the underground software vulnerability marketplace and its hazards (fwd)

Mike Rosing eresrch at eskimo.com
Thu Aug 22 06:48:22 PDT 2002


On Thu, 22 Aug 2002, Eugen Leitl wrote:

> If this kind of secret traffic is allowed to continue, it will pose a
> very serious threat to our computer communications infrastructure.

Sure looks like it.

> iDEFENSE is offering a new alternative that appears far more dangerous
> than either of the two previous paradigms.  They want to be a buyer in
> a marketplace for secret software vulnerability information, rewarding
> discoverers of vulnerabilities with cash.

Not that much cash.  It's only $125 for an exploit.  That's not
much in $/hr of effort.

> First, secret software vulnerability information will be available to
> the highest bidder, and to nobody else.  For reasons explained later,
> I think the highest bidders will generally be organized crime
> syndicates, although that will not be obvious to the sellers.

Governments have more cash.  The highest bidders could use it as a
way to keep track of who is doing what, since the web site says
people who find exploits are given full credit.  The mafiosi seem
like the least of our problems with this.

If I got paid, I wouldn't want anyone to have the ability to come find me!

> Second, finding software vulnerabilities and keeping them secret will
> become lucrative for many more talented people.  The result will be
> --- just as in the "responsible disclosure" days --- that the good
> guys will remain vulnerable for months and years, while the majority
> of current vulnerabilities are kept secret.

Not at that rate of pay.  Might be a good way to find talent though.

> I think the highest bidders will be those for whom early vulnerability
> information is most lucrative --- the thieves who can use it to
> execute the largest heists without getting caught.  Inevitably, that
> means organized crime syndicates, although the particular gangs who
> are good at networked theft may not yet exist.

Yes they exist, and most have 3 letter acronyms.  Well, a few have
numbers in there :-)  A lot of government agencies need cash that
their handlers won't give, so they go steal it.  Since their jobs
are breaking laws, nobody notices.

> Right now, people who know how to find security exploits are either
> motivated by personal interest in the subject, motivated by the public
> interest, motivated by a desire for individual recognition, or
> personally know criminals that benefit from their exploits.  Creating
> a marketplace in secret vulnerability information would vastly
> increase the availability of that information to the people who can
> afford to pay the most for it: spies, terrorists, and organized crime.
>
> Let's not let that happen.

How?  iDEFENSE isn't really breaking any laws, they are just
immoral scumbags.  Maybe the publication of the first person
hunted down and executed by an angry government will slow down
contributors?

Thanks for posting this, the net is getting more and more interesting
:-)

Patience, persistence, truth,
Dr. mike


More information about the cypherpunks-legacy mailing list