Cornering the Market On Zero-Day Exploits

Posted by Unknown Lamer
from the sell-out-or-get-the-hammer dept.
Nicola Hahn (1482985) writes: Kim Zetter of Wired Magazine has recently covered Dan Greer's keynote speech at Black Hat USA. In his lengthy address Greer, representing the CIA's venture funding arm, suggested that one way that the United States government could improve cyber security would be to use its unparalleled budget to buy up all the underground's zero-day vulnerabilities.

While this would no doubt make zero-day vendors like VUPEN and middlemen like the Grugq very wealthy, is this strategy really a good idea? Can the public really trust the NSA to do the right thing with all those zero-day exploits? Furthermore, recall the financial meltdown of 2008 where the public paid the bill for Wall Street's greed. If the government pays for information on all these unpatched bugs would society simply be socializing the cost of hi-tech's sloppy engineering? Whose interests does this "corner-the-market" approach actually serve?

  • Really? (Score:5, Insightful)

    by meerling (1487879) on Friday August 08, 2014 @11:42AM (#47631071)
    The answer is NO.
    If you don't know the question, it was, "Can the public really trust the NSA to do the right thing with all those zero-day exploits?"

    That's not speculation, that's based on what they are already known to have done with exploits they've discovered or otherwise obtained already.
    • by Taco Cowboy (5327) on Friday August 08, 2014 @11:48AM (#47631119)

      Zero-day bugs are bugs, and while we know bugs are inevitable (nobody is perfect), that does not mean that we should just throw up our hands and say "Oh, there is nothing we can do".

      We can!

      We can do something at the source level. At the very least we should be able, after so many years of programming culture, to inculcate the correct way in future crops of programmers so that they produce stuff that contains fewer bugs.

      Some of those bugs were actually added when the original program went through an update, with extra bells and whistles. If we can stick to the original Unix principle, in which one utility does one thing, and one thing only, and does it very efficiently, the chances of "introducing added bugs" would be drastically lessened.

      • You'll have to start at the language level. Trigraphs? WTF? En\
        d of line continuations absolutely anywhere?

        Protip: Languages that are a nightmare to lex, parse and implement have terrible security. You made your own bed, now die in it.
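Added example, not code from the thread or from any of its posters: a small Python lint that flags the two C lexing quirks this comment names, trigraphs and backslash-newline splicing, both of which can make a line of source disappear into the comment above it. The C fragment it scans is constructed for the example.

```python
"""Review-time lint for two C lexing quirks (added example, constructed).

In the C translation phases, trigraph replacement ('??/' becomes a
backslash) happens before backslash-newline splicing, which happens before
comments are removed.  So a '//' comment whose line ends in a backslash or
in '??/' silently swallows the next source line: a check that looks present
in review never compiles.  This lint flags both patterns; it is a reviewer's
aid, not a compiler.
"""
import re

# The nine ISO C trigraphs and what the preprocessor turns them into.
TRIGRAPHS = {"??=": "#", "??/": "\\", "??'": "^", "??(": "[", "??)": "]",
             "??!": "|", "??<": "{", "??>": "}", "??-": "~"}
TRIGRAPH_RE = re.compile(r"\?\?[=/'()!<>-]")


def find_trigraphs(src: str):
    """Return (line_no, trigraph, replacement) for every trigraph in src."""
    hits = []
    for n, line in enumerate(src.splitlines(), start=1):
        for m in TRIGRAPH_RE.finditer(line):
            hits.append((n, m.group(0), TRIGRAPHS[m.group(0)]))
    return hits


def find_comment_splices(src: str):
    """Return line numbers that a preceding '//' comment would swallow.

    A trailing backslash on a '#define' line is a normal continuation, so
    only lines carrying a '//' comment are flagged.  The '//' test is a
    plain substring check ('//' inside a string literal is a false
    positive), which is acceptable for a review-time lint.
    """
    swallowed = []
    for n, line in enumerate(src.splitlines(), start=1):
        body = line.rstrip()
        if "//" in body and (body.endswith("\\") or body.endswith("??/")):
            swallowed.append(n + 1)
    return swallowed


# Constructed C fragment: the CHECK and the 'ok = 1' line both vanish
# once trigraphs are replaced and lines are spliced.
SAMPLE_C = r"""#include <stdio.h>
#define CHECK(x) do { if (!(x)) return -1; } while (0)
int authorize(int uid) {
    int ok = 0;
    // only root may pass; see ticket ??/
    CHECK(uid == 0);
    // audit log goes here \
    ok = 1;
    return ok;
}
"""

if __name__ == "__main__":
    for n, tri, repl in find_trigraphs(SAMPLE_C):
        print(f"line {n}: trigraph {tri} becomes {repl!r}")
    for n in find_comment_splices(SAMPLE_C):
        print(f"line {n}: swallowed by the comment on line {n - 1}")
```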

    • Re:Really? (Score:4, Insightful)

      by Mr D from 63 (3395377) on Friday August 08, 2014 @11:59AM (#47631243)
      The government would get screwed in the deal. The most effective exploits would somehow be left out of the deal.
    • Can you trust anyone with a zero-day exploit?

      If you just tell the company and not anyone else, chances are they will thank you, or arrest you, then not put the time or money into fixing the problem.

      If you tell the public, or any other group, there will be some bad apples who will use the information for their own misdeeds.

      If you tell the government, they will use it to their advantage as well.

      > If you just tell the company and not anyone else, chances are they will thank you, or arrest you, then not put the time or money into fixing the problem.

        If you're fearful, and maybe in this case you're right to be, you can always anonymously report exploits to the company that released the software.
    • Just NO? I would have said HELL TO THE FUCK NO to that!

      Further to the problems pointed out in TFS, they would quickly drive up the price of vulnerabilities until the US government can't justify the cost, leaving them priced out of the means of garden-variety crooks but conveniently reserved for other very dangerous, high-profile buyers who may be interested.

    • Re:Really? (Score:4, Insightful)

      by GuB-42 (2483988) on Friday August 08, 2014 @12:29PM (#47631507)

      What's the difference between the NSA having 10 ways to hack into your computer vs having 100 ways?
      The NSA can do whatever it wants in both cases. Except in the second case, there'll be fewer exploits available to the much more dangerous blackhats.

      Why are blackhats more dangerous? Because the NSA will "just" invade your privacy. Blackhats will steal your identity, ransom your hard drive, use your computer as a spambot and turn over your private data to anyone with money (this includes the NSA).

      • by Anonymous Coward

        What the hell? I know no one reads the linked article, but doesn't the *submitter*, let alone anyone else, even read the *title* of the linked piece? I'll give you a hint:

        CIA Insider: U.S. Should Buy All Security Exploits, Then Disclose Them

        Also, for the record, his name is Dan Geer, not "Greer". Jeez, people.

      • by drinkypoo (153816)

        Why are blackhats more dangerous? Because the NSA will "just" invade your privacy. Blackhats will steal your identity, ransom your hard drive, use your computer as a spambot and turn over your private data to anyone with money (this includes the NSA).

        hahaha. You haven't been paying attention to the FBI creating terrorists or the various things the CIA has done over its lifetime at all, have you? Government agencies have done all kinds of fun things like that to people for all kinds of reasons.

    • by suutar (1860506)

      sadly true. Sadly because helping fix vulnerabilities is part of the NSA's job, and this would directly contribute to it. But they're in "best defense is a good offense" mode, so they'll sacrifice the defenses of their allies to keep from strengthening the defenses of their opponents.

    • We have a well-funded government agency, tasked with securing its country, actively sabotaging the security frameworks of the nation it has been tasked with protecting, in the name of "security". Never mind that any back door left open to the NSA is also left open to other parties (e.g., China). And now we're supposed to *trust* this agency with even more unfettered access to 0-day exploits?

      If the NSA was really about securing the United States, it would be auditing commercial security products to ensure the

    • That is sitting in the halls of Congress. [nytimes.com]

      The Secret Police don't need this kind of help.

  • by gstoddart (321705) on Friday August 08, 2014 @11:45AM (#47631101)

    Greer, representing the CIA's venture funding arm, suggested that one way that the United States government could improve cyber security would be to use its unparalleled budget to buy up all the underground's zero-day vulnerabilities

    This doesn't improve cyber security, it just guarantees the CIA et al have access to everything on the planet.

    This enhances their job security, and extends their ways and means ... but in no way does it make anybody else more secure.

    The venture funding arm of the CIA presenting at a black hat conference ... capitalism has truly met the surveillance state, and it isn't going to end well.

    • by Anonymous Coward

      Exactly, that's defining "security" as "pwning all computer based systems on the planet, all at once"

    • by dasacc22 (1830082)
      This is bullshit but I can't help but think "bug bounties" aren't proper capitalism since there's little competition. What if zero day exploits were part of an actual legit market? Google or Mozilla or Microsoft could go there and haggle and possibly drive initially high prices down, etc. Disclosure is considered a responsibility, and I'm all for that, but if there's going to be an underground market for it, then why not just legitimize and potentially mitigate risks instead of these pat-on-the-head-and-her
      • by raymorris (2726007) on Friday August 08, 2014 @12:52PM (#47631701)

        > can't help but think "bug bounties" aren't proper capitalism since there's little competition.

        I'm not sure quite what you mean here. Just the other day I looked over a list of bug bounty programs to see if it might make sense for me to analyze some of the software specifically for the purpose of collecting bounties. There were quite a few companies offering bounties, competing for my services analyzing their software. Based on what I saw, there is a reasonable amount of competition on that side, many buyers of bugs.

        One company I saw that has a bug bounty program sells software that I use on a daily basis and occasionally debug. I've sent them patches and suggestions before, outside of any bug-bounty program. Looking at the rewards offered, it seemed to me that it _might_ make sense for me to analyze certain software for security bugs. The price offered, based on the number of other programmers competing for the money, seemed just about right, maybe slightly low. On the other hand, the rewards are enough that it DEFINITELY makes sense for me to spend the time and hassle reporting bugs that I happen to notice while I'm using and configuring the software. So based on what I saw, there is enough competition on both sides to have prices tend toward reasonable numbers.

        I noticed that a lot of companies don't have bug-bounty programs yet, though many do. It reminds me of 15 years ago when a lot of sites had referral programs, but most did not. That changed when third parties including CCBill made it easy to add a referral program. I suspect many more companies will add bug-bounty programs when they don't have to develop and manage the system themselves. If they can just buy or subscribe to an easy-to-use software package for running it, and maybe let the third party vendor handle payments, it will become much more common.

  • by frovingslosh (582462) on Friday August 08, 2014 @11:46AM (#47631107)

    This is a typical great government idea. The really great thing about the idea is that once you deal with a zero-day vendor and buy a vulnerability, giving them a lot of money in the process, you can rest assured that they would never sell the same vulnerability to anyone else. 'cause that would be wrong.

    • paraphrase: they will sell us the exploits we use to spy on them.
    • How about instead of paying them to turn the exploits over to the CIA, we pay them to publish them publicly? Then the developers can see them and patch the vulnerability.

    • Typical CIA front story. This isn't something they *could* do, it's something they don't need to do because they've already gained access to the servers distributing the zero days. But by announcing a plan to go through the front door, they're hoping the miscreants won't realize they already broke in through the window out back.

    • Or redouble their efforts to find/create as many more exploits as possible to capitalize on the guaranteed market created by the government......

  • by Anonymous Coward

    Wouldn't be so bad if the US gov wasn't just trying to HOARD all the zero-day exploits. This is an issue, because instead of figuring out the exploits and then making the systems *more secure* from those kinds of unknown vulnerabilities, we've seen how the NSA actively goes out and EXPLOITS these vulnerabilities regardless of whether they are a foreign agent or a citizen of the US.

  • by petes_PoV (912422) on Friday August 08, 2014 @11:58AM (#47631235)
    If a new buyer comes into the market - a buyer with lots of money, then all that happens is that the price goes up. It's simple economics and we see this happening in every market: from commodities to TV programmes.

    If the price becomes high enough, new exploiters will enter the market and start discovering exploits, in competition with the original suppliers. Then the NSA would have to start dealing with those guys, too. And so the circle would keep going round: more money, new exploit finders, asking higher prices.

    If the NSA wants to improve security, they would set up their own zero-day exploiters to not only find, but to fix security holes and then issue those fixes for free (or use the exploits to force fixes on the exploited software). They might also ask for new laws that would require software vendors to pay them for fixing these problems. However, it's by no means certain that this would be their intention. They may simply be collecting hacks for their own nefarious purposes.

    After all, we haven't seen a government agency buying up all the drugs, in order to stop them being supplied to the population - so why would they use that tactic here?

    • by Geoffrey.landis (926948) on Friday August 08, 2014 @12:17PM (#47631417)

      If a new buyer comes into the market - a buyer with lots of money, then all that happens is that the price goes up. It's simple economics

      Well, yes, but that's exactly what was desired:
      You want the price to go up, so that it's more valuable to disclose the bug than it is for some thief to exploit it.

      If the price becomes high enough, new exploiters will enter the market and start discovering exploits

      Exactly. You mine out the easy-to-find exploits until they are depleted, and start in on the harder-to-find bugs, so that you get to the point where amateur hackers simply aren't sophisticated enough to find them.

      ... After all, we haven't seen a government agency buying up all the drugs, in order to stop them being supplied to the population

      Well, of course you can always manufacture more drugs; you don't "find" them. They don't get harder to make as the market increases.

      If the objection here is "software companies will start deliberately introducing vulnerabilities, so that they can make money by selling the vulnerabilities to the government"-- yes, that might be an objection.

      • by petes_PoV (912422)

        Exactly. You mine out the easy-to-find exploits until they are depleted

        Which assumes there are a finite (and small) number of bugs - even zero-day exploits. I think we can safely say that's not the case.

        As the "incentives" for finding new 0-day exploits grows, then more people will have a reason to start looking for them. If the government then buys up the "popular" ones, everyone who's running non-mainstream software will suddenly find they are being hacked. Whereas previously the 0-day exploiters would just have gone for the low-hanging fruit, now they'll be going higher up

      • by drinkypoo (153816)

        If the objection here is "software companies will start deliberately introducing vulnerabilities, so that they can make money by selling the vulnerabilities to the government"-- yes, that might be an objection.

        Fraud is a felony and you don't want to end up in federal PMITA prison. The only real kernel of objection here is that it produces a new means for pork production.

    • There's also the difficulty of what counts as 'a zero day' for purchasing purposes. An unpatched exploit in any software? Do I need X thousand installs? Are just five enough, if they are paying a lot for it? How do we tally users of other things that are indirectly related to the issue?

      People buying them to weaponize them have a fairly straightforward set of incentives(which may vary depending on what they are looking to access, whether they are after money or information, and so on). People looking to b
  • So many problems (Score:5, Insightful)

    by sideslash (1865434) on Friday August 08, 2014 @12:10PM (#47631345)
    1. Exploit sellers will turn around and secretly sell the same goods to other parties regardless of any agreement they signed with the US government.

    2. This will inflate the sale price and create perverse incentives to inject defects to "discover" and sell them later.

    3. The government is really bad at pretty much everything it does. Some of it is necessary stuff so we tolerate it, but c'mon, this isn't!

    4. Everybody is mad at the NSA for its misbehavior and spying on Americans/the world right now -- is this really the best time to remind people that the US government wants to collect tools to hack everybody?
  • by sasparillascott (1267058) on Friday August 08, 2014 @12:18PM (#47631423)
    I think the point of the speaker was to create a siloed, verifiable way to do this (so things couldn't be siphoned off to the NSA like they currently are, as those costs are a rounding error for the NSA). I like the idea if it's implemented properly; currently we have the NSA & foreign intelligence agencies being the big buyers, keepers and exploiters. JMHO...
  • by eulernet (1132389) on Friday August 08, 2014 @12:31PM (#47631521)

    One way that the United States government could improve cyber security would be to use its unparalleled budget to buy up all the underground's zero-day vulnerabilities.

    In my opinion, NSA already buys all existing exploits (as all other secret services), because these are military weapons for the Cyberwar.
    An expensive exploit is nothing for their budget.

    Why would they be required to share these exploits?
    Any weapon that the enemy doesn't have is a strategic advantage!

  • The Fundamental Flaw (Score:2, Interesting)

    by Anonymous Coward

    The fundamental flaw with this idea is that it assumes there is a finite supply of these 0 day exploits. Even if you think that you can trust who ever we would be buying it from to not sell it to anyone else and that no one else would discover the same exploit you still don't gain anything because you can never buy up all the exploits possible. Creating a stronger market for those exploits will just ensure that more people are looking for and finding them and you have to continue buying them or they'll hit

  • by davidwr (791652) on Friday August 08, 2014 @01:03PM (#47631815)

    ... of the Dane." -Rudyard Kipling

    Rudyard Kipling, Dane-Geld, A.D. 980-1016 [poetryloverspage.com]

    It is always a temptation to an armed and agile nation
        To call upon a neighbour and to say: --
    "We invaded you last night--we are quite prepared to fight,
        Unless you pay us cash to go away."

    And that is called asking for Dane-geld,
        And the people who ask it explain
    That you've only to pay 'em the Dane-geld
        And then you'll get rid of the Dane!

    It is always a temptation for a rich and lazy nation,
        To puff and look important and to say: --
    "Though we know we should defeat you, we have not the time to meet you.
        We will therefore pay you cash to go away."

    And that is called paying the Dane-geld;
        But we've proved it again and again,
    That if once you have paid him the Dane-geld
        You never get rid of the Dane.

    It is wrong to put temptation in the path of any nation,
        For fear they should succumb and go astray;
    So when you are requested to pay up or be molested,
        You will find it better policy to say: --

    "We never pay any-one Dane-geld,
        No matter how trifling the cost;
    For the end of that game is oppression and shame,
        And the nation that pays it is lost!"

  • How about instead (Score:2, Insightful)

    by Anonymous Coward

    How about governments instead issuing fines to software companies for every security vulnerability found? Perhaps the fines might be calculated based on the number of copies of the software sold, with a set minimum amount. Fines could increase the longer the vulnerability remains unpatched. The revenue raised by these fines could then pay for more education and tools for ensuring better software security, and for security researchers.

  • I hope this is implemented. Then I'll just code myself up a minivan: http://dilbert.com/strips/comi... [dilbert.com]
  • Do you really think the CIA (or some other group) doesn't already do this? $10000 for an exploit to use against an enemy (or friend?) of the government... I doubt they even flinch when making a decision to buy something like that (disguising their identity of course). They wouldn't advertise such behavior and surely it would be protected from most of the government knowing about it because of the sensitive nature of it. We just wouldn't ever know such things.
  • Anything that inflates the exploit/vuln marketplace just hurts us all. We can fight hackers. We can even fight governments. But we can't fight economics. If economics strongly encourage the discovery and secret utilization of exploits, we are all doomed. A few may experience a short-term benefit from a booming market in exploits and vulnerabilities, but the consequences of that marketplace will harm all the rest of us. The only sane behavior is to do everything we can to depress the market for vulnerability and
  • First: In-Q-Tel is the venture capital arm of all of the U.S. intelligence services, including DHS, FBI, etc; not just CIA. DHS, for example, will be blamed for any big security disaster; you should not presume that the motives of the agencies are uniform. Nor is all of what those agencies do bad.... It's the pervasive surveillance we *must* stop, and compromising our security standards. See: https://www.iqt.org/about-iqt/ for In-Q-Tel rather than the Wikipedia entry for Dan.

    Second: Dan has never taken a
