Zero-Day Vulnerabilities On the Market 94
An anonymous reader writes "Zero-day vulnerabilities have become prized possessions to attackers and defenders alike. As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days. There is an underground market growing around these vulnerabilities, but there are also 'white markets' — set up by VeriSign, TippingPoint, Google — where they buy zero-day flaws and alert the companies so that they can patch their products before the vulnerabilities can be taken advantage of."
Re: (Score:2, Interesting)
The 0day black market has been thriving for over a decade; I remember being 13-14 years old, spent every day and night reading and learning about computer security. It was a different world in hacking back then; the reason was because the lines between a secure system and an insecure system were more blurred. Most machines/network one would target had a vulnerability that was exploitable, it was just a matter of spending enough days reading to discover it. It was an incredible time i
Re: (Score:1)
maybe I can get you a job (Score:1)
I remember being 13-14 years old, spent every day and night reading and learning about computer security.
Nice.
The line in the sand is so broad and sharp; you're either an advanced black hat, an advanced white hat, script kiddie, or nothing.
Really? What if you pwn an evildoer? Send a resume to doubleplusgoodalbert@gmail.com if that sounds really cool.
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
The word news didn't have anything to do with new. It stood, at least originally, for North East West and South.
Re: (Score:1)
This is why we need... (Score:4, Funny)
someone to invent time travel. Then someone could go into the future, get all the patches and fixes to various popular software, come back in time, and give it to us. Problem solved.
Re:This is why we need... (Score:4, Funny)
But the evil hackers with time travel will then go to the future to find out exploits before they've been found in the past.
Re:This is why we need... (Score:5, Funny)
But the evil hackers with time travel will then go to the future to find out exploits before they've been found in the past.
...and that's exactly why need regulation with regards to time travel and access to time travel machinery, now. You there, drop that screwdriver!
Re: (Score:3, Funny)
Don't worry, almost all classic DeLorean's have rotted away and we're still waiting on non-Newtonian Physicists to invent a Flux Capacitor.
Re:Terminator revisited (Score:1)
But the white hatters being able to time travel send a robot back in time far enough to look up all the evil hacker's mom's and kill them all before any of this has started.
I just wonder if evil hackers that did make it into the future before they got diced, were able to find a way to look up those white hackers grandparents and send a robot back then , ...or wait a minute...
Re: (Score:2)
Machines? Who needs machines? [imdb.com]
Buy them (Score:2)
Re: (Score:3, Interesting)
Be careful. (Score:4, Interesting)
> Besides companies potentially paying better, there's the added bonus of not
> having to do something illegal, harmful and immoral...
Be careful. If the company learns your identity during negotiations they might have you arrested for extortion.
Re:Be careful. (Score:4, Insightful)
Re: (Score:2)
"Dude. As soon as Bill stops screwing around with card games, we're going to be set!"
"Why?"
"I just got a whole bunch of neg 7300 day exploits for Win95, dude. We're gonna be set."
"Cool. Hey.... have you even been born yet?"
"Awww crap..." (poof)
Good to know (Score:1, Insightful)
I always appreciate the clarification that a growing market is growing.
I'm surprised white markets aren't more common (Score:5, Interesting)
...especially when the market is fairly inelastic.
The best "white market" tale I've ever heard is the militias that ran the "Golden Triangle" in the Southeast Asian highlands offering to sell the US the entire opium crop.
I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market. They could even use the opium for the production of painkillers for the legitimate market, which I understand is actually constrained sometimes by strict production limitations.
You would think that white marketing the supply of illicit drugs would make a lot of sense -- by buying up supplies at the volume end of the market and denying it to the market, you would drive street prices through the roof and have far more impact on the consumers, pricing many out of the market. Cocaine supply diversity may make this difficult, but if pursued quietly it might actually be effective there too.
Critics would decry giving money to criminals, but the "buy" could actually take place at the farming level where that's an option, thus totally undercutting the criminals. It'd be great to see a cost analysis to see if it would actually be cheaper to just buy up the drugs at the point of production versus the drug war, which doesn't work.
Re: (Score:3, Insightful)
Exactly. (Score:3, Interesting)
Remember, we're not talking about the farmers being the equal of the distributors.
If you start taking away a source of revenue, you had better be able to defend that with violence of your own.
And anyway, if the farmers are growing dope, they're not growing food. How about offer to buy the food that the farmers grow at a higher rate than the processors pay for the dope?
Re: (Score:2)
And anyway, if the farmers are growing dope, they're not growing food. How about offer to buy the food that the farmers grow at a higher rate than the processors pay for the dope?
Then farmers get killed for growing food instead of drugs. The best solution (for the farmers) is for there to be no demand for the drugs or no profit in providing them. Given that will never happen, the farmers are sooo screwed.
Re: (Score:2)
Have you compared the cost of a pound of corn (an ear or two) compared to the cost of a pond of opium? A pound of flour compared to the cost of a pound of heroin?
Are you willing to pay $100 for a loaf of bread and seventy five follars for a beer?
... you are sadly mistaken (Score:5, Insightful)
It's a great idea though, and I bet it will in fact work *and* be cheaper.
Re:I'm surprised white markets aren't more common (Score:4, Informative)
I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market.
This would probably cause a knock-on effect of increasing production in the area, due to the fact that you will be increasing the profits for the poppy growers, and perhaps also encouraging people to start poppy farming; selling to US troops is probably a hell of a lot less scary than selling to the Taliban.
Re: (Score:2)
That is unlikely from the farmer's perspective -- who may fear violent reprisals from the Taliban, and don't trust the christian infidels (US troops) anyway.
Re: (Score:1, Insightful)
I know you are being flippant but your average Afgani (or any muslim) doesn't think in terms of "christian infidels", that is the kind of talk you get from radical mullahs, talk show hosts, or rednecks. Depending on their education they are more likely to think "here are non-muslems who are going to try to take over and get us to convert like they did during the crusades, or the British...". Most people are just like you and me, they just want to be left alone, be relatively comfortable, not be afraid all
Re:I'm surprised white markets aren't more common (Score:5, Insightful)
On another point, don't you think the Taliban might be a little irritated by this and, ooooh I don't know, cut off some farmers heads? I hear they've been known to do that to make a point.
Re:I'm surprised white markets aren't more common (Score:4, Informative)
Re:I'm surprised white markets aren't more common (Score:4, Insightful)
We can incentivize the growing of other crops, too, but we should also be prepared to buy up the opium crop.
The alternative is destroying the opium crop; this impoverishes the farmer further, destroys his livelihood and causes him to not just grow opium, but join the Taliban.
Re:I'm surprised white markets aren't more common (Score:5, Insightful)
Re: (Score:3, Insightful)
The taliban are actually opposed to drugs production. While they were in power, the area of opium cultures fell down incredibely quick. It came back thanks to the war. The drugs lords are a faction different from the talibans.
Which is all nice and fine as long as the Taliban remains in control. But what happened after?
There are reports that the Taliban are now involved in the drug trade again. Despite the use of this as obvious propaganda, it isn't that far fetched as the Taliban initially hadn't had a problem with opium since it was a drug for foreigners (hashish was another matter). Of course, it's also very likely that the Taliban is only one of many players in the increased trade. Narcotics is a major industry and quickl
Re: (Score:1)
Buying products other than opium, i.e. incentives to plant other crops would be better.
Like industrial strength hemp?
They grow drugs because it is more profitable than food crops. They probably get 10 times the earnings per acre for opium than they would get for any food crop. If the US bought up all the opium one year, the farmers would just convert more of their fields over to opium. After one year, there would me more than enough opium for the US and the Taliban, and anyone else who wants it.
If you went to California, and put up an ad specifying that the government would pay $1000/pound fo
Re: (Score:2)
Re: (Score:2, Insightful)
I bet the Opium would still reach the consumer at comparable prices.
The Opiate trade does not exist because of Afghanistan farmers or the Taliban, it exists because consumers really want Opiates.
Re:I'm surprised white markets aren't more common (Score:5, Interesting)
Critics would decry giving money to criminals, but the "buy" could actually take place at the farming level where that's an option, thus totally undercutting the criminals.
And where, in regions that routinely grow opium, would this be an 'option?' The criminals will show up at the farmer's doorstep, take the money, then butcher both the farmer and his family to make an example.
I saw the same sort of thing happen in S.A., where this one campesino decided he wasn't going to grow coca anymore: the local enforcers promptly showed-up, dragged him and his family out and forced them to kneel in front of their house, then went right down the row, from youngest to oldest. Pop, pop, pop, pop, pop.
The term 'naive' doesn't even begin to describe your idea.
Re: (Score:2)
Except that we didn't have 50,000 troops in South America.
Re: (Score:3, Insightful)
The Taliban sells heroin?
Um... no. In July 2000, Mullah Omar ordered a ban on poppy cultivation. As far as I know, this hasn't been lifted. Other members of the Northern Alliance are responsible.
I presume you are a US citizen; please know your enemy. The Taliban may be at war with the US, but they are even harder on drugs. It is about as conceivable as Pat Robertson selling heroin to fund Christian Outreach.
Re: (Score:3, Informative)
Taliban suspected of stockpiling 12,000 tons of poppies [cnn.com]?
What passes for Insightful... (Score:3, Informative)
Re: (Score:2)
Two things your logic misses. First you've completely ignored the fact that the profits from drugs are used to finance the war. It isn't just the Taliban who are trading dope for military hardware. The drug trade is a perfect way for the government and companies to launder money. Here is a link to a PBS article that details a small, ACKNOWLEDGED portion of the process.
http://www.pbs.org/wgbh/pages/frontline/shows/drugs/special/us.html [pbs.org]
The PBS article talks about legit goods like appliances and automobile
Re: (Score:1)
Re: (Score:1)
Since these "farmers" will know that the drugs they produce will never be used, what's to stop them from selling fake drugs which have fixed to make the tests turn out right to the US government, and selling the real ones to the Taliban? All you need is some cheap chemical that makes the test kit change color, and I'm sure that there are things other than opium that can fake out the tests. Maybe just some food coloring mixed in.
Re: (Score:1)
Re: (Score:2)
It's a great idea in the term, but I think it might have problems long-term. Vastly increasing the demand for heroin (exactly what buying all production at the best price possible is!) would encourage more people to enter heroin production. Maybe convert farmland from food production to "cash crops."
However, unlike the "war" on drugs, I'm convinced your idea has a least a snowball's chance of working. The DEA's budget should be transferred immediately to you, our new Drug Czar.
Re: (Score:1)
If you propose the enforcement of the control in the limits of the production (to assure the constant offer) you
Re: (Score:1)
I'd complain more that driving the street price up would also drive up the drug related street crime here close to home. Providing incentive for more local growers and strain the local enforcements.
"Zero-day" is just noise (Score:2, Insightful)
Re:"Zero-day" is just noise (Score:4, Informative)
0-day means there is no patch available, as opposed to vulns that come out after patches are issued and you could possibly upgrade your system to being secure.
Anything that is patched, but you haven't bothered to update your system and are thus vulnerable to, isn't a 0-day.
Re: (Score:3, Insightful)
Re: (Score:1)
I agree with this definition (i.e., "A patch has been available for 0 days" being the basis of the phrase), but I predict people are going to argue with you. A lot.
Re: (Score:2)
So, every vulnerability is zero-day, then? Sounds redundant.
Re: (Score:1)
Sure, because there are no systems out there that are not up to date with patches.
I can also see the case for 0 day meaning vulnerabilities that the vendor has not been notified of yet.
Re: (Score:2)
Re: (Score:2)
Its meaning has been lately bastardized
So zero-day has joined the rather exclusive League of Semiotic Hyperlatives, along with other misused terms such as Robot, Virtual Reality, 3D, and Artificial Intelligence.
Re: (Score:2)
poor grammar (Score:2)
"...can be taken advantage of."
should be something like,
"can be exploited."
How does the purchaser of an exploit... (Score:5, Interesting)
...know that it has not also been sold to someone else? And who brokers these deals? I can't imagine the parties trusting each other.
Does it matter? (Score:3, Informative)
If you are the company who wrote the software, you now know where the flaw is and can fix it.
If you release a patch, that could be reverse engineered and the bad guys would find the flaw anyway.
Re: (Score:3, Informative)
> If you are the company who wrote the software, you now know where the flaw
> is and can fix it.
But if you are a black hat (or a government: same thing) you want exclusive ownership. Even if you are the company that wrote the software you don't want the exploit sold to black hats who will exploit it between now and the time you deploy your fix (or afterward against the many customers who won't upgrade).
Bad guys don't trust bad guys. :) (Score:3, Interesting)
:) And that is part of the problem when you choose to be one of the bad guys. You cannot trust the other bad guys to be honest in their deals.
And that doesn't bother me. If anything, it should drive down the prices as none of the bad guys are going to invest a lot of money on something that they cannot be sure they have an exclusive option on.
Link? (Score:2)
How do you evaluate an open market item? (Score:2)
When will companies be held liable for bugs? (Score:3, Interesting)
Toyota's gonna catch holy hell for the whole "car randomly becomes kamikaze" bug with the accelerator. There are regulations and laws about this sort of thing. If I run a slaughterhouse and knowingly ship bad meat, I could go to jail. This isn't home hobbyist shit anymore, computers are serious business and Microsoft is wearing the big boy pants. Lives are at stake over this sort of thing. Dissidents can be targeted and killed. And even if it's not political but just plain' ol' computer crime, the losses can really add up.
I'm not a fan of bogging the industry down with so much regulation that nobody can get anything done but it's clear that businesses are, generally, not self-policing and concern for public welfare is not on the agenda. They will not consider it until compelled to by force of law. And to all the business apologists complaining about the stifling hand of government laying heavily upon the necks of business, just remember that there wouldn't be a call for regulation if there wasn't a need for regulation. If slaughterhouse owners applied the same standard to meat intended for public consumption that they would apply for meat intended for their own tables, Upton Sinclair wouldn't have had a novel and we wouldn't have had an FDA.
Re: (Score:1)
Question: Are there no laws on the merchantability of a product where you live?
Re: (Score:2)
Question: Are there no laws on the merchantability of a product where you live?
Not for software. The EULA's seem to indemnify software companies of all liability. You don't like it, don't use computers.
Re: (Score:2)
Obviously the software industry is too large to allow legislation to be forced upon it.
And the comments the other day from the Microsoft CTO indicate no willingness to acccept any responsibility.
My best guess is that locked-down devices like the iPad could be seen in the marketplace as much more secure and therefore a better choice for most people. Whether this will actually come to pass I doubt though, as other manufacturers w
Not a trend. (Score:2, Informative)
The vulnerability contributor program @ Verisign and TippingPoint were setup by the same person. I know this because that person used to work for me. Google is buying simply as a reaction to the China stuff. This isn't a trend...though on the surface, it appears that way.
Hard decision (Score:1)
"Charlie Miller ... who sold a bug he discovered in the Linux OS to a government contractor for $50,000 dollars, said that choosing whether to sell such an item or give it away for free to Microsoft is a hard decision to make"
Hmm, doesn't sound that hard to me.
Just wondering, what exactly did the government contractor do with the vunerability afterwards?
Most of the successful attacks? (Score:2)
As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days.
I highly doubt that. I think that, compared to social engineering, zero-day attacks are pretty much an insignificant slice of the cake.
I mean, it’s much easier to hack a PEBKAC. And as the biggest ranks usually also are the biggest PEBKACs, it’s a clear winner. ^^