Netragard Ends Exploit Acquisition Program After Hacking Team Breach

Trailrunner7 writes: After the fallout from the HackingTeam breach, Netragard, a company that buys and sells exploits, has decided to shut down its exploit acquisition program. Leaked documents show that Natragard was selling exploits to the Italian maker of intrusion and surveillance software. In addition, documents further showed that the company sold its products to a variety of oppressive regimes, including Egypt and Ethiopia. A company statement reads in part: "We’ve decided to terminate our Exploit Acquisition Program (again). Our motivation for termination revolves around ethics, politics, and our primary business focus. The HackingTeam breach proved that we could not sufficiently vet the ethics and intentions of new buyers. HackingTeam unbeknownst to us until after their breach was clearly selling their technology to questionable parties, including but not limited to parties known for human rights violations. While it is not a vendors responsibility to control what a buyer does with the acquired product, HackingTeam’s exposed customer list is unacceptable to us. The ethics of that are appalling and we want nothing to do with it."

Re:

[Chris Mattern]

Why in the name of hell would we want a replacement for the Golden Girls cosmonaut, if it comes to that?

Motivation

[Anonymous Coward]

Our motivation for termination revolves around ethics, politics, and our primary business focus.

My sides! My sides! Look out Major Tom!

Re:

[Anonymous Coward]

More like "all the zero days we were selling, HackingTeam had bought and they got leaked. Now we might as well go out of business."

Re:

[arglebargle_xiv]

Our motivation for termination revolves around ethics, politics, and our primary business focus.

I am shocked, shocked to discover that our hacking exploits were being sold to totalitarian governments!

NSA

[hjf]

Translation: CIA and NSA are pressuring us for exclusivity.

Seriously, who would believe a sleazy company that makes money off exploits is worried about "human rights violations".

Re:

[Anonymous Coward]

Well the old 'Dot refused to post my comment, so I'll just ramble it here. agree 100%. Who the hell did this company think it's end users were, security researchers?

Exploits being sold are being sold for 1 single reason, to be used. Nice way to try to save face, but sorry, the intertubes never forget.

Re:

[shaitand]

Yes but rebel exploit sellers want rebels to buy exploits to use against oppressive regimes like... essentially everyone who used Hacking Team. Pretty much everyone on their client list qualifies as an oppressive regime. Including the government in control of the servers I'm posting on.

Re:

[tomhath]

Or any of dozens of other agencies all around the world who might have made them an offer they couldn't refuse. NSA probably has better stuff than this place anyway.

Re:

[hjf]

Sure, let the enemy get weapons. Ours are better anyway.

LOL.

Re:

[swillden]

Translation: CIA and NSA are pressuring us for exclusivity.

Seriously, who would believe a sleazy company that makes money off exploits is worried about "human rights violations".

That's a bit too broad. Would a company that makes money by finding exploits and selling them to the makers of the relevant products (via Vulnerability Rewards Programs, or similar), also be sleazy and unworried about human rights violations? There are a lot of highly ethical researchers who make their livings in exactly this way.

Note that I'm not claiming Netragard is among them.

Re:

[hjf]

The "researchers" you mention are able to get into the cesspools of the internet as easily as this company does.

Re:

[swillden]

The "researchers" you mention are able to get into the cesspools of the internet as easily as this company does.

Why would they risk that?

Ethics shmetics

[Anonymous Coward]

They went in and full well knew or should have known what they got into. So no, I'm not buying this in the least. It just means they're spineless cowards.

If they had any ethics, they either wouldn't haven gotten into this obviously immoral or at least amoral game in the first place, or, going in knowing full well what they got into and why, they'd have the balls to see this through now. So I call them cowards. Spineless cowards. Contemtible wretches.

Pretty much no better than the rest of the s'kiddie scum i

Re:

[AqD]

Why should they care? It's the same business as making weapons, things we do everyday.

Re:

[BVis]

If they had any ethics, they either wouldn't haven gotten into this obviously immoral or at least amoral game in the first place, or, going in knowing full well what they got into and why, they'd have the balls to see this through now. So I call them cowards. Spineless cowards. Contemtible wretches.

It's ok, though. They made money.

How convincing!

[Anonymous Coward]

So, these fine and respectable folks are shocked, shocked that dodgy reselling of exploits might be going on. Really. How utterly plausible.

Unless you are selling to an end user who does their own development, what other possible outcome could you expect? They only want to purchase the exploit from you because they think that they can package it up and sell it on to enough of their own customers to come out in the black. That is a situation where all the incentives push toward transactions being largely sec

Re:

[shaitand]

There are different flavors of troubling. Many of the hacking groups out there are effectively digital rebel warriors trying to fight oppressive regimes like Egypt and the US. Their actions may be criminal and in some cases immoral but they are fighting greater evils perpetrated by the powers we've failed to resist by conventional means. That is civil disobedience. Perhaps they considered that getting tools to these elements was worth the risk of simple profiteers getting some exploits but did not consider

Meanwhile...

[Anonymous Coward]

Meanwhile, Intertrode (who just happens to have the same owners) have now covertly begun an open exploit acquisition program.

Re:

[shaitand]

They are probably actually working as a front for the western repressive regimes.

Vendor's responsibiity over buyer's actions

[mi]

While it is not a vendor's responsibility to control what a buyer does with the acquired product

Anti [npr.org] 2nd-Amendment zealots [nbcphiladelphia.com] would [chicagotribune.com] disagree [washingtonpost.com].

And, although the above lists mere tort-claims, there are movements afoot towards criminal liabilities for gun-sellers as well. For the Greater Good.

Re:

[BVis]

Dammit, /r/ammosexuals is leaking again.

Go grind your axe somewhere else.

Re:

[shaitand]

Consider this, there would be no democracy in the world if the powers at be did not have to fear the mob which is why we have a 2nd amendment. Now that every nation in the world including ours has disarmed the people to the point the powers-at-be no longer have to fear the mob... what happens to democracy and do you honestly think it hasn't happened already?

Re:

[BVis]

Time to change the tinfoil in your hat, Sparky.

who again?

[TheCarp]

HackingTeam unbeknownst to us until after their breach was clearly selling their technology to questionable parties, including but not limited to parties known for human rights violations."

So would that include the US government and its allies? The Washington gang certainly falls under "parties known for human rights violations" (including torture)

Re:

[alvinrod]

Almost certainly, though it would be rather stupid of them not to make the purchase through some kind of shell organization. The simple fact that a government agency is acquiring information about a specific exploit is itself valuable information. At the same time, you'd almost think that the government would try to do a lot of this work in-house.

Re:

[drinkypoo]

At the same time, you'd almost think that the government would try to do a lot of this work in-house.

As bad as the economy is, they're still having trouble attracting the kind of people who do this work. Their general hiring policies are a big part of the problem, obviously. A lot of the qualified candidates aren't interested in pissing in a cup, and wouldn't pass if they did

Re:

[shaitand]

What on earth makes you think that Netragard and the same people's instant new exploit selling system to replace it after this announcement Intertrode aren't shell organizations for the western regimes?

Re:

[TheCarp]

I was actually thinking the holding a cloth over a persons face and restraining him upside down while pouring water over the cloth, and hitting him in the diaphram if he tries to not breathe.

Nobody seems to want to take me up on my sincere offer to listen to their arguments about why it is certainly not torture, as long as they are willing to demonstrate by being waterboarded until I believe them.

Re:

[shaitand]

That's not torture it's just good fun.

Re:

[TheCarp]

So are you volunteering to explain then?

Let me grab my bucket and we can get started. :)

Re:

[bluefoxlucid]

Honestly, this whole stance is stupid. You can't control that kind of information in any meaningful way. It's like deciding only the Shepherds of the Righteous will have weapons: you're just creating an imbalance.

The more access dangerous criminals have to dangerous toys, the more society moves to control them. When society gives up hope on controlling their access to dangerous toys, it finds other ways to control criminals. In the most extreme, the criminals become so dangerous as to create a faili

to whom?

[DriveDog]

"selling their technology to questionable parties" as if there were any other kind of customer paying for such.

Hypocrisy in action

[Virtucon]

Our motivation for termination revolves around ethics, politics, and our primary business focus. The HackingTeam breach proved that we could not sufficiently vet the ethics and intentions of new buyers. HackingTeam unbeknownst to us until after their breach was clearly selling their technology to questionable parties, including but not limited to parties known for human rights violations.

So you were selling these hoping that it would save the whales or make the bunnies happy? You're selling vulnerabilities that you acquire. Specifically weapons and like all weapons, it's a commodity based business and you took the money. The remorse is a bit late and a bit shallow because a weapons manufacturer doesn't feign surprise when somebody gets killed with their product.

Well, DUH! What did YOU think your customers do?

[Opportunist]

What did you expect your customers to do with the knowledge about unpatched, unknown 0day exploits? Make a funny little collection to show around to their friends?

"Hey, Fred, look what I got! It's a genuine 0day that MS doesn't know about yet. Ain't it cool? Huh? No, why would I use it?"

Seriously, what did you expect?

Re:

[Opportunist]

Of course. Sure. Absolutely.

When you sell weapons, you accept that there is a pretty good chance that they will be used for something a normal person would consider "evil". Claiming it ain't so either means you're lying or that you should not do business. Like, ever. And hand your effects over to a custodian. Because you're very blatantly unfit to understand how the world works.

Re:

[shaitand]

When you sell weapons to civilians you expect nothing of the sort. Civilians using weapons to do something normal people would consider evil is exceeding rare. In the US for instance there are millions of guns in civilian hands but civilians kill people with guns very very rarely. Gun death statistics for a year are well below automobile death statistics in a day and almost in almost all cases the shooter is an agent of government (usually police domestically).

Re:

[shaitand]

They expected the digital rebel good guys to use them against the guys do the gathering, warranting, lobbying, etc the real bad guys. And spammers and malware people of course but that's just collateral damage.