Zero-Day Vulnerabilities On the Market
An anonymous reader writes "Zero-day vulnerabilities have become prized possessions to attackers and defenders alike. As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days. There is an underground market growing around these vulnerabilities, but there are also 'white markets' — set up by VeriSign, TippingPoint, Google — where they buy zero-day flaws and alert the companies so that they can patch their products before the vulnerabilities can be taken advantage of."
...1998 in here.
someone to invent time travel. Then someone could go into the future, get all the patches and fixes to various popular software, come back in time, and give it to us. Problem solved.
I always appreciate the clarification that a growing market is growing.
...especially when the market is fairly inelastic.
The best "white market" tale I've ever heard is the militias that ran the "Golden Triangle" in the Southeast Asian highlands offering to sell the US the entire opium crop.
I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market. They could even use the opium for the production of painkillers for the legitimate market, which I understand is actually constrained sometimes by strict production limitations.
You would think that white marketing the supply of illicit drugs would make a lot of sense -- by buying up supplies at the volume end of the market and denying it to the market, you would drive street prices through the roof and have far more impact on the consumers, pricing many out of the market. Cocaine supply diversity may make this difficult, but if pursued quietly it might actually be effective there too.
Critics would decry giving money to criminals, but the "buy" could actually take place at the farming level where that's an option, thus totally undercutting the criminals. It'd be great to see a cost analysis to see if it would actually be cheaper to just buy up the drugs at the point of production versus the drug war, which doesn't work.
OK, this is a pet peeve of mine, but why the heck do these get called "Zero-day vulnerabilities"? Yes, I understand that the definition is that the zero-day refers to the time between when the vulnerability is made public and the time that an exploit is made available. However, I don't get why this needs an additional moniker on top of being a vulnerability in the first place. Don't most of the vulnerabilities have an exploit the same day that the vulnerability is published (wouldn't you want to have a proof of concept that the vulnerability exists, I'd assume one was created.)? I haven't heard of many "7-day vulnerabilities". So why isn't the "zero-day" thing implied? If a vulnerability is exposed and there is no exploit available, the vendors already make statements such as "there are no known exploits for this". Where I would think that the "zero-day" moniker would actually add some information is if the vulnerability is exposed on the zeroth day of release of the product in question. _That_ would be something to give a special name to. That would mean that the developer has botched it so badly that it didn't even take 24 hours before someone found a hole. As it is now (IMHO) the "zero-day" moniker is simply being alarmist and only trying to add sparkle to the term, and carries no significant information.
Does anyone have a breakdown as to the number of zero-day vulnerabilities per platform and operating system?
You seem to be under the impression that the war (on drugs) has anything to do with logical reasoning...
It's a great idea though, and I bet it will in fact work *and* be cheaper.
Remember, we're not talking about the farmers being the equal of the distributors.
If you start taking away a source of revenue, you had better be able to defend that with violence of your own.
And anyway, if the farmers are growing dope, they're not growing food. How about offer to buy the food that the farmers grow at a higher rate than the processors pay for the dope?
Surely companies could just buy the zero-day exploits, study them, and patch their software. Turn the black market to your own end. Then the problem is solved without time travel.
Like all pain, suffering is a signal that something isn't right
"...can be taken advantage of."
should be something like,
"can be exploited."
...know that it has not also been sold to someone else? And who brokers these deals? I can't imagine the parties trusting each other.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
If you are the company who wrote the software, you now know where the flaw is and can fix it.
If you release a patch, that could be reverse engineered and the bad guys would find the flaw anyway.
> Besides companies potentially paying better, there's the added bonus of not
> having to do something illegal, harmful and immoral...
Be careful. If the company learns your identity during negotiations they might have you arrested for extortion.
:) And that is part of the problem when you choose to be one of the bad guys. You cannot trust the other bad guys to be honest in their deals.
And that doesn't bother me. If anything, it should drive down the prices as none of the bad guys are going to invest a lot of money on something that they cannot be sure they have an exclusive option on.
I like the link to the black markets but not to the white markets. Hackers would probably benefit from these new "white-markets" you speak of.
Though I'm not surprised that this exists, I wonder how one prices a zero-day exploit. Do you get a return on investment? Number of PCs infected? Number of bank accounts stolen?
The Kai's Semi-Updated Website Thingy
Toyota's gonna catch holy hell for the whole "car randomly becomes kamikaze" bug with the accelerator. There are regulations and laws about this sort of thing. If I run a slaughterhouse and knowingly ship bad meat, I could go to jail. This isn't home hobbyist shit anymore, computers are serious business and Microsoft is wearing the big boy pants. Lives are at stake over this sort of thing. Dissidents can be targeted and killed. And even if it's not political but just plain ol' computer crime, the losses can really add up.
I'm not a fan of bogging the industry down with so much regulation that nobody can get anything done but it's clear that businesses are, generally, not self-policing and concern for public welfare is not on the agenda. They will not consider it until compelled to by force of law. And to all the business apologists complaining about the stifling hand of government laying heavily upon the necks of business, just remember that there wouldn't be a call for regulation if there wasn't a need for regulation. If slaughterhouse owners applied the same standard to meat intended for public consumption that they would apply for meat intended for their own tables, Upton Sinclair wouldn't have had a novel and we wouldn't have had an FDA.
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
Is it possible that a developer or contractor close to a product preparing to launch could engineer a vulnerability into the software and then conspire with a free-lance hacker working these sorts of projects to snatch up the payout? This is especially worrisome for government software, especially if they are paying out 5-6 figures for an identified vulnerability.
The vulnerability contributor programs at Verisign and TippingPoint were set up by the same person. I know this because that person used to work for me. Google is buying simply as a reaction to the China stuff. This isn't a trend...though on the surface, it appears that way.
"White marketing" this makes perfect sense to me. After all, if you spend your time productively searching for flaws in products, this benefits the company thus exposed.
This "involuntary outsourcing" deserves compensation, and at the same time keeps these flaws away from those who would exploit them.
"Charlie Miller ... who sold a bug he discovered in the Linux OS to a government contractor for $50,000 dollars, said that choosing whether to sell such an item or give it away for free to Microsoft is a hard decision to make"
Hmm, doesn't sound that hard to me.
Just wondering, what exactly did the government contractor do with the vulnerability afterwards?
Uhm, no. What nut jobs like Mullah Omar say, and what they actually do, might overlap, but may not be entirely equivalent.
If you mod me down, I shall become more powerful than you could possibly imagine.
If you think you can actually find holes or build tools to find them, post some contact info. Also good would be writing proof-of-concept exploits.
But the white hatters being able to time travel send a robot back in time far enough to look up all the evil hackers' moms and kill them all before any of this has started.
I just wonder if evil hackers that did make it into the future before they got diced, were able to find a way to look up those white hackers' grandparents and send a robot back then, ...or wait a minute...
Unfortunately it all comes down to greed. Why would someone who finds an exploit report it to Microsoft for free or give it to Google for $500, when they can sell it and make $50,000 or more on the "black" market? Also, there are many groups out there that are looking for exploits that have no desire to report them to anyone. Chinese and Russian government hacker groups prize these back doors...
cyberarms.wordpress.com
I remember being 13-14 years old, spent every day and night reading and learning about computer security.
Nice.
The line in the sand is so broad and sharp; you're either an advanced black hat, an advanced white hat, script kiddie, or nothing.
Really? What if you pwn an evildoer? Send a resume to doubleplusgoodalbert@gmail.com if that sounds really cool.
Machines? Who needs machines?
Starbucks, Harbuckle of Breath.
> As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days.
I highly doubt that. I think that, compared to social engineering, zero-day attacks are pretty much an insignificant slice of the cake.
I mean, it’s much easier to hack a PEBKAC. And as the biggest ranks usually also are the biggest PEBKACs, it’s a clear winner. ^^
Any sufficiently advanced intelligence is indistinguishable from stupidity.