Slashdot Mirror


Cornering the Market On Zero-Day Exploits

Nicola Hahn (1482985) writes: Kim Zetter of Wired Magazine has recently covered Dan Greer's keynote speech at Black Hat USA. In his lengthy address Greer, representing the CIA's venture funding arm, suggested that one way that the United States government could improve cyber security would be to use its unparalleled budget to buy up all the underground's zero-day vulnerabilities.

While this would no doubt make zero-day vendors like VUPEN and middlemen like the Grugq very wealthy, is this strategy really a good idea? Can the public really trust the NSA to do the right thing with all those zero-day exploits? Furthermore, recall the financial meltdown of 2008 where the public paid the bill for Wall Street's greed. If the government pays for information on all these unpatched bugs would society simply be socializing the cost of hi-tech's sloppy engineering? Whose interests does this "corner-the-market" approach actually serve?

21 of 118 comments

  1. Really? by meerling · · Score: 5, Insightful

    The answer is NO,
    If you don't know the question, it was, "Can the public really trust the NSA to do the right thing with all those zero-day exploits?"

    That's not speculation, that's based on what they are already known to have done with exploits they've discovered or otherwise obtained already.

    1. Re:Really? by Mr D from 63 · · Score: 3, Insightful

      The government would get screwed in the deal. The most effective exploits would somehow be left out of the deal.

    2. Re:Really? by jellomizer · · Score: 2

      Can you trust anyone with a zero-day exploit?

      If you just tell the company and not anyone else, chances are they will thank you, or arrest you, then not put the time or money into fixing the problem.

      If you tell the public, or any other group, they will be some bad apples who will use the information for their own misdeeds.

      If you tell the government, they will use it to their advantage as well.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:Really? by mi · · Score: 4, Insightful

      The government would get screwed in the deal. The most effective exploits would somehow be left out of the deal.

      Worse. The proposed program would encourage the software vendors to deliberately place bugs into their code — so as to sell them to government later. It would not even be illegal for them to do so, it seems, not under the current laws.

      --
      In Soviet Washington the swamp drains you.
    4. Re:Really? by GuB-42 · · Score: 3, Insightful

      What's the difference between the NSA having 10 ways to hack into your computer vs having 100 ways?
      The NSA can do whatever it wants in both cases. Except in the second case, there'll be fewer exploits available to the much more dangerous blackhats.

      Why are blackhats more dangerous? Because the NSA will "just" invade your privacy. Blackhats will steal your identity, ransom your hard drive, use your computer as a spambot and turn over your private data to anyone with money (this includes the NSA).

  2. *cough* BULLSHIT *cough* by gstoddart · · Score: 4, Insightful

    Greer, representing the CIA's venture funding arm, suggested that one way that the United States government could improve cyber security would be to use its unparalleled budget to buy up all the underground's zero-day vulnerabilities

    This doesn't improve cyber security, it just guarantees the CIA et al have access to everything on the planet.

    This enhances their job security, and extends their ways and means ... but in no way does it make anybody else more secure.

    The venture funding arm of the CIA presenting at a black hat conference ... capitalism has truly met the surveillance state, and it isn't going to end well.

    --
    Lost at C:>. Found at C.
  3. Typical great government idea by frovingslosh · · Score: 4, Insightful

    This is a typical great government idea. The really great thing about the idea is that once you deal with a zero-day vendor and buy a vulnerability, giving them a lot of money in the process, you can rest assured that they would never sell the same vulnerability to anyone else. 'cause that would be wrong.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  4. The answer is to lessen the bugs at the source by Taco Cowboy · · Score: 4, Interesting

    The zero-day bugs are bugs. While we know bugs are inevitable (nobody is perfect), it does not mean that we should just throw up our hands and say "Oh, there is nothing we can do."

    We can!

    We can do something at the source level. At the very least we should be able, after so many years of programming culture, to inculcate the correct way into future crops of programmers so that they produce stuff that contains fewer bugs.

    Some of those bugs were actually added when the original program went through an update, with extra bells and whistles. If we can stick to the original Unix principle, in which one utility does one thing, and one thing only, and does it very efficiently, the chances of "introducing added bugs" would be drastically lessened.

    --
    Muchas Gracias, Señor Edward Snowden !
  5. More money just increases the price by petes_PoV · · Score: 3, Interesting
    If a new buyer comes into the market - a buyer with lots of money, then all that happens is that the price goes up. It's simple economics and we see this happening in every market: from commodities to TV programmes.

    If the price becomes high enough, new exploiters will enter the market and start discovering exploits, in competition with the original suppliers. Then the NSA would have to start dealing with those guys, too. And so the circle would keep going round: more money, new exploit finders, asking higher prices.

    If the NSA wants to improve security, they would set up their own zero-day exploiters to not only find, but to fix security holes and then issue those fixes for free (or use the exploits to force fixes on the exploited software). They might also ask for new laws that would require software vendors to pay them for fixing these problems. However, it's by no means certain that this would be their intention. They may simply be collecting hacks for their own nefarious purposes.

    After all, we haven't seen a government agency buying up all the drugs, in order to stop them being supplied to the population - so why would they use that tactic here?

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    1. Re:More money just increases the price by Geoffrey.landis · · Score: 3, Interesting

      If a new buyer comes into the market - a buyer with lots of money, then all that happens is that the price goes up. It's simple economics

      Well, yes, but that's exactly what was desired:
      You want the price to go up, so that it's more valuable to disclose the bug than it is for some thief to exploit it.

      If the price becomes high enough, new exploiters will enter the market and start discovering exploits

      Exactly. You mine out the easy-to-find exploits until they are depleted, and start in on the harder-to-find bugs, so that you get to the point where amateur hackers simply aren't sophisticated enough to find them.

      ... After all, we haven't seen a government agency buying up all the drugs, in order to stop them being supplied to the population

      Well, of course you can always manufacture more drugs; you don't "find" them. They don't get harder to make as the market increases.

      If the objection here is "software companies will start deliberately introducing vulnerabilities, so that they can make money by selling the vulnerabilities to the government"-- yes, that might be an objection.

      --
      http://www.geoffreylandis.com
  6. So many problems by sideslash · · Score: 4, Insightful

    1. Exploit sellers will turn around and secretly sell the same goods to other parties regardless of any agreement they signed with the US government.

    2. This will inflate the sale price and create perverse incentives to inject defects to "discover" and sell them later.

    3. The government is really bad at pretty much everything it does. Some of it is necessary stuff so we tolerate it, but c'mon, this isn't!

    4. Everybody is mad at the NSA for its misbehavior and spying on Americans/the world right now -- is this really the best time to remind people that the US government wants to collect tools to hack everybody?

  7. The NSA etc. already are buying exploits by sasparillascott · · Score: 2

    I think the point of the speaker was to create a silo-ed verifiable way to do this (so things couldn't be siphoned off to the NSA like they currently are, as those costs are a rounding error for the NSA). I like the idea if it's implemented properly; currently we have the NSA & foreign intelligence agencies being the big buyers, keepers and exploiters. JMHO...

  8. Re:They'll do the right thing by mr_mischief · · Score: 3, Insightful

    Nah. The CIA spies overseas. The FBI spies domestically. The NSA does both. Then they all hand their analyses to DHS overlords to put us on watch lists for further Fourth Amendment violations with no actual evidence of anything.

  9. NSA already buys everything ! by eulernet · · Score: 2

    One way that the United States government could improve cyber security would be to use its unparalleled budget to buy up all the underground's zero-day vulnerabilities.

    In my opinion, NSA already buys all existing exploits (as all other secret services), because these are military weapons for the Cyberwar.
    An expensive exploit is nothing for their budget.

    Why would they be required to share these exploits ?
    Any weapon that the enemy doesn't have is a strategic advantage !

  10. The Fundamental Flaw by Anonymous Coward · · Score: 2, Interesting

    The fundamental flaw with this idea is that it assumes there is a finite supply of these 0 day exploits. Even if you think that you can trust whoever we would be buying it from to not sell it to anyone else and that no one else would discover the same exploit, you still don't gain anything because you can never buy up all the exploits possible. Creating a stronger market for those exploits will just ensure that more people are looking for and finding them and you have to continue buying them or they'll hit the open market.

  11. ? Plenty of competition when I looked by raymorris · · Score: 3, Interesting

    > can't help but think "bug bounties" aren't proper capitalism since there's little competition.

    I'm not sure quite what you mean here. Just the other day I looked over a list of bug bounty programs to see if it might make sense for me to analyze some of the software specifically for the purpose of collecting bounties. There were quite a few companies offering bounties, competing for my services analyzing their software. Based on what I saw, there is a reasonable amount of competition on that side, many buyers of bugs.

    One company I saw that has a bug bounty program sells software that I use on a daily basis and occasionally debug. I've sent them patches and suggestions before, outside of any bug-bounty program. Looking at the rewards offered, it seemed to me that it _might_ make sense for me to analyze certain software for security bugs. The price offered, based on the number of other programmers competing for the money, seemed just about right, maybe slightly low. On the other hand, the rewards are enough that it DEFINITELY makes sense for me to spend the time and hassle reporting bugs that I happen to notice while I'm using and configuring the software. So based on what I saw, there is enough competition on both sides to have prices tend toward reasonable numbers.

    I noticed that a lot of companies don't have bug-bounty programs yet, though many do. It reminds me of 15 years ago when a lot of sites had referral programs, but most did not. That changed when third parties including CCBill made it easy to add a referral program. I suspect many more companies will add bug-bounty programs when they don't have to develop and manage the system themselves. If they can just buy or subscribe to an easy-to-use software package for running it, and maybe let the third party vendor handle payments, it will become much more common.

  12. "Once you pay the Dane-geld, you never get rid ... by davidwr · · Score: 3, Interesting

    ... of the Dane." -Rudyard Kipling

    Rudyard Kipling, Dane-Geld, A.D. 980-1016

    It is always a temptation to an armed and agile nation
        To call upon a neighbour and to say: --
    "We invaded you last night--we are quite prepared to fight,
        Unless you pay us cash to go away."

    And that is called asking for Dane-geld,
        And the people who ask it explain
    That you've only to pay 'em the Dane-geld
        And then you'll get rid of the Dane!

    It is always a temptation for a rich and lazy nation,
        To puff and look important and to say: --
    "Though we know we should defeat you, we have not the time to meet you.
        We will therefore pay you cash to go away."

    And that is called paying the Dane-geld;
        But we've proved it again and again,
    That if once you have paid him the Dane-geld
        You never get rid of the Dane.

    It is wrong to put temptation in the path of any nation,
        For fear they should succumb and go astray;
    So when you are requested to pay up or be molested,
        You will find it better policy to say: --

    "We never pay any-one Dane-geld,
        No matter how trifling the cost;
    For the end of that game is oppression and shame,
        And the nation that pays it is lost!"

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  13. Proven to not be trustworthy by mcrbids · · Score: 2

    We have a well-funded government agency, tasked with securing its country, actively sabotaging the security frameworks of the nation it has been tasked with protecting, in the name of "security". Never mind that any back door left open to the NSA is also left open to other parties (e.g. China). And now we're supposed to *trust* this agency with even more unfettered access to 0-day exploits?

    If the NSA was really about securing the United States, it would be auditing commercial security products to ensure the *lack* of back doors, not ensuring the presence of them!

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  14. Let's create bugs and get paid for fixing them by SBatman · · Score: 2

    Reminds me of this Dilbert: http://dilbert.com/strips/comi...

  15. HIS NAME IS "GEER" NOT "GREER" by Jeremiah Cornelius · · Score: 2

    He's wicked smart, and has blind spots the size of a subcontinent.

    One of which is this: He works for the Gestapo, and thinks they're the "good guys". Reminder to smart guys from the best Universities: The Secret Police are the problem, not a solution. If you want examples of where the CIA bought up all the issues and made them "assets", look at the Afghan Mujaheddin. The CIA equipped them with organizational database technology that quickly produced an "Al Qaeda" as one of its effects.

    Bruce Schneier could hand Geer his lunch on the sociological, political and life-quality implications of the proposal. Bruce also has +5 charisma, while Dan is lucky to register +1.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  16. How about instead by Anonymous Coward · · Score: 2, Insightful

    How about instead governments issuing fines to software companies for every security vulnerability found? Perhaps the fines might be calculated based on the number of copies of the software sold, with a set minimum amount. Fines could increase the longer the vulnerability remains unpatched. The revenue raised by these fines could then pay for more education and tools for ensuring better software security, and for security researchers.