Cornering the Market On Zero-Day Exploits
Nicola Hahn (1482985) writes Kim Zetter of Wired Magazine has recently covered Dan Greer's keynote speech at Black Hat USA. In his lengthy address Greer, representing the CIA's venture funding arm, suggested that one way that the United States government could improve cyber security would be to use its unparalleled budget to buy up all the underground's zero-day vulnerabilities.
While this would no doubt make zero-day vendors like VUPEN and middlemen like the Grugq very wealthy, is this strategy really a good idea? Can the public really trust the NSA to do the right thing with all those zero-day exploits? Furthermore, recall the financial meltdown of 2008 where the public paid the bill for Wall Street's greed. If the government pays for information on all these unpatched bugs would society simply be socializing the cost of hi-tech's sloppy engineering? Whose interests does this "corner-the-market" approach actually serve?
Really? (Score:5, Insightful)
If you don't know the question, it was, "Can the public really trust the NSA to do the right thing with all those zero-day exploits?"
That's not speculation, that's based on what they are already known to have done with exploits they've discovered or otherwise obtained already.
The answer is to lessen the bugs at the source (Score:4, Interesting)
The zero-day bugs are bugs; while we know bugs are inevitable (nobody is perfect), that does not mean we should just throw up our hands and say "Oh, there is nothing we can do."
We can!
We can do something at the source level. At the very least we should be able, after so many years of programming culture, to inculcate the correct way into future crops of programmers so that they produce stuff that contains fewer bugs.
Some of those bugs were actually added when the original program went through an update, with extra bells and whistles. If we can stick to the original Unix principle, in which one utility does one thing, and one thing only, and does it very efficiently, the chances of "introducing added bugs" would be drastically lessened.
HIS NAME IS "GEER" NOT "GREER" (Score:3)
He's wicked smart, and has blind spots the size of a subcontinent.
One of which is this: He works for the Gestapo, and thinks they're the "good guys". Reminder to smart guys from the best Universities: The Secret Police are the problem, not a solution. If you want examples of where the CIA bought up all the issues and made them "assets" look at the Afghan Mujaheddin. The CIA equipped them with organizational database technology that quickly produced an "Al Qaeda" as one of its effects.
Bruce Schneier could h
Re: (Score:2)
You'll have to start at the language level. Trigraphs? WTF? En\
d of line continuations absolutely anywhere?
Protip: Languages that are a nightmare to lex, parse and implement have terrible security. You made your own bed, now die in it.
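The line-continuation hazard the comment above is pointing at, as an added example that is not code from the thread or from any poster: in C, a backslash at the end of a physical line is spliced away (translation phase 2) before comments are recognized (phase 3), so a `//` comment ending in a backslash swallows the following line. The function names, the bounds check and the embedded source sample are constructed for illustration, not taken from any project.

```c
#include <stdio.h>
#include <string.h>

/* The trailing backslash on the comment line joins the next physical line
 * into the comment, so the bounds check is silently removed. */
int index_unchecked(int idx, int len) {
    // reject out-of-range indexes \
    if (idx < 0 || idx >= len) return -1;
    return idx;  /* reached even for idx >= len: the check was commented out */
}

/* Same function with the backslash removed: the check is live. */
int index_checked(int idx, int len) {
    // reject out-of-range indexes
    if (idx < 0 || idx >= len) return -1;
    return idx;
}

/* Minimal review check: count physical lines that contain a "//" comment
 * and whose last character is a backslash. Only a literal backslash as the
 * final character splices in standard C, so trailing whitespace after it
 * is not counted. (gcc/clang -Wcomment reports the same situation.) */
int count_spliced_line_comments(const char *src) {
    int count = 0;
    const char *line = src;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        int has_line_comment = 0;
        for (size_t i = 0; i + 1 < len; i++) {
            if (line[i] == '/' && line[i + 1] == '/') { has_line_comment = 1; break; }
        }
        if (has_line_comment && len > 0 && line[len - 1] == '\\') count++;
        if (!nl) break;
        line = nl + 1;
    }
    return count;
}

/* Constructed sample source (not from any real project): one spliced comment. */
static const char SAMPLE_SOURCE[] =
    "int f(int i, int n) {\n"
    "    // check bounds \\\n"
    "    if (i < 0 || i >= n) return -1;\n"
    "    return i; // fine\n"
    "}\n";

int main(void) {
    printf("unchecked(10, 5) = %d\n", index_unchecked(10, 5)); /* 10: check skipped */
    printf("checked(10, 5)   = %d\n", index_checked(10, 5));   /* -1: check ran */
    printf("spliced comments in sample: %d\n",
           count_spliced_line_comments(SAMPLE_SOURCE));       /* 1 */
    return 0;
}
```

The scanner is a review aid, not a replacement for the compiler warning; the point is that the swallowed line is valid, well-indented C that a reader will assume executes.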
Re:Really? (Score:4, Insightful)
Re:Really? (Score:5, Insightful)
Worse. The proposed program would encourage the software vendors to deliberately place bugs into their code — so as to sell them to government later. It would not even be illegal for them to do so, it seems, not under the current laws [acm.org].
Re: (Score:3)
Can you trust anyone with a zero-day exploit?
If you just tell the company and not anyone else, chances are they will thank you, or arrest you, then not put the time or money into fixing the problem.
If you tell the public, or any other group, there will be some bad apples who will use the information for their own misdeeds.
If you tell the government, they will use it to their advantage as well.
Re: (Score:2)
If you're fearful, and maybe in this case you're right to be, you can always anonymously report exploits to the company that released the software.
Re: (Score:2)
Just NO? I would have said HELL TO THE FUCK NO to that!
Furthermore to the problems pointed out in TFS, they would quickly drive up the price of vulnerabilities until the US government can't justify the cost, leaving them priced out of the means of garden-variety crooks but conveniently reserved for other very dangerous, high-profile buyers who may be interested.
Re:Really? (Score:4, Insightful)
What's the difference between the NSA having 10 ways to hack into your computer vs having 100 ways ?
The NSA can do whatever it wants in both cases. Except in the second case, there'll be fewer exploits available to the much more dangerous blackhats.
Why are blackhats more dangerous? Because the NSA will "just" invade your privacy. Blackhats will steal your identity, ransom your hard drive, use your computer as a spambot and turn over your private data to anyone with money (this includes the NSA).
Re: (Score:1)
What the hell? I know no one reads the linked article, but doesn't the *submitter*, let alone anyone else, even read the *title* of the linked piece? I'll give you a hint:
CIA Insider: U.S. Should Buy All Security Exploits, Then Disclose Them
Also, for the record, his name is Dan Geer, not "Greer". Jeez, people.
Re: (Score:2)
Why are blackhats more dangerous? Because the NSA will "just" invade your privacy. Blackhats will steal your identity, ransom your hard drive, use your computer as a spambot and turn over your private data to anyone with money (this includes the NSA).
hahaha. You haven't been paying attention to the FBI creating terrorists or the various things the CIA has done over its lifetime at all, have you? Government agencies have done all kinds of fun things like that to people for all kinds of reasons.
Re: (Score:2)
sadly true. Sadly because helping fix vulnerabilities is part of the NSA's job, and this would directly contribute to it. But they're in "best defense is a good offense" mode, so they'll sacrifice the defenses of their allies to keep from strengthening the defenses of their opponents.
Proven to not be trustworthy (Score:3)
We have a well-funded government agency, tasked with securing its country, actively sabotaging the security frameworks of the nation it has been tasked with protecting, in the name of "security". Never mind that any back door left open to the NSA is also left open to other parties (e.g. China). And now we're supposed to *trust* this agency with even more unfettered access to 0-day exploits?
If the NSA was really about securing the United States, it would be auditing commercial security products to ensure the
ARM THE CIA IN CYBERWAR AGAINST US ENEMY (Score:2)
That is sitting in the halls of Congress. [nytimes.com]
The Secret Police don't need this kind of help.
*cough* BULLSHIT *cough* (Score:5, Insightful)
This doesn't improve cyber security, it just guarantees the CIA et al have access to everything on the planet.
This enhances their job security, and extends their ways and means ... but in no way does it make anybody else more secure.
The venture funding arm of the CIA presenting at a black hat conference ... capitalism has truly met the surveillance state, and it isn't going to end well.
Re: (Score:1)
Exactly, that's defining "security" as "pwning all computer based systems on the planet, all at once"
Re: (Score:1)
? Plenty of competition when I looked (Score:4, Interesting)
> can't help but think "bug bounties" aren't proper capitalism since there's little competition.
I'm not sure quite what you mean here. Just the other day I looked over a list of bug bounty programs to see if it might make sense for me to analyze some of the software specifically for the purpose of collecting bounties. There were quite a few companies offering bounties, competing for my services analyzing their software. Based on what I saw, there is a reasonable amount of competition on that side, many buyers of bugs.
One company I saw that has a bug bounty program sells software that I use on a daily basis and occasionally debug. I've sent them patches and suggestions before, outside of any bug-bounty program. Looking at the rewards offered, it seemed to me that it _might_ make sense for me to analyze certain software for security bugs. The price offered, based on the number of other programmers competing for the money, seemed just about right, maybe slightly low. On the other hand, the rewards are enough that it DEFINITELY makes sense for me to spend the time and hassle reporting bugs that I happen to notice while I'm using and configuring the software. So based on what I saw, there is enough competition on both sides to have prices tend toward reasonable numbers.
I noticed that a lot of companies don't have bug-bounty programs yet, though many do. It reminds me of 15 years ago when a lot of sites had referral programs, but most did not. That changed when third parties including CCBill made it easy to add a referral program. I suspect many more companies will add bug-bounty programs when they don't have to develop and manage the system themselves. If they can just buy or subscribe to an easy-to-use software package for running it, and maybe let the third party vendor handle payments, it will become much more common.
technical side, security and incident response (Score:2)
I'm on the technical side. Marketing and especially advertising annoys me greatly. My experience is primarily in prevention and incident response for web server security. So finding and eliminating potential risks. "Security researcher" might imply actually developing specific exploits, whereas I'd sanitize and bind all input, not often spending time developing a specific injection string.
I've tried to get a breadth of relevant experience, though. My time working as a locksmith informs my info sec wo
no, apk. Have you not read any of my posts? (Score:2)
Have you not read any of my posts you've replied to?
My company does no advertising whatsoever. Since 1997, we've had all the work we can handle.
yeah I'm the CEO of Microsoft too, spammer (Score:2)
Yeah, sure I'm the CTO of Clickbank. I'm all 296 people on LinkedIn named Ray Morris.
https://www.linkedin.com/vsear... [linkedin.com]
Just like I'm also the CEO of Microsoft, and the president of the United States.
If you'd read half of my posts that you replied to, you'd know exactly who I am. I talk about my work all the damn time on Slashdot.
How about you. We know who you are. You post unwanted promotional messages. Unwanted promotional messages are spam. You are therefore a spammer. Advertisers are annoying, but p
Typical great government idea (Score:5, Insightful)
This is a typical great government idea. The really great thing about the idea is that once you deal with a zero-day vendor and buy a vulnerability, giving them a lot of money in the process, you can rest assured that they would never sell the same vulnerability to anyone else. 'cause that would be wrong.
Re: (Score:2)
Re: (Score:2)
How about instead of paying them to turn the exploits over to the CIA, we pay them to publish them publicly? Then the developers can see them and patch the vulnerability.
Re: (Score:2)
Typical CIA Front story. This isn't something they *could* do, its something they don't need to do because they've already gained access to the servers distributing the zero days. But by announcing a plan to go through the front door, they're hoping the miscreants wont realize they already broke in through the window out back.
Re: (Score:1)
Or redouble their efforts to find/create as many more exploits as possible to capitalize on the guaranteed market created by the government......
NOPE (Score:1)
Wouldn't be so bad if the US gov wasn't just trying to HOARD all the zero-day exploits. This is an issue, because instead of figuring the exploits and then making the systems *more secure* from those kinds of unknown vulnerabilities, we've seen how the NSA actively goes out and EXPLOITS these vulnerabilities regardless of whether they are a foreign agent or a citizen of the US..
More money just increases the price (Score:4, Interesting)
If the price becomes high enough, new exploiters will enter the market and start discovering exploits, in competition with the original suppliers. Then the NSA would have to start dealing with those guys, too. And so the circle would keep going round: more money, new exploit finders, asking higher prices.
If the NSA wants to improve security, they would set up their own zero-day exploiters to not only find, but to fix security holes and then issue those fixes for free (or use the exploits to force fixes on the exploited software). They might also ask for new laws that would require software vendors to pay them for fixing these problems. However, it's by no means certain that this would be their intention. They may simply be collecting hacks for their own nefarious purposes.
After all, we haven't seen a government agency buying up all the drugs, in order to stop them being supplied to the population - so why would they use that tactic here?
Re:More money just increases the price (Score:4, Interesting)
If a new buyer comes into the market - a buyer with lots of money, then all that happens is that the price goes up. It's simple economics.
Well, yes, but that's exactly what was desired:
You want the price to go up, so that it's more valuable to disclose the bug than it is for some thief to exploit it.
If the price becomes high enough, new exploiters will enter the market and start discovering exploits
Exactly. You mine out the easy-to-find exploits until they are depleted, and start in on the harder-to-find bugs, so that you get to the point where amateur hackers simply aren't sophisticated enough to find them.
... After all, we haven't seen a government agency buying up all the drugs, in order to stop them being supplied to the population
Well, of course you can always manufacture more drugs; you don't "find" them. They don't get harder to make as the market increases.
If the objection here is "software companies will start deliberately introducing vulnerabilities, so that they can make money by selling the vulnerabilities to the government"-- yes, that might be an objection.
Re: (Score:2)
Exactly. You mine out the easy-to-find exploits until they are depleted
Which assumes there are a finite (and small) number of bugs - even zero-day exploits. I think we can safely say that's not the case.
As the "incentives" for finding new 0-day exploits grows, then more people will have a reason to start looking for them. If the government then buys up the "popular" ones, everyone who's running non-mainstream software will suddenly find they are being hacked. Whereas previously the 0-day exploiters would just have gone for the low-hanging fruit, now they'll be going higher up
Re: (Score:2)
If the objection here is "software companies will start deliberately introducing vulnerabilities, so that they can make money by selling the vulnerabilities to the government"-- yes, that might be an objection.
Fraud is a felony and you don't want to end up in federal PMITA prison. The only real kernel of objection here is that it produces a new means for pork production.
Re: (Score:2)
People buying them to weaponize them have a fairly straightforward set of incentives(which may vary depending on what they are looking to access, whether they are after money or information, and so on). People looking to b
So many problems (Score:5, Insightful)
2. This will inflate the sale price and create perverse incentives to inject defects to "discover" and sell them later.
3. The government is really bad at pretty much everything it does. Some of it is necessary stuff so we tolerate it, but c'mon, this isn't!
4. Everybody is mad at the NSA for its misbehavior and spying on Americans/the world right now -- is this really the best time to remind people that the US government wants to collect tools to hack everybody?
Re: (Score:2)
Re:They'll do the right thing (Score:4, Insightful)
Nah. The CIA spies overseas. The FBI spies domestically. The NSA does both. Then they all hand their analyses to DHS overlords to put us on watch lists for further Fourth Amendment violations with no actual evidence of anything.
Re: (Score:2)
That was a specific case in which the CIA was trying to protect itself from a specific investigation into their other illegal activities. In general the CIA does not spy on US citizens because there are other agencies already doing that.
The NSA etc. already are buying exploits (Score:3)
NSA already buys everything ! (Score:3)
One way that the United States government could improve cyber security would be to use its unparalleled budget to buy up all the underground's zero-day vulnerabilities.
In my opinion, NSA already buys all existing exploits (as all other secret services), because these are military weapons for the Cyberwar.
An expensive exploit is nothing for their budget.
Why would they be required to share these exploits ?
Any weapon that the enemy doesn't have is a strategic advantage !
Re: (Score:2)
Not just your opinion, and everyone can calm down, they've been doing it for a while -> http://www.scmagazine.com/nsa-... [scmagazine.com]
The Fundamental Flaw (Score:2, Interesting)
The fundamental flaw with this idea is that it assumes there is a finite supply of these 0 day exploits. Even if you think that you can trust who ever we would be buying it from to not sell it to anyone else and that no one else would discover the same exploit you still don't gain anything because you can never buy up all the exploits possible. Creating a stronger market for those exploits will just ensure that more people are looking for and finding them and you have to continue buying them or they'll hit
"Once you pay the Dane-geld, you never get rid ... (Score:3, Interesting)
... of the Dane." -Rudyard Kipling
Rudyard Kipling, Dane-Geld, A.D. 980-1016 [poetryloverspage.com]
It is always a temptation to an armed and agile nation
To call upon a neighbour and to say: --
"We invaded you last night--we are quite prepared to fight,
Unless you pay us cash to go away."
And that is called asking for Dane-geld,
And the people who ask it explain
That you've only to pay 'em the Dane-geld
And then you'll get rid of the Dane!
It is always a temptation for a rich and lazy nation,
To puff and look important and to say: --
"Though we know we should defeat you, we have not the time to meet you.
We will therefore pay you cash to go away."
And that is called paying the Dane-geld;
But we've proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.
It is wrong to put temptation in the path of any nation,
For fear they should succumb and go astray;
So when you are requested to pay up or be molested,
You will find it better policy to say: --
"We never pay any-one Dane-geld,
No matter how trifling the cost;
For the end of that game is oppression and shame,
And the nation that pays it is lost!"
Let's create bugs and get paid for fixing them (Score:2)
How about instead (Score:2, Insightful)
How about instead governments issue fines to software companies for every security vulnerability found. Perhaps the fines might be calculated based on the number of copies of the software sold, with a set minimum amount. Fines could increase the longer the vulnerability remains unpatched. The revenue raised by these fines could then pay for more education and tools for ensuring better software security, and for security researchers.
code myself a minivan (Score:1)
Already being done I suspect... (Score:2)
Re: (Score:2)
I don't suspect. I know. [theatlantic.com]
This is because: I read.
Inflating the Exploit marketplace hurts us all. (Score:2)
Re: (Score:2)
If you have a hole in the side of your bank, you don't fight the thieves forever, you fix the fucking hole in your bank.
You've made some terrible assessments of reality. You can't even see the holes anymore. [bell-labs.com]
"Fight this", "fight that", you're a shadowboxing fool.
Dan Geer is a founder of computer security. (Score:2)
First: In-Q-Tel is the venture capital arm of all of the U.S. intelligence services, including DHS, FBI, etc; not just CIA. DHS, for example, will be blamed for any big security disaster; you should not presume that the motives of the agencies are uniform. Nor is all of what those agencies do bad.... It's the pervasive surveillance we *must* stop, and compromising our security standards. See: https://www.iqt.org/about-iqt/ for In-Q-Tel rather than the Wikipedia entry for Dan.
Second: Dan has never taken a
Re: (Score:2)
"One of us"
Speak for yourself. I haven't been compromised.