Slashdot Mirror


Zero-Day Vulnerabilities On the Market

An anonymous reader writes "Zero-day vulnerabilities have become prized possessions to attackers and defenders alike. As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days. There is an underground market growing around these vulnerabilities, but there are also 'white markets' — set up by VeriSign, TippingPoint, Google — where they buy zero-day flaws and alert the companies so that they can patch their products before the vulnerabilities can be taken advantage of."

15 of 94 comments

  1. This is why we need... by Anonymous Coward · · Score: 4, Funny

    someone to invent time travel. Then someone could go into the future, get all the patches and fixes to various popular software, come back in time, and give it to us. Problem solved.

    1. Re:This is why we need... by Anonymous Coward · · Score: 4, Funny

      But the evil hackers with time travel will then go to the future to find out exploits before they've been found in the past.

    2. Re:This is why we need... by BartholomewBernsteyn · · Score: 5, Funny

      > But the evil hackers with time travel will then go to the future to find out exploits before they've been found in the past.

      ...and that's exactly why we need regulation with regards to time travel and access to time travel machinery, now. You there, drop that screwdriver!

  2. I'm surprised white markets aren't more common by swb · · Score: 4, Interesting

    ...especially when the market is fairly inelastic.

    The best "white market" tale I've ever heard is the militias that ran the "Golden Triangle" in the Southeast Asian highlands offering to sell the US the entire opium crop.

    I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market. They could even use the opium for the production of painkillers for the legitimate market, which I understand is actually constrained sometimes by strict production limitations.

    You would think that white marketing the supply of illicit drugs would make a lot of sense -- by buying up supplies at the volume end of the market and denying it to the market, you would drive street prices through the roof and have far more impact on the consumers, pricing many out of the market. Cocaine supply diversity may make this difficult, but if pursued quietly it might actually be effective there too.

    Critics would decry giving money to criminals, but the "buy" could actually take place at the farming level where that's an option, thus totally undercutting the criminals. It'd be great to see a cost analysis to see if it would actually be cheaper to just buy up the drugs at the point of production versus the drug war, which doesn't work.

    1. Re:I'm surprised white markets aren't more common by bluesatin · · Score: 3, Informative

      > I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market.

      This would probably cause a knock-on effect of increasing production in the area, due to the fact that you will be increasing the profits for the poppy growers, and perhaps also encouraging people to start poppy farming; selling to US troops is probably a hell of a lot less scary than selling to the Taliban.

    2. Re:I'm surprised white markets aren't more common by L4t3r4lu5 · · Score: 4, Insightful

      Buying products other than opium, i.e. incentives to plant other crops would be better.

      On another point, don't you think the Taliban might be a little irritated by this and, ooooh I don't know, cut off some farmers' heads? I hear they've been known to do that to make a point.

      --
      Finally had enough. Come see us over at https://soylentnews.org/

    3. Re:I'm surprised white markets aren't more common by Ltap · · Score: 4, Informative

      You're right. The drug-growing problem in Afghanistan is two-fold: very little will grow there other than desert plants. Opium grows there and is extremely profitable to grow, so if they were to try and grow other crops, they would probably not be sustainable without more infrastructure (such as an irrigation network to grow crops that need more ground water). There have been attempts to cultivate some local plants to extract oils for use in beauty products, but it's a niche market and only a small amount of farmers can do it without over-saturating the market. A crop that would grow in Afghanistan, is in demand, and is rare enough to warrant transportation costs to the rest of the world is the ideal crop, and right now that is opium. Until there is a viable alternative, that is what farmers will grow.

      --
      Yet Another Tech Blog
      (but so much more, including game and movie reviews)
      http://yanteb.peasantoid.org

    4. Re:I'm surprised white markets aren't more common by swb · · Score: 3, Insightful

      We can incentivize the growing of other crops, too, but we should also be prepared to buy up the opium crop.

      The alternative is destroying the opium crop; this impoverishes the farmer further, destroys his livelihood and causes him to not just grow opium, but join the Taliban.

    5. Re:I'm surprised white markets aren't more common by Yvanhoe · · Score: 4, Insightful

      The Taliban are actually opposed to drugs production. While they were in power, the area of opium cultures fell down incredibly quickly. It came back thanks to the war. The drugs lords are a faction different from the Taliban.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.

    6. Re:I'm surprised white markets aren't more common by Hasai · · Score: 4, Interesting

      > Critics would decry giving money to criminals, but the "buy" could actually take place at the farming level where that's an option, thus totally undercutting the criminals.

      And where, in regions that routinely grow opium, would this be an 'option?' The criminals will show up at the farmer's doorstep, take the money, then butcher both the farmer and his family to make an example.

      I saw the same sort of thing happen in S.A., where this one campesino decided he wasn't going to grow coca anymore: the local enforcers promptly showed up, dragged him and his family out and forced them to kneel in front of their house, then went right down the row, from youngest to oldest. Pop, pop, pop, pop, pop.

      The term 'naive' doesn't even begin to describe your idea.

      --

      Regards;

      Hasai

  3. ... you are sadly mistaken by thijsh · · Score: 4, Insightful

    You seem to be under the impression that the war (on drugs) has anything to do with logical reasoning...
    It's a great idea though, and I bet it will in fact work *and* be cheaper.

  4. Re:"Zero-day" is just noise by chill · · Score: 3, Informative

    0-day means there is no patch available, as opposed to vulns that come out after patches are issued and you could possibly upgrade your system to being secure.

    Anything that is patched, but you haven't bothered to update your system and are thus vulnerable to, isn't a 0-day.

    --
    Learning HOW to think is more important than learning WHAT to think.

  5. How does the purchaser of an exploit... by John Hasler · · Score: 4, Interesting

    ...know that it has not also been sold to someone else? And who brokers these deals? I can't imagine the parties trusting each other.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.

  6. Be careful. by John Hasler · · Score: 3, Interesting

    > Besides companies potentially paying better, there's the added bonus of not
    > having to do something illegal, harmful and immoral...

    Be careful. If the company learns your identity during negotiations they might have you arrested for extortion.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.

    1. Re:Be careful. by SeePage87 · · Score: 3, Insightful

      Maybe. The interesting thing is that the exploit is both the attack and also what is needed to fix it. There's a credible threat that others may use the same exploit, not just the one who found it. A company who did this openly, whose founding documents declare they only sell software vulnerability information with the software's creator, whose NDAs included clauses that they will never share this information with others in perpetuity regardless of the potential client's decision on whether to buy the information... I think they could develop a defensible case and eventually a trusted brand image. Just because a company sells fire insurance doesn't mean they're really threatening to commit arson.