Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Bug Businesses Security IT

New Site Aims To Be iTunes For Exploits 55

Trailrunner7 writes "It's been tried before, but NSS Labs founder Rick Moy says his company's new Exploit Hub — a store front for exploit code — can work. In an interview, he explains why the current market for exploits doesn't work for the good guys, and why zero-day exploits don't help anyone. Above-board markets for software vulnerabilities have been around for close to a decade, but previous efforts to market exploits have had mixed results. The business of selling exploits versus vulnerabilities is fraught with danger, and organizations like WabiSabiLabi have operated eBay-style marketplaces for zero-day exploits for years, but haven't seen exploit writers beating a path to their door. The need for an above-board marketplace that can compete with the black market surely exists, but getting it to work is another matter entirely."
This discussion has been archived. No new comments can be posted.

New Site Aims To Be iTunes For Exploits

Comments Filter:
  • by BadAnalogyGuy ( 945258 ) <> on Friday October 15, 2010 @01:44PM (#33910362)

    He compared his company to "Craigslist", not "iTunes".

    I'm not sure that's the image you'd want to project for your company, but I'm not that guy.

  • An "above-board" market for exploits?

    Who exactly is planning on buying these things and NOT planning to do something illegal with them?

    • Re:What the hell (Score:5, Interesting)

      by mea37 ( 1201159 ) on Friday October 15, 2010 @01:52PM (#33910442)

      RTFA. Or educate yourself generally on how the IT security industry operates. Either way works.

    • Re:What the hell (Score:5, Interesting)

      by clone53421 ( 1310749 ) on Friday October 15, 2010 @01:57PM (#33910504) Journal

      The people who wrote the software in the first place. They want to produce software that isn’t buggy and exploitable, and the only way to find exploitable bugs is to be actively looking for them and to be good at exploiting them.

      They need good software crackers (in both senses of the word: skilled and working for them) working on betas to find vulnerabilities in the software so that the vulnerabilities can be fixed before the alpha of the software is released.

      Note that it specifically says that they won’t be dealing with 0-day exploits (critical exploits in existing, already-released software products). They want to find these before they release, and to do that, they have to hire crackers.

      • How is that you get guys working on Beta software before the Alpha is released? :)
      • Nonsense. It's ethically the same as paying a blackmailer.

        Oh, right - silly me, ethics no longer has anything to do with business decisions.

        -- Barbie

        • Well... that depends on what the guy who found the exploitable bug is planning on doing with it if you don’t buy it...

          (and if he’s threatening to sell it to highest bidder if you won’t buy it, that is blackmail/extortion, and quite illegal)

    • Companies who want to patch the holes in their software...but charging a company money for information you have on security holes in their software doesn't sound "above board" to me in the least.

      • Re:What the hell (Score:5, Insightful)

        by WCguru42 ( 1268530 ) on Friday October 15, 2010 @02:14PM (#33910710)

        charging a company money for information you have on security holes in their software doesn't sound "above board" to me in the least.

        And not earning anything for your work does? If I help you fix your broken program I'm within my rights to ask for compensation. Now, threatening to release and abuse it if you don't pay isn't so ethical.

        • So charging companies for security exploits found with your own labor is ok with Slashdot. Charging money for software you created 'with your own labor' is generally bad.

          It seems that some ideals in the OSS community tend to be a bit conflicting/self-contradictory.

          (note: I don't know what you personally think, I'm just using your post as a springboard :) )

        • Re: (Score:3, Interesting)

          by GameboyRMH ( 1153867 )

          Here's how I see it, it's like inspecting a dam (on your own time) and finding a crack. Now you could charge the dam company (haha) for the information you found - even though they didn't ask for it. If they were nice, fair people and you ask a fair price, they'd pay you, but they may decide not to (or you could be an asshole and ask way too much), they may say go screw yourself and not fix the crack. What then? Now you can either:

          1. Give up the information anyways - the dam company will never pay you for a

          • That's kinda dumb.

            For one thing, options 1 is no worse than if you had just given up the info in the first place, for free, and option 3 is only slightly worse in the short term and possibly better in the long term (it might teach them to pay up next time).

            For another, you're ignoring the 4th option: tell everyone who will listen that you've found a crack in the dam, and would LOVE to show the dam engineers how to fix the dam thing, only they won't give you the dam money that you worked dam hard for. Publ

            • I dunno your option 3 and 4 both sound rather extortion-ey...

              • If I tell you that the brakes on your car are failing and it'll cost $300 to replace them, and you refuse to get the work done .... is it extortion when I go and tell other people that you're an idiot who is not only risking his own life, but also endangering others?

                I know it's not a perfect analogy, but I really don't see why you'd consider one scenario to be extortion, and not the other.

                • The problem is that it's not like saying that the brakes on the car are failing and it'll cost $300 to replace them, it's like saying that something is wrong with your car and it'll cost $300 to tell you what it is and get it fixed.

                  • Re: (Score:3, Interesting)

                    by c6gunner ( 950153 )

                    *shrug* I would have no problem with that. I don't see why you should get a free diagnostic out of the deal. Hell, unless you have your own ODBC reader, most mechanics will charge you $50 just for a basic readout. I bought the code reader because it pays for itself in the long run, but I see nothing wrong with mechanics wanting to get paid for the work they do.

          • by Draek ( 916851 )

            You're forgetting that the "innocent third parties" aren't at risk from the information on the crack but rather from the crack itself being there in the first place, and you not knowing about it won't make the crack on the dam magically dissapear.

      • I can kind of see the justification. They're basically providing a service and charging a fee for it after the fact, a fee that you can even choose to ignore. "Hi, I made this suit specially tailored for you. If you don't want it, that's fine. If you want it, well here you go!"

        However it does lay a pressure on the buyer to buy it, since otherwise others can choose to buy it and exploit it without the programmers knowing exactly what the exploit entails. That's somewhat alike to extortion.

        I can see both side

        • Re: (Score:2, Interesting)

          by Dishevel ( 1105119 )
          No. If you say I have found an exploit for your software. If you want it it will cost you X. If not, have a nice day. I hope no one else can find the same type of exploit. There is nothing wrong with that.

          If on the other hand you you tell the company that wither they buy it or you will sell it to others then that is extortion and is illegal. You do one or the other. There is now other side to the coin.

          They are separate coins altogether.

      • Really? Do you refuse to pay doctors and nurses, too?
      • True, but the white hats gotta make their money some how.
    • (I didn't RTFA, but in this case, that probably helped.) I interpret "iTunes for exploits" as meaning that you go to the trouble to load up your computer with exploits, then you do a sync, and suddenly all of the exploits which you had loaded, but which didn't come from their "iTunes for exploits" are inexplicably missing. So as long as you install this "iTunes for exploits" software but don't ever use it for installing your malware, then occasional syncs can function as malware disinfectant. That doesn't

  • by Anonymous Coward

    I'm not all that familiar with the MetaSploit Framework (which has been bought out) but don't things like this already exist...except they'!

    • And that's the problem. If an unscrupulous hacker finds a 0-day exploit, are they really more likely to give it away for free than to sell it to the highest bidder?

      Similarly, even knowing that companies are willing to pay (rather than sue/prosecute/harass/whatever) may lead to more exploration of vulnerabilities, and that means more secure programs overall.

      Sure, I'd love to see more hackers meeting the minimum ethical requirements to follow responsible disclosure, but there's still a black market for exploi

      • by jandrese ( 485 )
        As I understand it, organized crime is willing to pay for exploits because they don't have direct access to real hackers but still want to set up bot nets for various purposes. If someone is willing to pay for something you made (well discovered), then why give it away for free? Especially if you're some anonymous teenager still living at home.
      • The problem is that there are so many companies who sue/prosecute/harass/discredit and with law as it is... a hacker is liable to lose their life to such things. Not literally but going to jail or having lost your job and all your money to protect yourself from a large corporation with bored lawyers/PR on staff is awful. In addition many companies dont offer $$$ for exploits; they expect to get them for free. Sooooo many factors all forcing hackers to go to the black market.
  • Ebay for exploits (Score:2, Interesting)

    by munky99999 ( 781012 )
    We need an auction site where vendors, bad guys, and good guys all bid on 0days.
  • I'm sure most of this will come from metasploit, packetstorm, and exploit-db. Directly selling exploits is shady, no matter what company is backing it.
  • by slapout ( 93640 ) on Friday October 15, 2010 @04:28PM (#33912416)

    So you're going to start out selling exploits for 99 cents? And then create a(n expensive) portable device that people can buy to run your exploits on? And then become the market leader? And then introduce new models of your hardware? And then create an "exploit" store sdk so people can sell there own exploits? And them submit to exploit creators demands that the price be raised to $1.29? And then remove color from the user interface?

  • Seems like a nice easy way to make a bit of cash in your spare time without any particularly rare skills needed. Just find a vulnerability from CVE that doesn't have a corresponding Metasploit module, write a Metasploit module and put it up in Exploit Hub.

    Since it's not a 0-day, there's nothing to be gained by getting an exclusive purchase so the prices will be reasonable. There's less risk of being sued too because it's not a 0-day; just a bit of code that you can use to test for an already disclosed vul

To do two things at once is to do neither. -- Publilius Syrus