Slashdot Mirror


Netragard Ends Exploit Acquisition Program After Hacking Team Breach

Trailrunner7 writes: After the fallout from the HackingTeam breach, Netragard, a company that buys and sells exploits, has decided to shut down its exploit acquisition program. Leaked documents show that Netragard was selling exploits to the Italian maker of intrusion and surveillance software. In addition, documents further showed that the company sold its products to a variety of oppressive regimes, including Egypt and Ethiopia. A company statement reads in part: "We’ve decided to terminate our Exploit Acquisition Program (again). Our motivation for termination revolves around ethics, politics, and our primary business focus. The HackingTeam breach proved that we could not sufficiently vet the ethics and intentions of new buyers. HackingTeam unbeknownst to us until after their breach was clearly selling their technology to questionable parties, including but not limited to parties known for human rights violations. While it is not a vendor's responsibility to control what a buyer does with the acquired product, HackingTeam’s exposed customer list is unacceptable to us. The ethics of that are appalling and we want nothing to do with it."

48 comments

  1. Motivation by Anonymous Coward · · Score: 1

    Our motivation for termination revolves around ethics, politics, and our primary business focus.

    My sides! My sides! Look out Major Tom!

    1. Re:Motivation by Anonymous Coward · · Score: 1

      More like "all the zero days we were selling, HackingTeam had bought and they got leaked. Now we might as well go out of business."

    2. Re:Motivation by arglebargle_xiv · · Score: 1

      Our motivation for termination revolves around ethics, politics, and our primary business focus.

      I am shocked, shocked to discover that our hacking exploits were being sold to totalitarian governments!

  2. NSA by hjf · · Score: 5, Insightful

    Translation: CIA and NSA are pressuring us for exclusivity.

    Seriously, who would believe a sleazy company that makes money off exploits is worried about "human rights violations".

    1. Re:NSA by Anonymous Coward · · Score: 1

      Well the old 'Dot refused to post my comment, so I'll just ramble it here. Agree 100%. Who the hell did this company think its end users were, security researchers?

      Exploits being sold are being sold for 1 single reason, to be used. Nice way to try to save face, but sorry, the intertubes never forget.

    2. Re:NSA by tomhath · · Score: 1

      Or any of dozens of other agencies all around the world who might have made them an offer they couldn't refuse. NSA probably has better stuff than this place anyway.

    3. Re:NSA by hjf · · Score: 1

      Sure, let the enemy get weapons. Ours are better anyway.

      LOL.

    4. Re:NSA by swillden · · Score: 1

      Translation: CIA and NSA are pressuring us for exclusivity.

      Seriously, who would believe a sleazy company that makes money off exploits is worried about "human rights violations".

      That's a bit too broad. Would a company that makes money by finding exploits and selling them to the makers of the relevant products (via Vulnerability Rewards Programs, or similar), also be sleazy and unworried about human rights violations? There are a lot of highly ethical researchers who make their livings in exactly this way.

      Note that I'm not claiming Netragard is among them.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:NSA by hjf · · Score: 1

      The "researchers" you mention are able to get into the cesspools of the internet as easily as this company does.

    6. Re:NSA by swillden · · Score: 1

      The "researchers" you mention are able to get into the cesspools of the internet as easily as this company does.

      Why would they risk that?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    7. Re:NSA by Anonymous Coward · · Score: 0

      Translation: CIA and NSA are pressuring us for exclusivity.

      Seriously, who would believe a sleazy company that makes money off exploits is worried about "human rights violations".

      They aren't. Read between the lines.

      "We’ve decided to terminate our Exploit Acquisition Program (again).

      Emphasis mine. This implies that they did this before, so it is a good assumption that they will probably restart the program once the current Hacking Team controversy dies down.

    8. Re:NSA by shaitand · · Score: 1

      Yes but rebel exploit sellers want rebels to buy exploits to use against oppressive regimes like... essentially everyone who used Hacking Team. Pretty much everyone on their client list qualifies as an oppressive regime. Including the government in control of the servers I'm posting on.

  3. Ethics shmetics by Anonymous Coward · · Score: 1

    They went in and full well knew or should have known what they got into. So no, I'm not buying this in the least. It just means they're spineless cowards.

    If they had any ethics, they either wouldn't have gotten into this obviously immoral or at least amoral game in the first place, or, going in knowing full well what they got into and why, they'd have the balls to see this through now. So I call them cowards. Spineless cowards. Contemptible wretches.

    Pretty much no better than the rest of the s'kiddie scum in computer "haxx0r" security land, but that doesn't make them any less abject.

    1. Re:Ethics shmetics by AqD · · Score: 1

      Why should they care? It's the same business as making weapons, things we do everyday.

    2. Re:Ethics shmetics by BVis · · Score: 1

      If they had any ethics, they either wouldn't have gotten into this obviously immoral or at least amoral game in the first place, or, going in knowing full well what they got into and why, they'd have the balls to see this through now. So I call them cowards. Spineless cowards. Contemptible wretches.

      It's ok, though. They made money.

      --
      Never underestimate the power of stupid people in large groups.
  4. How convincing! by Anonymous Coward · · Score: 2, Interesting

    So, these fine and respectable folks are shocked, shocked that dodgy reselling of exploits might be going on. Really. How utterly plausible.

    Unless you are selling to an end user who does their own development, what other possible outcome could you expect? They only want to purchase the exploit from you because they think that they can package it up and sell it on to enough of their own customers to come out in the black. That is a situation where all the incentives push toward transactions being largely secret and provide an incentive to try to be as 'flexible' as possible when screening potential purchasers. The only reasonable expectation is that the exploit you are quietly selling is going to end up in some potentially troubling places.

    1. Re:How convincing! by shaitand · · Score: 1

      There are different flavors of troubling. Many of the hacking groups out there are effectively digital rebel warriors trying to fight oppressive regimes like Egypt and the US. Their actions may be criminal and in some cases immoral but they are fighting greater evils perpetrated by the powers we've failed to resist by conventional means. That is civil disobedience. Perhaps they considered that getting tools to these elements was worth the risk of simple profiteers getting some exploits but did not consider that the regimes themselves might be getting the exploits.

  5. Re:Netragard is for cows. by Anonymous Coward · · Score: 0

    Just stop. You will never, ever, be a replacement for the Golden Girls cosmonaut.

  6. Meanwhile... by Anonymous Coward · · Score: 1

    Meanwhile, Intertrode (who just happens to have the same owners) have now covertly begun an open exploit acquisition program.

    1. Re:Meanwhile... by shaitand · · Score: 1

      They are probably actually working as a front for the western repressive regimes.

  7. Vendor's responsibility over buyer's actions by mi · · Score: 1

    While it is not a vendor's responsibility to control what a buyer does with the acquired product

    Anti 2nd-Amendment zealots would disagree.

    And, although the above lists mere tort-claims, there are movements afoot towards criminal liabilities for gun-sellers as well. For the Greater Good.

    --
    In Soviet Washington the swamp drains you.
    1. Re:Vendor's responsibility over buyer's actions by BVis · · Score: 1

      Dammit, /r/ammosexuals is leaking again.

      Go grind your axe somewhere else.

      --
      Never underestimate the power of stupid people in large groups.
    2. Re:Vendor's responsibility over buyer's actions by shaitand · · Score: 1

      Consider this: there would be no democracy in the world if the powers that be did not have to fear the mob, which is why we have a 2nd amendment. Now that every nation in the world including ours has disarmed the people to the point the powers that be no longer have to fear the mob... what happens to democracy and do you honestly think it hasn't happened already?

    3. Re:Vendor's responsibility over buyer's actions by BVis · · Score: 1

      Time to change the tinfoil in your hat, Sparky.

      --
      Never underestimate the power of stupid people in large groups.
  8. who again? by TheCarp · · Score: 2

    HackingTeam unbeknownst to us until after their breach was clearly selling their technology to questionable parties, including but not limited to parties known for human rights violations."

    So would that include the US government and its allies? The Washington gang certainly falls under "parties known for human rights violations" (including torture)

    --
    "I opened my eyes, and everything went dark again"
    1. Re:who again? by alvinrod · · Score: 2

      Almost certainly, though it would be rather stupid of them not to make the purchase through some kind of shell organization. The simple fact that a government agency is acquiring information about a specific exploit is itself valuable information. At the same time, you'd almost think that the government would try to do a lot of this work in-house.

    2. Re:who again? by Anonymous Coward · · Score: 0

      Torture like hooking up electrodes to belly muscles and making men experience the same pains as women do during childbirth. That's protected the Geneva Conventions or sometin isn't it?

    3. Re:who again? by bluefoxlucid · · Score: 1

      Honestly, this whole stance is stupid. You can't control that kind of information in any meaningful way. It's like deciding only the Shepherds of the Righteous will have weapons: you're just creating an imbalance.

      The more access dangerous criminals have to dangerous toys, the more society moves to control them. When society gives up hope on controlling their access to dangerous toys, it finds other ways to control criminals. In the most extreme, the criminals become so dangerous as to create a failing no-man's land; but they are still taken by infighting, until you have a small group of leaders controlling a large group of subjects. Essentially, the most-powerful group beats down the least-powerful for encroaching on their power; then everyone feels the sting of oppression, and, eventually, society rises up to crush them, learning (temporarily) from the experience to be more hostile to people who threaten society.

      People have this idea that they can keep dangerous hacking technology out of the hands of parties known for human rights violations. Strange that they don't take an aggressive stance against such parties; they simply want to protect themselves, without really removing that threat. It's as if they want to hide their heads down and go largely unnoticed, not drawing the attention, and not giving them any new toys to get their adrenaline rushing over the prospect of rushing into town guns blazing to show off what they've just acquired.

    4. Re:who again? by drinkypoo · · Score: 1

      At the same time, you'd almost think that the government would try to do a lot of this work in-house.

      As bad as the economy is, they're still having trouble attracting the kind of people who do this work. Their general hiring policies are a big part of the problem, obviously. A lot of the qualified candidates aren't interested in pissing in a cup, and wouldn't pass if they did.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:who again? by TheCarp · · Score: 1

      I was actually thinking the holding a cloth over a person's face and restraining him upside down while pouring water over the cloth, and hitting him in the diaphragm if he tries to not breathe.

      Nobody seems to want to take me up on my sincere offer to listen to their arguments about why it is certainly not torture, as long as they are willing to demonstrate by being waterboarded until I believe them.

      --
      "I opened my eyes, and everything went dark again"
    6. Re:who again? by shaitand · · Score: 1

      What on earth makes you think that Netragard and the same people's instant new exploit selling system to replace it after this announcement Intertrode aren't shell organizations for the western regimes?

    7. Re:who again? by shaitand · · Score: 1

      That's not torture it's just good fun.

    8. Re:who again? by TheCarp · · Score: 1

      So are you volunteering to explain then?

      Let me grab my bucket and we can get started. :)

      --
      "I opened my eyes, and everything went dark again"
  9. Re:Netragard is for cows. by Chris+Mattern · · Score: 1

    Why in the name of hell would we want a replacement for the Golden Girls cosmonaut, if it comes to that?

  10. Torn by Anonymous Coward · · Score: 0

    I'm a bit torn with this news

    On one hand it reduces innovative and creative ways to abuse bugs without letting the author know about it but on the other hand who will fund these poor megalomaniac power-crazy companies.

    Maybe I'll start a kickstarter campaign:
    Here's little 5 year old suzy. She's crying.
    Reporter: Why are you crying suzy?
    Suzy: Who's going to pay companies to be unethical now that it isn't popular?
    Reporter: Good question suzy! And now the weather forecast with Jim.

    (grin: this is going to get downvoted :)

  11. to whom? by DriveDog · · Score: 1

    "selling their technology to questionable parties" as if there were any other kind of customer paying for such.

  12. Hypocrisy in action by Virtucon · · Score: 5, Insightful

    Our motivation for termination revolves around ethics, politics, and our primary business focus. The HackingTeam breach proved that we could not sufficiently vet the ethics and intentions of new buyers. HackingTeam unbeknownst to us until after their breach was clearly selling their technology to questionable parties, including but not limited to parties known for human rights violations.

    So you were selling these hoping that it would save the whales or make the bunnies happy? You're selling vulnerabilities that you acquire. Specifically weapons and like all weapons, it's a commodity based business and you took the money. The remorse is a bit late and a bit shallow because a weapons manufacturer doesn't feign surprise when somebody gets killed with their product.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:Hypocrisy in action by Anonymous Coward · · Score: 0

      So you were selling these hoping that it would save the whales or make the bunnies happy?

      Don't make excuses for this company, everyone hates lagomorphs.

  13. Well, DUH! What did YOU think your customers do? by Opportunist · · Score: 3, Insightful

    What did you expect your customers to do with the knowledge about unpatched, unknown 0day exploits? Make a funny little collection to show around to their friends?

    "Hey, Fred, look what I got! It's a genuine 0day that MS doesn't know about yet. Ain't it cool? Huh? No, why would I use it?"

    Seriously, what did you expect?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  14. Re:Well, DUH! What did YOU think your customers do by Anonymous Coward · · Score: 0

    They expected customers to use the exploits to gather evidence as permitted by warrants, ultimately to lock up bad guys.

  15. Re:Well, DUH! What did YOU think your customers do by Opportunist · · Score: 1

    Of course. Sure. Absolutely.

    When you sell weapons, you accept that there is a pretty good chance that they will be used for something a normal person would consider "evil". Claiming it ain't so either means you're lying or that you should not do business. Like, ever. And hand your effects over to a custodian. Because you're very blatantly unfit to understand how the world works.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  16. I smell a conspiracy... by Anonymous Coward · · Score: 0

    Have you ever seen HackingTeam & Netragard in the same room, at the same time? No? Because they're the same person!

  17. Darkode arrests are surely the reason? by Anonymous Coward · · Score: 0

    Surely the reason they are stopping the program is because Darkode forum was raided and the administrators arrested, the forum for buying and selling exploits some of which may be used for illegal purposes!

    So this company has realized that what it's doing may be a MAJOR FUCKING CRIME, and perhaps they were even some of the buyers and sellers on Darkode.

    I don't think it has much to do with Hacking Team, because the timing is just after the Darkode raid.

  18. i hate to break it to these assholes by Anonymous Coward · · Score: 0

    but there are human rights violations in every country on this planet, just like there are criminals in every city on the face of the earth

    questionable regimes MY ASS

  19. Re:Well, DUH! What did YOU think your customers do by shaitand · · Score: 1

    They expected the digital rebel good guys to use them against the guys doing the gathering, warranting, lobbying, etc., the real bad guys. And spammers and malware people of course but that's just collateral damage.

  20. Re:Well, DUH! What did YOU think your customers do by shaitand · · Score: 1

    When you sell weapons to civilians you expect nothing of the sort. Civilians using weapons to do something normal people would consider evil is exceedingly rare. In the US for instance there are millions of guns in civilian hands but civilians kill people with guns very very rarely. Gun death statistics for a year are well below automobile death statistics in a day and in almost all cases the shooter is an agent of government (usually police domestically).