Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Site Aims To Be iTunes For Exploits

Posted by Soulskill on from the bet-they-won't-cost-99-cents dept.

Trailrunner7 writes "It's been tried before, but NSS Labs founder Rick Moy says his company's new Exploit Hub — a store front for exploit code — can work. In an interview, he explains why the current market for exploits doesn't work for the good guys, and why zero-day exploits don't help anyone. Above-board markets for software vulnerabilities have been around for close to a decade, but previous efforts to market exploits have had mixed results. The business of selling exploits versus vulnerabilities is fraught with danger, and organizations like WabiSabiLabi have operated eBay-style marketplaces for zero-day exploits for years, but haven't seen exploit writers beating a path to their door. The need for an above-board marketplace that can compete with the black market surely exists, but getting it to work is another matter entirely."

55 comments

  1. Moy didn't say "iTunes" by BadAnalogyGuy · · Score: 5, Informative

    He compared his company to "Craigslist", not "iTunes".

    I'm not sure that's the image you'd want to project for your company, but I'm not that guy.

    1. Re:Moy didn't say "iTunes" by spamking · · Score: 0, Offtopic

      So you're not all for the get a free hooker with your exploit ad?

    2. Re:Moy didn't say "iTunes" by chrisj_0 · · Score: 1

      He did reference AppStore in TFA

    3. Re:Moy didn't say "iTunes" by putch · · Score: 2, Informative

      There ain't no such thing as a free hooker

      --
      just because I don't care doesn't mean I don't understand!
    4. Re:Moy didn't say "iTunes" by Dishevel · · Score: 0, Redundant

      I can not tell. Is it worse if you are a GNAA dumbass or if you are so needy that you have to take credit for modding a post?

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    5. Re:Moy didn't say "iTunes" by spamking · · Score: 1

      Now that you mention it I guess that's true . . .

    6. Re:Moy didn't say "iTunes" by c6gunner · · Score: 1

      TANSTAAFH?

      I dunno, it just doesn't have the same ring to it ...

    7. Re:Moy didn't say "iTunes" by Anonymous Coward · · Score: 1, Funny

      If you have to bring rings into the discussion, it's not a hooker. Just sayin'...

    8. Re:Moy didn't say "iTunes" by Anonymous Coward · · Score: 0

      I think a better slogan would be "Who do you want to pwn today?"

  2. New Site Aims To Be iTunes For Exploits by Anonymous Coward · · Score: 0

    Does this mean they force you to install quicktime?

    Just say no.

    1. Re:New Site Aims To Be iTunes For Exploits by Anonymous Coward · · Score: 0

      Well, naturally... all the exploits run on QuickTime anyway.

      (And Flash, and Adobe Reader, and Windows Media Player... let’s not single any one out in particular, here...)

  3. What the hell by mrsteveman1 · · Score: 1

    An "above-board" market for exploits?

    Who exactly is planning on buying these things and NOT planning to do something illegal with them?

    1. Re:What the hell by mea37 · · Score: 4, Interesting

      RTFA. Or educate yourself generally on how the IT security industry operates. Either way works.

    2. Re:What the hell by clone53421 · · Score: 4, Interesting

      The people who wrote the software in the first place. They want to produce software that isn’t buggy and exploitable, and the only way to find exploitable bugs is to be actively looking for them and to be good at exploiting them.

      They need good software crackers (in both senses of the word: skilled and working for them) working on betas to find vulnerabilities in the software so that the vulnerabilities can be fixed before the alpha of the software is released.

      Note that it specifically says that they won’t be dealing with 0-day exploits (critical exploits in existing, already-released software products). They want to find these before they release, and to do that, they have to hire crackers.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    3. Re:What the hell by Anonymous Coward · · Score: 0

      People who want to develop protection against the exploits.

      Giving a financial incentive for exploit discoverers to reveal them to the good guys seems to be the whole point here - like a bug bounty.

    4. Re:What the hell by GameboyRMH · · Score: 0

      Companies who want to patch the holes in their software...but charging a company money for information you have on security holes in their software doesn't sound "above board" to me in the least.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    5. Re:What the hell by WCguru42 · · Score: 4, Insightful

      charging a company money for information you have on security holes in their software doesn't sound "above board" to me in the least.

      And not earning anything for your work does? If I help you fix your broken program I'm within my rights to ask for compensation. Now, threatening to release and abuse it if you don't pay isn't so ethical.

      --
      "Educate the mind but never at the expense of the soul."~Blessed Basil Moreau
    6. Re:What the hell by Lazareth · · Score: 1

      I can kind of see the justification. They're basically providing a service and charging a fee for it after the fact, a fee that you can even choose to ignore. "Hi, I made this suit specially tailored for you. If you don't want it, that's fine. If you want it, well here you go!"

      However it does lay a pressure on the buyer to buy it, since otherwise others can choose to buy it and exploit it without the programmers knowing exactly what the exploit entails. That's somewhat alike to extortion.

      I can see both sides of the coin, both as a genuine service and as extortion. Regardless of how you view it it's a business and the goal is money.

    7. Re:What the hell by Dishevel · · Score: 1

      How is that you get guys working on Beta software before the Alpha is released? :)

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    8. Re:What the hell by Dishevel · · Score: 2, Interesting
      No. If you say I have found an exploit for your software. If you want it it will cost you X. If not, have a nice day. I hope no one else can find the same type of exploit. There is nothing wrong with that.

      If on the other hand you you tell the company that wither they buy it or you will sell it to others then that is extortion and is illegal. You do one or the other. There is now other side to the coin.

      They are separate coins altogether.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    9. Re:What the hell by falsified · · Score: 1

      Really? Do you refuse to pay doctors and nurses, too?

      --
      HI, MY NAME IS ISAAC.
    10. Re:What the hell by clone53421 · · Score: 1

      Erm, yeah, I meant the release version.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    11. Re:What the hell by spamking · · Score: 1

      True, but the white hats gotta make their money some how.

    12. Re:What the hell by Dishevel · · Score: 1

      Just playing the /. game. :)

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    13. Re:What the hell by CannonballHead · · Score: 1

      So charging companies for security exploits found with your own labor is ok with Slashdot. Charging money for software you created 'with your own labor' is generally bad.

      It seems that some ideals in the OSS community tend to be a bit conflicting/self-contradictory.

      (note: I don't know what you personally think, I'm just using your post as a springboard :) )

    14. Re:What the hell by GameboyRMH · · Score: 2, Interesting

      Here's how I see it, it's like inspecting a dam (on your own time) and finding a crack. Now you could charge the dam company (haha) for the information you found - even though they didn't ask for it. If they were nice, fair people and you ask a fair price, they'd pay you, but they may decide not to (or you could be an asshole and ask way too much), they may say go screw yourself and not fix the crack. What then? Now you can either:

      1. Give up the information anyways - the dam company will never pay you for any information in the future, and neither will anyone else who hears about it.

      2. Sit on the information that threatens the people of Floodplain Valley until the dam company pays (if ever). Maybe it's just me but I would find this very wrong.

      3. Release the information to the public and hope the dam engineers get to the crack before Snidely Whiplash.

      Now you are left with a bunch of bad options, all of which have put innocent third parties at more risk than if you'd given up the information freely.

      This is why I say that if you find an exploit on your own time in someone's software, you should give them the information for free. If you have a problem with this, then either stop spending your time looking for the exploits (can't blame you, you're not getting paid and if you feel you must get paid for doing it, you obviously don't do it for fun) or drop the pretense of morality and become a black hat.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    15. Re:What the hell by c6gunner · · Score: 1

      That's kinda dumb.

      For one thing, options 1 is no worse than if you had just given up the info in the first place, for free, and option 3 is only slightly worse in the short term and possibly better in the long term (it might teach them to pay up next time).

      For another, you're ignoring the 4th option: tell everyone who will listen that you've found a crack in the dam, and would LOVE to show the dam engineers how to fix the dam thing, only they won't give you the dam money that you worked dam hard for. Public pressure and negative publicity ought to get them to cough up the dough.

    16. Re:What the hell by Anonymous Coward · · Score: 0

      So, what about consultation and inspection contractors? Why should their businesses exist? They're hired to find/solve problems in services or structures. Should 'Dam Inpectors Ltd' exist or should they do the work for free? If the Ltd. exists, do they now have a moral obligation, by the fact of their existence, to find and point out flaws in dams or are they morally sound by asking dam builders to hire them to find problems?

            Now, the model of going to a dam without a contract, finding flaws, then approaching the builder asking for money is more slippery, but I don't think it is as bad as it seems. The headlines if the dam broke in the meantime would be something like, "Person knew about flaw, didn't report it because he wanted money! Evil!" However, it could also read, "Dam contractor that specialized in inspections existed within 50 miles of the dam, but didn't do free inspections that could have saved lives!".

            I guess if these exploit companies simply only 'strongly implied' to the software producers that their services could be useful without actually admitting they found anything, it would be more like an inspection contractor and not as morally grey..

    17. Re:What the hell by GameboyRMH · · Score: 1

      So, what about consultation and inspection contractors? Why should their businesses exist? They're hired to find/solve problems in services or structures. Should 'Dam Inpectors Ltd' exist or should they do the work for free? If the Ltd. exists, do they now have a moral obligation, by the fact of their existence, to find and point out flaws in dams or are they morally sound by asking dam builders to hire them to find problems?

      Yes they should exist. Dam Inspectors Ltd would have no moral obligation by the fact that they exist to perform inspections, and I would see no problem with them asking the dam builders to hire them to find problems.

      Now, the model of going to a dam without a contract, finding flaws, then approaching the builder asking for money is more slippery, but I don't think it is as bad as it seems. The headlines if the dam broke in the meantime would be something like, "Person knew about flaw, didn't report it because he wanted money! Evil!" However, it could also read, "Dam contractor that specialized in inspections existed within 50 miles of the dam, but didn't do free inspections that could have saved lives!"

      Why should the inspection company be obligated in any way to do free inspections? It's up to the dam company to take the initiative to get their work checked - it would be their fault for not doing this, nobody else's in any way.

      I guess if these exploit companies simply only 'strongly implied' to the software producers that their services could be useful without actually admitting they found anything, it would be more like an inspection contractor and not as morally grey..

      That would be a little better than scaring the company into paying for an exploit you found on your own free will in your own time.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    18. Re:What the hell by GameboyRMH · · Score: 1

      I dunno your option 3 and 4 both sound rather extortion-ey...

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    19. Re:What the hell by stephanruby · · Score: 4, Informative

      Charging money for software you created 'with your own labor' is generally bad.

      No. Open source doesn't mean free. It never did. RMS, the GPL, they all say that you can charge for your work. Do I really need to find the citation for this? Or are you just pulling my leg?

    20. Re:What the hell by c6gunner · · Score: 1

      If I tell you that the brakes on your car are failing and it'll cost $300 to replace them, and you refuse to get the work done .... is it extortion when I go and tell other people that you're an idiot who is not only risking his own life, but also endangering others?

      I know it's not a perfect analogy, but I really don't see why you'd consider one scenario to be extortion, and not the other.

    21. Re:What the hell by GameboyRMH · · Score: 1

      The problem is that it's not like saying that the brakes on the car are failing and it'll cost $300 to replace them, it's like saying that something is wrong with your car and it'll cost $300 to tell you what it is and get it fixed.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    22. Re:What the hell by Anonymous Coward · · Score: 0

      2. Sit on the information that threatens the people of Floodplain Valley until the dam company pays (if ever). Maybe it's just me but I would find this very wrong.

      That's the same situation they'd be in if you hadn't gone digging for exploits.

    23. Re:What the hell by Anonymous Coward · · Score: 0

      The situation with dams is different. If the dam fails, the company that built it is probably liable. If people use exploits in Flash to hack your computer, Adobe couldn't care less. Companies need to be more responsible about the security of the software they release. Either hire full-time security professionals or pay people for exploits.

    24. Re:What the hell by c6gunner · · Score: 2, Interesting

      *shrug* I would have no problem with that. I don't see why you should get a free diagnostic out of the deal. Hell, unless you have your own ODBC reader, most mechanics will charge you $50 just for a basic readout. I bought the code reader because it pays for itself in the long run, but I see nothing wrong with mechanics wanting to get paid for the work they do.

    25. Re:What the hell by tomhudson · · Score: 1
      Nonsense. It's ethically the same as paying a blackmailer.

      Oh, right - silly me, ethics no longer has anything to do with business decisions.

      -- Barbie

    26. Re:What the hell by Draek · · Score: 1

      You're forgetting that the "innocent third parties" aren't at risk from the information on the crack but rather from the crack itself being there in the first place, and you not knowing about it won't make the crack on the dam magically dissapear.

      --
      No problem is insoluble in all conceivable circumstances.
    27. Re:What the hell by clone53421 · · Score: 1

      Well... that depends on what the guy who found the exploitable bug is planning on doing with it if you don’t buy it...

      (and if he’s threatening to sell it to highest bidder if you won’t buy it, that is blackmail/extortion, and quite illegal)

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    28. Re:What the hell by Anonymous Coward · · Score: 0

      Not quite - its ethically the same as paying an advisor to warn of you things that may lead to you getting blackmailed (or exploited). You still have to pay out to someone, but you don't have to suffer the other consequences i.e. embarrassment etc. It's all pretty standard in politics etc.

  4. MetaSploit Framework anyone? by Anonymous Coward · · Score: 1, Interesting

    I'm not all that familiar with the MetaSploit Framework (which has been bought out) but don't things like this already exist...except they're...you know...free!

    1. Re:MetaSploit Framework anyone? by Sarten-X · · Score: 1

      And that's the problem. If an unscrupulous hacker finds a 0-day exploit, are they really more likely to give it away for free than to sell it to the highest bidder?

      Similarly, even knowing that companies are willing to pay (rather than sue/prosecute/harass/whatever) may lead to more exploration of vulnerabilities, and that means more secure programs overall.

      Sure, I'd love to see more hackers meeting the minimum ethical requirements to follow responsible disclosure, but there's still a black market for exploits, and legitimizing it may be the best way to kick the various criminals out of the game.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    2. Re:MetaSploit Framework anyone? by jandrese · · Score: 1

      As I understand it, organized crime is willing to pay for exploits because they don't have direct access to real hackers but still want to set up bot nets for various purposes. If someone is willing to pay for something you made (well discovered), then why give it away for free? Especially if you're some anonymous teenager still living at home.

      --

      I read the internet for the articles.
    3. Re:MetaSploit Framework anyone? by munky99999 · · Score: 1

      The problem is that there are so many companies who sue/prosecute/harass/discredit and with law as it is... a hacker is liable to lose their life to such things. Not literally but going to jail or having lost your job and all your money to protect yourself from a large corporation with bored lawyers/PR on staff is awful. In addition many companies dont offer $$$ for exploits; they expect to get them for free. Sooooo many factors all forcing hackers to go to the black market.

  5. Ebay for exploits by munky99999 · · Score: 2, Interesting

    We need an auction site where vendors, bad guys, and good guys all bid on 0days.

  6. "iTunes for exploits" doesn't sound illegal by Sloppy · · Score: 1

    (I didn't RTFA, but in this case, that probably helped.) I interpret "iTunes for exploits" as meaning that you go to the trouble to load up your computer with exploits, then you do a sync, and suddenly all of the exploits which you had loaded, but which didn't come from their "iTunes for exploits" are inexplicably missing. So as long as you install this "iTunes for exploits" software but don't ever use it for installing your malware, then occasional syncs can function as malware disinfectant. That doesn't sound illegal; it sounds like the natural progression of AV software.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  7. Re-packaging what is already free by checkitout · · Score: 1

    I'm sure most of this will come from metasploit, packetstorm, and exploit-db. Directly selling exploits is shady, no matter what company is backing it.

  8. Bad Analogy by GameboyRMH · · Score: 1

    Really, really awful analogy. I've already explained my viewpoint here:

    http://slashdot.org/comments.pl?sid=1822976&cid=33911372

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  9. An economics analysis by Anonymous Coward · · Score: 0

    Exploits have value on the 'black' market: they can be used to steal information or to redirect computer resources for the exploiters ends. Both information and captive computer resources are fungible; there are active markets for them.

    In the hands of a cracker, an exploit can be used over and over to create value (illegally, immorally, unethically, etc, but so what.) It is a capital investment that can continue to pay dividends and has a long expected life span.

    The value that is taken is spread out over diffuse and disorganized individuals.

    Even better for the exploit writer, the exploit is a product that can be sold to many crackers at zero marginal cost. So the 'black' market for exploits has a large payoff for the exploit writer: the total value of the exploit is: what can be stolen X how often it can be reused X how many times it can be reused X the number of people who can use it

    Now the legal market:
    The exploit writer sells the exploit once, then it disappears. Potential buyers in this market are not the same people who are threatened directly by the exploit; instead, they are usually the creators of the exploited product. They have less to lose than the potential victims do, which is the same as saying that they have less to gain in preventing the exploit than the numerous crackers do in using it.

    This is why the legal market does not work: the exploit writer is being asked to sell the exploit for less than its value elsewhere, and therefore is losing money.

    The probability of being caught on the cross-border Internet ase pretty low, so its a good bet to try and profit from an illegal exploit.

    So:
    If you are willing to pay less than the total value of the exploit as a criminal tool, no one will sell it to you
    If you are willing to pay the exact value, you can buy it, but you have created no value; you have only shifted wealth from your pocket to those of the potential victims.
    If you are willing to pay more, you will get even more exploits created by raising the value of all exploits

    Good luck with that.

  10. iTunes for exploits? by slapout · · Score: 3, Funny

    So you're going to start out selling exploits for 99 cents? And then create a(n expensive) portable device that people can buy to run your exploits on? And then become the market leader? And then introduce new models of your hardware? And then create an "exploit" store sdk so people can sell there own exploits? And them submit to exploit creators demands that the price be raised to $1.29? And then remove color from the user interface?
     

    --
    Coder's Stone: The programming language quick ref for iPad
  11. Not a bad idea at all by ladadadada · · Score: 1

    Seems like a nice easy way to make a bit of cash in your spare time without any particularly rare skills needed. Just find a vulnerability from CVE that doesn't have a corresponding Metasploit module, write a Metasploit module and put it up in Exploit Hub.

    Since it's not a 0-day, there's nothing to be gained by getting an exclusive purchase so the prices will be reasonable. There's less risk of being sued too because it's not a 0-day; just a bit of code that you can use to test for an already disclosed vulnerability.

    • The company who wrote the vulnerable software will want it to put into their QA cycle to guard against regressions.
    • Anyone who writes penetration testing software will want it to integrate into their product... unless the price is higher than just having their own coders do it.
    • Penetration testers will want it in their arsenal to make sure they get the maximum coverage possible.

    The "bad guys" probably won't want it. It's already known and getting patched and they'll have to rewrite it anyway because it will have an easily identifiable signature as it comes from Exploit Hub.

    There will still be a market for 0-day exploits, but as the article mentions, it's a finicky market. Setting up a market for turning disclosed vulnerabilities into Metasploit modules is smart.

    --
    Sig matters not. Judge me by my sig, do you?
  12. iTunes for exploits by allo · · Score: 0

    bloated and unstable exploits?