An eBay For Hackers

cyberdelicat writes to let us know about a Swiss security firm called WabiSabiLabi that is causing waves with its open auction for zero-day security vulnerabilities. While WSLabi claims they will thoroughly vet both buyers and sellers of vulnerabilities, many researchers are skeptical about how effectively they can do this. The Washington Post article mentions the guy who almost opened a similar auction site several years back, to be called Zero-Bay, but pulled the plug at the last minute. SearchSecutiry notes that some security researchers are now referring to WSLabi as "zerobay" as they undermine the auction site by reproducing and publishing vulnerabilities as soon as they appear for sale.

How about an Ebay for Dupes?

[Anonymous Coward]

http://it.slashdot.org/article.pl?sid=07/07/06/014 4234 [slashdot.org]

Re:

[x_MeRLiN_x]

The last time this was posted the site actually worked. Now when you click on an auction you get a 404.

Re:

[Meski]

Should have read "Site withdrawn by ZeroBay"

Re:

[billcopc]

Hey there sonny, when you're as old as I am (27), and you find that your brain forgets stuff because it's so full of techno bullshit, you too will appreciate the weekly re-runs :)

Re:

[larry bagina]

as if the fact that it's a dupe wasn't proof enough.

Re:

[tutwabee]

No, that just means it's either Slashdot or Digg.

All kinds of new auction sites

[Anonymous Coward]

What do you guys think of this one http://www.swarmbuy.com/ [swarmbuy.com]

Re:

[Deathanatos]

And I thought that "WabiSabiLabi" was a fairly memorable name. Oh well.

YAD

[m0nkyman]

Yet Another Dupe.

Re:

[Frosty Piss]

It's a Slashdot vulnerability. Wonder what it's worth?

WAD

[Zedrick]

Working As Designed. This is Slashdot.

So what happens when...

[Mr EdgEy]

A sold vulnerability ends up being used against the site?

Hmm

[UncleWilly]

Only 4 Items for sale...and 550 euro for the Linux Kernel memory leak sounds fishy with only 1 bid

What's next?

[Citius]

If they're auctioning off vulnerabilities... and someone that we'd prefer to not know about them knows... who's at fault?

Re:

[Antique Geekmeister]

While that's a concern, there is a fairly serious underground already in selling such vulnerabilities. Both script kiddies exchanging cheap tools, and serious crackers using, selling, and giving away tools to "trusted friends" have been in play for decades. And far, far too many vulnerabilities are unpublished by security groups, "because the vendor hasn't given permission an not yet provided a fix".

CERT is sitting on at least a few vulnerabilities, and has been doing so for at least 5 years on some of them

Re:

[Citius]

Point taken. However, correct me if I'm wrong - script kiddies and their cheap tools tend to be more obsolete than the serious crackers...

Isn't part of computer security security through obscurity?

Re:

[Antique Geekmeister]

Well, yes. "Tend to be more obsolete" is reassuring, until you realize that these crackers don't much recognize verbal agreements not to publish to other crackers, and both share with each other and steal from each other on a regular basis. So the rawest script kiddies receive infusions of the latest tools on a surprisingly frequent basis. The result is that the security through obscurity of keeping things unpublished becomes insecurity for most casual users.

Re:

[Lars T.]

http://www.networkworld.com/news/2007/070907-aver a ge-zero-day-bug-has-348-day.html [networkworld.com]

Immunity, which buys but does not disclose zero-day bugs, keeps tabs on how long the bugs it buys last before they are made public or patched. While the average bug has a lifespan of 348 days, the shortest-lived bugs are made public in 99 days. Those with the longest lifespan remain undetected for 1,080 days, or nearly three years, Aitel said.

Wow.

[spazmonkey]

This whole idea is wrapped in so many layers of stupid I can't wrap my brain around it.

  Problem is, like many functional solutions in this world, it may be just stupid enough actually work.

Re:

[null.account]

This whole idea is wrapped in so many layers of stupid I can't wrap my brain around it.

I guess that makes you pretty stupid, then, eh ?

Sounds dumb

[cdrguru]

How does someone selling something illegal get paid? If I open an auction site for heroin it would be greeted with great fanfare, even by the law enforcement community. Because they could just arrest the "winners" (actually losers). Sounds like a real money-maker for about 30 seconds.

OK, so there is an open auction for a remote exploit for Yahoo Messenger. So if I wanted to steal bank account information from lots of Yahoo Messenger users, this would be a good start. The minimum bid is 2000 Euro, which

Re:Sounds dumb

[Nazlfrag]

There is nothing I can think of that is illegal about not immediately disclosing any security vulnerability a professional researcher or basement dwelling hacker stumbles across. There is also nothing illegal about providing exploit riddled software according to licenses I've read. What is illegal is robbing peoples bank accounts. I'm fairly sure that these guys aren't planning to keep the best hacks undisclosed while they rob banks (though it would be an interesting twist). I'm fairly sure they will be able to track the dissemination of these exploits far better than the existing markets.

Researching security holes should be a legitimate and profitable R&D investment, and should be done in an up front manner such as this rather than via the black market where your dire vision already thrives.

Well it depends

[Sycraft-fu]

Quite often, it is illegal to sell someone something if you should reasonably know they are planning on using it for an illegal purpose. As a simple example, a gun dealer in in a world of shit if someone comes in and says "I need a gun so I can go kill my wife, what do you have for me?" Basically, you are an accessory to a crime if you have or should reasonably have knowledge that a crime is going to be committed and you provide support, material or otherwise, for the commission of the crime. So while not disclosing a venerability is legal, selling it to someone that you have a good idea is going to use it for criminal means is illegal. The ignorance defense only goes so far, while being an accessory requires knowledge of the crime (you can't be charges for letting someone in a house if you legitimately believed they should be there, for example) it doesn't require that it was spelled out for you. If there was enough evidence that you should have known what was happening and were just being willfully ignorant, that doesn't cut it, especially if there was profit involved.

There are additional problem when you start dealing with certain classes of items. If something has substantial legal uses you are on much more solid ground. To use the gun example again, guns are widely used for hunting, target shooting, personal and home defense, all perfectly legal uses. Thus it isn't a stretch to assume someone has a legal use for it, unless there's specific reason to believe otherwise. However if the item in question has little to no legal use, then there can be problems. I see exploits as being mostly in this category. Other than the companies, who really has a legit use for the details behind an exploit? Now this isn't a challenge to try and come up with obscure reasons someone might want it, it is something to think about in general. What would people by and large want to buy these for? If the majority of realistic answers are illegal ones, then you can have a real problem when you sell it if you aren't real careful.

Re:

[lordkuri]

Other than the companies, who really has a legit use for the details behind an exploit?

Any user of that software that won't/can't/doesn't want to wait for the company to get off of their lazy asses and fix it, so they need a workaround.

Re:

[Nazlfrag]

Security affects users far more than it affects the company providing the tools. From this perspective, there are far more legitimate users trying to secure their systems from attack than there are than illegitimate ones trying to exploit them. If bank robbers want to get exploits from this site, they will need credentials far exceeding what the black market requires. Face it, the bank robbers laugh at these 'zero day' vulnerabilities, they are last weeks or last months vulnerabilities. An open and forthrig

Vulnerability Info Exchange is Good

[this great guy]

Selling information about security vulnerabilities may be considered unethical by some, but it is perfectly legal in almost all countries (notable exception: France). Don't forget that a vuln is just a bug, they are selling information about how to trigger a bug. Why would that be illegal ? If a buyer exploit the bug for nefarious purposes, then the buyer is doing something illegal, not the seller. There are plenty of legitimate cases where a market for selling vulnerabilities is a good thing:

• The devel

Amen!

[Weezul]

Or the most basic: A sold vulnerability market also supports honest scurity researchers financially. Security will become a higher priority for venders if they must bid against black hats. etc.

Big security problems currently come from people not installing patches. You can't fix this since you can't write perfect code. But you can help by writing better code. So we must make venders see the real costs.

Don't let stupidity fool you

[packetmon]

I saw via a security mailing list ridicule at "Who the hell would buy a Yahoo messenger exploit. har har". So let's think about this for a minute... Done, how many people do you know that use Yahoo messenger at their corporate office? As obscure as some may think the site will be, all you need is some hardcore "pwning" going on, and some government will treat the site as they did Pirate Bay and shut it down quickly

Re:

[Loucks]

That's a good point, given that The Pirate Bay is no longer online and all.

Re:

[karnal]

I missed the sarcasm in your post. I checked the site and thought "Damn, he got me."

Good show!

Dude, this sucks

[TheModelEskimo]

I posted this awesome cultural comment the last time this story was posted and nobody even replied. Now the dupe is just plowing up all those bad memories again. http://it.slashdot.org/comments.pl?sid=246095&cid= 19763499 [slashdot.org]

Good idea, actually...

[stevejsmith]

Of course it sounds ridiculous, but if you think about it, it's actually not a bad idea. For one, if there are these critical bugs being published all the time and big companies are taking the heat for these vulnerabilities, you can bet the companies would either a) pay top dollar to buy the exploit themselves and hopefully patch the hole, or b) encourage them to be more proactive. Rewards for finding holes would mean a reliable stream of money for those who find them, ensuring that there would be plenty

whoa!

[dexomn]

Oh man, I wonder if I could get five bucks for a rickroll! I mean.. that shit has to be worth five bucks. =)

Auctioning known defects

[TheCybernator]

Thats a good idea. From now on, I'll sell the defective products and then later auction the known defects :)
???
Profit!!

the idea has merit

[v1]

If something is a problem for you but the people that could fix it don't care, then naturally no one is in a hurry to fix it. MAKE it an immediate problem and you will get a faster fix. There will be more collateral damage of course, but the unfortunate part is not the collateral damage, it's that we have to HAVE it to motivate the people to fix their crap. This whole concept of blaming, attacking, and trying to silence the whistleblowers has got to stop. It's not their fault. Are they making the probl

What happens when this site gets cracked?

[r_jensen11]

The whole thing just seems stupid. Sell information about a vulnerability, then wonder why your website is down 5 minutes later...

I think you mean an eBay for crackers.

[that this is not und]

The eBay we already have is the 'for hackers' one.

I use it regularly to buy PIC controllers, semi-exotic silicon, and weird computer hardware (i.e. anything 'the natives' can't Install Windoze on here in tardo flyoverlandia). I also sell a lot of cool stuff, like PDP-11 hardware, etc. Without eBay or at the least the Web and mail order, a person such as myself couldn't live in this godforsaken (actually, god-addled) part of the country.