Slashdot Mirror


Cornering the Market On Zero-Day Exploits

Nicola Hahn (1482985) writes: Kim Zetter of Wired Magazine has recently covered Dan Geer's keynote speech at Black Hat USA. In his lengthy address Geer, representing the CIA's venture funding arm, suggested that one way the United States government could improve cyber security would be to use its unparalleled budget to buy up all of the underground's zero-day vulnerabilities.

While this would no doubt make zero-day vendors like VUPEN and middlemen like the Grugq very wealthy, is this strategy really a good idea? Can the public really trust the NSA to do the right thing with all those zero-day exploits? Furthermore, recall the financial meltdown of 2008 where the public paid the bill for Wall Street's greed. If the government pays for information on all these unpatched bugs would society simply be socializing the cost of hi-tech's sloppy engineering? Whose interests does this "corner-the-market" approach actually serve?


  1. The answer is to lessen the bugs at the source by Taco+Cowboy · Score: 4, Interesting

    Zero-day bugs are bugs. While we know bugs are inevitable (nobody is perfect), that does not mean we should just throw up our hands and say "Oh, there is nothing we can do".

    We can!

    We can do something at the source level - at the very least we should be able, after so many years of programming culture, to inculcate the correct way into future crops of programmers so that they produce stuff that contains fewer bugs.

    Some of those bugs were actually added when the original program went through an update, with extra bells and whistles - and if we can stick to the original Unix principle, in which one utility does one thing, and one thing only, and does it very efficiently, the chances of "introducing added bugs" would be drastically lessened.

    --
    Muchas Gracias, Señor Edward Snowden!