Zero-Day Vulnerabilities On the Market

An anonymous reader writes "Zero-day vulnerabilities have become prized possessions to attackers and defenders alike. As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days. There is an underground market growing around these vulnerabilities, but there are also 'white markets' — set up by VeriSign, TippingPoint, Google — where they buy zero-day flaws and alert the companies so that they can patch their products before the vulnerabilities can be taken advantage of."

This is why we need...

someone to invent time travel. Then someone could go into the future, get all the patches and fixes to various popular software, come back in time, and give it to us. Problem solved.

Re:This is why we need...

But the evil hackers with time travel will then go to the future to find out exploits before they've been found in the past.

Re:This is why we need...

[BartholomewBernsteyn]

But the evil hackers with time travel will then go to the future to find out exploits before they've been found in the past.

...and that's exactly why need regulation with regards to time travel and access to time travel machinery, now. You there, drop that screwdriver!

Re:This is why we need...

[_Sprocket_]

"Dude. As soon as Bill stops screwing around with card games, we're going to be set!"

"Why?"

"I just got a whole bunch of neg 7300 day exploits for Win95, dude. We're gonna be set."

"Cool. Hey.... have you even been born yet?"

"Awww crap..." (poof)

Re:This is why we need...

[guruevi]

Don't worry, almost all classic DeLorean's have rotted away and we're still waiting on non-Newtonian Physicists to invent a Flux Capacitor.

Good to know

I always appreciate the clarification that a growing market is growing.

I'm surprised white markets aren't more common

[swb]

...especially when the market is fairly inelastic.

The best "white market" tale I've ever heard is the militias that ran the "Golden Triangle" in the Southeast Asian highlands offering to sell the US the entire opium crop.

I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market. They could even use the opium for the production of painkillers for the legitimate market, which I understand is actually constrained sometimes by strict production limitations.

You would think that white marketing the supply of illicit drugs would make a lot of sense -- by buying up supplies at the volume end of the market and denying it to the market, you would drive street prices through the roof and have far more impact on the consumers, pricing many out of the market. Cocaine supply diversity may make this difficult, but if pursued quietly it might actually be effective there too.

Critics would decry giving money to criminals, but the "buy" could actually take place at the farming level where that's an option, thus totally undercutting the criminals. It'd be great to see a cost analysis to see if it would actually be cheaper to just buy up the drugs at the point of production versus the drug war, which doesn't work.

Re:I'm surprised white markets aren't more common

[adonoman]

It'd work great until a few farmers, who sold to the government instead of the local underground, wind up dead.

Re:I'm surprised white markets aren't more common

[bluesatin]

I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market.

This would probably cause a knock-on effect of increasing production in the area, due to the fact that you will be increasing the profits for the poppy growers, and perhaps also encouraging people to start poppy farming; selling to US troops is probably a hell of a lot less scary than selling to the Taliban.

Re:I'm surprised white markets aren't more common

[L4t3r4lu5]

Buying products other than opium, i.e. incentives to plant other crops would be better.

On another point, don't you think the Taliban might be a little irritated by this and, ooooh I don't know, cut off some farmers heads? I hear they've been known to do that to make a point.

Re:I'm surprised white markets aren't more common

[Ltap]

You're right. The drug-growing problem in Afghanistan is two-fold: very little will grow there other than desert plants. Opium grows there and is extremely profitable to grow, so if they were to try and grow other crops, they would probably not be sustainable without more infrastructure (such as an irrigation network to grow crops that need more ground water). There have been attempts to cultivate some local plants to extract oils for use in beauty products, but it's a niche market and only a small amount of farmers can do it without over-saturating the market. A crop that would grow in Afghanistan, is in demand, and is rare enough to warrant transportation costs to the rest of the world is the ideal crop, and right now that is opium. Until there is a viable alternative, that is what farmers will grow.

Re:I'm surprised white markets aren't more common

[microbox]

Selling to US troops is probably a hell of a lot less scary than selling to the Taliban.

That is unlikely from the farmer's perspective -- who may fear violent reprisals from the Taliban, and don't trust the christian infidels (US troops) anyway.

Re:I'm surprised white markets aren't more common

[swb]

We can incentivize the growing of other crops, too, but we should also be prepared to buy up the opium crop.

The alternative is destroying the opium crop; this impoverishes the farmer further, destroys his livelihood and causes him to not just grow opium, but join the Taliban.

Re:I'm surprised white markets aren't more common

I know you are being flippant but your average Afgani (or any muslim) doesn't think in terms of "christian infidels", that is the kind of talk you get from radical mullahs, talk show hosts, or rednecks. Depending on their education they are more likely to think "here are non-muslems who are going to try to take over and get us to convert like they did during the crusades, or the British...". Most people are just like you and me, they just want to be left alone, be relatively comfortable, not be afraid all the time, and be with family and friends.

Re:I'm surprised white markets aren't more common

[Yvanhoe]

The taliban are actually opposed to drugs production. While they were in power, the area of opium cultures fell down incredibely quick. It came back thanks to the war. The drugs lords are a faction different from the talibans.

Re:I'm surprised white markets aren't more common

[SeePage87]

Another problem with the strategy is that more drugs will be produces. If you buy up all the drugs at high prices, you'll have artificially injected a huge amount of demand into the market, as well as effectively condoned drug production. The existing producers will produce much more, since they can move it, and other's will flock to the drug trade, knowing that the U.S. government will buy it. If we don't, they'll just sell it to the Taliban again and, since we never put it on the streets, they'll still receive good prices and have no problems moving it. Always remember to apply the game theoretical implications of any can of economic policy (which I've found very few in Congress do.

Re:I'm surprised white markets aren't more common

[Jenming]

I bet the Opium would still reach the consumer at comparable prices.

The Opiate trade does not exist because of Afghanistan farmers or the Taliban, it exists because consumers really want Opiates.

Re:I'm surprised white markets aren't more common

[Hasai]

Critics would decry giving money to criminals, but the "buy" could actually take place at the farming level where that's an option, thus totally undercutting the criminals.

And where, in regions that routinely grow opium, would this be an 'option?' The criminals will show up at the farmer's doorstep, take the money, then butcher both the farmer and his family to make an example.

I saw the same sort of thing happen in S.A., where this one campesino decided he wasn't going to grow coca anymore: the local enforcers promptly showed-up, dragged him and his family out and forced them to kneel in front of their house, then went right down the row, from youngest to oldest. Pop, pop, pop, pop, pop.

The term 'naive' doesn't even begin to describe your idea.

Re:I'm surprised white markets aren't more common

[ratboy666]

The Taliban sells heroin?

Um... no. In July 2000, Mullah Omar ordered a ban on poppy cultivation. As far as I know, this hasn't been lifted. Other members of the Northern Alliance are responsible.

I presume you are a US citizen; please know your enemy. The Taliban may be at war with the US, but they are even harder on drugs. It is about as conceivable as Pat Robertson selling heroin to fund Christian Outreach.

Re:I'm surprised white markets aren't more common

[dave562]

Two things your logic misses. First you've completely ignored the fact that the profits from drugs are used to finance the war. It isn't just the Taliban who are trading dope for military hardware. The drug trade is a perfect way for the government and companies to launder money. Here is a link to a PBS article that details a small, ACKNOWLEDGED portion of the process.

http://www.pbs.org/wgbh/pages/frontline/shows/drugs/special/us.html

The PBS article talks about legit goods like appliances and automobiles. The arms market is a whole other beast. The CIA and other agencies use drugs to fund operations that they can't go to Congress for.

Here's an article about how the CIA was involved in running drugs through Arkansas.

http://www.serendipity.li/cia/hayes2.html

The other thing that I think you should consider is that the farmers need an alternate crop. As others have stated, there isn't much that will grown in Afghanistan. They could grow hemp though. In my mind, and I've said it before, it would be great to switch them from opium to hemp. Opium has one use. It is a pain killer. Hemp has multiple uses. The way I conceived of it working, the UN or US or whoever would buy the opium for a few years while the transition takes place. Once the farmers start growing hemp, they could sell to local markets in the provincial capitols. The capitols could start to build infrastructure to use the hemp. Hemp can be turned into cloth for clothing. The oil can be used for cooking and heating. The farmers could be allowed to grow marijuana too. It's about time that people pull their heads of their asses regarding marijuana prohibition. It isn't the best substance in world for your body, but it isn't any worse than cigarettes or alcohol. The added benefit of hemp is that it encourages companion industries like textiles.

Re:I'm surprised white markets aren't more common

[wintercolby]

I remember the Karzai's government trying to do just what you're suggesting here, and the Bush Administration refuting it. Most of our current legal opium supply comes from Turkey, which houses several US Military bases. Ultimately, purchasing opium for use in purposely restricted legal markets would flood those markets, driving down prices and alienating our allies. That said, I would be willing to bet that purchasing opium from farmers and storing it would be cheaper than prosecuting the war against the Taliban as well as the expensive war on drugs.

Re:I'm surprised white markets aren't more common

[SnarfQuest]

Since these "farmers" will know that the drugs they produce will never be used, what's to stop them from selling fake drugs which have fixed to make the tests turn out right to the US government, and selling the real ones to the Taliban? All you need is some cheap chemical that makes the test kit change color, and I'm sure that there are things other than opium that can fake out the tests. Maybe just some food coloring mixed in.

Re:I'm surprised white markets aren't more common

[SnarfQuest]

Buying products other than opium, i.e. incentives to plant other crops would be better.

Like industrial strength hemp?

They grow drugs because it is more profitable than food crops. They probably get 10 times the earnings per acre for opium than they would get for any food crop. If the US bought up all the opium one year, the farmers would just convert more of their fields over to opium. After one year, there would me more than enough opium for the US and the Taliban, and anyone else who wants it.

If you went to California, and put up an ad specifying that the government would pay $1000/pound for marajuana, with no legal problems, would you expect the quantity grown in that state to decrease?

Re:I'm surprised white markets aren't more common

[_Sprocket_]

The taliban are actually opposed to drugs production. While they were in power, the area of opium cultures fell down incredibely quick. It came back thanks to the war. The drugs lords are a faction different from the talibans.

Which is all nice and fine as long as the Taliban remains in control. But what happened after?

There are reports that the Taliban are now involved in the drug trade again. Despite the use of this as obvious propaganda, it isn't that far fetched as the Taliban initially hadn't had a problem with opium since it was a drug for foreigners (hashish was another matter). Of course, it's also very likely that the Taliban is only one of many players in the increased trade. Narcotics is a major industry and quickly becomes prominent in any unstable environment. It becomes a vehicle for not only criminals and warlords but other traders in power to include intelligence agencies and legitimate businesses.

Re:I'm surprised white markets aren't more common

[Zerth]

Taliban suspected of stockpiling 12,000 tons of poppies?

Re:I'm surprised white markets aren't more common

[swb]

Except that we didn't have 50,000 troops in South America.

Re:I'm surprised white markets aren't more common

[wintercolby]

I'm sure that this is as much a possibility as reporting a bogus security flaw to a software company. It wouldn't take long for a proper chemist to determine that what they were testing wasn't the real thing. On the up side, it could mean more science jobs and thus more of a push for better geeky ed in public schools.

Re:I'm surprised white markets aren't more common

[Z34107]

It's a great idea in the term, but I think it might have problems long-term. Vastly increasing the demand for heroin (exactly what buying all production at the best price possible is!) would encourage more people to enter heroin production. Maybe convert farmland from food production to "cash crops."

However, unlike the "war" on drugs, I'm convinced your idea has a least a snowball's chance of working. The DEA's budget should be transferred immediately to you, our new Drug Czar.

Re:I'm surprised white markets aren't more common

[aurumdib]

You assume that the offer will be constant but is not. Each farmer would have the possibility to plant opium or coca with a sure mark, do you think that all the farmers will be happy to plant anything else... in the long term, the farmer will loss because of the mono plantation, but that will be not the only problem, in short term the government will be broke for buyout the special plantations.

If you propose the enforcement of the control in the limits of the production (to assure the constant offer) you will generate what already are in Peru or Columbia or Bolivia (black mark), Here again with the same problem of the start.

Re:I'm surprised white markets aren't more common

[ArsonSmith]

I'd complain more that driving the street price up would also drive up the drug related street crime here close to home. Providing incentive for more local growers and strain the local enforcements.

"Zero-day" is just noise

[Imagix]

OK, this is a pet peeve of mine, but why the heck do these get called "Zero-day vulnerabilities". Yes, I understand that the definition is that the zero-day refers to the time between the vulnerability is made public and the time that an exploit is made available. However, I don't get why this needs an additional moniker on top of being a vulnerability in the first place. Don't most of the vulnerabilities have an exploit the same day that the vulerability is published (wouldn't you want to have a proof of concept that the vulnerability exists, I'd assume one was created.)? I haven't heard of many "7-day vulnerabilities". So why isn't the "zero-day" thing implied? If a vulnerability is exposed and there is no exploit available, the vendors already make statements such as "there are no known exploits for this". Where I would think that the "zero-day" moniker would actually add some information is if the vulnerability is exposed on the zeroith day of release of the product in question. _That_ would be something to give a special name to. That would mean that the developer has botched it so badly that it didn't even take 24 hours before someone found a hole. As it is now (IMHO) the "zero-day" moniker is simply being alarmist and only trying to add sparkle to the term, and carries no significant information.

Re:"Zero-day" is just noise

[chill]

0-day means there is no patch available, as opposed to vulns that come out after patches are issued and you could possibly upgrade your system to being secure.

Anything that is patched, but you haven't bothered to update your system and are thus vulnerable to, isn't a 0-day.

Re:"Zero-day" is just noise

[bsDaemon]

I always thought 0-day should refer to time between the software itself is releasedand an exploit is found. Frankly, that would make more sense and that's the type of vulnerability that would actually be somewhat impressive as well as potentially devastating. If a piece of software has been floating around for a few months and then an attack against it is announced, I assume that the vector has been exploited already without an announcement and am hardly surprised that a vulnerability has been found by that point in time.

Re:"Zero-day" is just noise

[maxume]

I agree with this definition (i.e., "A patch has been available for 0 days" being the basis of the phrase), but I predict people are going to argue with you. A lot.

Re:"Zero-day" is just noise

[zippthorne]

So, every vulnerability is zero-day, then? Sounds redundant.

Re:"Zero-day" is just noise

[maxume]

Sure, because there are no systems out there that are not up to date with patches.

I can also see the case for 0 day meaning vulnerabilities that the vendor has not been notified of yet.

Re:"Zero-day" is just noise

[jofny]

0day implies that there is a --non public-- vulnerability and/or exploit out in the wild that has not yet been disclosed outside of relatively small private circles (nothing to do with the time between vuln and exploit). Its meaning has been lately bastardized to include "things for which we dont have a patch yet" - and it's that bastardization which creates scenarios that don't make "sense".

Re:"Zero-day" is just noise

[bughunter]

Its meaning has been lately bastardized

So zero-day has joined the rather exclusive League of Semiotic Hyperlatives, along with other misused terms such as Robot, Virtual Reality, 3D, and Artificial Intelligence.

... you are sadly mistaken

[thijsh]

You seem to be under the impression that the war (on drugs) has anything to do with logical reasoning...
It's a great idea though, and I bet it will in fact work *and* be cheaper.

Exactly.

[khasim]

Remember, we're not talking about the farmers being the equal of the distributors.

If you start taking away a source of revenue, you had better be able to defend that with violence of your own.

And anyway, if the farmers are growing dope, they're not growing food. How about offer to buy the food that the farmers grow at a higher rate than the processors pay for the dope?

Re:Exactly.

[hduff]

And anyway, if the farmers are growing dope, they're not growing food. How about offer to buy the food that the farmers grow at a higher rate than the processors pay for the dope?

Then farmers get killed for growing food instead of drugs. The best solution (for the farmers) is for there to be no demand for the drugs or no profit in providing them. Given that will never happen, the farmers are sooo screwed.

Re:Exactly.

[mcgrew]

Have you compared the cost of a pound of corn (an ear or two) compared to the cost of a pond of opium? A pound of flour compared to the cost of a pound of heroin?

Are you willing to pay $100 for a loaf of bread and seventy five follars for a beer?

Buy them

[microbox]

Surely companies could just buy the zero-day exploits, study them, and patch their software. Turn the black market to your own end. Then the problem is solved without time travel.

Re:Buy them

[SeePage87]

Wow, I know /.ers rarely read TFA, but did you even read the summary? They explicitly mention "white markets" where companies can do just that. If the white markets are well known about, learning of an exploit is often likely to be more valuable to the company than a hacker. A company can suffer liability for damages, lose clients, suffer hits to their company's good will, and, depending on the nature of the software and what it's used for, and the exploit and how it works, any number of other things. Those buying the exploits can't know how long it will be effective, or how profitable it will be. My guess is, the more profitable it could be, the quicker it will get fixed, so how much can the black market pay? Besides companies potentially paying better, there's the added bonus of not having to do something illegal, harmful and immoral, though I know that doesn't matter to some. And there might be the appeal of being on the side of preventing malicious attacks. Think about it, all the CS nerds will be able to effectively become digital Jack Bauers, and that's bound to get chicks.

poor grammar

[FredThompson]

"...can be taken advantage of."

should be something like,

"can be exploited."

How does the purchaser of an exploit...

[John+Hasler]

...know that it has not also been sold to someone else? And who brokers these deals? I can't imagine the parties trusting each other.

Does it matter?

[khasim]

If you are the company who wrote the software, you now know where the flaw is and can fix it.

If you release a patch, that could be reverse engineered and the bad guys would find the flaw anyway.

Re:Does it matter?

[John+Hasler]

> If you are the company who wrote the software, you now know where the flaw
> is and can fix it.

But if you are a black hat (or a government: same thing) you want exclusive ownership. Even if you are the company that wrote the software you don't want the exploit sold to black hats who will exploit it between now and the time you deploy your fix (or afterward against the many customers who won't upgrade).

Re:Sure is...

[insufflate10mg]

Damn straight it is.

The 0day black market has been thriving for over a decade; I remember being 13-14 years old, spent every day and night reading and learning about computer security. It was a different world in hacking back then; the reason was because the lines between a secure system and an insecure system were more blurred. Most machines/network one would target had a vulnerability that was exploitable, it was just a matter of spending enough days reading to discover it. It was an incredible time in the Internet's young life, but it is long gone. By the time I was 16 years old, I had joined my mentors in writing white papers relating to security, pen-testing, and trying to maintain integrity within the game. Technology moved faster than any of us had imagined, and we all moved on to our own specializations in computer science. Hacking was so open, so possible: it just took the right amount of knowledge to do it, and everyone who would do anything to not be a skiddie was busting their ass every day.

We have moved on to different times. The line in the sand is so broad and sharp; you're either an advanced black hat, an advanced white hat, script kiddie, or nothing. Although I miss the old days, it is nice to see how far computer security has come. I'm proud to say that I am an "newer old school" hacker because with that area-of-specialization comes a unique set of skills that new-age "hackers" don't have. There are still the real old school hackers though, and I could only imagine the nostalgia they feel everyday and have been feeling for decades.

Hacking is just not what it used to be, but this article (and the post I'm replying to) echo the faint sounds of the old days when we used to discover 0days, share them with our friends, protect them honorably, use them when necessary, and end up selling them out to their victim's companies to make the internet just a little bit safer.

Re:Sure is...

[insufflate10mg]

I just realized the parent was trying to make a joke about how 0days have been on the black market since the 90's. When I read it the first time I thought it was a nostalgic reference, not a reference to the fact that the news contained in this story is far from news. Maybe olds, but not news.

Be careful.

[John+Hasler]

> Besides companies potentially paying better, there's the added bonus of not
> having to do something illegal, harmful and immoral...

Be careful. If the company learns your identity during negotiations they might have you arrested for extortion.

Re:Be careful.

[SeePage87]

Maybe. The interesting thing is that the exploit is both the attack also what is needed to fix it. There's a credible threat that others may use the same exploit, not just the one who found it. A company who did this openly, whose founding documents declare they only sell software vulnerability information with the software's creator, whose NDAs included clauses that they will never share this information with others in to perpetuity regardless of the potential client's decision on whether to buy the information... I think they could develop a defensible case and eventually a trusted brand image. Just because a company sells fire insurance doesn't mean they're really threatening to commit arson.

Bad guys don't trust bad guys. :)

[khasim]

But if you are a black hat (or a government: same thing) you want exclusive ownership.

:) And that is part of the problem when you choose to be one of the bad guys. You cannot trust the other bad guys to be honest in their deals.

And that doesn't bother me. If anything, it should drive down the prices as none of the bad guys are going to invest a lot of money on something that they cannot be sure they have an exclusive option on.

Link?

[spydabyte]

I like the link to the black markets but not to the white markets. Hackers would probably benefit from these new "white-markets" you speak of.

Re:white market in zero-day vulnerabilities

[spydabyte]

my guess is Microsoft... purchased... that report.

How do you evaluate an open market item?

[filesiteguy]

Though I'm not surprised that this exists, I wonder how one prices a zero-day exploit. Do you get a return on investment? Number of PC's infected? Number of bank accounts stolen?

When will companies be held liable for bugs?

[jollyreaper]

Toyota's gonna catch holy hell for the whole "car randomly becomes kamikaze" bug with the accelerator. There are regulations and laws about this sort of thing. If I run a slaughterhouse and knowingly ship bad meat, I could go to jail. This isn't home hobbyist shit anymore, computers are serious business and Microsoft is wearing the big boy pants. Lives are at stake over this sort of thing. Dissidents can be targeted and killed. And even if it's not political but just plain' ol' computer crime, the losses can really add up.

I'm not a fan of bogging the industry down with so much regulation that nobody can get anything done but it's clear that businesses are, generally, not self-policing and concern for public welfare is not on the agenda. They will not consider it until compelled to by force of law. And to all the business apologists complaining about the stifling hand of government laying heavily upon the necks of business, just remember that there wouldn't be a call for regulation if there wasn't a need for regulation. If slaughterhouse owners applied the same standard to meat intended for public consumption that they would apply for meat intended for their own tables, Upton Sinclair wouldn't have had a novel and we wouldn't have had an FDA.

Re:When will companies be held liable for bugs?

[GNious]

Question: Are there no laws on the merchantability of a product where you live?

Re:When will companies be held liable for bugs?

[jollyreaper]

Question: Are there no laws on the merchantability of a product where you live?

Not for software. The EULA's seem to indemnify software companies of all liability. You don't like it, don't use computers.

Re:When will companies be held liable for bugs?

[sincewhen]

It is interesting to speculate upon how we could possibly get there from here.
Obviously the software industry is too large to allow legislation to be forced upon it.
And the comments the other day from the Microsoft CTO indicate no willingness to acccept any responsibility.
My best guess is that locked-down devices like the iPad could be seen in the marketplace as much more secure and therefore a better choice for most people. Whether this will actually come to pass I doubt though, as other manufacturers will cloud the market with similar products making similar claims, which will tarnish the reputation of all such devices when they do fall prey to exploits.
Can anyone else see any other path by which we can move beyond our hobbyist past with it's "build now fix problems later" attitude?

Not a trend.

[yoda]

The vulnerability contributor program @ Verisign and TippingPoint were setup by the same person. I know this because that person used to work for me. Google is buying simply as a reaction to the China stuff. This isn't a trend...though on the surface, it appears that way.

Hard decision

[edxwelch]

"Charlie Miller ... who sold a bug he discovered in the Linux OS to a government contractor for $50,000 dollars, said that choosing whether to sell such an item or give it away for free to Microsoft is a hard decision to make"

Hmm, doesn't sound that hard to me.

Just wondering, what exactly did the government contractor do with the vunerability afterwards?

What passes for Insightful...

[Gary+W.+Longsine]

Taliban and the Drug Trade
Some members of the U.S. drug enforcement community suggest that a new strategy may have been adopted by the Taliban in the wake of their July 27, 2000 announced ban on cultivation. This strategy would reflect a desire by the Taliban to use their “monopoly” position to maximize profits, i.e. restrict supply by restricting cultivation; drive prices up dramatically; and sell from an extensive supply of stockpiled opium. According to the United Nations Drug Control Program (UNDCP) personnel, in the past, up to 60% of opium stock has been stored for sale in future years."

Uhm, no. What nut jobs like Mullah Omar say, and what they actually do, might overlap, but may not be entirely equivalent.

Re:Terminator revisited

[hesaigo999ca]

But the white hatters being able to time travel send a robot back in time far enough to look up all the evil hacker's mom's and kill them all before any of this has started.

I just wonder if evil hackers that did make it into the future before they got diced, were able to find a way to look up those white hackers grandparents and send a robot back then , ...or wait a minute...

maybe I can get you a job

[poppopret]

I remember being 13-14 years old, spent every day and night reading and learning about computer security.

Nice.

The line in the sand is so broad and sharp; you're either an advanced black hat, an advanced white hat, script kiddie, or nothing.

Really? What if you pwn an evildoer? Send a resume to doubleplusgoodalbert@gmail.com if that sounds really cool.

Re:maybe I can get you a job

[poppopret]

BTW, an informal "resume" beats nothing. Say a bit about when/where are you willing to move, how broad/deep your hacking experience is, etc.

Re:maybe I can get you a job

[insufflate10mg]

If we were moving back in time to 1999, I'd be a hell of a candidate. For now, hit me up if you need someone to write your thesis paper or ghost-write a book for you.

Re:Terminator revisited

[initialE]

Machines? Who needs machines?

Most of the successful attacks?

[Hurricane78]

As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days.

I highly doubt that. I think that, compared to social engineering, zero-day attacks are pretty much an insignificant slice of the cake.

I mean, it’s much easier to hack a PEBKAC. And as the biggest ranks usually also are the biggest PEBKACs, it’s a clear winner. ^^

Re:Sure is...

[AG+the+other]

The word news didn't have anything to do with new. It stood, at least originally, for North East West and South.

Re:need a job?

[insufflate10mg]

You just proved my point PERFECTLY. I said that today "you're either an advanced black hat, an advanced white hat, script kiddie, or nothing." I am none of those. I considered myself a hacker at one time, after being mentored for years by a white-hat working in the Italian government and a black-hat creating/selling neural-network software for hospital uses in Nashville. It was a different time back then, I guess that's all I can say.

Re:Sure is...

[insufflate10mg]

No shit? The fact that the point of news is to spread new information had nothing to do with it?