Auction Site To Sell Security Vulnerabilities

talkinsecurity writes "A Swiss research lab has built an eBay-like marketplace where hackers and researchers can sell the security vulnerabilities they discover to the highest bidder. WabiSabiLabi could replace the back-room, secret sites where researchers and hackers used to sell their exploits and replace them with a neat, clean way to make money by finding security flaws. Those who have seen the site say they are concerned about how the buyers will be vetted, and how the marketplace will ensure the flaws aren't found through illegal methods."

Bidding up

[Joebert]

I don't think the big boys are going to play along here, sicking attack dog lawyers on them would probably be less expensive than trying to outbid a group of people who bid on their own stuff when the companies show interest in paying up.

Re:Bidding up

[MadUndergrad]

Yeah, like it or not there's a good deal of trust involved for sites like eBay. I don't think that's going to work when extortion and thousands of dollars are on the line.

Re:

[Joebert]

Well on the plus side, we'll probably get a few clues on areas to look at by reading the descriptions.

Re:

[Torvaun]

Or so he hears.

"illegal methods" ?

[Anonymous Coward]

The summary writer assumes that those currently exploiting flaws would not use "illegal methods" to discover them?

Re:"illegal methods" ?

[Torvaun]

Sure. Reverse Engineering - Legal. Stealing source code - Illegal. Just because you're discovering potentially exploitable flaws doesn't mean that you're actually breaking the law yourself.

Re:

[Architect_sasyr]

Reverse Engineering - Legal

Actually most EULA's prohibit this, thus making it illegal, and I believe copyright law's have a similar result. This is a fine line to walk (and IANAL) but I believe it would still be illegal. Something like fuzzing on the other hand is probably not, except that you then generally have to reverse engineer the application to get some good, solid, working shellcode in there.

Re:

[UncleFluffy]

Actually most EULA's prohibit this, thus making it illegal,

At best, breach of contract. Even if the EULA is valid, which many aren't. Plus you have to prove that the information was obtained through "illegal" means.

Re:

[Red Flayer]

At best, breach of contract. Even if the EULA is valid, which many aren't. Plus you have to prove that the information was obtained through "illegal" means.

Welcome to the world of the DMCA in the US. If there are security measures on the software, and you attempt to circumvent them (especially knowing that you're not supposed to have access), guess what? That's an illegal act.

Re:

[janrinok]

I will only see the EULA if I install the software. There is nothing to say that I have to view the EULA in order to reverse engineer the software.

However, I agree with the (many) other posters - EULAs are not legally binding where I live.

Re:

[Opportunist]

Our copyright law explicitly allows reverse engineering, and there's a provision in the law that you cannot forfeit it. Contracts that violate the law (and let's pretend for a moment that an EULA is actually one, which has been debunked as well, since there is usually no way to read or even agree to it before the deal is made) are void by definition here.

So I dunno about you and the US, but I can reverse as I please.

Re:

[Seahawk]

Actually most EULA's prohibit this, thus making it illegal

1. Who says EULA's are legally binding? Give me ONE example of a EULA being upheld against an ordinary consumer in a non-US western country.
2. In danish copyrightlaw(Lov om Ophavsret) there are two bits(36 and 37) that talks about reverse engineering. The interesting bit is that part of the law is that NO other contract can forbid reverse engineering! So if the EULA(Which I dont think is legally binding) says you cant reverse engineer the software it

Re:

[Plutonite]

Most of the buffer overrun vulnerabilities in MS software, and software in general, are not found by inspecting stolen source code. MS programmers are nice enough to leave enough doors wide open without us bad people going to the trouble of doing all that illegal stuff.

And as pointed out by others, dissasembly is actually "illegal" according to their EULAs. This is another laughable notion that proprietary SW houses sometimes entertain..they think that when the code passes through a few lines of compiler, i

Re:

[Torvaun]

I know. But I used the source code example to demonstrate that there are indeed illegal ways to find exploits without having to stoop so low as to give the hint of legitimacy to EULA claims.

Re:

[x_MeRLiN_x]

You called them assholes. As if it wasn't obvious?

How do you preserve value?

[ushering05401]

The whole value of the exploit is that only a few people know it exists. How do you preserve that when you would need to divulge something of the nature of the exploit for it to be marketable?

I wonder if the people putting this on are actually looking to make a point about software vendors and their products. Any chance that they are looking to do nothing more than score some legal victories for the good of the public?

Regards.

How would you know that it is only sold once?

[EmbeddedJanitor]

After all, who's going to try claim "ownership" of an exploit?

Re:

[Divebus]

If I see the cross platform vulnerability I just bought again, I'm suing!

1. Login to your computer
2. Stand up
3. Put your foot through your monitor
4. PROFIT!

Re:How do you preserve value?

[GizmoToy]

I agree. Once you tell the bidder what the flaw is in, and give a good enough description of it to garner bids, someone is going to be able to track it down for themselves for free. Not the best business model.

Re:

[JonathanR]

Not sure quite how you track down a security flaw for free. Methinks that the software companies interested in patching to mitigate the exploits in their software will not consider their inhouse resources as cost-free.

The best a software company might hope for by not bidding (or losing) is using the information as a bit of help if narrowing down the search, or more probably, becoming aware of the potential exploit in the first instance.

Re:

[kestasjk]

I don't think so, the description could just detail the kind of exploit and the platforms on which it's exploitable etc. It would be in the seller's best interest to be completely truthful, because if they're not the bidder won't have to pay and they'd have given away their valuable exploit information.

I think this is a good idea though, though I can see why it's controversial. It'll create a market for people looking for security vulnerabilities, it'll make software companies pay attention and perhaps a

Re:

[Opportunist]

This might be already enough information to devaluate the flaw. If a security researcher knows that, e.g., there is a flaw in the executable reading WMF files that allows code execution, he will first of all warn his customers and second he will start digging into it himself. He needn't even be able to find the exploit, he just has to start looking into WMF files that pop up.

The best 0day is one that nobody knows about.

Re:

[CastrTroy]

Also, if you're too vague, such as "buffer overrun vulnerability in Windows that allows user rights escalation", then how do you know that what you are paying for is actually something that hasn't already been patched, or being sold by some other person on the site, or something you may have already discovered. Too specific, and people will be able to find the bug on their own, too vague, and people won't know what they're buying. Seems to me like a pretty hard problem to solve.

Its simpl;e, really - and why it won't work

[tomhudson]

It reminds me of the joke:

Man: I just lost my wallet with $1,000.00 and my credit cards in it. I'll give whoever finds it $100.00.
Voice from back of room: $I'll give $200.00

If its a real vulnerability, you can sell it over and over again. None of the buyers is going to leak it - they'd lose their investment, and chance to make $$$.

So, sell it once for $X, or sell it 20 times for $X/2?

This is just someone else with a lame attempt to insert themselves into a market.

Re:

[RealGrouchy]

You preserve value the same way you do with eBay--you don't.

If you want to make a lot of money selling $PRODUCT, eBay is not a very good place to do it, particularly when the market is flooded.

This will probably only be used by lazy white-hats who don't want to bother finding a black-market purchaser for their exploit--assuming there are sufficient quantities of supply and demand.

As with many "new overarching central service to do X" stories and sites on /., this one will probably also go down the tubes.

- R

Re:

[Opportunist]

Oh c'mon, don't you learn from the mafiaa? Of course it will be DRMified. So it will work for you, and only you, on your machine.

Umm... waitaminute...

Interesting vulnerabilites on the site

[figleaf]

http://www.wslabi.com/wabisabilabi/initPublishedBi d.do [wslabi.com]?

How can anyone exploit a memory leak?

Re:Interesting vulnerabilites on the site

[stonecypher]

Tons of ways. One of the most common and easily explained is a denial of service attack. People tend to think that DoS just means hammering the line into submission; it's a broader topic than that. If that kernel memory leak can be triggered by any outside signal, then anyone who wants to bring that box down just needs to trigger it over and over until the box has run out of RAM and swap. On a high speed network, that can often be done shockingly quickly - on the order of tens of minutes, occasionally faster.

If you're interested in these things, in my opinion, the best thing you can do is read a good operating system book - in my opinion you're best off with either Tanenbaum [amazon.com] or Silberschatz [amazon.com] - those books describe these problems in detail in terms of debugging your work, but in many cases, compromising a system is about leveraging unfixed bugs (enbugging, if you'll pardon the coining;) as such, a book meant to teach one to fix these is a great way to learn what needs to be protected against, as well as why.

Re:

[Joe U]

People tend to think that DoS just means hammering the line into submission; it's a broader topic than that. If that kernel memory leak can be triggered by any outside signal, then anyone who wants to bring that box down just needs to trigger it over and over until the box has run out of RAM and swap. On a high speed network, that can often be done shockingly quickly - on the order of tens of minutes, occasionally faster.


In the web services industry we call this ColdFusion 5 and Microsoft Access.

Re:

[Hal_Porter]

Didn't the name ColdFusion tip you off that the software might be dodgy?

Re:

[stonecypher]

You just made me laugh so hard I almost shit myself. Friended.

Re:

[CastrTroy]

Isn't ColdFusion just about the worst programming language ever? I mean come on. HTML tags are not programming constructs. Stop trying to make programs using HTML tags. I realize this is completely off topic, but ColdFusion has to be the hardest to read programming language of all time.

Re:

[ls671]

I am not sure but they seem to say they are going to scan the memory to read the data in the areas leaked by the kernel. When leaking, the memory is wasted (not freed) and I assume there could be valuable data in those area for which the kernel has more or less lost track off, meaning it doesn't read or write from/into these areas anymore. So those areas would be left untouched available for you to read the data that was writen into them, possibly private keys or sensitive data.

Just my 2 cents ;-)

easy

[r00t]

Start by calling mmep() with MAP_FIXED. This lets you allocate memory at any legal address of your choice. You choose 0, the NULL pointer area which is normally never allocated.

Next, place a pointer there.

Next, run the kernel out of memory.

Next, ask the kernel to do a getsockopt() call that needs memory. The kernel will get back a NULL. The kernel will keep going, eventually using the NULL pointer to get some critical data like a kernel pointer. (a data pointer in this case, but it could well be a function

BTW, this is getting fixed

[r00t]

There will be a global setting to prohibit users from allocating address zero. This will tend to break stuff; maybe root is exempt.

For better control, a SE Linux hook is being added. Not that this isn't an abuse of the SE Linux mechanism, but... it'll work.

Re:

[stonecypher]

Wait, linux mmep() allows allocation at null pointer? I find that hard to believe - even Windows 3.1 gets that kind of thing right. That's a remarkably naïve security hole, and with a userbase the size of Linux', I can't imagine that hasn't been fixed.

no modern kernel works as Intel intended

[r00t]

It's been many years since Linux messed around with switching segmentation tables. Today every process uses the same few segments. When switching processes, the kernel just changes the set of page tables in use. This is way faster on modern hardware.

User code and data resides in addresses from 0x00000000 to 0xbfffffff. The kernel resides in addresses from 0xc0000000 to 0xffffffff. At all times, both user and kernel stuff is in the page tables. At all times, both user and kernel stuff is mapped. At all times

Re:

[ameyer17]

hmm... the memory "leak" seems to be an information leak from fthe friendly vulnerability:

This PoC will demonstrate the Linux kernel CVE-2007-1000 vulnerability and will search for patterns inside memory.

from a description of CVE-2007-1000 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2007-1000 [mitre.org]

The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL derefer

Re:

[deftcoder]

http://www.amazon.com/Shellcoders-Handbook-Discove ring-Exploiting-Security/dp/047008023X/ref=pd_bbs_ 1/102-1300408-6806538?ie=UTF8&s=books&qid=11836941 54&sr=8-1 [amazon.com]

Buy, read, learn.

Obviously Ok

[walnutmon]

What could possibly go wrong?

sounds good to me

[nanosquid]

Companies like Microsoft seem to have developed the attitude that people shouldn't find their security holes at all, but if they do, they should be obligated to report them for free.

I think a free market approach like this is good.

As for vetting buyers and sellers, I don't think that's either necessary or desirable. If people find security holes through "illegal means" (whatever that means), it's a matter for the police and courts. And if the mafia outbids Microsoft, well, then Microsoft will have to live with the consequences or pay more next time. Companies like Microsoft should be exposed to the true costs of their security vulnerabilities, and they will be exposed to that only if the "bad guys" are in on the bidding, because vulnerabilities aren't worth a lot to the other "good guys".

If prices and damages get high enough, companies will invest enough in software development to stop creating security vulnerabilities in the first place.

Re:

[Joebert]

Why can't we just shoot people caught exploiting theese things again ?

Re:sounds good to me

[suv4x4]

Companies like Microsoft seem to have developed the attitude that people shouldn't find their security holes at all, but if they do, they should be obligated to report them for free.

I think a free market approach like this is good.

Oh yea, free market always works! Especially when the bidders in this case would actually gain financial benefit from said "goods" by illegal access to people's machines.

Software companies that produce products will be forced to "pay up" or let the vulnerability go to said parties above.

Other free markets that work just fine, and bidding works miracles in there:

* Human Organ Markets
* Internet domains
* Fire Weapons, Biological Weapons, Missiles
* Kidnapping journalists in Iraq for bounty
* De-regulated utility monopolies
* Open Market Health Insurances

The world is full of amazing examples where the best thing EVAH to do, was just sit there in awe and think "it's perfect"!

Re:

[Torvaun]

So if this site never goes up, the exploits will never get into the hands of evil people? Yeah, that's likely. With this, the security companies would get a chance to bid too, and potentially keep the bug in-house.

Re:

[suv4x4]

So if this site never goes up, the exploits will never get into the hands of evil people? Yeah, that's likely. With this, the security companies would get a chance to bid too, and potentially keep the bug in-house.

Kinda flawed logic right there. Let's flip it, since a bidder is a bidder, never mind what are his intentions:

"So if this site never goes up, the exploits will never get into the hands of the software vendors? Yeah, that's likely. With this, the malicious companies would get a chance to bid too, a

Re:

[Torvaun]

Ok. So if I can't refute your premise, and you can't refute my premise, then the problem with this site is what, in your eyes? That the people who hunt down exploits might make more money? That this could start an economy in glitches, where a programmer might intentionally insert exploitable flaws in software he's working on, with the intention of selling the exploit, then patching the program the next day? Something else?

Re:

[suv4x4]

Ok. So if I can't refute your premise, and you can't refute my premise, then the problem with this site is what, in your eyes? That the people who hunt down exploits might make more money? That this could start an economy in glitches, where a programmer might intentionally insert exploitable flaws in software he's working on, with the intention of selling the exploit, then patching the program the next day? Something else?

Why, you're doing great yourself. I should just sit here and watch you go against your

Re:

[CodeBuster]

Let's just say that, just like you don't want people freely bidding for, say, a biological weapon some lab came up with

You are cherry-picking [wikipedia.org] from among the few examples that almost everyone agrees should *not* be for sale to anyone with cash (also included in that category would be nukes and selected ICBM technologies). However, it does not follow that computer vulnerabilities are subject to the same level of scrutiny simply because there exist unrelated items, nukes and biological weapons, that almost

Re:

[Architect_sasyr]

(also included in that category would be nukes and selected ICBM technologies).

AND GRANDMA'S SECRET RECIPE FOR CHERRY TARTS!

The comparison does nothing to advance your suggestion that the "free market" is not a good idea in the case of software vulnerabilities.

To further this "cherry-picking" though, software exploit's can be as dangerous as a nuke or an ICBM. What happens if we see a Resident Evil type scenario and a killer virus gets out (no not talking AI here) because some sociopath used an exploit he bought off this site to enter the biological weapons facility. Same scenario but with the hoover dam... someone finds a way in with the exploit and opens all the gates.

True, these are extreme situations, and probab

Re:

[Torvaun]

The economy in glitches thing can already be done, somewhat. I'm actually in favor of freelance reverse engineering being a workable career. While I do like to consider myself a fairly capable devil's advocate, that wasn't really what I was going for here. I wanted to know what your reasons were.

But this isn't like a biological weapon. It's like putting up for bid a set of security schematics for Fort Knox, with possible holes highlighted. If the government wants, it can bid, and win. Then, even if th

why do you think we have an organ shortage?

[r00t]

I certainly don't feel like making all the middlemen rich off of my organs while my family struggles to survive without me. I'd instantly sign up to be an organ seller if I could.

It's such a load of crap. Nobody can sell organs, but the middlemen can charge huge "handling fees" and "processing fees". Grrr. Well, maybe the icky solution is that my surviving family charge such fees. My wife could stand there next to the doctor, dropping organs into a cooler for $1234567/hour. Yuck! This is stupid. Just let me

Re:

[UncleFluffy]

Software companies that produce products will be forced to "pay up" or let the vulnerability go to said parties above.

Or, not sell broken products in the first place. Of course, that will require undoing all the buyer "education" that they've performed over the last 15 years to train the purchaser to (not) distinguish between "shiny things" and "solid and secure code".

Re:

[Antique Geekmeister]

Oh, it's useful. Such a market verifies the existence of these exploits, earlier than otherwise would occur when groups like CERT refuse to publish because the vendor hasn't fixed them.

I welcome the idea. Even if their primary customer is black hats, the ability to point to them and say "see, there are these 5 vital fixes that Symantec hasn't done or MacAfee won't touch" is helpful to making sure they do, indeed, fix them.

Re:

[nanosquid]

Oh yea, free market always works!

No, free market approaches don't always work. But in this case, I think it would.

Re:

[Aussie]

Companies like Microsoft seem to have developed the attitude that people shouldn't find their security holes at all, but if they do, they should be obligated to report them for free.

I think a free market approach like this is good.

What would this mean for the authors of FS who can't afford to buy the exploit ?

Could this create a divide between developers/companies that can afford to buy up exploits and those that can't ?

Re:

[suv4x4]

Companies like Microsoft seem to have developed the attitude that people shouldn't find their security holes at all, but if they do, they should be obligated to report them for free.

You're very conveniently using Microsoft as an example, but Microsoft won't be the one hurt from the entire deal. Microsoft has the money to bid and win, it has the money to lobby for a law that would make this site illegal if it hurts them. It has the lawyers to bring the site down even just like that.

What do FOSS vendors do, h

Re:

[Eivind Eklund]

This stuff could be bad news for open source. If learning about bugs start to require cash, then proprietary software (with its higher cash flow) gains a large advantage compared to open source.

Possible solution: Set up an enterprise pool where enterprises could pool money to buy exploit information, and get fixes up front for those exploits (before the patch was publicly released.) Might still leave those that couldn't afford to be in the pool with a worse situation than today, though.

Eivind.

Re:

[99BottlesOfBeerInMyF]

And if the mafia outbids Microsoft, well, then Microsoft will have to live with the consequences or pay more next time. Companies like Microsoft should be exposed to the true costs of their security vulnerabilities, and they will be exposed to that only if the "bad guys" are in on the bidding, because vulnerabilities aren't worth a lot to the other "good guys".

Microsoft has a monopoly and can bypass free market affects. Here's the situation: MS does not outbid the mafia. The mafia writes a worm which steals $10 from every PC's online bank account. People are angry and upset and trash their computers. Then they go buy a new one they hope won't have that problem. Maybe a Gateway will be more secure than a Dell. Since every computer in all the stores near them comes with Windows installed, people assume it is the most secure option available. They are used to deal

Now bidding

[nrgy]

System - Microsoft Windows
Flaw - You name it
Bid - 1 beeeeellllion dollars

Re:

[JonathanR]

No problem. Microsoft has just bought out the company who developed the frickin' laser beams. Ballmer's ballistic chairs are now suitably equipped.

Re:

[suv4x4]

System - Microsoft Windows
Flaw - You name it
Bid - 1 beeeeellllion dollars

Yep, funny. Let's put Linux up there now. Where will be beeeeellllion dollars come from now? FSF? Yea sure.

Sites like these are a potential disaster for FOSS software.

Re:

[bendodge]

In order to get bids, you will have to post a good description. OSS devs will then be able to have some remote idea of the exploit, and might be able to fix it. But if the flaw is kept hidden in the underworld, it can be exploited without OSS devs knowing anything about it.

I suspect that many other people will think the same way, and so I think this site will tend to be used mostly by "white-hats" who have enough morals not to exploit their exploits.

Re:

[suv4x4]

In order to get bids, you will have to post a good description. OSS devs will then be able to have some remote idea of the exploit, and might be able to fix it.

Yea, just like a good trailer kinda makes it pointless to see the movie, right... Here's the good description:

"An exploit in Apache 2.x which allows a remote attacker sending kdata on port 80 to gain full control of the machine"

"An exploit in PHP core 4.x an 5.x which allows uploading arbitrary content to victim's server in arbitrary locations"

"A sys

Re:

[bendodge]

I said they might have a remote idea. And is it better to know something or nothing?

Ripoff Central?

[Penguinisto]

eBay is bad enough when it comes to the occasional scam (though I've been quite lucky with all the purchases and sales on it I'd made thus far, there are more than enough ripoff stories about...)

While someone dumb enough to, say, screw over a Russian Mafiya buywer, I can see where there would be more than enough idiots out there who would happily try (and hiding behind eGold and proxies, etc for payments... it may even be feasible )

Not like there would be much in the way of honor among theives when it comes to a near-total-anonymous thing like malware and malware kiddies...

(besides, all one would really have to do to make a killing as a seller is to dredge through securityfocus' vulns DB... the smart crims would avoid bidding on it, and the dumb ones? Well...)

/P

Re:

[owlnation]

While someone dumb enough to, say, screw over a Russian Mafiya buywer, I can see where there would be more than enough idiots out there who would happily try

Yeah, and this actually highlights the fundamental difference between this site and eBay. In this Swiss site the buyers are likely Russian/Ukrainian/Romanian mafia, whereas on eBay the sellers are Russian/Ukranian/Romanian mafia.

Exploit name, Outlook

[edwardpickman]

Specific exploits. Where would you like me to begin?

Self Exploitation

[Alchemist253]

I wonder how long it will be before someday auctions a vulnerability discovered in the auction site itself.

Would it turn out to be

[jsse]

100,000++ CREDI7 CARD NUMZ FOR SALEZ!!11!

BANK ACCOUNT INFORMATION FOUND IN HIDDEN FACILITIES BY GABRI31!!

10 WAYS BREAKS INTO NATIONAL RESERVE!!!!

SEX VIDEO OF THE BITCH WHO DUMPED ME

I don't understand some people

[Raptoer]

So why is it that telling a company about a security flaw is a quasi-illegal thing to do? If the company has no proof that you ever used it maliciously, then there is no reason that you shouldn't be able to report security flaws and have like a name/handle put onto a page of contributors. Demanding money for telling them about the flaw is extortion, unless they asked you to do it / offered the reward themselves.

Of course offering money for finding exploits might be a bad idea, it might entice people to look

Laws Are _Not_ Universal

[Secret Rabbit]

"""
and how the marketplace will ensure the flaws aren't found through illegal methods.
"""

In which country?

A mountain of pretense

[jihadist]

I see they want to have a hacker site, but make sure the exploits were obtained through "legal methods." Cigarettes with filters, safe party drugs, condoms, speed limits, and speech codes are the hallmarks of this hypocritical diaper society. I'm sure this will be no different, until an equal and opposite pretense leads to it getting closed down.

Re:

[Lehk228]

you lost me on condoms...... you want to have a kid every X% of encounters?

A Jihad on speed limits?

[TapeCutter]

Perhaps your jihad on condoms has lead to syphilis infecting your brain or maybe I'm just missing the connection between code exploits and speed limits?

Condoms == speech codes?

[Dekortage]

You're either looking to get someone pregnant, or contract an STI. I guess that's the price you pay for fighting the "hypocritical diaper society".

Well...

[flajann]

Really, it doesn't matter if it is found via "legal" or "illegal" methods -- a flaw is a flaw, and the vulnerability should be fixed. Especially when it involves private information such as your credit card numbers, social security numbers, and the like.

At least such a site will keep those holding our precious information on their toes to make sure any holes are plugged QUICKLY!

Sell the same 0-day several times?

[Safiire Arrowny]

So an exploit is auctioned to the highest bidder, and then on a different account the researcher auctions the same exploit to yet another highest bidder.

Sounds good to me, but don't the buyers feel cheated? I can't see anything to stop this from happening, so it doesn't seem like much of an _auction_ to me.

Also, consequently, after you buy an exploit you could auction it off to a bunch of other people and potentially make all your money back and more.

I don't really see how the auction format can support non-tangible items, is all I'm saying.

Competition for VCP and ZDI

[Anonymous Coward]

This will be interesting to see how it plays out. The two main legitimate vulnerability purchasers at the moment are iDefense's VCP ( http://labs.idefense.com/vcp/ [idefense.com]) and Tippingpoint's ZDI (http://www.zerodayinitiative.com/ [zerodayinitiative.com]). An open market place for researchers to sell their work is a good thing if implemented correctly. Previously their is little or no room to negotiate a fair price and all the information must be disclosed to the buyers first (Trust is assumed they will not use the information if they deci

perceived problem

[mathfeel]

While I applaud this free-market approach to vulnerability and that careless software engineering should cost company money, I have to ask the question. How do bidder verified that a bug is indeed found as claim? I mean, what's stop someone from claiming bug X exist, ask for a bid, and leave the bidder in cold? I suppose the same problem with ebay but in ebay, at least there is a picture (not necessarily of the item itself of course). What's there to stop cyber racketeering and blackmailing??

Re:

[Anonymous Coward]

...well in the case of WabiSabiLabi marketplace, WabiSabiLabi will verify the bug/vulnerability is real and as described by the seller and the buyer will have to trust WabiSabiLabi as the intermediary party who are orchestrating the sale.

I wonder though if they do have a process for unhappy buyers who arn't satisfied with what they buy. How do you return Intellectual Property??

Re:

[BlueTrin]

You can't return intellectual property usually, what they could do is that returning an item involves agreeing to a contract where you are forbidden to use what you returned, which in the case of software means nothing as it would be difficult to prove that you did not use it ...

Comment removed

[account_deleted]

Comment removed based on user account deletion

Of course, the site itself...

[stox]

will be the target of a huge number of hackers. I hope they're an OpenBSD shop.

Nice Registration Form

[Joebert]

ATTENTION! In order to be able to access the full marketplace services you will be asked to fax us your id card and your telephone number.

Sure, I'll get right on that.

Wabisabi is a cool concept

[TheModelEskimo]

Might as well post an explanatory link - it's a Japanese term, if anyone was wondering about the origin of the name: http://nobleharbor.com/tea/chado/WhatIsWabi-Sabi.h tm [nobleharbor.com]

Speaking of auctions and bugs...

[macraig]

... on Sunday I encountered a bug in eBay, having to do with last-second bidders. I was involved in an auction, and updated the auction page immediately after it was scheduled to close; it reported me as the winning bidder at a price of $77.01. Since I was at a friend's house, when I got home I went to arrange payment and discovered that a last-seconds bidder had been inserted after the fact, and my winning bid had now jumped to $93.50. I had set a max bid higher than his, otherwise presumably the interl

Re:

[BLKMGK]

That's normal - someone used a bid sniping service like Phantombidder.com to bid at the last possible split second. A lag in processing that bid is why you were first shown a win and then later shown it at a higher price - I've actually won and lost auctions like that :-) Yes, I snipe often - keeps me from bidding against sheeple who just bid ever higher instead of simply setting a bid and forgetting...

Re:

[macraig]

I smell a class action lawsuit here.

I doubt that eBay can present me with a confirmation of acceptance of an offer at a specific price, and then later retract it saying, "Oh, wait... we were a bit hasty, made a mistake, didn't notice this other coincidentally higher bid here."

I suspect we can all hold eBay legally liable for those initial confirmations and make eBay eat the difference, since they're in turn confirming only the later higher bids to the sellers, rather than the initial ones reported to buyers

Re:

[h4ck7h3p14n37]

Yes, I snipe often - keeps me from bidding against sheeple who just bid ever higher instead of simply setting a bid and forgetting...

I know that sniping can be used to defend against shill bidding, but I don't see the value in using the technique against people who don't understand that eBay auctions are designed for proxy bidding.

Whether a legitimate bidder places one or one hundred bids is irrelevent; they will ultimately reach their final price. I don't see how the number of bids that it takes them

Re:

[BLKMGK]

Here's how it goes. Price is say $20 so sheeple says what a bargain and bids $22. I see it and decide to bid $25, sheeple sees that their price has been beaten and bids it up past my final bid - my bid loses.

Sniping - I see price at $22 and instead of beating that price right away I logon to the snipe service, type in my max amount, I log off happy. 5 SECONDS before the auction closes, with potentially the sheeple who bid first refreshing like mad, my bid is entered. Before said sheeple can decide that yeah

Re:

[h4ck7h3p14n37]

Again, that makes no sense to me. Maybe it's because I have a firm maximum bid in mind whereas some people decide that they're willing to increase their maximum bid in certain situations?

In the first case you mentioned, your maximum bid was $25. Someone had a higher maximum bid than this so you lost. I don't see how the other party throwing out several max bids alters things. The only way it does make sense is if your first maximum bid wasn't really your max bid.

In the second situation, you're just

Re:

[BLKMGK]

No no, it's not ME that doesn't have a firm fixed upper limit - it's the sheeple :-) When they see that my max is above their's durng a normal non-snipe bid process after they have bid and mine bumps it becomes a competition to outbid and "win" - prices spiral. Worse comes to worse they don't beat me and simply bump the price up and I pay more. Generally I set my max bid and leave it alone until the snipe is done. Just lost one tonight actually - bummer.

You still don't win all the time because sometimes oth

Yes

[Slashdot Parent]

Maybe it's because I have a firm maximum bid in mind whereas some people decide that they're willing to increase their maximum bid in certain situations?

Yes, that is exactly why you can't understand the benefit of sniping.

Most people are not engineers and have zero discipline. They act on their emotions and do illogical things. The average person does not enter his true maximum bid into the proxy system. He enters some idea of his max, but then his emotions take over. "Am I willing to lose this auction over $1 or $2?" And he raises his bid.

Watch the bidding on an item for evidence. You'll see some joker increasing his "maximum" bid by $1 or $2 for ab

I wash my hands.

[WK2]

Sounds like a great way to wash your hands after selling a vulnerability to the mafia. "I don't know who you are, or what you intend to do with this weapon. I don't want to know."

Had this type of subject come up in class

[bryan1945]

It was an InfoSec class in a Masters program.

Question- what do you do if you come upon a security hole?
Answer- ?

Case in point, some grad student in physics accidentally came across a vulnerability in the engineering dept's site. He reported it to his adviser the same day. (Yes, it was all proven). Adviser told the engineering dept., they fixed it, high fives all around. About a year later, the psych dept. gets broken into with a quasi-semi like exploit. Who does the uni and cops go straight after as a suspect? Yup, the kid who turned in the engineering vulnerability. Eventually was cleared, but how great is it to be a "Good Samaritan"?

So now you are student who comes across a commercial exploit. Now what? Auction is off for some moohla, let the company know, sit tight? If you auction it off and don't get sued by the company, does the school have a right to kick you out due to "unethical behavior"? If you let the company know, what kind of exposure do you have then? Can they accuse of being a hacker? If something similar in the future happens, can they come back to you? If you're a fan (or fanboy) of the company and sit tight, and later it gets hit by the same exploit, how is your conscience?

Now ramp the whole thing up to be a person in the commercial field. Tell your boss, etc.?

Now ramp it up to government level. Tell.... ? (underpant gnomes- had to fit that in somewhere)

Now ramp it up to classified level. Wait... nah, you cool as long as you tell your boss so -they- can exploit it.

As an individual at home, you'll probably be fine as long as you don't use the exploit to your advantage, and if you report it to a security site or the company I would think you would be fine.

Personally, I wouldn't touch this site with a 6 foot pole.

Eh?

[8ball629]

The real question is who is going to give out their personal information upon signing up for this site? Doesn't sound like a very good place to be submitting your name, address and etc. to does it?

I will let the legends speak for me

[DimGeo]

Here's [youtube.com] what I'm thinking.

Good!

[Quixote]

I'm a budding photographer. I would love to get my hands on Photoshop, so I can fix up some of my photos.
Will Adobe give me Photoshop CS3 for free? Of course not.

Then why do people expect these companies to get vulnerabilities for free?

I know, a vulnerability in $SoftwareVendor's product could be exploited by Some Nefarious Person ($SNP) to cause damage. So what's preventing $SoftwareVendor from bidding on the same vulnerability and beating out $SNP?.

Don't companies spend $$$ doing security audits,

Re:

[Slashdot Parent]

Will Adobe give me Photoshop CS3 for free?

No, but they will give you Photoshop Elements for $30, which is probably the best value you will ever see in the retail software market. It is truly amazing what they pack into that little $30 powerhouse.

Anyhow, the companies are giving you value for reporting vulnerabilities. They are fixing them. That gives value to a user of that product, anyway.

Re:

[ArsenneLupin]

Methinks you misunderstood something here. You are not supposed to put that link directly on slashdot. Or if you do, at least obfuscate it using a redirector of some kind or tinyurl.

What you're supposed to do is find some suitable site (preferably running ASP and Cold Fusion), sprinkle it liberally with apostrophe's, and if some MS SQL Server error pops out, stuff the link in there. And then link that site from Slashdot.

Alternatively, spot a comment (or even better: a frontpage story...) which already lin