Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Businesses Security IT

Zero-Day Vulnerabilities On the Market 94

An anonymous reader writes "Zero-day vulnerabilities have become prized possessions to attackers and defenders alike. As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days. There is an underground market growing around these vulnerabilities, but there are also 'white markets' — set up by VeriSign, TippingPoint, Google — where they buy zero-day flaws and alert the companies so that they can patch their products before the vulnerabilities can be taken advantage of."
This discussion has been archived. No new comments can be posted.

Zero-Day Vulnerabilities On the Market

Comments Filter:
  • by Anonymous Coward on Monday February 08, 2010 @10:52AM (#31060988)

    someone to invent time travel. Then someone could go into the future, get all the patches and fixes to various popular software, come back in time, and give it to us. Problem solved.

    • by Anonymous Coward on Monday February 08, 2010 @11:01AM (#31061096)

      But the evil hackers with time travel will then go to the future to find out exploits before they've been found in the past.

    • Surely companies could just buy the zero-day exploits, study them, and patch their software. Turn the black market to your own end. Then the problem is solved without time travel.
      • Re: (Score:3, Interesting)

        by SeePage87 ( 923251 )
        Wow, I know /.ers rarely read TFA, but did you even read the summary? They explicitly mention "white markets" where companies can do just that. If the white markets are well known about, learning of an exploit is often likely to be more valuable to the company than a hacker. A company can suffer liability for damages, lose clients, suffer hits to their company's good will, and, depending on the nature of the software and what it's used for, and the exploit and how it works, any number of other things. T
        • Be careful. (Score:4, Interesting)

          by John Hasler ( 414242 ) on Monday February 08, 2010 @11:54AM (#31061824) Homepage

          > Besides companies potentially paying better, there's the added bonus of not
          > having to do something illegal, harmful and immoral...

          Be careful. If the company learns your identity during negotiations they might have you arrested for extortion.

          • Re:Be careful. (Score:4, Insightful)

            by SeePage87 ( 923251 ) on Monday February 08, 2010 @12:16PM (#31062062)
            Maybe. The interesting thing is that the exploit is both the attack also what is needed to fix it. There's a credible threat that others may use the same exploit, not just the one who found it. A company who did this openly, whose founding documents declare they only sell software vulnerability information with the software's creator, whose NDAs included clauses that they will never share this information with others in to perpetuity regardless of the potential client's decision on whether to buy the information... I think they could develop a defensible case and eventually a trusted brand image. Just because a company sells fire insurance doesn't mean they're really threatening to commit arson.
    • "Dude. As soon as Bill stops screwing around with card games, we're going to be set!"

      "Why?"

      "I just got a whole bunch of neg 7300 day exploits for Win95, dude. We're gonna be set."

      "Cool. Hey.... have you even been born yet?"

      "Awww crap..." (poof)

  • Good to know (Score:1, Insightful)

    by Anonymous Coward

    I always appreciate the clarification that a growing market is growing.

  • by swb ( 14022 ) on Monday February 08, 2010 @10:59AM (#31061074)

    ...especially when the market is fairly inelastic.

    The best "white market" tale I've ever heard is the militias that ran the "Golden Triangle" in the Southeast Asian highlands offering to sell the US the entire opium crop.

    I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market. They could even use the opium for the production of painkillers for the legitimate market, which I understand is actually constrained sometimes by strict production limitations.

    You would think that white marketing the supply of illicit drugs would make a lot of sense -- by buying up supplies at the volume end of the market and denying it to the market, you would drive street prices through the roof and have far more impact on the consumers, pricing many out of the market. Cocaine supply diversity may make this difficult, but if pursued quietly it might actually be effective there too.

    Critics would decry giving money to criminals, but the "buy" could actually take place at the farming level where that's an option, thus totally undercutting the criminals. It'd be great to see a cost analysis to see if it would actually be cheaper to just buy up the drugs at the point of production versus the drug war, which doesn't work.

    • Re: (Score:3, Insightful)

      by adonoman ( 624929 )
      It'd work great until a few farmers, who sold to the government instead of the local underground, wind up dead.
      • Exactly. (Score:3, Interesting)

        by khasim ( 1285 )

        Remember, we're not talking about the farmers being the equal of the distributors.

        If you start taking away a source of revenue, you had better be able to defend that with violence of your own.

        And anyway, if the farmers are growing dope, they're not growing food. How about offer to buy the food that the farmers grow at a higher rate than the processors pay for the dope?

        • by hduff ( 570443 )

          And anyway, if the farmers are growing dope, they're not growing food. How about offer to buy the food that the farmers grow at a higher rate than the processors pay for the dope?

          Then farmers get killed for growing food instead of drugs. The best solution (for the farmers) is for there to be no demand for the drugs or no profit in providing them. Given that will never happen, the farmers are sooo screwed.

        • by mcgrew ( 92797 ) *

          Have you compared the cost of a pound of corn (an ear or two) compared to the cost of a pond of opium? A pound of flour compared to the cost of a pound of heroin?

          Are you willing to pay $100 for a loaf of bread and seventy five follars for a beer?

    • by thijsh ( 910751 ) on Monday February 08, 2010 @11:06AM (#31061178) Journal
      You seem to be under the impression that the war (on drugs) has anything to do with logical reasoning...
      It's a great idea though, and I bet it will in fact work *and* be cheaper.
    • by bluesatin ( 1350681 ) on Monday February 08, 2010 @11:06AM (#31061184)

      I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market.

      This would probably cause a knock-on effect of increasing production in the area, due to the fact that you will be increasing the profits for the poppy growers, and perhaps also encouraging people to start poppy farming; selling to US troops is probably a hell of a lot less scary than selling to the Taliban.

      • Selling to US troops is probably a hell of a lot less scary than selling to the Taliban.

        That is unlikely from the farmer's perspective -- who may fear violent reprisals from the Taliban, and don't trust the christian infidels (US troops) anyway.
        • Re: (Score:1, Insightful)

          by Anonymous Coward

          I know you are being flippant but your average Afgani (or any muslim) doesn't think in terms of "christian infidels", that is the kind of talk you get from radical mullahs, talk show hosts, or rednecks. Depending on their education they are more likely to think "here are non-muslems who are going to try to take over and get us to convert like they did during the crusades, or the British...". Most people are just like you and me, they just want to be left alone, be relatively comfortable, not be afraid all

    • by L4t3r4lu5 ( 1216702 ) on Monday February 08, 2010 @11:07AM (#31061186)
      Buying products other than opium, i.e. incentives to plant other crops would be better.

      On another point, don't you think the Taliban might be a little irritated by this and, ooooh I don't know, cut off some farmers heads? I hear they've been known to do that to make a point.
      • by Ltap ( 1572175 ) on Monday February 08, 2010 @11:14AM (#31061264) Homepage
        You're right. The drug-growing problem in Afghanistan is two-fold: very little will grow there other than desert plants. Opium grows there and is extremely profitable to grow, so if they were to try and grow other crops, they would probably not be sustainable without more infrastructure (such as an irrigation network to grow crops that need more ground water). There have been attempts to cultivate some local plants to extract oils for use in beauty products, but it's a niche market and only a small amount of farmers can do it without over-saturating the market. A crop that would grow in Afghanistan, is in demand, and is rare enough to warrant transportation costs to the rest of the world is the ideal crop, and right now that is opium. Until there is a viable alternative, that is what farmers will grow.
      • by swb ( 14022 ) on Monday February 08, 2010 @11:19AM (#31061326)

        We can incentivize the growing of other crops, too, but we should also be prepared to buy up the opium crop.

        The alternative is destroying the opium crop; this impoverishes the farmer further, destroys his livelihood and causes him to not just grow opium, but join the Taliban.

      • by Yvanhoe ( 564877 ) on Monday February 08, 2010 @11:34AM (#31061530) Journal
        The taliban are actually opposed to drugs production. While they were in power, the area of opium cultures fell down incredibely quick. It came back thanks to the war. The drugs lords are a faction different from the talibans.
        • Re: (Score:3, Insightful)

          by _Sprocket_ ( 42527 )

          The taliban are actually opposed to drugs production. While they were in power, the area of opium cultures fell down incredibely quick. It came back thanks to the war. The drugs lords are a faction different from the talibans.

          Which is all nice and fine as long as the Taliban remains in control. But what happened after?

          There are reports that the Taliban are now involved in the drug trade again. Despite the use of this as obvious propaganda, it isn't that far fetched as the Taliban initially hadn't had a problem with opium since it was a drug for foreigners (hashish was another matter). Of course, it's also very likely that the Taliban is only one of many players in the increased trade. Narcotics is a major industry and quickl

      • Buying products other than opium, i.e. incentives to plant other crops would be better.

        Like industrial strength hemp?

        They grow drugs because it is more profitable than food crops. They probably get 10 times the earnings per acre for opium than they would get for any food crop. If the US bought up all the opium one year, the farmers would just convert more of their fields over to opium. After one year, there would me more than enough opium for the US and the Taliban, and anyone else who wants it.

        If you went to California, and put up an ad specifying that the government would pay $1000/pound fo

    • Another problem with the strategy is that more drugs will be produces. If you buy up all the drugs at high prices, you'll have artificially injected a huge amount of demand into the market, as well as effectively condoned drug production. The existing producers will produce much more, since they can move it, and other's will flock to the drug trade, knowing that the U.S. government will buy it. If we don't, they'll just sell it to the Taliban again and, since we never put it on the streets, they'll still
    • Re: (Score:2, Insightful)

      by Jenming ( 37265 )

      I bet the Opium would still reach the consumer at comparable prices.

      The Opiate trade does not exist because of Afghanistan farmers or the Taliban, it exists because consumers really want Opiates.

    • by Hasai ( 131313 ) on Monday February 08, 2010 @11:45AM (#31061684)

      Critics would decry giving money to criminals, but the "buy" could actually take place at the farming level where that's an option, thus totally undercutting the criminals.

      And where, in regions that routinely grow opium, would this be an 'option?' The criminals will show up at the farmer's doorstep, take the money, then butcher both the farmer and his family to make an example.

      I saw the same sort of thing happen in S.A., where this one campesino decided he wasn't going to grow coca anymore: the local enforcers promptly showed-up, dragged him and his family out and forced them to kneel in front of their house, then went right down the row, from youngest to oldest. Pop, pop, pop, pop, pop.

      The term 'naive' doesn't even begin to describe your idea.

    • Re: (Score:3, Insightful)

      by ratboy666 ( 104074 )

      The Taliban sells heroin?

      Um... no. In July 2000, Mullah Omar ordered a ban on poppy cultivation. As far as I know, this hasn't been lifted. Other members of the Northern Alliance are responsible.

      I presume you are a US citizen; please know your enemy. The Taliban may be at war with the US, but they are even harder on drugs. It is about as conceivable as Pat Robertson selling heroin to fund Christian Outreach.

    • by dave562 ( 969951 )

      Two things your logic misses. First you've completely ignored the fact that the profits from drugs are used to finance the war. It isn't just the Taliban who are trading dope for military hardware. The drug trade is a perfect way for the government and companies to launder money. Here is a link to a PBS article that details a small, ACKNOWLEDGED portion of the process.

      http://www.pbs.org/wgbh/pages/frontline/shows/drugs/special/us.html [pbs.org]

      The PBS article talks about legit goods like appliances and automobile

    • I remember the Karzai's government trying to do just what you're suggesting here, and the Bush Administration refuting it. Most of our current legal opium supply comes from Turkey, which houses several US Military bases. Ultimately, purchasing opium for use in purposely restricted legal markets would flood those markets, driving down prices and alienating our allies. That said, I would be willing to bet that purchasing opium from farmers and storing it would be cheaper than prosecuting the war against th
    • Since these "farmers" will know that the drugs they produce will never be used, what's to stop them from selling fake drugs which have fixed to make the tests turn out right to the US government, and selling the real ones to the Taliban? All you need is some cheap chemical that makes the test kit change color, and I'm sure that there are things other than opium that can fake out the tests. Maybe just some food coloring mixed in.

      • I'm sure that this is as much a possibility as reporting a bogus security flaw to a software company. It wouldn't take long for a proper chemist to determine that what they were testing wasn't the real thing. On the up side, it could mean more science jobs and thus more of a push for better geeky ed in public schools.
    • by Z34107 ( 925136 )

      It's a great idea in the term, but I think it might have problems long-term. Vastly increasing the demand for heroin (exactly what buying all production at the best price possible is!) would encourage more people to enter heroin production. Maybe convert farmland from food production to "cash crops."

      However, unlike the "war" on drugs, I'm convinced your idea has a least a snowball's chance of working. The DEA's budget should be transferred immediately to you, our new Drug Czar.

    • You assume that the offer will be constant but is not. Each farmer would have the possibility to plant opium or coca with a sure mark, do you think that all the farmers will be happy to plant anything else... in the long term, the farmer will loss because of the mono plantation, but that will be not the only problem, in short term the government will be broke for buyout the special plantations.

      If you propose the enforcement of the control in the limits of the production (to assure the constant offer) you
    • I'd complain more that driving the street price up would also drive up the drug related street crime here close to home. Providing incentive for more local growers and strain the local enforcements.

  • OK, this is a pet peeve of mine, but why the heck do these get called "Zero-day vulnerabilities". Yes, I understand that the definition is that the zero-day refers to the time between the vulnerability is made public and the time that an exploit is made available. However, I don't get why this needs an additional moniker on top of being a vulnerability in the first place. Don't most of the vulnerabilities have an exploit the same day that the vulerability is published (wouldn't you want to have a proof o
    • by chill ( 34294 ) on Monday February 08, 2010 @11:22AM (#31061368) Journal

      0-day means there is no patch available, as opposed to vulns that come out after patches are issued and you could possibly upgrade your system to being secure.

      Anything that is patched, but you haven't bothered to update your system and are thus vulnerable to, isn't a 0-day.

      • Re: (Score:3, Insightful)

        by bsDaemon ( 87307 )
        I always thought 0-day should refer to time between the software itself is releasedand an exploit is found. Frankly, that would make more sense and that's the type of vulnerability that would actually be somewhat impressive as well as potentially devastating. If a piece of software has been floating around for a few months and then an attack against it is announced, I assume that the vector has been exploited already without an announcement and am hardly surprised that a vulnerability has been found by th
      • by maxume ( 22995 )

        I agree with this definition (i.e., "A patch has been available for 0 days" being the basis of the phrase), but I predict people are going to argue with you. A lot.

        • So, every vulnerability is zero-day, then? Sounds redundant.

          • by maxume ( 22995 )

            Sure, because there are no systems out there that are not up to date with patches.

            I can also see the case for 0 day meaning vulnerabilities that the vendor has not been notified of yet.

    • by jofny ( 540291 )
      0day implies that there is a --non public-- vulnerability and/or exploit out in the wild that has not yet been disclosed outside of relatively small private circles (nothing to do with the time between vuln and exploit). Its meaning has been lately bastardized to include "things for which we dont have a patch yet" - and it's that bastardization which creates scenarios that don't make "sense".
      • Its meaning has been lately bastardized

        So zero-day has joined the rather exclusive League of Semiotic Hyperlatives, along with other misused terms such as Robot, Virtual Reality, 3D, and Artificial Intelligence.

  • "...can be taken advantage of."

    should be something like,

    "can be exploited."

  • by John Hasler ( 414242 ) on Monday February 08, 2010 @11:23AM (#31061386) Homepage

    ...know that it has not also been sold to someone else? And who brokers these deals? I can't imagine the parties trusting each other.

    • Does it matter? (Score:3, Informative)

      by khasim ( 1285 )

      If you are the company who wrote the software, you now know where the flaw is and can fix it.

      If you release a patch, that could be reverse engineered and the bad guys would find the flaw anyway.

      • Re: (Score:3, Informative)

        by John Hasler ( 414242 )

        > If you are the company who wrote the software, you now know where the flaw
        > is and can fix it.

        But if you are a black hat (or a government: same thing) you want exclusive ownership. Even if you are the company that wrote the software you don't want the exploit sold to black hats who will exploit it between now and the time you deploy your fix (or afterward against the many customers who won't upgrade).

        • But if you are a black hat (or a government: same thing) you want exclusive ownership.

          :) And that is part of the problem when you choose to be one of the bad guys. You cannot trust the other bad guys to be honest in their deals.

          And that doesn't bother me. If anything, it should drive down the prices as none of the bad guys are going to invest a lot of money on something that they cannot be sure they have an exclusive option on.

  • I like the link to the black markets but not to the white markets. Hackers would probably benefit from these new "white-markets" you speak of.
  • Though I'm not surprised that this exists, I wonder how one prices a zero-day exploit. Do you get a return on investment? Number of PC's infected? Number of bank accounts stolen?
  • by jollyreaper ( 513215 ) on Monday February 08, 2010 @12:25PM (#31062174)

    Toyota's gonna catch holy hell for the whole "car randomly becomes kamikaze" bug with the accelerator. There are regulations and laws about this sort of thing. If I run a slaughterhouse and knowingly ship bad meat, I could go to jail. This isn't home hobbyist shit anymore, computers are serious business and Microsoft is wearing the big boy pants. Lives are at stake over this sort of thing. Dissidents can be targeted and killed. And even if it's not political but just plain' ol' computer crime, the losses can really add up.

    I'm not a fan of bogging the industry down with so much regulation that nobody can get anything done but it's clear that businesses are, generally, not self-policing and concern for public welfare is not on the agenda. They will not consider it until compelled to by force of law. And to all the business apologists complaining about the stifling hand of government laying heavily upon the necks of business, just remember that there wouldn't be a call for regulation if there wasn't a need for regulation. If slaughterhouse owners applied the same standard to meat intended for public consumption that they would apply for meat intended for their own tables, Upton Sinclair wouldn't have had a novel and we wouldn't have had an FDA.

    • by GNious ( 953874 )

      Question: Are there no laws on the merchantability of a product where you live?

      • Question: Are there no laws on the merchantability of a product where you live?

        Not for software. The EULA's seem to indemnify software companies of all liability. You don't like it, don't use computers.

        • It is interesting to speculate upon how we could possibly get there from here.
          Obviously the software industry is too large to allow legislation to be forced upon it.
          And the comments the other day from the Microsoft CTO indicate no willingness to acccept any responsibility.
          My best guess is that locked-down devices like the iPad could be seen in the marketplace as much more secure and therefore a better choice for most people. Whether this will actually come to pass I doubt though, as other manufacturers w
  • Not a trend. (Score:2, Informative)

    by yoda ( 79150 )

    The vulnerability contributor program @ Verisign and TippingPoint were setup by the same person. I know this because that person used to work for me. Google is buying simply as a reaction to the China stuff. This isn't a trend...though on the surface, it appears that way.

  • "Charlie Miller ... who sold a bug he discovered in the Linux OS to a government contractor for $50,000 dollars, said that choosing whether to sell such an item or give it away for free to Microsoft is a hard decision to make"

    Hmm, doesn't sound that hard to me.

    Just wondering, what exactly did the government contractor do with the vunerability afterwards?

  • As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days.

    I highly doubt that. I think that, compared to social engineering, zero-day attacks are pretty much an insignificant slice of the cake.

    I mean, it’s much easier to hack a PEBKAC. And as the biggest ranks usually also are the biggest PEBKACs, it’s a clear winner. ^^

If you have a procedure with 10 parameters, you probably missed some.

Working...