Slashdot Mirror
Cornering the Market On Zero-Day Exploits
Nicola Hahn (1482985) writes Kim Zetter of Wired Magazine has recently covered Dan Greer's keynote speech at Black Hat USA. In his lengthy address Greer, representing the CIA's venture funding arm, suggested that one way that the United States government could improve cyber security would be to use its unparalleled budget to buy up all the underground's zero-day vulnerabilities.
While this would no doubt make zero-day vendors like VUPEN and middlemen like the Grugq very wealthy, is this strategy really a good idea? Can the public really trust the NSA to do the right thing with all those zero-day exploits? Furthermore, recall the financial meltdown of 2008 where the public paid the bill for Wall Street's greed. If the government pays for information on all these unpatched bugs would society simply be socializing the cost of hi-tech's sloppy engineering? Whose interests does this "corner-the-market" approach actually serve?
While this would no doubt make zero-day vendors like VUPEN and middlemen like the Grugq very wealthy, is this strategy really a good idea? Can the public really trust the NSA to do the right thing with all those zero-day exploits? Furthermore, recall the financial meltdown of 2008 where the public paid the bill for Wall Street's greed. If the government pays for information on all these unpatched bugs would society simply be socializing the cost of hi-tech's sloppy engineering? Whose interests does this "corner-the-market" approach actually serve?
The answer is NO,
If you don't know the question, it was, "Can the public really trust the NSA to do the right thing with all those zero-day exploits?"
That's not speculation, that's based on what they are already known to have done with exploits they've discovered or otherwise obtained already.
This doesn't improve cyber security, it just guarantees the CIA et al have access to everything on the planet.
This enhances their job security, and extends their ways and means ... but in no way does it make anybody else more secure.
The venture funding arm of the CIA presenting at a black hat conference ... capitalism has truly met the surveillance state, and it isn't going to end well.
Lost at C:>. Found at C.
This is a typical great government idea. The really great thing about the idea is that once you deal with a zero-day vendor and buy a vulnerability, giving them a lot of money in the process, you can rest assured that they would never sell the same vulnerability to anyone else. 'cause that would be wrong.
I'm an American. I love this country and the freedoms that we used to have.
The zero-day bugs are bugs, while we know bugs are inevitable (nobody is perfect), it does not mean that we should just throw up our hands and say "Oh, there is nothing we can do"
We can !
We can do something at the source level - at the very least we should be able to, after so many years of programming culture, to inculcate the correct way to future crops of programmer so that they produce stuffs that contain less bugs
Some of those bugs were actually added when the original program gone through an update, with extra bells and whistles - and if we can stick to the original Unix principle, in which, one utility does one thing, and one thing only, and does it very efficiently, the chances of "introducing added bugs" would be drastically lessen
Muchas Gracias, Señor Edward Snowden !
1. Exploit sellers will turn around and secretly sell the same goods to other parties regardless of any agreement they signed with the US government.
2. This will inflate the sale price and create perverse incentives to inject defects to "discover" and sell them later.
3. The government is really bad at pretty much everything it does. Some of it is necessary stuff so we tolerate it, but c'mon, this isn't!
4. Everybody is mad at the NSA for its misbehavior and spying on Americans/the world right now -- is this really the best time to remind people that the US government wants to collect tools to hack everybody?