Slashdot Mirror
Zero-Day Vulnerabilities On the Market
An anonymous reader writes "Zero-day vulnerabilities have become prized possessions to attackers and defenders alike. As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days. There is an underground market growing around these vulnerabilities, but there are also 'white markets' — set up by VeriSign, TippingPoint, Google — where they buy zero-day flaws and alert the companies so that they can patch their products before the vulnerabilities can be taken advantage of."
someone to invent time travel. Then someone could go into the future, get all the patches and fixes to various popular software, come back in time, and give it to us. Problem solved.
...especially when the market is fairly inelastic.
The best "white market" tale I've ever heard is the militias that ran the "Golden Triangle" in the Southeast Asian highlands offering to sell the US the entire opium crop.
I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market. They could even use the opium for the production of painkillers for the legitimate market, which I understand is actually constrained sometimes by strict production limitations.
You would think that white marketing the supply of illicit drugs would make a lot of sense -- by buying up supplies at the volume end of the market and denying it to the market, you would drive street prices through the roof and have far more impact on the consumers, pricing many out of the market. Cocaine supply diversity may make this difficult, but if pursued quietly it might actually be effective there too.
Critics would decry giving money to criminals, but the "buy" could actually take place at the farming level where that's an option, thus totally undercutting the criminals. It'd be great to see a cost analysis to see if it would actually be cheaper to just buy up the drugs at the point of production versus the drug war, which doesn't work.
You seem to be under the impression that the war (on drugs) has anything to do with logical reasoning...
It's a great idea though, and I bet it will in fact work *and* be cheaper.
Remember, we're not talking about the farmers being the equal of the distributors.
If you start taking away a source of revenue, you had better be able to defend that with violence of your own.
And anyway, if the farmers are growing dope, they're not growing food. How about offer to buy the food that the farmers grow at a higher rate than the processors pay for the dope?
0-day means there is no patch available, as opposed to vulns that come out after patches are issued and you could possibly upgrade your system to being secure.
Anything that is patched, but you haven't bothered to update your system and are thus vulnerable to, isn't a 0-day.
Learning HOW to think is more important than learning WHAT to think.
...know that it has not also been sold to someone else? And who brokers these deals? I can't imagine the parties trusting each other.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
I always thought 0-day should refer to time between the software itself is releasedand an exploit is found. Frankly, that would make more sense and that's the type of vulnerability that would actually be somewhat impressive as well as potentially devastating. If a piece of software has been floating around for a few months and then an attack against it is announced, I assume that the vector has been exploited already without an announcement and am hardly surprised that a vulnerability has been found by that point in time.
If you are the company who wrote the software, you now know where the flaw is and can fix it.
If you release a patch, that could be reverse engineered and the bad guys would find the flaw anyway.
Wow, I know /.ers rarely read TFA, but did you even read the summary? They explicitly mention "white markets" where companies can do just that. If the white markets are well known about, learning of an exploit is often likely to be more valuable to the company than a hacker. A company can suffer liability for damages, lose clients, suffer hits to their company's good will, and, depending on the nature of the software and what it's used for, and the exploit and how it works, any number of other things. Those buying the exploits can't know how long it will be effective, or how profitable it will be. My guess is, the more profitable it could be, the quicker it will get fixed, so how much can the black market pay? Besides companies potentially paying better, there's the added bonus of not having to do something illegal, harmful and immoral, though I know that doesn't matter to some. And there might be the appeal of being on the side of preventing malicious attacks. Think about it, all the CS nerds will be able to effectively become digital Jack Bauers, and that's bound to get chicks.
Damn straight it is.
The 0day black market has been thriving for over a decade; I remember being 13-14 years old, spent every day and night reading and learning about computer security. It was a different world in hacking back then; the reason was because the lines between a secure system and an insecure system were more blurred. Most machines/network one would target had a vulnerability that was exploitable, it was just a matter of spending enough days reading to discover it. It was an incredible time in the Internet's young life, but it is long gone. By the time I was 16 years old, I had joined my mentors in writing white papers relating to security, pen-testing, and trying to maintain integrity within the game. Technology moved faster than any of us had imagined, and we all moved on to our own specializations in computer science. Hacking was so open, so possible: it just took the right amount of knowledge to do it, and everyone who would do anything to not be a skiddie was busting their ass every day.
We have moved on to different times. The line in the sand is so broad and sharp; you're either an advanced black hat, an advanced white hat, script kiddie, or nothing. Although I miss the old days, it is nice to see how far computer security has come. I'm proud to say that I am an "newer old school" hacker because with that area-of-specialization comes a unique set of skills that new-age "hackers" don't have. There are still the real old school hackers though, and I could only imagine the nostalgia they feel everyday and have been feeling for decades.
Hacking is just not what it used to be, but this article (and the post I'm replying to) echo the faint sounds of the old days when we used to discover 0days, share them with our friends, protect them honorably, use them when necessary, and end up selling them out to their victim's companies to make the internet just a little bit safer.
> Besides companies potentially paying better, there's the added bonus of not
> having to do something illegal, harmful and immoral...
Be careful. If the company learns your identity during negotiations they might have you arrested for extortion.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
:) And that is part of the problem when you choose to be one of the bad guys. You cannot trust the other bad guys to be honest in their deals.
And that doesn't bother me. If anything, it should drive down the prices as none of the bad guys are going to invest a lot of money on something that they cannot be sure they have an exclusive option on.
Toyota's gonna catch holy hell for the whole "car randomly becomes kamikaze" bug with the accelerator. There are regulations and laws about this sort of thing. If I run a slaughterhouse and knowingly ship bad meat, I could go to jail. This isn't home hobbyist shit anymore, computers are serious business and Microsoft is wearing the big boy pants. Lives are at stake over this sort of thing. Dissidents can be targeted and killed. And even if it's not political but just plain' ol' computer crime, the losses can really add up.
I'm not a fan of bogging the industry down with so much regulation that nobody can get anything done but it's clear that businesses are, generally, not self-policing and concern for public welfare is not on the agenda. They will not consider it until compelled to by force of law. And to all the business apologists complaining about the stifling hand of government laying heavily upon the necks of business, just remember that there wouldn't be a call for regulation if there wasn't a need for regulation. If slaughterhouse owners applied the same standard to meat intended for public consumption that they would apply for meat intended for their own tables, Upton Sinclair wouldn't have had a novel and we wouldn't have had an FDA.
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
The vulnerability contributor program @ Verisign and TippingPoint were setup by the same person. I know this because that person used to work for me. Google is buying simply as a reaction to the China stuff. This isn't a trend...though on the surface, it appears that way.
Uhm, no. What nut jobs like Mullah Omar say, and what they actually do, might overlap, but may not be entirely equivalent.
If you mod me down, I shall become more powerful than you could possibly imagine.