Slashdot Mirror


Cornering the Market On Zero-Day Exploits

Nicola Hahn (1482985) writes Kim Zetter of Wired Magazine has recently covered Dan Greer's keynote speech at Black Hat USA. In his lengthy address Greer, representing the CIA's venture funding arm, suggested that one way that the United States government could improve cyber security would be to use its unparalleled budget to buy up all the underground's zero-day vulnerabilities.

While this would no doubt make zero-day vendors like VUPEN and middlemen like the Grugq very wealthy, is this strategy really a good idea? Can the public really trust the NSA to do the right thing with all those zero-day exploits? Furthermore, recall the financial meltdown of 2008 where the public paid the bill for Wall Street's greed. If the government pays for information on all these unpatched bugs would society simply be socializing the cost of hi-tech's sloppy engineering? Whose interests does this "corner-the-market" approach actually serve?

13 of 118 comments

  1. Really? by meerling · · Score: 5, Insightful

    The answer is NO,
    If you don't know the question, it was, "Can the public really trust the NSA to do the right thing with all those zero-day exploits?"

    That's not speculation, that's based on what they are already known to have done with exploits they've discovered or otherwise obtained already.

    1. Re:Really? by Mr+D+from+63 · · Score: 3, Insightful

      The government would get screwed in the deal. The most effective exploits would somehow be left out of the deal.

    2. Re:Really? by mi · · Score: 4, Insightful

      The government would get screwed in the deal. The most effective exploits would somehow be left out of the deal.

      Worse. The proposed program would encourage the software vendors to deliberately place bugs into their code — so as to sell them to government later. It would not even be illegal for them to do so, it seems, not under the current laws.

      --
      In Soviet Washington the swamp drains you.
    3. Re:Really? by GuB-42 · · Score: 3, Insightful

      What's the difference between the NSA having 10 ways to hack into your computer vs. having 100 ways?
      The NSA can do whatever it wants in both cases. Except in the second case, there'll be fewer exploits available to the much more dangerous blackhats.

      Why are blackhats more dangerous? Because the NSA will "just" invade your privacy. Blackhats will steal your identity, ransom your hard drive, use your computer as a spambot and turn over your private data to anyone with money (this includes the NSA).

  2. *cough* BULLSHIT *cough* by gstoddart · · Score: 4, Insightful

    Greer, representing the CIA's venture funding arm, suggested that one way that the United States government could improve cyber security would be to use its unparalleled budget to buy up all the underground's zero-day vulnerabilities

    This doesn't improve cyber security, it just guarantees the CIA et al have access to everything on the planet.

    This enhances their job security, and extends their ways and means ... but in no way does it make anybody else more secure.

    The venture funding arm of the CIA presenting at a black hat conference ... capitalism has truly met the surveillance state, and it isn't going to end well.

    --
    Lost at C:>. Found at C.
  3. Typical great government idea by frovingslosh · · Score: 4, Insightful

    This is a typical great government idea. The really great thing about the idea is that once you deal with a zero-day vendor and buy a vulnerability, giving them a lot of money in the process, you can rest assured that they would never sell the same vulnerability to anyone else. 'cause that would be wrong.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  4. The answer is to lessen the bugs at the source by Taco+Cowboy · · Score: 4, Interesting

    Zero-day bugs are bugs. While we know bugs are inevitable (nobody is perfect), that does not mean we should just throw up our hands and say "Oh, there is nothing we can do."

    We can!

    We can do something at the source level - at the very least we should be able, after so many years of programming culture, to inculcate the correct way into future crops of programmers so that they produce stuff that contains fewer bugs.

    Some of those bugs were actually added when the original program went through an update, with extra bells and whistles - and if we can stick to the original Unix principle, in which one utility does one thing, and one thing only, and does it very efficiently, the chances of "introducing added bugs" would be drastically lessened.

    --
    Muchas Gracias, Señor Edward Snowden !
  5. More money just increases the price by petes_PoV · · Score: 3, Interesting

    If a new buyer comes into the market - a buyer with lots of money - then all that happens is that the price goes up. It's simple economics and we see this happening in every market: from commodities to TV programmes.

    If the price becomes high enough, new exploiters will enter the market and start discovering exploits, in competition with the original suppliers. Then the NSA would have to start dealing with those guys, too. And so the circle would keep going round: more money, new exploit finders, asking higher prices.

    If the NSA wants to improve security, they would set up their own zero-day exploiters to not only find, but fix security holes and then issue those fixes for free (or use the exploits to force fixes on the exploited software). They might also ask for new laws that would require software vendors to pay them for fixing these problems. However, it's by no means certain that this would be their intention. They may simply be collecting hacks for their own nefarious purposes.

    After all, we haven't seen a government agency buying up all the drugs, in order to stop them being supplied to the population - so why would they use that tactic here?

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    1. Re:More money just increases the price by Geoffrey.landis · · Score: 3, Interesting

      If a new buyer comes into the market - a buyer with lots of money, then all that happens is that the price goes up. It's simple economics

      Well, yes, but that's exactly what was desired:
      You want the price to go up, so that it's more valuable to disclose the bug than it is for some thief to exploit it.

      If the price becomes high enough, new exploiters will enter the market and start discovering exploits

      Exactly. You mine out the easy-to-find exploits until they are depleted, and start in on the harder-to-find bugs, so that you get to the point where amateur hackers simply aren't sophisticated enough to find them.

      ... After all, we haven't seen a government agency buying up all the drugs, in order to stop them being supplied to the population

      Well, of course you can always manufacture more drugs; you don't "find" them. They don't get harder to make as the market increases.

      If the objection here is "software companies will start deliberately introducing vulnerabilities, so that they can make money by selling the vulnerabilities to the government"-- yes, that might be an objection.

      --
      http://www.geoffreylandis.com
  6. So many problems by sideslash · · Score: 4, Insightful

    1. Exploit sellers will turn around and secretly sell the same goods to other parties regardless of any agreement they signed with the US government.

    2. This will inflate the sale price and create perverse incentives to inject defects to "discover" and sell them later.

    3. The government is really bad at pretty much everything it does. Some of it is necessary stuff so we tolerate it, but c'mon, this isn't!

    4. Everybody is mad at the NSA for its misbehavior and spying on Americans/the world right now -- is this really the best time to remind people that the US government wants to collect tools to hack everybody?

  7. Re:They'll do the right thing by mr_mischief · · Score: 3, Insightful

    Nah. The CIA spies overseas. The FBI spies domestically. The NSA does both. Then they all hand their analyses to DHS overlords to put us on watch lists for further Fourth Amendment violations with no actual evidence of anything.

  8. ? Plenty of competition when I looked by raymorris · · Score: 3, Interesting

    > can't help but think "bug bounties" aren't proper capitalism since there's little competition.

    I'm not sure quite what you mean here. Just the other day I looked over a list of bug bounty programs to see if it might make sense for me to analyze some of the software specifically for the purpose of collecting bounties. There were quite a few companies offering bounties, competing for my services analyzing their software. Based on what I saw, there is a reasonable amount of competition on that side, many buyers of bugs.

    One company I saw that has a bug bounty program sells software that I use on a daily basis and occasionally debug. I've sent them patches and suggestions before, outside of any bug-bounty program. Looking at the rewards offered, it seemed to me that it _might_ make sense for me to analyze certain software for security bugs. The price offered, based on the number of other programmers competing for the money, seemed just about right, maybe slightly low. On the other hand, the rewards are enough that it DEFINITELY makes sense for me to spend the time and hassle reporting bugs that I happen to notice while I'm using and configuring the software. So based on what I saw, there is enough competition on both sides to have prices tend toward reasonable numbers.

    I noticed that a lot of companies don't have bug-bounty programs yet, though many do. It reminds me of 15 years ago when a lot of sites had referral programs, but most did not. That changed when third parties including CCBill made it easy to add a referral program. I suspect many more companies will add bug-bounty programs when they don't have to develop and manage the system themselves. If they can just buy or subscribe to an easy-to-use software package for running it, and maybe let the third party vendor handle payments, it will become much more common.

  9. "Once you pay the Dane-geld, you never get rid ... by davidwr · · Score: 3, Interesting

    ... of the Dane." -Rudyard Kipling

    Rudyard Kipling, Dane-Geld, A.D. 980-1016

    It is always a temptation to an armed and agile nation
        To call upon a neighbour and to say: --
    "We invaded you last night--we are quite prepared to fight,
        Unless you pay us cash to go away."

    And that is called asking for Dane-geld,
        And the people who ask it explain
    That you've only to pay 'em the Dane-geld
        And then you'll get rid of the Dane!

    It is always a temptation for a rich and lazy nation,
        To puff and look important and to say: --
    "Though we know we should defeat you, we have not the time to meet you.
        We will therefore pay you cash to go away."

    And that is called paying the Dane-geld;
        But we've proved it again and again,
    That if once you have paid him the Dane-geld
        You never get rid of the Dane.

    It is wrong to put temptation in the path of any nation,
        For fear they should succumb and go astray;
    So when you are requested to pay up or be molested,
        You will find it better policy to say: --

    "We never pay any-one Dane-geld,
        No matter how trifling the cost;
    For the end of that game is oppression and shame,
        And the nation that pays it is lost!"

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.