Auction Site To Sell Security Vulnerabilities

talkinsecurity writes "A Swiss research lab has built an eBay-like marketplace where hackers and researchers can sell the security vulnerabilities they discover to the highest bidder. WabiSabiLabi could replace the back-room, secret sites where researchers and hackers used to sell their exploits and replace them with a neat, clean way to make money by finding security flaws. Those who have seen the site say they are concerned about how the buyers will be vetted, and how the marketplace will ensure the flaws aren't found through illegal methods."

Bidding up

[Joebert (946227)]

I don't think the big boys are going to play along here, sicking attack dog lawyers on them would probably be less expensive than trying to outbid a group of people who bid on their own stuff when the companies show interest in paying up.

Re:Bidding up

[MadUndergrad (950779)]

Yeah, like it or not there's a good deal of trust involved for sites like eBay. I don't think that's going to work when extortion and thousands of dollars are on the line.

Re:

[Joebert (946227)]

Well on the plus side, we'll probably get a few clues on areas to look at by reading the descriptions.

Re:"illegal methods" ?

[Torvaun (1040898)]

Sure. Reverse Engineering - Legal. Stealing source code - Illegal. Just because you're discovering potentially exploitable flaws doesn't mean that you're actually breaking the law yourself.

Re:

[Architect_sasyr (938685)]

Reverse Engineering - Legal

Actually most EULA's prohibit this, thus making it illegal, and I believe copyright law's have a similar result. This is a fine line to walk (and IANAL) but I believe it would still be illegal. Something like fuzzing on the other hand is probably not, except that you then generally have to reverse engineer the application to get some good, solid, working shellcode in there.

Re:

[UncleFluffy (164860)]

Actually most EULA's prohibit this, thus making it illegal,

At best, breach of contract. Even if the EULA is valid, which many aren't. Plus you have to prove that the information was obtained through "illegal" means.

How do you preserve value?

[ushering05401 (1086795)]

The whole value of the exploit is that only a few people know it exists. How do you preserve that when you would need to divulge something of the nature of the exploit for it to be marketable?

I wonder if the people putting this on are actually looking to make a point about software vendors and their products. Any chance that they are looking to do nothing more than score some legal victories for the good of the public?

Regards.

How would you know that it is only sold once?

[EmbeddedJanitor (597831)]

After all, who's going to try claim "ownership" of an exploit?

Re:

[Divebus (860563)]

If I see the cross platform vulnerability I just bought again, I'm suing!

1. Login to your computer
2. Stand up
3. Put your foot through your monitor
4. PROFIT!

Re:How do you preserve value?

[GizmoToy (450886)]

I agree. Once you tell the bidder what the flaw is in, and give a good enough description of it to garner bids, someone is going to be able to track it down for themselves for free. Not the best business model.

Its simpl;e, really - and why it won't work

[tomhudson (43916)]

It reminds me of the joke:

Man: I just lost my wallet with $1,000.00 and my credit cards in it. I'll give whoever finds it $100.00.
Voice from back of room: $I'll give $200.00

If its a real vulnerability, you can sell it over and over again. None of the buyers is going to leak it - they'd lose their investment, and chance to make $$$.

So, sell it once for $X, or sell it 20 times for $X/2?

This is just someone else with a lame attempt to insert themselves into a market.

Interesting vulnerabilites on the site

[figleaf (672550)]

http://www.wslabi.com/wabisabilabi/initPublishedBi d.do [wslabi.com]?

How can anyone exploit a memory leak?

Re:Interesting vulnerabilites on the site

[stonecypher (118140)]

Tons of ways. One of the most common and easily explained is a denial of service attack. People tend to think that DoS just means hammering the line into submission; it's a broader topic than that. If that kernel memory leak can be triggered by any outside signal, then anyone who wants to bring that box down just needs to trigger it over and over until the box has run out of RAM and swap. On a high speed network, that can often be done shockingly quickly - on the order of tens of minutes, occasionally faster.

If you're interested in these things, in my opinion, the best thing you can do is read a good operating system book - in my opinion you're best off with either Tanenbaum [amazon.com] or Silberschatz [amazon.com] - those books describe these problems in detail in terms of debugging your work, but in many cases, compromising a system is about leveraging unfixed bugs (enbugging, if you'll pardon the coining;) as such, a book meant to teach one to fix these is a great way to learn what needs to be protected against, as well as why.

easy

[r00t (33219)]

Start by calling mmep() with MAP_FIXED. This lets you allocate memory at any legal address of your choice. You choose 0, the NULL pointer area which is normally never allocated.

Next, place a pointer there.

Next, run the kernel out of memory.

Next, ask the kernel to do a getsockopt() call that needs memory. The kernel will get back a NULL. The kernel will keep going, eventually using the NULL pointer to get some critical data like a kernel pointer. (a data pointer in this case, but it could well be a function

sounds good to me

[nanosquid (1074949)]

Companies like Microsoft seem to have developed the attitude that people shouldn't find their security holes at all, but if they do, they should be obligated to report them for free.

I think a free market approach like this is good.

As for vetting buyers and sellers, I don't think that's either necessary or desirable. If people find security holes through "illegal means" (whatever that means), it's a matter for the police and courts. And if the mafia outbids Microsoft, well, then Microsoft will have to live with the consequences or pay more next time. Companies like Microsoft should be exposed to the true costs of their security vulnerabilities, and they will be exposed to that only if the "bad guys" are in on the bidding, because vulnerabilities aren't worth a lot to the other "good guys".

If prices and damages get high enough, companies will invest enough in software development to stop creating security vulnerabilities in the first place.

Re:sounds good to me

[suv4x4 (956391)]

Companies like Microsoft seem to have developed the attitude that people shouldn't find their security holes at all, but if they do, they should be obligated to report them for free.

I think a free market approach like this is good.

Oh yea, free market always works! Especially when the bidders in this case would actually gain financial benefit from said "goods" by illegal access to people's machines.

Software companies that produce products will be forced to "pay up" or let the vulnerability go to said parties above.

Other free markets that work just fine, and bidding works miracles in there:

* Human Organ Markets
* Internet domains
* Fire Weapons, Biological Weapons, Missiles
* Kidnapping journalists in Iraq for bounty
* De-regulated utility monopolies
* Open Market Health Insurances

The world is full of amazing examples where the best thing EVAH to do, was just sit there in awe and think "it's perfect"!

Now bidding

[nrgy (835451)]

System - Microsoft Windows
Flaw - You name it
Bid - 1 beeeeellllion dollars

Ripoff Central?

[Penguinisto (415985)]

eBay is bad enough when it comes to the occasional scam (though I've been quite lucky with all the purchases and sales on it I'd made thus far, there are more than enough ripoff stories about...)

While someone dumb enough to, say, screw over a Russian Mafiya buywer, I can see where there would be more than enough idiots out there who would happily try (and hiding behind eGold and proxies, etc for payments... it may even be feasible )

Not like there would be much in the way of honor among theives when it comes to a near-total-anonymous thing like malware and malware kiddies...

(besides, all one would really have to do to make a killing as a seller is to dredge through securityfocus' vulns DB... the smart crims would avoid bidding on it, and the dumb ones? Well...)

/P

Exploit name, Outlook

[edwardpickman (965122)]

Specific exploits. Where would you like me to begin?

Self Exploitation

[Alchemist253 (992849)]

I wonder how long it will be before someday auctions a vulnerability discovered in the auction site itself.

Laws Are _Not_ Universal

[Secret Rabbit (914973)]

"""
and how the marketplace will ensure the flaws aren't found through illegal methods.
"""

In which country?

Sell the same 0-day several times?

[Safiire Arrowny (596720)]

So an exploit is auctioned to the highest bidder, and then on a different account the researcher auctions the same exploit to yet another highest bidder.

Sounds good to me, but don't the buyers feel cheated? I can't see anything to stop this from happening, so it doesn't seem like much of an _auction_ to me.

Also, consequently, after you buy an exploit you could auction it off to a bunch of other people and potentially make all your money back and more.

I don't really see how the auction format can support non-tangible items, is all I'm saying.

I give it a month.

[jcr (53032)]

This is going to vanish under an avalanche of litigation.

-jcr

Wabisabi is a cool concept

[TheModelEskimo (968202)]

Might as well post an explanatory link - it's a Japanese term, if anyone was wondering about the origin of the name: http://nobleharbor.com/tea/chado/WhatIsWabi-Sabi.h tm [nobleharbor.com]

Had this type of subject come up in class

[bryan1945 (301828)]

It was an InfoSec class in a Masters program.

Question- what do you do if you come upon a security hole?
Answer- ?

Case in point, some grad student in physics accidentally came across a vulnerability in the engineering dept's site. He reported it to his adviser the same day. (Yes, it was all proven). Adviser told the engineering dept., they fixed it, high fives all around. About a year later, the psych dept. gets broken into with a quasi-semi like exploit. Who does the uni and cops go straight after as a suspect? Yup, the kid who turned in the engineering vulnerability. Eventually was cleared, but how great is it to be a "Good Samaritan"?

So now you are student who comes across a commercial exploit. Now what? Auction is off for some moohla, let the company know, sit tight? If you auction it off and don't get sued by the company, does the school have a right to kick you out due to "unethical behavior"? If you let the company know, what kind of exposure do you have then? Can they accuse of being a hacker? If something similar in the future happens, can they come back to you? If you're a fan (or fanboy) of the company and sit tight, and later it gets hit by the same exploit, how is your conscience?

Now ramp the whole thing up to be a person in the commercial field. Tell your boss, etc.?

Now ramp it up to government level. Tell.... ? (underpant gnomes- had to fit that in somewhere)

Now ramp it up to classified level. Wait... nah, you cool as long as you tell your boss so -they- can exploit it.

As an individual at home, you'll probably be fine as long as you don't use the exploit to your advantage, and if you report it to a security site or the company I would think you would be fine.

Personally, I wouldn't touch this site with a 6 foot pole.