New Site Aims To Be iTunes For Exploits
Trailrunner7 writes "It's been tried before, but NSS Labs founder Rick Moy says his company's new Exploit Hub — a storefront for exploit code — can work. In an interview, he explains why the current market for exploits doesn't work for the good guys, and why zero-day exploits don't help anyone. Above-board markets for software vulnerabilities have been around for close to a decade, but previous efforts to market exploits have had mixed results. The business of selling exploits versus vulnerabilities is fraught with danger, and organizations like WabiSabiLabi have operated eBay-style marketplaces for zero-day exploits for years, but haven't seen exploit writers beating a path to their door. The need for an above-board marketplace that can compete with the black market surely exists, but getting it to work is another matter entirely."
Moy didn't say "iTunes" (Score:5, Informative)
He compared his company to "Craigslist", not "iTunes".
I'm not sure that's the image you'd want to project for your company, but I'm not that guy.
Re: (Score:1, Offtopic)
Re: (Score:3, Informative)
There ain't no such thing as a free hooker
Re: (Score:2)
Re: (Score:2)
TANSTAAFH?
I dunno, it just doesn't have the same ring to it ...
Re: (Score:1, Funny)
If you have to bring rings into the discussion, it's not a hooker. Just sayin'...
Re: (Score:1)
What the hell (Score:2)
An "above-board" market for exploits?
Who exactly is planning on buying these things and NOT planning to do something illegal with them?
Re:What the hell (Score:5, Interesting)
RTFA. Or educate yourself generally on how the IT security industry operates. Either way works.
Re:What the hell (Score:5, Interesting)
The people who wrote the software in the first place. They want to produce software that isn’t buggy and exploitable, and the only way to find exploitable bugs is to be actively looking for them and to be good at exploiting them.
They need good software crackers (in both senses of the word: skilled and working for them) working on betas to find vulnerabilities in the software so that the vulnerabilities can be fixed before the alpha of the software is released.
Note that it specifically says that they won’t be dealing with 0-day exploits (critical exploits in existing, already-released software products). They want to find these before they release, and to do that, they have to hire crackers.
Re: (Score:1)
Re: (Score:2)
Erm, yeah, I meant the release version.
Re: (Score:1)
Re: (Score:2)
Oh, right - silly me, ethics no longer has anything to do with business decisions.
-- Barbie
Re: (Score:2)
Well... that depends on what the guy who found the exploitable bug is planning on doing with it if you don’t buy it...
(and if he’s threatening to sell it to highest bidder if you won’t buy it, that is blackmail/extortion, and quite illegal)
Re: (Score:1)
Companies who want to patch the holes in their software...but charging a company money for information you have on security holes in their software doesn't sound "above board" to me in the least.
Re:What the hell (Score:5, Insightful)
charging a company money for information you have on security holes in their software doesn't sound "above board" to me in the least.
And not earning anything for your work does? If I help you fix your broken program I'm within my rights to ask for compensation. Now, threatening to release and abuse it if you don't pay isn't so ethical.
Re: (Score:2)
So charging companies for security exploits found with your own labor is ok with Slashdot. Charging money for software you created 'with your own labor' is generally bad.
It seems that some ideals in the OSS community tend to be a bit conflicting/self-contradictory.
(note: I don't know what you personally think, I'm just using your post as a springboard :) )
Re:What the hell (Score:5, Informative)
Charging money for software you created 'with your own labor' is generally bad.
No. Open source doesn't mean free. It never did. RMS, the GPL, they all say that you can charge for your work. Do I really need to find the citation for this? Or are you just pulling my leg?
Re: (Score:3, Interesting)
Here's how I see it, it's like inspecting a dam (on your own time) and finding a crack. Now you could charge the dam company (haha) for the information you found - even though they didn't ask for it. If they were nice, fair people and you ask a fair price, they'd pay you, but they may decide not to (or you could be an asshole and ask way too much), they may say go screw yourself and not fix the crack. What then? Now you can either:
1. Give up the information anyways - the dam company will never pay you for a
Re: (Score:2)
That's kinda dumb.
For one thing, option 1 is no worse than if you had just given up the info in the first place, for free, and option 3 is only slightly worse in the short term and possibly better in the long term (it might teach them to pay up next time).
For another, you're ignoring the 4th option: tell everyone who will listen that you've found a crack in the dam, and would LOVE to show the dam engineers how to fix the dam thing, only they won't give you the dam money that you worked dam hard for. Publ
Re: (Score:2)
I dunno your option 3 and 4 both sound rather extortion-ey...
Re: (Score:2)
If I tell you that the brakes on your car are failing and it'll cost $300 to replace them, and you refuse to get the work done .... is it extortion when I go and tell other people that you're an idiot who is not only risking his own life, but also endangering others?
I know it's not a perfect analogy, but I really don't see why you'd consider one scenario to be extortion, and not the other.
Re: (Score:2)
The problem is that it's not like saying that the brakes on the car are failing and it'll cost $300 to replace them, it's like saying that something is wrong with your car and it'll cost $300 to tell you what it is and get it fixed.
Re: (Score:3, Interesting)
*shrug* I would have no problem with that. I don't see why you should get a free diagnostic out of the deal. Hell, unless you have your own ODBC reader, most mechanics will charge you $50 just for a basic readout. I bought the code reader because it pays for itself in the long run, but I see nothing wrong with mechanics wanting to get paid for the work they do.
Re: (Score:2)
So, what about consultation and inspection contractors? Why should their businesses exist? They're hired to find/solve problems in services or structures. Should 'Dam Inspectors Ltd' exist or should they do the work for free? If the Ltd. exists, do they now have a moral obligation, by the fact of their existence, to find and point out flaws in dams or are they morally sound by asking dam builders to hire them to find problems?
Yes they should exist. Dam Inspectors Ltd would have no moral obligation by the fact that they exist to perform inspections, and I would see no problem with them asking the dam builders to hire them to find problems.
Now, the model of going to a dam without a contract, finding flaws, then approaching the builder asking for money is more slippery, but I don't think it is as bad as it seems. The headlines if the dam broke in the meantime would be something like, "Person knew about flaw, didn't report it because he wanted money! Evil!" However, it could also read, "Dam contractor that specialized in inspections existed within 50 miles of the dam, but didn't do free inspections that could have saved lives!"
Why should the inspection company be obligated in any way to do free inspections? It's up to the dam company to take the initiative to get their work checked - it would be their fault for not doing this, nobody else's in any way.
I guess if these exploit companies simply only 'strongly implied' to the software producers that their services could be useful without actually admitting they found anything, it would be more like an inspection contractor and not as morally grey..
That would be a little better than scaring the company into paying
Re: (Score:2)
You're forgetting that the "innocent third parties" aren't at risk from the information on the crack but rather from the crack itself being there in the first place, and you not knowing about it won't make the crack on the dam magically disappear.
Re: (Score:1)
I can kind of see the justification. They're basically providing a service and charging a fee for it after the fact, a fee that you can even choose to ignore. "Hi, I made this suit specially tailored for you. If you don't want it, that's fine. If you want it, well here you go!"
However it does lay a pressure on the buyer to buy it, since otherwise others can choose to buy it and exploit it without the programmers knowing exactly what the exploit entails. That's somewhat alike to extortion.
I can see both side
Re: (Score:2, Interesting)
If, on the other hand, you tell the company that either they buy it or you will sell it to others, then that is extortion and is illegal. You do one or the other. There is no other side to the coin.
They are separate coins altogether.
Re: (Score:2)
Bad Analogy (Score:2)
Really, really awful analogy. I've already explained my viewpoint here:
http://slashdot.org/comments.pl?sid=1822976&cid=33911372 [slashdot.org]
Re: (Score:2)
"iTunes for exploits" doesn't sound illegal (Score:2)
(I didn't RTFA, but in this case, that probably helped.) I interpret "iTunes for exploits" as meaning that you go to the trouble to load up your computer with exploits, then you do a sync, and suddenly all of the exploits which you had loaded, but which didn't come from their "iTunes for exploits" are inexplicably missing. So as long as you install this "iTunes for exploits" software but don't ever use it for installing your malware, then occasional syncs can function as malware disinfectant. That doesn't
MetaSploit Framework anyone? (Score:1, Interesting)
I'm not all that familiar with the MetaSploit Framework (which has been bought out) but don't things like this already exist...except they're...you know...free!
Re: (Score:2)
And that's the problem. If an unscrupulous hacker finds a 0-day exploit, are they really more likely to give it away for free than to sell it to the highest bidder?
Similarly, even knowing that companies are willing to pay (rather than sue/prosecute/harass/whatever) may lead to more exploration of vulnerabilities, and that means more secure programs overall.
Sure, I'd love to see more hackers meeting the minimum ethical requirements to follow responsible disclosure, but there's still a black market for exploi
Re: (Score:2)
Re: (Score:1)
Ebay for exploits (Score:2, Interesting)
Re-packaging what is already free (Score:2)
iTunes for exploits? (Score:4, Funny)
So you're going to start out selling exploits for 99 cents? And then create a(n expensive) portable device that people can buy to run your exploits on? And then become the market leader? And then introduce new models of your hardware? And then create an "exploit" store SDK so people can sell their own exploits? And then submit to exploit creators' demands that the price be raised to $1.29? And then remove color from the user interface?
Not a bad idea at all (Score:2)
Seems like a nice easy way to make a bit of cash in your spare time without any particularly rare skills needed. Just find a vulnerability from CVE that doesn't have a corresponding Metasploit module, write a Metasploit module and put it up in Exploit Hub.
Since it's not a 0-day, there's nothing to be gained by getting an exclusive purchase so the prices will be reasonable. There's less risk of being sued too because it's not a 0-day; just a bit of code that you can use to test for an already disclosed vul