Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cornering the Market On Zero-Day Exploits

Posted by Unknown on from the sell-out-or-get-the-hammer dept.

Nicola Hahn (1482985) writes Kim Zetter of Wired Magazine has recently covered Dan Greer's keynote speech at Black Hat USA. In his lengthy address Greer, representing the CIA's venture funding arm, suggested that one way that the United States government could improve cyber security would be to use its unparalleled budget to buy up all the underground's zero-day vulnerabilities.

While this would no doubt make zero-day vendors like VUPEN and middlemen like the Grugq very wealthy, is this strategy really a good idea? Can the public really trust the NSA to do the right thing with all those zero-day exploits? Furthermore, recall the financial meltdown of 2008 where the public paid the bill for Wall Street's greed. If the government pays for information on all these unpatched bugs would society simply be socializing the cost of hi-tech's sloppy engineering? Whose interests does this "corner-the-market" approach actually serve?

9 of 118 comments (clear)

  1. Really? by meerling · · Score: 5, Insightful

    The answer is NO,
    If you don't know the question, it was, "Can the public really trust the NSA to do the right thing with all those zero-day exploits?"

    That's not speculation, that's based on what they are already known to have done with exploits they've discovered or otherwise obtained already.

    1. Re:Really? by Mr+D+from+63 · · Score: 3, Insightful

      The government would get screwed in the deal. The most effective exploits would somehow be left out of the deal.

    2. Re:Really? by mi · · Score: 4, Insightful

      The government would get screwed in the deal. The most effective exploits would somehow be left out of the deal.

      Worse. The proposed program would encourage the software vendors to deliberately place bugs into their code — so as to sell them to government later. It would not even be illegal for them to do so, it seems, not under the current laws.

      --
      In Soviet Washington the swamp drains you.
    3. Re:Really? by GuB-42 · · Score: 3, Insightful

      What's the difference between the NSA having 10 ways to hack into your computer vs having 100 ways ?
      The NSA can do whatever it wants in both cases. Except in the second case, there'll be less exloits available to the much more dangerous blackhats.

      Why are blackhats more dangerous ? Because the NSA will "just" invade your privacy. Blackhats will steal your identity, ransom you hard drive, use your computer as a spambot and turn over your private data to anyone with money (this includes the NSA).

  2. *cough* BULLSHIT *cough* by gstoddart · · Score: 4, Insightful

    Greer, representing the CIA's venture funding arm, suggested that one way that the United States government could improve cyber security would be to use its unparalleled budget to buy up all the underground's zero-day vulnerabilities

    This doesn't improve cyber security, it just guarantees the CIA et al have access to everything on the planet.

    This enhances their job security, and extends their ways and means ... but in no way does it make anybody else more secure.

    The venture funding arm of the CIA presenting at a black hat conference ... capitalism has truly met the surveillance state, and it isn't going to end well.

    --
    Lost at C:>. Found at C.
  3. Typical great government idea by frovingslosh · · Score: 4, Insightful

    This is a typical great government idea. The really great thing about the idea is that once you deal with a zero-day vendor and buy a vulnerability, giving them a lot of money in the process, you can rest assured that they would never sell the same vulnerability to anyone else. 'cause that would be wrong.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  4. So many problems by sideslash · · Score: 4, Insightful

    1. Exploit sellers will turn around and secretly sell the same goods to other parties regardless of any agreement they signed with the US government.

    2. This will inflate the sale price and create perverse incentives to inject defects to "discover" and sell them later.

    3. The government is really bad at pretty much everything it does. Some of it is necessary stuff so we tolerate it, but c'mon, this isn't!

    4. Everybody is mad at the NSA for its misbehavior and spying on Americans/the world right now -- is this really the best time to remind people that the US government wants to collect tools to hack everybody?

  5. Re:They'll do the right thing by mr_mischief · · Score: 3, Insightful

    Nah. The CIA spies overseas. The FBI spies domestically. The NSA does both. Then they all hand their analyses to DHS overlords to put us on watch lists for further Fourth Amendment violations with no actual evidence of anything.

  6. How about instead by Anonymous Coward · · Score: 2, Insightful

    How about instead governments issuing fines to software companies for every security vulnerability found. Perhaps the fines might be calculated based on the amount of copies of the software sold with a set minimum amount. Fines could increase the longer the vulnerability remains unpatched. The revenue raised by these fines could then pay for more education and tools for ensuring better software security and security researchers.