Slashdot Mirror

← Back to Stories (view on slashdot.org)

Exploit Vendor Publishes Prices For Zero-Day Vulnerabilities

Posted by samzenpus on from the paying-for-problems dept.

An anonymous reader writes: An exploit vendor published a price list for the zero-day bugs it's willing to buy. The highest paid bugs are for remote jailbreaks for iOS. Second is Android and Windows Phone. Third there are remote code execution bugs for Chrome, Flash, and Adobe's PDF Reader. This is the same company that just paid $1 million to a hacker for the first iOS9 jailbreak.

21 comments

  1. Still legal? by phishybongwaters · · Score: 4, Interesting

    I'm still confused as how this exploit market is still legal. Security research has legal purposes, exploit discovery has legal purposes. But the selling of exploits on an open market seems to only have one purpose. Using those exploits for something nefarious. So on the one hand according to some, just the fact that there is torrent traffic on my network makes me a criminal..... but on the other this company can buy and sell exploits to be used to hack and attack people and it's perfectly legal? Sounds about right.

    1. Re:Still legal? by MagickalMyst · · Score: 0

      "I'm still confused as how this exploit market is still legal. "

      The company is probably a front for NSA/CSIS/GCHQ/Mossad/.

      For all intensive purposes, these agencies are above the law.

      --
      Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
    2. Re:Still legal? by phishybongwaters · · Score: 1

      From what I've read and watched, the NSA/CSIS/GCHQ/Mossad are some of these vendors biggest, mostly undisclosed, customers

    3. Re:Still legal? by Anonymous Coward · · Score: 5, Informative

      For all intensive purposes

      For all intents and purposes.

    4. Re:Still legal? by Anonymous Coward · · Score: 0

      lol. Kind of like when people say "suppose" instead of "supposed" and "walla" instead of...well you get the picture.

    5. Re:Still legal? by Anonymous Coward · · Score: 0

      What about for unintensive purposes like catching cat-nappers? Are they above the law for those as well, or is it only intensive stuff like counter-terrorism? I guess they don't need to be above the law for less intensive purposes like finding who stole someone's cat and such so I guess you're right, it is just intensive purposes that they're above the law for?

    6. Re: Still legal? by ememisya · · Score: 1

      Because people realized there is more money in selling broken products which are not immediately obvious than selling non-broken products. Pop-Station (PSP knock-off) from China is a similar story. Is it possible to make a secure product? Absolutely. Will any company produce one? Absolutely not, because triple letter companies (err security organizations), and friends, need to get in your phone. For your safety of course, or the terrorists win.

    7. Re:Still legal? by Anonymous Coward · · Score: 0

      Look at the semi-literate making fun of the other semi-literate! Isn't this fun?

    8. Re:Still legal? by Anonymous Coward · · Score: 0

      Thanks. :)

      Now me english 'll be getting gooder!

    9. Re: Still legal? by swillden · · Score: 1

      Is it possible to make a secure product? Absolutely.

      Stop right there. This statement is false, at least with respect to systems of significant complexity. This is completely obvious when you realize that software security defects are just bugs. You'll never have perfectly secure software until you have perfect software.

      Unless we want to dramatically reduce the complexity (and hence capabilities) of the systems we use, to a point where we can produce formally-verifiable security and correctness proofs, there will always be vulnerabilities. If you accept your software to be orders of magnitude less functional and also orders of magnitude more expensive, then you might be get perfect security.

      In the real world, settle in for a continual cat and mouse game. There will always be vulnerabilities, so the best we can do is design defense in depth with lots of firewalls so that hopefully one vulnerability won't be easy to chain into a full exploit, and to try to stay ahead of the bad guys for when the defensive measures break down. The second point is actually not unrealistic if the "bad guys" in question are criminals. While it may be slightly less lucrative to be a white hat security researcher, it's much safer and it's still a pretty good life, especially with the growing prominence of vulnerability reward programs. If the "bad guys" in question are nation states, however, forget it. They can and do hire people who are every bit as good as the public researchers, and their employees also have good, safe lives.

      So, your cynical assumption that secure products cannot be allowed so that TLAs have access is wrong... but the true reasons that completely secure products are infeasible still do mean that TLAs will have access.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    10. Re:Still legal? by Anonymous Coward · · Score: 0

      IBut the selling of exploits on an open market seems to only have one purpose.

      ...which is making sure the people who discover the exploits get paid the best possible price for their hard work. If companies are forced to outbid third parties angling for a flaw in their products, it keeps those companies from treating hackers the way they treat artists. "Can't you just give us this exploit on spec? Think of the exposure!"

    11. Re:Still legal? by Guybrush_T · · Score: 1

      That could actually turn into a very sane situation. If you add a constraint to sell the vulnerability to the responsible company if that company is willing to match the highest bidder, then it could be really helpful :

      - Security researchers get paid for their work

      - Companies get an incentive to improve security before releasing products

    12. Re:Still legal? by invictusvoyd · · Score: 1

      Are you suggesting they don't have the money to hire talent for zero day exploits?

    13. Re:Still legal? by Anonymous Coward · · Score: 0

      Thanks. :)

      Now me english 'll be getting gooder!

      gooderer.

    14. Re: Still legal? by ememisya · · Score: 1

      So your argument is that we are too dumbto make a secure product. It's possible, but it takes too much effort to understand the complexity so we should have faith. Right. I'll get back to you on that.

  2. Vendor buys its own exploits? by Anonymous Coward · · Score: -1

    > An exploit vendor published a price list for the zero-day bugs it's willing to buy.

    huh?

    1. Re:Vendor buys its own exploits? by phishybongwaters · · Score: 2

      No, the vendor buys exploits from the researchers that discover them. Then the vendor turns around and sells said exploit. You can google a bit and find some enlightening interviews about this, including one from one of the most prominent researchers from years past who notes that most of the exploits he sold (very nasty, made lots of money) were never actually patched, some of which likely showed up in that trove of NSA docs. The vendor has to have a product to sell, and these guys are mostly a market so they don't actively find and build exploits, they simply created the market to sell them and make profit. 1000$ to hacker A for finding it then they turn around and sell it to the NSA for 15,000$ (pure speculation on my part)

  3. Warrant or 5 eyes for US brands? by AHuxley · · Score: 1

    Warrant or NSL for US brands access?
    If the 5 eye nations can just ask for US access or go to a friendly US court or have access designed in under US law whats the payment for the big US brands for?
    Why is Linux, VM and Tor browser so cheap or easy or well covered vs US brands that enthusiastically helped US and UK gov with decryption in the past are so expensive? Even some anti virus options seem to be lower on the list?
    A remote jail break on a cell like device seems like any offering that a US warrant would get under what emerged from the early build out of the Communications Assistance for Law Enforcement Act (CALEA).

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Warrant or 5 eyes for US brands? by Actually,+I+do+RTFA · · Score: 1

      Why is Linux, VM and Tor browser so cheap or easy or well covered vs US brands that enthusiastically helped US and UK gov with decryption in the past are so expensive?

      Because the number of Linux people who do online bakning in a VM hrough TOR is small. The number of iOS people who do banking on their phoine is large.

      --
      Your ad here. Ask me how!
  4. Room for corruption here by bagofbeans · · Score: 2

    Software developer in cahoots with security researcher could design in an obscure bug for the security researcher to 'find', and $$$.

    1. Re:Room for corruption here by Sir+Holo · · Score: 1

      MOD PARENT UP!

      Spot-on. The phenomenon is not new, either. Symantec got big in the late 1980's and early 1990's by awarding bounties for discovery of "new viruses". To help, they provided examples of 'known' viruses.

      To a kid in high school or college, this was an easy $50.
          * Copy one of their "examples"
          * Change something very minor in a hex editor
          * Use a printout or send code via a BBS (per-internet, remember?)
          * Profit! (I did.)

      And PROFIT Symantec did, too (Norton then). Why else, in the early days of the virus, do you think that there were sometimes 100 variations of a virus, with only a difference in text displayed, or a change in some other 'non-functional' part of the virus?

      The answer, of course, was that Symantec could claim each month the 'discovery' of "a new variant(s) of a known virus", or similar. Please, anyone who recalls using Norton Antivirus way back then, think back. Do you remember this specific error message? I sure do.

      Other interests have recognized the value of scare tactics and broken software since then, of course. But they were the ones who really kicked it off (on the public scale – with ads in PC World, etc. for the 'bounties').