Zero-Day Vulnerabilities On the Market

← Back to Stories (view on slashdot.org)

Zero-Day Vulnerabilities On the Market

Posted by CmdrTaco on Monday February 8, 2010 @03:48AM from the not-as-good-as-my-negative-four-day dept.

An anonymous reader writes "Zero-day vulnerabilities have become prized possessions to attackers and defenders alike. As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days. There is an underground market growing around these vulnerabilities, but there are also 'white markets' — set up by VeriSign, TippingPoint, Google — where they buy zero-day flaws and alert the companies so that they can patch their products before the vulnerabilities can be taken advantage of."

94 comments

Min score:

Reason:

Sort:

Sure is... by Anonymous Coward · 2010-02-08 03:50 · Score: 0

...1998 in here.
1. Re:Sure is... by insufflate10mg · 2010-02-08 04:49 · Score: 2, Interesting
  
  Damn straight it is.
  
  The 0day black market has been thriving for over a decade; I remember being 13-14 years old, spent every day and night reading and learning about computer security. It was a different world in hacking back then; the reason was because the lines between a secure system and an insecure system were more blurred. Most machines/network one would target had a vulnerability that was exploitable, it was just a matter of spending enough days reading to discover it. It was an incredible time in the Internet's young life, but it is long gone. By the time I was 16 years old, I had joined my mentors in writing white papers relating to security, pen-testing, and trying to maintain integrity within the game. Technology moved faster than any of us had imagined, and we all moved on to our own specializations in computer science. Hacking was so open, so possible: it just took the right amount of knowledge to do it, and everyone who would do anything to not be a skiddie was busting their ass every day.
  
  We have moved on to different times. The line in the sand is so broad and sharp; you're either an advanced black hat, an advanced white hat, script kiddie, or nothing. Although I miss the old days, it is nice to see how far computer security has come. I'm proud to say that I am an "newer old school" hacker because with that area-of-specialization comes a unique set of skills that new-age "hackers" don't have. There are still the real old school hackers though, and I could only imagine the nostalgia they feel everyday and have been feeling for decades.
  
  Hacking is just not what it used to be, but this article (and the post I'm replying to) echo the faint sounds of the old days when we used to discover 0days, share them with our friends, protect them honorably, use them when necessary, and end up selling them out to their victim's companies to make the internet just a little bit safer.
2. Re:Sure is... by insufflate10mg · 2010-02-08 04:52 · Score: 1
  
  I just realized the parent was trying to make a joke about how 0days have been on the black market since the 90's. When I read it the first time I thought it was a nostalgic reference, not a reference to the fact that the news contained in this story is far from news. Maybe olds, but not news.
3. Re:Sure is... by AG+the+other · 2010-02-09 02:30 · Score: 1
  
  The word news didn't have anything to do with new. It stood, at least originally, for North East West and South.
  
  --
  Non bene pro toto libertas venditur auro
4. Re:Sure is... by insufflate10mg · 2010-02-09 03:41 · Score: 1
  
  No shit? The fact that the point of news is to spread new information had nothing to do with it?
This is why we need... by Anonymous Coward · 2010-02-08 03:52 · Score: 4, Funny

someone to invent time travel. Then someone could go into the future, get all the patches and fixes to various popular software, come back in time, and give it to us. Problem solved.
1. Re:This is why we need... by Anonymous Coward · 2010-02-08 04:01 · Score: 4, Funny
  
  But the evil hackers with time travel will then go to the future to find out exploits before they've been found in the past.
2. Re:This is why we need... by BartholomewBernsteyn · 2010-02-08 04:05 · Score: 5, Funny
  
  But the evil hackers with time travel will then go to the future to find out exploits before they've been found in the past.
  ...and that's exactly why need regulation with regards to time travel and access to time travel machinery, now. You there, drop that screwdriver!
3. Re:This is why we need... by Anonymous Coward · 2010-02-08 04:21 · Score: 0
  
  someone to invent time travel. Then someone could go into the future, get all the patches and fixes to various popular software, come back in time, and sell it to us. Problem solved.
  Meh, I see what you did there. Fixed that for you, mmmkay?
4. Re:This is why we need... by Anonymous Coward · 2010-02-08 05:06 · Score: 0
  
  Accidentally the subject!
5. Re:This is why we need... by _Sprocket_ · 2010-02-08 05:34 · Score: 1
  
  "Dude. As soon as Bill stops screwing around with card games, we're going to be set!"
  "Why?"
  "I just got a whole bunch of neg 7300 day exploits for Win95, dude. We're gonna be set."
  "Cool. Hey.... have you even been born yet?"
  "Awww crap..." (poof)
6. Re:This is why we need... by Anonymous Coward · 2010-02-08 06:10 · Score: 0
  
  Or even perhaps posters who regret posting anonymously, could go back in time and tell themselves that they're going to get a high funny moderation. Oh well, sigh.
7. Re:This is why we need... by guruevi · 2010-02-08 07:24 · Score: 2, Funny
  
  Don't worry, almost all classic DeLorean's have rotted away and we're still waiting on non-Newtonian Physicists to invent a Flux Capacitor.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
Good to know by Anonymous Coward · 2010-02-08 03:55 · Score: 1, Insightful

I always appreciate the clarification that a growing market is growing.
I'm surprised white markets aren't more common by swb · 2010-02-08 03:59 · Score: 4, Interesting

...especially when the market is fairly inelastic.
The best "white market" tale I've ever heard is the militias that ran the "Golden Triangle" in the Southeast Asian highlands offering to sell the US the entire opium crop.
I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market. They could even use the opium for the production of painkillers for the legitimate market, which I understand is actually constrained sometimes by strict production limitations.
You would think that white marketing the supply of illicit drugs would make a lot of sense -- by buying up supplies at the volume end of the market and denying it to the market, you would drive street prices through the roof and have far more impact on the consumers, pricing many out of the market. Cocaine supply diversity may make this difficult, but if pursued quietly it might actually be effective there too.
Critics would decry giving money to criminals, but the "buy" could actually take place at the farming level where that's an option, thus totally undercutting the criminals. It'd be great to see a cost analysis to see if it would actually be cheaper to just buy up the drugs at the point of production versus the drug war, which doesn't work.
1. Re:I'm surprised white markets aren't more common by adonoman · 2010-02-08 04:05 · Score: 2, Insightful
  
  It'd work great until a few farmers, who sold to the government instead of the local underground, wind up dead.
2. Re:I'm surprised white markets aren't more common by bluesatin · 2010-02-08 04:06 · Score: 3, Informative
  
  I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market.
  
  This would probably cause a knock-on effect of increasing production in the area, due to the fact that you will be increasing the profits for the poppy growers, and perhaps also encouraging people to start poppy farming; selling to US troops is probably a hell of a lot less scary than selling to the Taliban.
3. Re:I'm surprised white markets aren't more common by L4t3r4lu5 · 2010-02-08 04:07 · Score: 4, Insightful
  
  Buying products other than opium, i.e. incentives to plant other crops would be better.
  
  On another point, don't you think the Taliban might be a little irritated by this and, ooooh I don't know, cut off some farmers heads? I hear they've been known to do that to make a point.
  
  --
  Finally had enough. Come see us over at https://soylentnews.org/
4. Re:I'm surprised white markets aren't more common by Anonymous Coward · 2010-02-08 04:10 · Score: 0
  
  You do realize that the Taliban is the reason that there was no opium in Afghanistan up until we showed up, right? They used to destroy the fields the first time they caught you growing opium, and shoot your ass if they had to come back. Karzai's brother is the big opium dealer in the country, and he isn't on the Taliban's side he is on the corrupt politicians side.
5. Re:I'm surprised white markets aren't more common by Ltap · 2010-02-08 04:14 · Score: 4, Informative
  
  You're right. The drug-growing problem in Afghanistan is two-fold: very little will grow there other than desert plants. Opium grows there and is extremely profitable to grow, so if they were to try and grow other crops, they would probably not be sustainable without more infrastructure (such as an irrigation network to grow crops that need more ground water). There have been attempts to cultivate some local plants to extract oils for use in beauty products, but it's a niche market and only a small amount of farmers can do it without over-saturating the market. A crop that would grow in Afghanistan, is in demand, and is rare enough to warrant transportation costs to the rest of the world is the ideal crop, and right now that is opium. Until there is a viable alternative, that is what farmers will grow.
  
  --
  Yet Another Tech Blog
  (but so much more, including game and movie reviews)
  http://yanteb.peasantoid.org
6. Re:I'm surprised white markets aren't more common by microbox · 2010-02-08 04:16 · Score: 1
  
  Selling to US troops is probably a hell of a lot less scary than selling to the Taliban.
  
  That is unlikely from the farmer's perspective -- who may fear violent reprisals from the Taliban, and don't trust the christian infidels (US troops) anyway.
  
  --
  
  Like all pain, suffering is a signal that something isn't right
7. Re:I'm surprised white markets aren't more common by Anonymous Coward · 2010-02-08 04:17 · Score: 0
  
  I had that idea for a long, long time.
  Even go one step further: Buy not from the cartels but directly from the farmers.
  The drug cartels in Mexico (and their wars with 20.000 dead per year!) would be ended tomorrow.
  But I guess we cannot do that. Giving our money to poor countries it not what we want to do with it. We rather spend it on... the War on Terror or other useless shit.
8. Re:I'm surprised white markets aren't more common by swb · 2010-02-08 04:19 · Score: 3, Insightful
  
  We can incentivize the growing of other crops, too, but we should also be prepared to buy up the opium crop.
  The alternative is destroying the opium crop; this impoverishes the farmer further, destroys his livelihood and causes him to not just grow opium, but join the Taliban.
9. Re:I'm surprised white markets aren't more common by Anonymous Coward · 2010-02-08 04:28 · Score: 1, Insightful
  
  I know you are being flippant but your average Afgani (or any muslim) doesn't think in terms of "christian infidels", that is the kind of talk you get from radical mullahs, talk show hosts, or rednecks. Depending on their education they are more likely to think "here are non-muslems who are going to try to take over and get us to convert like they did during the crusades, or the British...". Most people are just like you and me, they just want to be left alone, be relatively comfortable, not be afraid all the time, and be with family and friends.
10. Re:I'm surprised white markets aren't more common by Yvanhoe · 2010-02-08 04:34 · Score: 4, Insightful
  
  The taliban are actually opposed to drugs production. While they were in power, the area of opium cultures fell down incredibely quick. It came back thanks to the war. The drugs lords are a faction different from the talibans.
  
  --
  The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
11. Re:I'm surprised white markets aren't more common by SeePage87 · 2010-02-08 04:37 · Score: 1
  
  Another problem with the strategy is that more drugs will be produces. If you buy up all the drugs at high prices, you'll have artificially injected a huge amount of demand into the market, as well as effectively condoned drug production. The existing producers will produce much more, since they can move it, and other's will flock to the drug trade, knowing that the U.S. government will buy it. If we don't, they'll just sell it to the Taliban again and, since we never put it on the streets, they'll still receive good prices and have no problems moving it. Always remember to apply the game theoretical implications of any can of economic policy (which I've found very few in Congress do.
12. Re:I'm surprised white markets aren't more common by Jenming · 2010-02-08 04:43 · Score: 2, Insightful
  
  I bet the Opium would still reach the consumer at comparable prices.
  The Opiate trade does not exist because of Afghanistan farmers or the Taliban, it exists because consumers really want Opiates.
  
  --
  Morpheus, God of Dreams.
13. Re:I'm surprised white markets aren't more common by Hasai · 2010-02-08 04:45 · Score: 4, Interesting
  
  Critics would decry giving money to criminals, but the "buy" could actually take place at the farming level where that's an option, thus totally undercutting the criminals.
  And where, in regions that routinely grow opium, would this be an 'option?' The criminals will show up at the farmer's doorstep, take the money, then butcher both the farmer and his family to make an example.
  I saw the same sort of thing happen in S.A., where this one campesino decided he wasn't going to grow coca anymore: the local enforcers promptly showed-up, dragged him and his family out and forced them to kneel in front of their house, then went right down the row, from youngest to oldest. Pop, pop, pop, pop, pop.
  The term 'naive' doesn't even begin to describe your idea.
  
  --
  Regards;
  
  Hasai
14. Re:I'm surprised white markets aren't more common by ratboy666 · 2010-02-08 05:03 · Score: 2, Insightful
  
  The Taliban sells heroin?
  Um... no. In July 2000, Mullah Omar ordered a ban on poppy cultivation. As far as I know, this hasn't been lifted. Other members of the Northern Alliance are responsible.
  I presume you are a US citizen; please know your enemy. The Taliban may be at war with the US, but they are even harder on drugs. It is about as conceivable as Pat Robertson selling heroin to fund Christian Outreach.
  
  --
  Just another "Cubible(sic) Joe" 2 17 3061
15. Re:I'm surprised white markets aren't more common by dave562 · 2010-02-08 05:09 · Score: 1
  
  Two things your logic misses. First you've completely ignored the fact that the profits from drugs are used to finance the war. It isn't just the Taliban who are trading dope for military hardware. The drug trade is a perfect way for the government and companies to launder money. Here is a link to a PBS article that details a small, ACKNOWLEDGED portion of the process.
  http://www.pbs.org/wgbh/pages/frontline/shows/drugs/special/us.html
  The PBS article talks about legit goods like appliances and automobiles. The arms market is a whole other beast. The CIA and other agencies use drugs to fund operations that they can't go to Congress for.
  Here's an article about how the CIA was involved in running drugs through Arkansas.
  http://www.serendipity.li/cia/hayes2.html
  The other thing that I think you should consider is that the farmers need an alternate crop. As others have stated, there isn't much that will grown in Afghanistan. They could grow hemp though. In my mind, and I've said it before, it would be great to switch them from opium to hemp. Opium has one use. It is a pain killer. Hemp has multiple uses. The way I conceived of it working, the UN or US or whoever would buy the opium for a few years while the transition takes place. Once the farmers start growing hemp, they could sell to local markets in the provincial capitols. The capitols could start to build infrastructure to use the hemp. Hemp can be turned into cloth for clothing. The oil can be used for cooking and heating. The farmers could be allowed to grow marijuana too. It's about time that people pull their heads of their asses regarding marijuana prohibition. It isn't the best substance in world for your body, but it isn't any worse than cigarettes or alcohol. The added benefit of hemp is that it encourages companion industries like textiles.
16. Re:I'm surprised white markets aren't more common by wintercolby · 2010-02-08 05:23 · Score: 1
  
  I remember the Karzai's government trying to do just what you're suggesting here, and the Bush Administration refuting it. Most of our current legal opium supply comes from Turkey, which houses several US Military bases. Ultimately, purchasing opium for use in purposely restricted legal markets would flood those markets, driving down prices and alienating our allies. That said, I would be willing to bet that purchasing opium from farmers and storing it would be cheaper than prosecuting the war against the Taliban as well as the expensive war on drugs.
  
  --
  Most ignorance is vincible ignorance. We don't know because we don't want to know. --Aldous Huxley
17. Re:I'm surprised white markets aren't more common by SnarfQuest · 2010-02-08 05:37 · Score: 1
  
  Since these "farmers" will know that the drugs they produce will never be used, what's to stop them from selling fake drugs which have fixed to make the tests turn out right to the US government, and selling the real ones to the Taliban? All you need is some cheap chemical that makes the test kit change color, and I'm sure that there are things other than opium that can fake out the tests. Maybe just some food coloring mixed in.
  
  --
  Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
18. Re:I'm surprised white markets aren't more common by SnarfQuest · 2010-02-08 05:49 · Score: 1
  
  Buying products other than opium, i.e. incentives to plant other crops would be better.
  Like industrial strength hemp?
  They grow drugs because it is more profitable than food crops. They probably get 10 times the earnings per acre for opium than they would get for any food crop. If the US bought up all the opium one year, the farmers would just convert more of their fields over to opium. After one year, there would me more than enough opium for the US and the Taliban, and anyone else who wants it.
  If you went to California, and put up an ad specifying that the government would pay $1000/pound for marajuana, with no legal problems, would you expect the quantity grown in that state to decrease?
  
  --
  Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
19. Re:I'm surprised white markets aren't more common by _Sprocket_ · 2010-02-08 05:59 · Score: 2, Insightful
  
  The taliban are actually opposed to drugs production. While they were in power, the area of opium cultures fell down incredibely quick. It came back thanks to the war. The drugs lords are a faction different from the talibans.
  Which is all nice and fine as long as the Taliban remains in control. But what happened after?
  There are reports that the Taliban are now involved in the drug trade again. Despite the use of this as obvious propaganda, it isn't that far fetched as the Taliban initially hadn't had a problem with opium since it was a drug for foreigners (hashish was another matter). Of course, it's also very likely that the Taliban is only one of many players in the increased trade. Narcotics is a major industry and quickly becomes prominent in any unstable environment. It becomes a vehicle for not only criminals and warlords but other traders in power to include intelligence agencies and legitimate businesses.
20. Re:I'm surprised white markets aren't more common by Anonymous Coward · 2010-02-08 06:09 · Score: 0
  
  ...especially when the market is fairly inelastic.
  The best "white market" tale I've ever heard is the militias that ran the "Golden Triangle" in the Southeast Asian highlands offering to sell the US the entire opium crop.
  I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market. They could even use the opium for the production of painkillers for the legitimate market, which I understand is actually constrained sometimes by strict production limitations.
  You would think that white marketing the supply of illicit drugs would make a lot of sense -- by buying up supplies at the volume end of the market and denying it to the market, you would drive street prices through the roof and have far more impact on the consumers, pricing many out of the market. Cocaine supply diversity may make this difficult, but if pursued quietly it might actually be effective there too.
  Critics would decry giving money to criminals, but the "buy" could actually take place at the farming level where that's an option, thus totally undercutting the criminals. It'd be great to see a cost analysis to see if it would actually be cheaper to just buy up the drugs at the point of production versus the drug war, which doesn't work.
  As the black market prices go up.. the white market has to follow. So where would this price war end?
  Paying for doing illegal stuff can never work in the long run.
  What next? Pay all the hit men? thieves? ....
21. Re:I'm surprised white markets aren't more common by Zerth · 2010-02-08 06:33 · Score: 2, Informative
  
  Taliban suspected of stockpiling 12,000 tons of poppies?
22. Re:I'm surprised white markets aren't more common by Anonymous Coward · 2010-02-08 06:39 · Score: 0
  
  Wow ... "Let's pay them for their crops so they'll stop growing them!" The idea of a 'white market' is a scary thing. It is a 'cheat' to begin with (as much as domestic farm subsidies) and encourages cheating the system, and making 'the problem' worse.
  In the case of the 'War on Drugs' the answer is obvious: legalize them across the board. This may be a less comfortable argument for 'hard' drugs, but the effect is all the more important. The only reason there's enough profit to be made in illicit drugs to interest major criminal cartels and the like is because they are illegal. We (the US) fund both sides of the 'War', at great expense and for no good reason. You can't buy up all the poppies in the world, or all the coca, or all the liquor, or anything else. If we would just legalize drugs, there would be no profit in trafficking. Imagine the effect on all the parts of the world where 'drug money' funds violence, oppression, and instability.
  The problem is, this is where your analogy becomes less apt. I mean, we can't really 'legalize' hacks and security breaches, can we? Drugs are not illegal for any inherent reason, but computer security is a practical need. So, maybe 'white markets' are a good solution, but they still present significant risks.
23. Re:I'm surprised white markets aren't more common by swb · 2010-02-08 07:12 · Score: 1
  
  Except that we didn't have 50,000 troops in South America.
24. Re:I'm surprised white markets aren't more common by wintercolby · 2010-02-08 07:16 · Score: 1
  
  I'm sure that this is as much a possibility as reporting a bogus security flaw to a software company. It wouldn't take long for a proper chemist to determine that what they were testing wasn't the real thing. On the up side, it could mean more science jobs and thus more of a push for better geeky ed in public schools.
  
  --
  Most ignorance is vincible ignorance. We don't know because we don't want to know. --Aldous Huxley
25. Re:I'm surprised white markets aren't more common by Anonymous Coward · 2010-02-08 07:53 · Score: 0
  
  Except that the black market for recreational drugs only exists because of government. If recreational drugs were legal, the bad guys would be straight out of business, and the price of recreational drugs would drop like a rock. Exactly the same as alcohol prohibition in the 1920s.
  What you're suggesting is merely a band-aid, and rests on the assumption that prohibition is normal, moral, and just -- when in reality it is abnormal, immoral, and unjust.
  The real solution is to abolish prohibition.
26. Re:I'm surprised white markets aren't more common by Z34107 · 2010-02-08 08:45 · Score: 1
  
  It's a great idea in the term, but I think it might have problems long-term. Vastly increasing the demand for heroin (exactly what buying all production at the best price possible is!) would encourage more people to enter heroin production. Maybe convert farmland from food production to "cash crops."
  However, unlike the "war" on drugs, I'm convinced your idea has a least a snowball's chance of working. The DEA's budget should be transferred immediately to you, our new Drug Czar.
  
  --
  DATABASE WOW WOW
27. Re:I'm surprised white markets aren't more common by Anonymous Coward · 2010-02-08 08:47 · Score: 0
  
  Or instead of your retarded apporach we could just pay them a large subsidy to plant wheat or something useful.
28. Re:I'm surprised white markets aren't more common by aurumdib · 2010-02-08 08:58 · Score: 1
  
  You assume that the offer will be constant but is not. Each farmer would have the possibility to plant opium or coca with a sure mark, do you think that all the farmers will be happy to plant anything else... in the long term, the farmer will loss because of the mono plantation, but that will be not the only problem, in short term the government will be broke for buyout the special plantations.
  
  If you propose the enforcement of the control in the limits of the production (to assure the constant offer) you will generate what already are in Peru or Columbia or Bolivia (black mark), Here again with the same problem of the start.
29. Re:I'm surprised white markets aren't more common by ArsonSmith · 2010-02-08 10:13 · Score: 1
  
  I'd complain more that driving the street price up would also drive up the drug related street crime here close to home. Providing incentive for more local growers and strain the local enforcements.
  
  --
  Paying taxes to buy civilization is like paying a hooker to buy love.
30. Re:I'm surprised white markets aren't more common by Anonymous Coward · 2010-02-08 10:39 · Score: 0
  
  I hear the yanks have been known to do equally nasty things too.
  At this point, the Taliban is less of a threat to me than the USA.
"Zero-day" is just noise by Imagix · 2010-02-08 04:05 · Score: 1, Insightful

OK, this is a pet peeve of mine, but why the heck do these get called "Zero-day vulnerabilities". Yes, I understand that the definition is that the zero-day refers to the time between the vulnerability is made public and the time that an exploit is made available. However, I don't get why this needs an additional moniker on top of being a vulnerability in the first place. Don't most of the vulnerabilities have an exploit the same day that the vulerability is published (wouldn't you want to have a proof of concept that the vulnerability exists, I'd assume one was created.)? I haven't heard of many "7-day vulnerabilities". So why isn't the "zero-day" thing implied? If a vulnerability is exposed and there is no exploit available, the vendors already make statements such as "there are no known exploits for this". Where I would think that the "zero-day" moniker would actually add some information is if the vulnerability is exposed on the zeroith day of release of the product in question. _That_ would be something to give a special name to. That would mean that the developer has botched it so badly that it didn't even take 24 hours before someone found a hole. As it is now (IMHO) the "zero-day" moniker is simply being alarmist and only trying to add sparkle to the term, and carries no significant information.
1. Re:"Zero-day" is just noise by chill · 2010-02-08 04:22 · Score: 3, Informative
  
  0-day means there is no patch available, as opposed to vulns that come out after patches are issued and you could possibly upgrade your system to being secure.
  Anything that is patched, but you haven't bothered to update your system and are thus vulnerable to, isn't a 0-day.
  
  --
  Learning HOW to think is more important than learning WHAT to think.
2. Re:"Zero-day" is just noise by bsDaemon · 2010-02-08 04:28 · Score: 2, Insightful
  
  I always thought 0-day should refer to time between the software itself is releasedand an exploit is found. Frankly, that would make more sense and that's the type of vulnerability that would actually be somewhat impressive as well as potentially devastating. If a piece of software has been floating around for a few months and then an attack against it is announced, I assume that the vector has been exploited already without an announcement and am hardly surprised that a vulnerability has been found by that point in time.
3. Re:"Zero-day" is just noise by maxume · 2010-02-08 04:30 · Score: 1
  
  I agree with this definition (i.e., "A patch has been available for 0 days" being the basis of the phrase), but I predict people are going to argue with you. A lot.
  
  --
  Nerd rage is the funniest rage.
4. Re:"Zero-day" is just noise by zippthorne · 2010-02-08 05:34 · Score: 1
  
  So, every vulnerability is zero-day, then? Sounds redundant.
  
  --
  Can you be Even More Awesome?!
5. Re:"Zero-day" is just noise by maxume · 2010-02-08 05:39 · Score: 1
  
  Sure, because there are no systems out there that are not up to date with patches.
  I can also see the case for 0 day meaning vulnerabilities that the vendor has not been notified of yet.
  
  --
  Nerd rage is the funniest rage.
6. Re:"Zero-day" is just noise by Anonymous Coward · 2010-02-08 06:10 · Score: 0
  
  The way I see it is that zero-day once had a meaning, but it was a cool term and everyone wanted to use it and now everything is zero-day and it means nothing, literally.
7. Re:"Zero-day" is just noise by jofny · 2010-02-08 09:54 · Score: 1
  
  0day implies that there is a --non public-- vulnerability and/or exploit out in the wild that has not yet been disclosed outside of relatively small private circles (nothing to do with the time between vuln and exploit). Its meaning has been lately bastardized to include "things for which we dont have a patch yet" - and it's that bastardization which creates scenarios that don't make "sense".
8. Re:"Zero-day" is just noise by bughunter · 2010-02-08 12:14 · Score: 1
  
  Its meaning has been lately bastardized
  
  So zero-day has joined the rather exclusive League of Semiotic Hyperlatives, along with other misused terms such as Robot, Virtual Reality, 3D, and Artificial Intelligence.
  
  --
  I can see the fnords!
white market in zero-day vulnerabilities by Anonymous Coward · 2010-02-08 04:06 · Score: 0

Does anyone have a breakdown as to the number of zero-day vulnerabilities per platform and Operating System ?
1. Re:white market in zero-day vulnerabilities by spydabyte · 2010-02-08 05:02 · Score: 1
  
  my guess is Microsoft... purchased... that report.
... you are sadly mistaken by thijsh · 2010-02-08 04:06 · Score: 4, Insightful

You seem to be under the impression that the war (on drugs) has anything to do with logical reasoning...
It's a great idea though, and I bet it will in fact work *and* be cheaper.
1. Re:... you are sadly mistaken by Anonymous Coward · 2010-02-09 05:09 · Score: 0
  
  You know what work best? If YOU stop blowing anything that pass under your nostrils, dopeheads.
Exactly. by khasim · 2010-02-08 04:10 · Score: 2, Interesting

Remember, we're not talking about the farmers being the equal of the distributors.
If you start taking away a source of revenue, you had better be able to defend that with violence of your own.
And anyway, if the farmers are growing dope, they're not growing food. How about offer to buy the food that the farmers grow at a higher rate than the processors pay for the dope?
1. Re:Exactly. by hduff · 2010-02-08 05:34 · Score: 1
  
  And anyway, if the farmers are growing dope, they're not growing food. How about offer to buy the food that the farmers grow at a higher rate than the processors pay for the dope?
  Then farmers get killed for growing food instead of drugs. The best solution (for the farmers) is for there to be no demand for the drugs or no profit in providing them. Given that will never happen, the farmers are sooo screwed.
  
  --
  "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
2. Re:Exactly. by mcgrew · 2010-02-08 07:43 · Score: 1
  
  Have you compared the cost of a pound of corn (an ear or two) compared to the cost of a pond of opium? A pound of flour compared to the cost of a pound of heroin?
  Are you willing to pay $100 for a loaf of bread and seventy five follars for a beer?
  
  --
  Free Martian Whores!
Buy them by microbox · 2010-02-08 04:12 · Score: 1

Surely companies could just buy the zero-day exploits, study them, and patch their software. Turn the black market to your own end. Then the problem is solved without time travel.

--

Like all pain, suffering is a signal that something isn't right
1. Re:Buy them by SeePage87 · 2010-02-08 04:29 · Score: 2, Interesting
  
  Wow, I know /.ers rarely read TFA, but did you even read the summary? They explicitly mention "white markets" where companies can do just that. If the white markets are well known about, learning of an exploit is often likely to be more valuable to the company than a hacker. A company can suffer liability for damages, lose clients, suffer hits to their company's good will, and, depending on the nature of the software and what it's used for, and the exploit and how it works, any number of other things. Those buying the exploits can't know how long it will be effective, or how profitable it will be. My guess is, the more profitable it could be, the quicker it will get fixed, so how much can the black market pay? Besides companies potentially paying better, there's the added bonus of not having to do something illegal, harmful and immoral, though I know that doesn't matter to some. And there might be the appeal of being on the side of preventing malicious attacks. Think about it, all the CS nerds will be able to effectively become digital Jack Bauers, and that's bound to get chicks.
2. Re:Buy them by Anonymous Coward · 2010-02-08 05:33 · Score: 0
  
  Wow, I know /.ers rarely read TFA, but did you even read the summary?
  Come off it, we don't come to /. for facts! What on earth are you thinking?
poor grammar by FredThompson · 2010-02-08 04:17 · Score: 1

"...can be taken advantage of."
should be something like,
"can be exploited."
How does the purchaser of an exploit... by John+Hasler · 2010-02-08 04:23 · Score: 4, Interesting

...know that it has not also been sold to someone else? And who brokers these deals? I can't imagine the parties trusting each other.

--
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Does it matter? by khasim · 2010-02-08 04:29 · Score: 2, Informative

If you are the company who wrote the software, you now know where the flaw is and can fix it.
If you release a patch, that could be reverse engineered and the bad guys would find the flaw anyway.
1. Re:Does it matter? by John+Hasler · 2010-02-08 04:45 · Score: 2, Informative
  
  > If you are the company who wrote the software, you now know where the flaw
  > is and can fix it.
  But if you are a black hat (or a government: same thing) you want exclusive ownership. Even if you are the company that wrote the software you don't want the exploit sold to black hats who will exploit it between now and the time you deploy your fix (or afterward against the many customers who won't upgrade).
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Be careful. by John+Hasler · 2010-02-08 04:54 · Score: 3, Interesting

> Besides companies potentially paying better, there's the added bonus of not
> having to do something illegal, harmful and immoral...
Be careful. If the company learns your identity during negotiations they might have you arrested for extortion.

--
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
1. Re:Be careful. by SeePage87 · 2010-02-08 05:16 · Score: 3, Insightful
  
  Maybe. The interesting thing is that the exploit is both the attack also what is needed to fix it. There's a credible threat that others may use the same exploit, not just the one who found it. A company who did this openly, whose founding documents declare they only sell software vulnerability information with the software's creator, whose NDAs included clauses that they will never share this information with others in to perpetuity regardless of the potential client's decision on whether to buy the information... I think they could develop a defensible case and eventually a trusted brand image. Just because a company sells fire insurance doesn't mean they're really threatening to commit arson.
Bad guys don't trust bad guys. :) by khasim · 2010-02-08 05:01 · Score: 2, Interesting

But if you are a black hat (or a government: same thing) you want exclusive ownership.
:) And that is part of the problem when you choose to be one of the bad guys. You cannot trust the other bad guys to be honest in their deals.
And that doesn't bother me. If anything, it should drive down the prices as none of the bad guys are going to invest a lot of money on something that they cannot be sure they have an exclusive option on.
Link? by spydabyte · 2010-02-08 05:01 · Score: 1

I like the link to the black markets but not to the white markets. Hackers would probably benefit from these new "white-markets" you speak of.
How do you evaluate an open market item? by filesiteguy · 2010-02-08 05:14 · Score: 1

Though I'm not surprised that this exists, I wonder how one prices a zero-day exploit. Do you get a return on investment? Number of PC's infected? Number of bank accounts stolen?

--
The Kai's Semi-Updated Website Thingy
When will companies be held liable for bugs? by jollyreaper · 2010-02-08 05:25 · Score: 2, Interesting

Toyota's gonna catch holy hell for the whole "car randomly becomes kamikaze" bug with the accelerator. There are regulations and laws about this sort of thing. If I run a slaughterhouse and knowingly ship bad meat, I could go to jail. This isn't home hobbyist shit anymore, computers are serious business and Microsoft is wearing the big boy pants. Lives are at stake over this sort of thing. Dissidents can be targeted and killed. And even if it's not political but just plain' ol' computer crime, the losses can really add up.
I'm not a fan of bogging the industry down with so much regulation that nobody can get anything done but it's clear that businesses are, generally, not self-policing and concern for public welfare is not on the agenda. They will not consider it until compelled to by force of law. And to all the business apologists complaining about the stifling hand of government laying heavily upon the necks of business, just remember that there wouldn't be a call for regulation if there wasn't a need for regulation. If slaughterhouse owners applied the same standard to meat intended for public consumption that they would apply for meat intended for their own tables, Upton Sinclair wouldn't have had a novel and we wouldn't have had an FDA.

--
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
1. Re:When will companies be held liable for bugs? by GNious · 2010-02-08 09:14 · Score: 1
  
  Question: Are there no laws on the merchantability of a product where you live?
2. Re:When will companies be held liable for bugs? by jollyreaper · 2010-02-08 10:09 · Score: 1
  
  Question: Are there no laws on the merchantability of a product where you live?
  Not for software. The EULA's seem to indemnify software companies of all liability. You don't like it, don't use computers.
  
  --
  Kwisatz Haderach
  Sell the spice to CHOAM
  This Mahdi took Shaddam's Throne
3. Re:When will companies be held liable for bugs? by sincewhen · 2010-02-08 14:54 · Score: 1
  
  It is interesting to speculate upon how we could possibly get there from here.
  Obviously the software industry is too large to allow legislation to be forced upon it.
  And the comments the other day from the Microsoft CTO indicate no willingness to acccept any responsibility.
  My best guess is that locked-down devices like the iPad could be seen in the marketplace as much more secure and therefore a better choice for most people. Whether this will actually come to pass I doubt though, as other manufacturers will cloud the market with similar products making similar claims, which will tarnish the reputation of all such devices when they do fall prey to exploits.
  Can anyone else see any other path by which we can move beyond our hobbyist past with it's "build now fix problems later" attitude?
  
  --
  -- Braden's law of data: All data spends some of its lifetime in an excel spreadsheet.
Inside exploitation of these systems? by Anonymous Coward · 2010-02-08 05:28 · Score: 0

Is it possible that a developer or contractor close to a product preparing to launch could engineer a vulnerability in to the software and then conspire with a free-lance hacker working these sorts of projects to snatch up the payout? This is especially worrisome for government software, especially if they are paying out 5-6 figures for an identified vulnerability.
Re:Help me get free! by Anonymous Coward · 2010-02-08 05:30 · Score: 0

I hope this is just another troll, because if you actually killed a person and you're bitching about anything less than life behind bars, you need to just shut up right now. You've ended another person's life through your own stupidity and actions, now shut up and reap what you sowed.
Not a trend. by yoda · 2010-02-08 05:49 · Score: 2, Informative

The vulnerability contributor program @ Verisign and TippingPoint were setup by the same person. I know this because that person used to work for me. Google is buying simply as a reaction to the China stuff. This isn't a trend...though on the surface, it appears that way.
Smart idea by Anonymous Coward · 2010-02-08 06:52 · Score: 0

"White marketing" this makes perfect sense to me. After all, if you spend your time productively searching for flaws in products, this benefits the company thus exposed.
This "involuntary outsourcing" deserves compensation, and at the same time keeps these flaws away from those who would exploit them.
Hard decision by edxwelch · 2010-02-08 07:54 · Score: 1

"Charlie Miller ... who sold a bug he discovered in the Linux OS to a government contractor for $50,000 dollars, said that choosing whether to sell such an item or give it away for free to Microsoft is a hard decision to make"
Hmm, doesn't sound that hard to me.
Just wondering, what exactly did the government contractor do with the vunerability afterwards?
What passes for Insightful... by Gary+W.+Longsine · 2010-02-08 08:13 · Score: 2, Informative

Taliban and the Drug Trade
Some members of the U.S. drug enforcement community suggest that a new strategy may have been adopted by the Taliban in the wake of their July 27, 2000 announced ban on cultivation. This strategy would reflect a desire by the Taliban to use their “monopoly” position to maximize profits, i.e. restrict supply by restricting cultivation; drive prices up dramatically; and sell from an extensive supply of stockpiled opium. According to the United Nations Drug Control Program (UNDCP) personnel, in the past, up to 60% of opium stock has been stored for sale in future years."

Uhm, no. What nut jobs like Mullah Omar say, and what they actually do, might overlap, but may not be entirely equivalent.

--
If you mod me down, I shall become more powerful than you could possibly imagine.
need a job? by Anonymous Coward · 2010-02-08 09:49 · Score: 0

If you think you can actually find holes or build tools to find them, post some contact info. Also good would be writing proof-of-concept exploits.
1. Re:need a job? by insufflate10mg · 2010-02-09 03:12 · Score: 1
  
  You just proved my point PERFECTLY. I said that today "you're either an advanced black hat, an advanced white hat, script kiddie, or nothing." I am none of those. I considered myself a hacker at one time, after being mentored for years by a white-hat working in the Italian government and a black-hat creating/selling neural-network software for hospital uses in Nashville. It was a different time back then, I guess that's all I can say.
Re:Terminator revisited by hesaigo999ca · 2010-02-08 09:52 · Score: 1

But the white hatters being able to time travel send a robot back in time far enough to look up all the evil hacker's mom's and kill them all before any of this has started.
I just wonder if evil hackers that did make it into the future before they got diced, were able to find a way to look up those white hackers grandparents and send a robot back then , ...or wait a minute...
Some groups won't give up exploits by Anonymous Coward · 2010-02-08 11:05 · Score: 0

Unfortunately it all comes down to greed. Why would someone who finds an exploit report it to Microsoft for free or give it to Google for $500, when they can sell it and make $50,000 or more on the "black" market. Also, their are many groups out there that are looking for exploits that have no desire to report them to anyone. Chinese and Russian government hacker groups prize these back doors...
cyberarms.wordpress.com
maybe I can get you a job by poppopret · 2010-02-08 12:13 · Score: 1

I remember being 13-14 years old, spent every day and night reading and learning about computer security.
Nice.

The line in the sand is so broad and sharp; you're either an advanced black hat, an advanced white hat, script kiddie, or nothing.
Really? What if you pwn an evildoer? Send a resume to doubleplusgoodalbert@gmail.com if that sounds really cool.
1. Re:maybe I can get you a job by poppopret · 2010-02-08 12:18 · Score: 1
  
  BTW, an informal "resume" beats nothing. Say a bit about when/where are you willing to move, how broad/deep your hacking experience is, etc.
2. Re:maybe I can get you a job by insufflate10mg · 2010-02-09 03:15 · Score: 1
  
  If we were moving back in time to 1999, I'd be a hell of a candidate. For now, hit me up if you need someone to write your thesis paper or ghost-write a book for you.
Re:Terminator revisited by initialE · 2010-02-08 14:38 · Score: 1

Machines? Who needs machines?

--
Starbucks, Harbuckle of Breath.
Most of the successful attacks? by Hurricane78 · 2010-02-08 16:28 · Score: 1

As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days.
I highly doubt that. I think that, compared to social engineering, zero-day attacks are pretty much an insignificant slice of the cake.
I mean, it’s much easier to hack a PEBKAC. And as the biggest ranks usually also are the biggest PEBKACs, it’s a clear winner. ^^

--
Any sufficiently advanced intelligence is indistinguishable from stupidity.