An eBay For Hackers
cyberdelicat writes to let us know about a Swiss security firm called WabiSabiLabi that is causing waves with its open auction for zero-day security vulnerabilities. While WSLabi claims they will thoroughly vet both buyers and sellers of vulnerabilities, many researchers are skeptical about how effectively they can do this. The Washington Post article mentions the guy who almost opened a similar auction site several years back, to be called Zero-Bay, but pulled the plug at the last minute. SearchSecurity notes that some security researchers are now referring to WSLabi as "zerobay" as they undermine the auction site by reproducing and publishing vulnerabilities as soon as they appear for sale.
How about an Ebay for Dupes? (Score:3, Funny)
Re: (Score:2, Informative)
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
All kinds of new auction sites (Score:1, Informative)
Re: (Score:1)
YAD (Score:1, Redundant)
Re: (Score:2)
WAD (Score:2)
So what happens when... (Score:4, Funny)
Hmm (Score:2, Insightful)
What's next? (Score:1)
Re: (Score:2)
CERT is sitting on at least a few vulnerabilities, and has been doing so for at least 5 years on some of them
Re: (Score:1)
Isn't part of computer security security through obscurity?
Re: (Score:2)
Re: (Score:2)
Wow. (Score:1)
Problem is, like many functional solutions in this world, it may be just stupid enough to actually work.
Re: (Score:1)
Sounds dumb (Score:2)
OK, so there is an open auction for a remote exploit for Yahoo Messenger. So if I wanted to steal bank account information from lots of Yahoo Messenger users, this would be a good start. The minimum bid is 2000 Euro, which
Re:Sounds dumb (Score:4, Insightful)
Researching security holes should be a legitimate and profitable R&D investment, and should be done in an up front manner such as this rather than via the black market where your dire vision already thrives.
Well it depends (Score:4, Insightful)
There are additional problems when you start dealing with certain classes of items. If something has substantial legal uses you are on much more solid ground. To use the gun example again, guns are widely used for hunting, target shooting, personal and home defense, all perfectly legal uses. Thus it isn't a stretch to assume someone has a legal use for it, unless there's specific reason to believe otherwise. However if the item in question has little to no legal use, then there can be problems. I see exploits as being mostly in this category. Other than the companies, who really has a legit use for the details behind an exploit? Now this isn't a challenge to try and come up with obscure reasons someone might want it, it is something to think about in general. What would people by and large want to buy these for? If the majority of realistic answers are illegal ones, then you can have a real problem when you sell it if you aren't real careful.
Re: (Score:2)
Any user of that software that won't/can't/doesn't want to wait for the company to get off of their lazy asses and fix it, so they need a workaround.
Re: (Score:2)
Vulnerability Info Exchange is Good (Score:3, Interesting)
Selling information about security vulnerabilities may be considered unethical by some, but it is perfectly legal in almost all countries (notable exception: France). Don't forget that a vuln is just a bug, they are selling information about how to trigger a bug. Why would that be illegal? If a buyer exploits the bug for nefarious purposes, then the buyer is doing something illegal, not the seller. There are plenty of legitimate cases where a market for selling vulnerabilities is a good thing:
Amen! (Score:2)
Big security problems currently come from people not installing patches. You can't fix this since you can't write perfect code. But you can help by writing better code. So we must make vendors see the real costs.
Don't let stupidity fool you (Score:3, Interesting)
Re: (Score:1)
Re: (Score:2)
Good show!
Dude, this sucks (Score:3, Interesting)
Good idea, actually... (Score:2)
whoa! (Score:1)
Auctioning known defects (Score:1)
???
Profit!!
the idea has merit (Score:2)
What happens when this site gets cracked? (Score:2)
I think you mean an eBay for crackers. (Score:1)
I use it regularly to buy PIC controllers, semi-exotic silicon, and weird computer hardware (i.e. anything 'the natives' can't Install Windoze on here in tardo flyoverlandia). I also sell a lot of cool stuff, like PDP-11 hardware, etc. Without eBay or at the least the Web and mail order, a person such as myself couldn't live in this godforsaken (actually, god-addled) part of the country.