Zero-Day Vulnerabilities On the Market 94

An anonymous reader writes "Zero-day vulnerabilities have become prized possessions to attackers and defenders alike. As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days. There is an underground market growing around these vulnerabilities, but there are also 'white markets' — set up by VeriSign, TippingPoint, Google — where they buy zero-day flaws and alert the companies so that they can patch their products before the vulnerabilities can be taken advantage of."
  • by swb ( 14022 ) on Monday February 08, 2010 @11:59AM (#31061074)

    ...especially when the market is fairly inelastic.

    The best "white market" tale I've ever heard is the militias that ran the "Golden Triangle" in the Southeast Asian highlands offering to sell the US the entire opium crop.

    I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market. They could even use the opium for the production of painkillers for the legitimate market, which I understand is actually constrained sometimes by strict production limitations.

    You would think that white marketing the supply of illicit drugs would make a lot of sense -- by buying up supplies at the volume end of the market and denying it to the market, you would drive street prices through the roof and have far more impact on the consumers, pricing many out of the market. Cocaine supply diversity may make this difficult, but if pursued quietly it might actually be effective there too.

    Critics would decry giving money to criminals, but the "buy" could actually take place at the farming level where that's an option, thus totally undercutting the criminals. It'd be great to see a cost analysis to see if it would actually be cheaper to just buy up the drugs at the point of production versus the drug war, which doesn't work.

  • Exactly. (Score:3, Interesting)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday February 08, 2010 @12:10PM (#31061220)

    Remember, we're not talking about the farmers being the equal of the distributors.

    If you start taking away a source of revenue, you had better be able to defend that with violence of your own.

    And anyway, if the farmers are growing dope, they're not growing food. How about offer to buy the food that the farmers grow at a higher rate than the processors pay for the dope?

  • by John Hasler ( 414242 ) on Monday February 08, 2010 @12:23PM (#31061386)

    ...know that it has not also been sold to someone else? And who brokers these deals? I can't imagine the parties trusting each other.

  • Re:Buy them (Score:3, Interesting)

    by SeePage87 ( 923251 ) on Monday February 08, 2010 @12:29PM (#31061470)

    Wow, I know /.ers rarely read TFA, but did you even read the summary? They explicitly mention "white markets" where companies can do just that. If the white markets are well known about, learning of an exploit is often likely to be more valuable to the company than a hacker. A company can suffer liability for damages, lose clients, suffer hits to their company's good will, and, depending on the nature of the software and what it's used for, and the exploit and how it works, any number of other things. Those buying the exploits can't know how long it will be effective, or how profitable it will be. My guess is, the more profitable it could be, the quicker it will get fixed, so how much can the black market pay? Besides companies potentially paying better, there's the added bonus of not having to do something illegal, harmful and immoral, though I know that doesn't matter to some. And there might be the appeal of being on the side of preventing malicious attacks. Think about it, all the CS nerds will be able to effectively become digital Jack Bauers, and that's bound to get chicks.

  • by Hasai ( 131313 ) on Monday February 08, 2010 @12:45PM (#31061684)

    > Critics would decry giving money to criminals, but the "buy" could actually take place
    > at the farming level where that's an option, thus totally undercutting the criminals.

    And where, in regions that routinely grow opium, would this be an 'option?' The criminals will show up at the farmer's doorstep, take the money, then butcher both the farmer and his family to make an example.

    I saw the same sort of thing happen in S.A., where this one campesino decided he wasn't going to grow coca anymore: the local enforcers promptly showed up, dragged him and his family out and forced them to kneel in front of their house, then went right down the row, from youngest to oldest. Pop, pop, pop, pop, pop.

    The term 'naive' doesn't even begin to describe your idea.

  • Re:Sure is... (Score:2, Interesting)

    by insufflate10mg ( 1711356 ) on Monday February 08, 2010 @12:49PM (#31061748)

    Damn straight it is.

    The 0day black market has been thriving for over a decade; I remember being 13-14 years old, spending every day and night reading and learning about computer security. It was a different world in hacking back then; the reason was that the lines between a secure system and an insecure system were more blurred. Most machines/networks one would target had a vulnerability that was exploitable; it was just a matter of spending enough days reading to discover it. It was an incredible time in the Internet's young life, but it is long gone. By the time I was 16 years old, I had joined my mentors in writing white papers relating to security, pen-testing, and trying to maintain integrity within the game. Technology moved faster than any of us had imagined, and we all moved on to our own specializations in computer science. Hacking was so open, so possible: it just took the right amount of knowledge to do it, and everyone who would do anything to not be a skiddie was busting their ass every day.

    We have moved on to different times. The line in the sand is so broad and sharp; you're either an advanced black hat, an advanced white hat, a script kiddie, or nothing. Although I miss the old days, it is nice to see how far computer security has come. I'm proud to say that I am a "newer old school" hacker because with that area of specialization comes a unique set of skills that new-age "hackers" don't have. There are still the real old school hackers though, and I can only imagine the nostalgia they feel every day and have been feeling for decades.

    Hacking is just not what it used to be, but this article (and the post I'm replying to) echoes the faint sounds of the old days when we used to discover 0days, share them with our friends, protect them honorably, use them when necessary, and end up selling them to their victims' companies to make the internet just a little bit safer.

  • Be careful. (Score:4, Interesting)

    by John Hasler ( 414242 ) on Monday February 08, 2010 @12:54PM (#31061824)

    > Besides companies potentially paying better, there's the added bonus of not
    > having to do something illegal, harmful and immoral...

    Be careful. If the company learns your identity during negotiations they might have you arrested for extortion.

  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday February 08, 2010 @01:01PM (#31061888)

    But if you are a black hat (or a government: same thing) you want exclusive ownership.

    :) And that is part of the problem when you choose to be one of the bad guys. You cannot trust the other bad guys to be honest in their deals.

    And that doesn't bother me. If anything, it should drive down the prices as none of the bad guys are going to invest a lot of money on something that they cannot be sure they have an exclusive option on.

  • by jollyreaper ( 513215 ) on Monday February 08, 2010 @01:25PM (#31062174)

    Toyota's gonna catch holy hell for the whole "car randomly becomes kamikaze" bug with the accelerator. There are regulations and laws about this sort of thing. If I run a slaughterhouse and knowingly ship bad meat, I could go to jail. This isn't home hobbyist shit anymore; computers are serious business and Microsoft is wearing the big boy pants. Lives are at stake over this sort of thing. Dissidents can be targeted and killed. And even if it's not political but just plain ol' computer crime, the losses can really add up.

    I'm not a fan of bogging the industry down with so much regulation that nobody can get anything done, but it's clear that businesses are, generally, not self-policing and concern for public welfare is not on the agenda. They will not consider it until compelled to by force of law. And to all the business apologists complaining about the stifling hand of government lying heavily upon the necks of business, just remember that there wouldn't be a call for regulation if there wasn't a need for regulation. If slaughterhouse owners applied the same standard to meat intended for public consumption that they would apply to meat intended for their own tables, Upton Sinclair wouldn't have had a novel and we wouldn't have had an FDA.
