Forgot your password?

Close
typodupeerror
Businesses Security IT

Zero-Day Vulnerabilities On the Market 94

Posted by CmdrTaco
from the not-as-good-as-my-negative-four-day dept.
An anonymous reader writes "Zero-day vulnerabilities have become prized possessions to attackers and defenders alike. As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days. There is an underground market growing around these vulnerabilities, but there are also 'white markets' — set up by VeriSign, TippingPoint, Google — where they buy zero-day flaws and alert the companies so that they can patch their products before the vulnerabilities can be taken advantage of."
This discussion has been archived. No new comments can be posted.

Zero-Day Vulnerabilities On the Market More

Zero-Day Vulnerabilities On the Market

Comments Filter:

  • Re:I'm surprised white markets aren't more common (Score:4, Informative)

    by bluesatin (1350681) on Monday February 08 2010, @12:06PM (#31061184)

    I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market.

    This would probably cause a knock-on effect of increasing production in the area, due to the fact that you will be increasing the profits for the poppy growers, and perhaps also encouraging people to start poppy farming; selling to US troops is probably a hell of a lot less scary than selling to the Taliban.

  • Re:I'm surprised white markets aren't more common (Score:4, Informative)

    by Ltap (1572175) on Monday February 08 2010, @12:14PM (#31061264) Homepage
    You're right. The drug-growing problem in Afghanistan is two-fold: very little will grow there other than desert plants. Opium grows there and is extremely profitable to grow, so if they were to try and grow other crops, they would probably not be sustainable without more infrastructure (such as an irrigation network to grow crops that need more ground water). There have been attempts to cultivate some local plants to extract oils for use in beauty products, but it's a niche market and only a small amount of farmers can do it without over-saturating the market. A crop that would grow in Afghanistan, is in demand, and is rare enough to warrant transportation costs to the rest of the world is the ideal crop, and right now that is opium. Until there is a viable alternative, that is what farmers will grow.

  • Re:"Zero-day" is just noise (Score:4, Informative)

    by chill (34294) on Monday February 08 2010, @12:22PM (#31061368) Journal

    0-day means there is no patch available, as opposed to vulns that come out after patches are issued and you could possibly upgrade your system to being secure.

    Anything that is patched, but you haven't bothered to update your system and are thus vulnerable to, isn't a 0-day.

  • Does it matter? (Score:3, Informative)

    by khasim (1285) <brandioch.conner@gmail.com> on Monday February 08 2010, @12:29PM (#31061466)

    If you are the company who wrote the software, you now know where the flaw is and can fix it.

    If you release a patch, that could be reverse engineered and the bad guys would find the flaw anyway.

  • Re:Does it matter? (Score:3, Informative)

    by John Hasler (414242) on Monday February 08 2010, @12:45PM (#31061688) Homepage

    > If you are the company who wrote the software, you now know where the flaw
    > is and can fix it.

    But if you are a black hat (or a government: same thing) you want exclusive ownership. Even if you are the company that wrote the software you don't want the exploit sold to black hats who will exploit it between now and the time you deploy your fix (or afterward against the many customers who won't upgrade).

  • Not a trend. (Score:2, Informative)

    by yoda (79150) on Monday February 08 2010, @01:49PM (#31062408)

    The vulnerability contributor program @ Verisign and TippingPoint were setup by the same person. I know this because that person used to work for me. Google is buying simply as a reaction to the China stuff. This isn't a trend...though on the surface, it appears that way.

  • What passes for Insightful... (Score:3, Informative)

    by Gary W. Longsine (124661) on Monday February 08 2010, @04:13PM (#31064214) Homepage Journal

    Taliban and the Drug Trade [state.gov]
    Some members of the U.S. drug enforcement community suggest that a new strategy may have been adopted by the Taliban in the wake of their July 27, 2000 announced ban on cultivation. This strategy would reflect a desire by the Taliban to use their “monopoly” position to maximize profits, i.e. restrict supply by restricting cultivation; drive prices up dramatically; and sell from an extensive supply of stockpiled opium. According to the United Nations Drug Control Program (UNDCP) personnel, in the past, up to 60% of opium stock has been stored for sale in future years."

    Uhm, no. What nut jobs like Mullah Omar say, and what they actually do, might overlap, but may not be entirely equivalent.

I guess the Little League is even littler than we thought. -- D. Cavett