Cornering the Market On Zero-Day Exploits

Nicola Hahn (1482985) writes Kim Zetter of Wired Magazine has recently covered Dan Greer's keynote speech at Black Hat USA. In his lengthy address Greer, representing the CIA's venture funding arm, suggested that one way that the United States government could improve cyber security would be to use its unparalleled budget to buy up all the underground's zero-day vulnerabilities.

While this would no doubt make zero-day vendors like VUPEN and middlemen like the Grugq very wealthy, is this strategy really a good idea? Can the public really trust the NSA to do the right thing with all those zero-day exploits? Furthermore, recall the financial meltdown of 2008 where the public paid the bill for Wall Street's greed. If the government pays for information on all these unpatched bugs would society simply be socializing the cost of hi-tech's sloppy engineering? Whose interests does this "corner-the-market" approach actually serve?

The answer is to lessen the bugs at the source

[Taco Cowboy]

The zero-day bugs are bugs, while we know bugs are inevitable (nobody is perfect), it does not mean that we should just throw up our hands and say "Oh, there is nothing we can do"

We can !

We can do something at the source level - at the very least we should be able to, after so many years of programming culture, to inculcate the correct way to future crops of programmer so that they produce stuffs that contain less bugs

Some of those bugs were actually added when the original program gone through an update, with extra bells and whistles - and if we can stick to the original Unix principle, in which, one utility does one thing, and one thing only, and does it very efficiently, the chances of "introducing added bugs" would be drastically lessen

More money just increases the price

[petes_PoV]

If a new buyer comes into the market - a buyer with lots of money, then all that happens is that the price goes up. It's simple economics and we see this happening in every market: from commodities to TV programmes.

If the price becomes high enough, new exploiters will enter the market and start discovering exploits, in competition with the original suppliers. Then the NSA would have to start dealing with those guys, too. And so the circle would keep going round: more money, new exploit finders, asking higher prices.

If the NSA wants to improve security, they would set up their own zero-day exploiters to not only find, but to fix security holes and then issue those fixes for free (or use the exploits to force fixes on the exploited software. They might also ask for new laws that would require software vendors to pay them for fixing these problems. However, it's by no means certain that this would be their intention. They may simply be collecting hacks for their own nefarious purposes.

After all, we haven't seen a government agency buying up all the drugs, in order to stop them being supplied to the population - so why would they use that tactic here?

Re:More money just increases the price

[Geoffrey.landis]

If a new buyer comes into the market - a buyer with lots of money, then all that happens is that the price goes up. It's simple economics

Well, yes, but that's exactly what was desired:
You want the price to go up, so that it's more valuable to disclose the bug than it is for some thief exploit it.

If the price becomes high enough, new exploiters will enter the market and start discovering exploits

Exactly. You mine out the easy-to-find exploits until they are depleted, and start in on the harder-to-find bugs, so that you get to the point where amateur hackers simply aren't sophisticated enough to find them.

... After all, we haven't seen a government agency buying up all the drugs, in order to stop them being supplied to the population

Well, of course you can always manufacture more drugs; you don't "find" them. They don't get harder to make as the market increases.

If the objection here is "software companies will start deliberately introducing vulnerabilities, so that they can make money by selling the vulnerabilities to the government"-- yes, that might be an objection.

The Fundamental Flaw

[Anonymous Coward]

The fundamental flaw with this idea is that it assumes there is a finite supply of these 0 day exploits. Even if you think that you can trust who ever we would be buying it from to not sell it to anyone else and that no one else would discover the same exploit you still don't gain anything because you can never buy up all the exploits possible. Creating a stronger market for those exploits will just ensure that more people are looking for and finding them and you have to continue buying them or they'll hit the open market.

? Plenty of competition when I looked

[raymorris]

> can't help but think "bug bounties" aren't proper capitalism since there's little competition.

I'm not sure quite what you mean here. Just the other day I looked over a list of bug bounty programs to see if it might mange sense for me to analyze some of the software specifically for the purpose of collecting bounties. There were quite a few companies offering bounties, competing for my services analyzing their software. Based on what I saw, there is a reasonable amount if competition on that side, many buyers of bugs.

One company I saw has a bug bounty program sells software that I use on a daily basis and occasionally debug. I've sent them patches and suggestions before, outside of any bug-bounty program. Looking at the rewards offered, it seemed to me that it _might_ make sense for me to analyze certain software for security bugs. The price offered, based on the number of other programmers competing for the money, seemed just about right, maybe slightly low. On the other hand, the rewards are enough that it DEFINITELY makes sense for me to spend the time and hassle reporting bugs that I happen to notice while I'm using and configuring the software. So based on what I saw, there is enough competition on both sides to have prices tend toward reasonable numbers.

I noticed that a lot of companies don't have bug-bounty programs yet, though many do. It reminds me of 15 years ago when a lot of sites had referral programs, but most did not. That changed when third parties including CCBill made it easy to add a referral program. I suspect many more companies will add bug-bounty programs when they don't have to develop and manage the system themselves. If they can just buy or subscribe to an easy-to-use software package for running it, and maybe let the third party vendor handle payments, it will become much more common.

"Once you pay the Dane-geld, you never get rid ...

[davidwr]

... of the Dane." -Rudyard Kipling

Rudyard Kipling, Dane-Geld, A.D. 980-1016 [poetryloverspage.com]

It is always a temptation to an armed and agile nation
    To call upon a neighbour and to say: --
"We invaded you last night--we are quite prepared to fight,
    Unless you pay us cash to go away."

And that is called asking for Dane-geld,
    And the people who ask it explain
That you've only to pay 'em the Dane-geld
    And then you'll get rid of the Dane!

It is always a temptation for a rich and lazy nation,
    To puff and look important and to say: --
"Though we know we should defeat you, we have not the time to meet you.
    We will therefore pay you cash to go away."

And that is called paying the Dane-geld;
    But we've proved it again and again,
That if once you have paid him the Dane-geld
    You never get rid of the Dane.

It is wrong to put temptation in the path of any nation,
    For fear they should succumb and go astray;
So when you are requested to pay up or be molested,
    You will find it better policy to say: --

"We never pay any-one Dane-geld,
    No matter how trifling the cost;
For the end of that game is oppression and shame,
    And the nation that pays it is lost!"