it depends by lordkuri · · Score: 1

      Other than the companies, who really has a legit use for the details behind an exploit?

      Any user of that software that won't/can't/doesn't want to wait for the company to get off of their lazy asses and fix it, so they need a workaround.

    2. Re:Well it depends by Nazlfrag · · Score: 1

      Security affects users far more than it affects the company providing the tools. From this perspective, there are far more legitimate users trying to secure their systems from attack than there are than illegitimate ones trying to exploit them. If bank robbers want to get exploits from this site, they will need credentials far exceeding what the black market requires. Face it, the bank robbers laugh at these 'zero day' vulnerabilities, they are last weeks or last months vulnerabilities. An open and forthright exchange for these insecurities is needed not to legitimize fraudsters but to expose and destroy their monopoly on exploits. Computer security is still immature, and seems not to learn the lessons of physical security well. Security through obscurity was debunked for physical locks over a century ago, yet we continue to repeat the mistakes of the past.

  24. Zero-day by frednofr · · Score: 0

    Not exactly zero-day news

  25. No reserve l@@k! by Anonymous Coward · · Score: 0

    This zero day exploit uses a buffer overflow in IE to delete all the files on the PC. Ending in 7 days.

  26. Sounds even dumber by Anonymous Coward · · Score: 0

    I usually try to not feed the troll, but eh.

    If you think malware comes only from Eastern Europe, you're mistaken.

  27. Auctioning known defects by TheCybernator · · Score: 1

    Thats a good idea. From now on, I'll sell the defective products and then later auction the known defects :)
    ???
    Profit!!

    --
    Eclipse PDE and Me
  28. Amen! by Weezul · · Score: 1

    Or the most basic: A sold vulnerability market also supports honest scurity researchers financially. Security will become a higher priority for venders if they must bid against black hats. etc.

    Big security problems currently come from people not installing patches. You can't fix this since you can't write perfect code. But you can help by writing better code. So we must make venders see the real costs.

    --
    The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
  29. the idea has merit by v1 · · Score: 1

    If something is a problem for you but the people that could fix it don't care, then naturally no one is in a hurry to fix it. MAKE it an immediate problem and you will get a faster fix. There will be more collateral damage of course, but the unfortunate part is not the collateral damage, it's that we have to HAVE it to motivate the people to fix their crap. This whole concept of blaming, attacking, and trying to silence the whistleblowers has got to stop. It's not their fault. Are they making the problem worse? You bet they are. But the problem should not have existed in the first place, and the ones that are in a position to fix the problem are in no hurry and so these things just get hidden, ignored, and drug out. By making the problem a magnitude worse, they mostivate people to fix things because they can no longer tolerate the reproducssions of their apathy. (or rather, their customers can't tolerate it, and rocks roll downhill)

    I'm all for this. The only ones that are really against this are the producers that are too cheap to invest sufficient funds in securing their product and do not want their cheapness to be exposed - they cry that their shortcoming is someone else's fault, merely because they pointed it out to the public. If I expose your failure, that doesn't make the results of your failure suddenly my fault.

    --
    I work for the Department of Redundancy Department.
  30. Stop referring to security people are researchers by Anonymous Coward · · Score: 0

    Most are just extortionists, especially ever single poster on Full-Disclosure who claims they should profit ``their work'' (which is used to extort companies) .

    The ``work'' they speak of is running tools they didn't make on code and finding bugs then trying to extort companies because they found this bug. Don't let the full-disclosure ethic confuse you, security researchers are black hat extortionists, the only ones who aren't are those who bother holding a faculty position, so they are already paid.

  31. What happens when this site gets cracked? by r_jensen11 · · Score: 1

    The whole thing just seems stupid. Sell information about a vulnerability, then wonder why your website is down 5 minutes later...

  32. I think you mean an eBay for crackers. by that+this+is+not+und · · Score: 1

    The eBay we already have is the 'for hackers' one.

    I use it regularly to buy PIC controllers, semi-exotic silicon, and weird computer hardware (i.e. anything 'the natives' can't Install Windoze on here in tardo flyoverlandia). I also sell a lot of cool stuff, like PDP-11 hardware, etc. Without eBay or at the least the Web and mail order, a person such as myself couldn't live in this godforsaken (actually, god-addled) part of the country.