Zero-Day Vulnerabilities On the Market

CmdrTaco posted more than 4 years ago | from the not-as-good-as-my-negative-four-day dept.

Businesses 94

An anonymous reader writes "Zero-day vulnerabilities have become prized possessions to attackers and defenders alike. As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days. There is an underground market growing around these vulnerabilities, but there are also 'white markets' — set up by VeriSign, TippingPoint, Google — where they buy zero-day flaws and alert the companies so that they can patch their products before the vulnerabilities can be taken advantage of."

94 comments

Sure is... (0)

Anonymous Coward | more than 4 years ago | (#31060970)

...1998 in here.

Re:Sure is... (2, Interesting)

insufflate10mg (1711356) | more than 4 years ago | (#31061748)

Damn straight it is.

The 0day black market has been thriving for over a decade; I remember being 13-14 years old, spending every day and night reading and learning about computer security. It was a different world in hacking back then; the reason was because the lines between a secure system and an insecure system were more blurred. Most machines/networks one would target had a vulnerability that was exploitable, it was just a matter of spending enough days reading to discover it. It was an incredible time in the Internet's young life, but it is long gone. By the time I was 16 years old, I had joined my mentors in writing white papers relating to security, pen-testing, and trying to maintain integrity within the game. Technology moved faster than any of us had imagined, and we all moved on to our own specializations in computer science. Hacking was so open, so possible: it just took the right amount of knowledge to do it, and everyone who would do anything to not be a skiddie was busting their ass every day.

We have moved on to different times. The line in the sand is so broad and sharp; you're either an advanced black hat, an advanced white hat, script kiddie, or nothing. Although I miss the old days, it is nice to see how far computer security has come. I'm proud to say that I am a "newer old school" hacker because with that area-of-specialization comes a unique set of skills that new-age "hackers" don't have. There are still the real old school hackers though, and I could only imagine the nostalgia they feel every day and have been feeling for decades.

Hacking is just not what it used to be, but this article (and the post I'm replying to) echo the faint sounds of the old days when we used to discover 0days, share them with our friends, protect them honorably, use them when necessary, and end up selling them out to their victim's companies to make the internet just a little bit safer.

need a job? (0)

Anonymous Coward | more than 4 years ago | (#31065678)

If you think you can actually find holes or build tools to find them, post some contact info. Also good would be writing proof-of-concept exploits.

Re:need a job? (1)

insufflate10mg (1711356) | more than 4 years ago | (#31072218)

You just proved my point PERFECTLY. I said that today "you're either an advanced black hat, an advanced white hat, script kiddie, or nothing." I am none of those. I considered myself a hacker at one time, after being mentored for years by a white-hat working in the Italian government and a black-hat creating/selling neural-network software for hospital uses in Nashville. It was a different time back then, I guess that's all I can say.

maybe I can get you a job (1)

poppopret (1740742) | more than 4 years ago | (#31067354)

> I remember being 13-14 years old, spent every day and night reading and learning about computer security.

Nice.

> The line in the sand is so broad and sharp; you're either an advanced black hat, an advanced white hat, script kiddie, or nothing.

Really? What if you pwn an evildoer? Send a resume to doubleplusgoodalbert@gmail.com if that sounds really cool.

Re:maybe I can get you a job (1)

poppopret (1740742) | more than 4 years ago | (#31067408)

BTW, an informal "resume" beats nothing. Say a bit about when/where you are willing to move, how broad/deep your hacking experience is, etc.

Re:maybe I can get you a job (1)

insufflate10mg (1711356) | more than 4 years ago | (#31072252)

If we were moving back in time to 1999, I'd be a hell of a candidate. For now, hit me up if you need someone to write your thesis paper or ghost-write a book for you.

Re:Sure is... (1)

insufflate10mg (1711356) | more than 4 years ago | (#31061788)

I just realized the parent was trying to make a joke about how 0days have been on the black market since the 90's. When I read it the first time I thought it was a nostalgic reference, not a reference to the fact that the news contained in this story is far from news. Maybe olds, but not news.

Re:Sure is... (1)

AG the other (1169501) | more than 4 years ago | (#31071746)

The word news didn't have anything to do with new. It stood, at least originally, for North East West and South.

Re:Sure is... (1)

insufflate10mg (1711356) | more than 4 years ago | (#31072588)

No shit? The fact that the point of news is to spread new information had nothing to do with it?

This is why we need... (4, Funny)

Anonymous Coward | more than 4 years ago | (#31060988)

someone to invent time travel. Then someone could go into the future, get all the patches and fixes to various popular software, come back in time, and give it to us. Problem solved.

Re:This is why we need... (4, Funny)

Anonymous Coward | more than 4 years ago | (#31061096)

But the evil hackers with time travel will then go to the future to find out exploits before they've been found in the past.

Re:This is why we need... (5, Funny)

BartholomewBernsteyn (1720348) | more than 4 years ago | (#31061158)

> But the evil hackers with time travel will then go to the future to find out exploits before they've been found in the past.

...and that's exactly why need regulation with regards to time travel and access to time travel machinery, now. You there, drop that screwdriver!

Re:This is why we need... (0)

Anonymous Coward | more than 4 years ago | (#31061934)

Accidentally the subject!

Re:This is why we need... (2, Funny)

guruevi (827432) | more than 4 years ago | (#31063618)

Don't worry, almost all classic DeLoreans have rotted away and we're still waiting on non-Newtonian Physicists to invent a Flux Capacitor.

Re:This is why we need... (0)

Anonymous Coward | more than 4 years ago | (#31062660)

Or even perhaps posters who regret posting anonymously, could go back in time and tell themselves that they're going to get a high funny moderation. Oh well, sigh.

Re:Terminator revisited (1)

hesaigo999ca (786966) | more than 4 years ago | (#31065718)

But the white hatters being able to time travel send a robot back in time far enough to look up all the evil hackers' moms and kill them all before any of this has started.

I just wonder if evil hackers that did make it into the future before they got diced, were able to find a way to look up those white hackers' grandparents and send a robot back then, ...or wait a minute...

Buy them (1)

microbox (704317) | more than 4 years ago | (#31061248)

Surely companies could just buy the zero-day exploits, study them, and patch their software. Turn the black market to your own end. Then the problem is solved without time travel.

Re:Buy them (2, Interesting)

SeePage87 (923251) | more than 4 years ago | (#31061470)

Wow, I know /.ers rarely read TFA, but did you even read the summary? They explicitly mention "white markets" where companies can do just that. If the white markets are well known about, learning of an exploit is often likely to be more valuable to the company than a hacker. A company can suffer liability for damages, lose clients, suffer hits to their company's good will, and, depending on the nature of the software and what it's used for, and the exploit and how it works, any number of other things. Those buying the exploits can't know how long it will be effective, or how profitable it will be. My guess is, the more profitable it could be, the quicker it will get fixed, so how much can the black market pay? Besides companies potentially paying better, there's the added bonus of not having to do something illegal, harmful and immoral, though I know that doesn't matter to some. And there might be the appeal of being on the side of preventing malicious attacks. Think about it, all the CS nerds will be able to effectively become digital Jack Bauers, and that's bound to get chicks.

Be careful. (3, Interesting)

John Hasler (414242) | more than 4 years ago | (#31061824)

> Besides companies potentially paying better, there's the added bonus of not
> having to do something illegal, harmful and immoral...

Be careful. If the company learns your identity during negotiations they might have you arrested for extortion.

Re:Be careful. (3, Insightful)

SeePage87 (923251) | more than 4 years ago | (#31062062)

Maybe. The interesting thing is that the exploit is both the attack and also what is needed to fix it. There's a credible threat that others may use the same exploit, not just the one who found it. A company who did this openly, whose founding documents declare they only sell software vulnerability information with the software's creator, whose NDAs included clauses that they will never share this information with others in perpetuity regardless of the potential client's decision on whether to buy the information... I think they could develop a defensible case and eventually a trusted brand image. Just because a company sells fire insurance doesn't mean they're really threatening to commit arson.

Re:Buy them (0)

Anonymous Coward | more than 4 years ago | (#31062240)

> Wow, I know /.ers rarely read TFA, but did you even read the summary?

Come off it, we don't come to /. for facts! What on earth are you thinking?

Re:This is why we need... (0)

Anonymous Coward | more than 4 years ago | (#31061344)

> someone to invent time travel. Then someone could go into the future, get all the patches and fixes to various popular software, come back in time, and sell it to us. Problem solved.

Meh, I see what you did there. Fixed that for you, mmmkay?

Re:This is why we need... (1)

_Sprocket_ (42527) | more than 4 years ago | (#31062248)

"Dude. As soon as Bill stops screwing around with card games, we're going to be set!"

"Why?"

"I just got a whole bunch of neg 7300 day exploits for Win95, dude. We're gonna be set."

"Cool. Hey.... have you even been born yet?"

"Awww crap..." (poof)

Good to know (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31061022)

I always appreciate the clarification that a growing market is growing.

I'm surprised white markets aren't more common (4, Interesting)

swb (14022) | more than 4 years ago | (#31061074)

...especially when the market is fairly inelastic.

The best "white market" tale I've ever heard is the militias that ran the "Golden Triangle" in the Southeast Asian highlands offering to sell the US the entire opium crop.

I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market. They could even use the opium for the production of painkillers for the legitimate market, which I understand is actually constrained sometimes by strict production limitations.

You would think that white marketing the supply of illicit drugs would make a lot of sense -- by buying up supplies at the volume end of the market and denying it to the market, you would drive street prices through the roof and have far more impact on the consumers, pricing many out of the market. Cocaine supply diversity may make this difficult, but if pursued quietly it might actually be effective there too.

Critics would decry giving money to criminals, but the "buy" could actually take place at the farming level where that's an option, thus totally undercutting the criminals. It'd be great to see a cost analysis to see if it would actually be cheaper to just buy up the drugs at the point of production versus the drug war, which doesn't work.

Re:I'm surprised white markets aren't more common (2, Insightful)

adonoman (624929) | more than 4 years ago | (#31061152)

It'd work great until a few farmers, who sold to the government instead of the local underground, wind up dead.

Exactly. (2, Interesting)

khasim (1285) | more than 4 years ago | (#31061220)

Remember, we're not talking about the farmers being the equal of the distributors.

If you start taking away a source of revenue, you had better be able to defend that with violence of your own.

And anyway, if the farmers are growing dope, they're not growing food. How about offer to buy the food that the farmers grow at a higher rate than the processors pay for the dope?

Re:Exactly. (1)

hduff (570443) | more than 4 years ago | (#31062252)

> And anyway, if the farmers are growing dope, they're not growing food. How about offer to buy the food that the farmers grow at a higher rate than the processors pay for the dope?

Then farmers get killed for growing food instead of drugs. The best solution (for the farmers) is for there to be no demand for the drugs or no profit in providing them. Given that will never happen, the farmers are sooo screwed.

Re:Exactly. (1)

mcgrew (92797) | more than 4 years ago | (#31063856)

Have you compared the cost of a pound of corn (an ear or two) compared to the cost of a pound of opium? A pound of flour compared to the cost of a pound of heroin?

Are you willing to pay $100 for a loaf of bread and seventy five dollars for a beer?

... you are sadly mistaken (4, Insightful)

thijsh (910751) | more than 4 years ago | (#31061178)

You seem to be under the impression that the war (on drugs) has anything to do with logical reasoning...
It's a great idea though, and I bet it will in fact work *and* be cheaper.

Re:... you are sadly mistaken (0)

Anonymous Coward | more than 4 years ago | (#31074082)

You know what works best? If YOU stop blowing anything that passes under your nostrils, dopeheads.

Re:I'm surprised white markets aren't more common (3, Informative)

bluesatin (1350681) | more than 4 years ago | (#31061184)

> I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market.

This would probably cause a knock-on effect of increasing production in the area, due to the fact that you will be increasing the profits for the poppy growers, and perhaps also encouraging people to start poppy farming; selling to US troops is probably a hell of a lot less scary than selling to the Taliban.

Re:I'm surprised white markets aren't more common (1)

microbox (704317) | more than 4 years ago | (#31061296)

> Selling to US troops is probably a hell of a lot less scary than selling to the Taliban.

That is unlikely from the farmer's perspective -- who may fear violent reprisals from the Taliban, and don't trust the christian infidels (US troops) anyway.

Re:I'm surprised white markets aren't more common (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31061460)

I know you are being flippant but your average Afghani (or any Muslim) doesn't think in terms of "christian infidels", that is the kind of talk you get from radical mullahs, talk show hosts, or rednecks. Depending on their education they are more likely to think "here are non-Muslims who are going to try to take over and get us to convert like they did during the crusades, or the British...". Most people are just like you and me, they just want to be left alone, be relatively comfortable, not be afraid all the time, and be with family and friends.

Re:I'm surprised white markets aren't more common (4, Insightful)

L4t3r4lu5 (1216702) | more than 4 years ago | (#31061186)

Buying products other than opium, i.e. incentives to plant other crops would be better.

On another point, don't you think the Taliban might be a little irritated by this and, ooooh I don't know, cut off some farmers' heads? I hear they've been known to do that to make a point.

Re:I'm surprised white markets aren't more common (4, Informative)

Ltap (1572175) | more than 4 years ago | (#31061264)

You're right. The drug-growing problem in Afghanistan is two-fold: very little will grow there other than desert plants. Opium grows there and is extremely profitable to grow, so if they were to try and grow other crops, they would probably not be sustainable without more infrastructure (such as an irrigation network to grow crops that need more ground water). There have been attempts to cultivate some local plants to extract oils for use in beauty products, but it's a niche market and only a small amount of farmers can do it without over-saturating the market. A crop that would grow in Afghanistan, is in demand, and is rare enough to warrant transportation costs to the rest of the world is the ideal crop, and right now that is opium. Until there is a viable alternative, that is what farmers will grow.

Re:I'm surprised white markets aren't more common (3, Insightful)

swb (14022) | more than 4 years ago | (#31061326)

We can incentivize the growing of other crops, too, but we should also be prepared to buy up the opium crop.

The alternative is destroying the opium crop; this impoverishes the farmer further, destroys his livelihood and causes him to not just grow opium, but join the Taliban.

Re:I'm surprised white markets aren't more common (4, Insightful)

Yvanhoe (564877) | more than 4 years ago | (#31061530)

The Taliban are actually opposed to drugs production. While they were in power, the area of opium cultures fell down incredibly quick. It came back thanks to the war. The drugs lords are a faction different from the Taliban.

Re:I'm surprised white markets aren't more common (2, Insightful)

_Sprocket_ (42527) | more than 4 years ago | (#31062528)

> The Taliban are actually opposed to drugs production. While they were in power, the area of opium cultures fell down incredibly quick. It came back thanks to the war. The drugs lords are a faction different from the Taliban.

Which is all nice and fine as long as the Taliban remains in control. But what happened after?

There are reports that the Taliban are now involved in the drug trade again. Despite the use of this as obvious propaganda, it isn't that far fetched as the Taliban initially hadn't had a problem with opium since it was a drug for foreigners (hashish was another matter). Of course, it's also very likely that the Taliban is only one of many players in the increased trade. Narcotics is a major industry and quickly becomes prominent in any unstable environment. It becomes a vehicle for not only criminals and warlords but other traders in power to include intelligence agencies and legitimate businesses.

Re:I'm surprised white markets aren't more common (1)

SnarfQuest (469614) | more than 4 years ago | (#31062410)

> Buying products other than opium, i.e. incentives to plant other crops would be better.

Like industrial strength hemp?

They grow drugs because it is more profitable than food crops. They probably get 10 times the earnings per acre for opium than they would get for any food crop. If the US bought up all the opium one year, the farmers would just convert more of their fields over to opium. After one year, there would be more than enough opium for the US and the Taliban, and anyone else who wants it.

If you went to California, and put up an ad specifying that the government would pay $1000/pound for marijuana, with no legal problems, would you expect the quantity grown in that state to decrease?

Re:I'm surprised white markets aren't more common (0)

Anonymous Coward | more than 4 years ago | (#31066400)

I hear the yanks have been known to do equally nasty things too.
At this point, the Taliban is less of a threat to me than the USA.

Re:I'm surprised white markets aren't more common (0)

Anonymous Coward | more than 4 years ago | (#31061218)

You do realize that the Taliban is the reason that there was no opium in Afghanistan up until we showed up, right? They used to destroy the fields the first time they caught you growing opium, and shoot your ass if they had to come back. Karzai's brother is the big opium dealer in the country, and he isn't on the Taliban's side, he is on the corrupt politicians' side.

Re:I'm surprised white markets aren't more common (0)

Anonymous Coward | more than 4 years ago | (#31061306)

I had that idea for a long, long time.

Even go one step further: Buy not from the cartels but directly from the farmers.

The drug cartels in Mexico (and their wars with 20.000 dead per year!) would be ended tomorrow.

But I guess we cannot do that. Giving our money to poor countries is not what we want to do with it. We rather spend it on... the War on Terror or other useless shit.

Re:I'm surprised white markets aren't more common (1)

SeePage87 (923251) | more than 4 years ago | (#31061564)

Another problem with the strategy is that more drugs will be produced. If you buy up all the drugs at high prices, you'll have artificially injected a huge amount of demand into the market, as well as effectively condoned drug production. The existing producers will produce much more, since they can move it, and others will flock to the drug trade, knowing that the U.S. government will buy it. If we don't, they'll just sell it to the Taliban again and, since we never put it on the streets, they'll still receive good prices and have no problems moving it. Always remember to apply the game theoretical implications of any kind of economic policy (which I've found very few in Congress do).

Re:I'm surprised white markets aren't more common (2, Insightful)

Jenming (37265) | more than 4 years ago | (#31061648)

I bet the Opium would still reach the consumer at comparable prices.

The Opiate trade does not exist because of Afghanistan farmers or the Taliban, it exists because consumers really want Opiates.

Re:I'm surprised white markets aren't more common (4, Interesting)

Hasai (131313) | more than 4 years ago | (#31061684)

> Critics would decry giving money to criminals, but the "buy" could actually take place at the farming level where that's an option, thus totally undercutting the criminals.

And where, in regions that routinely grow opium, would this be an 'option?' The criminals will show up at the farmer's doorstep, take the money, then butcher both the farmer and his family to make an example.

I saw the same sort of thing happen in S.A., where this one campesino decided he wasn't going to grow coca anymore: the local enforcers promptly showed up, dragged him and his family out and forced them to kneel in front of their house, then went right down the row, from youngest to oldest. Pop, pop, pop, pop, pop.

The term 'naive' doesn't even begin to describe your idea.

Re:I'm surprised white markets aren't more common (1)

swb (14022) | more than 4 years ago | (#31063478)

Except that we didn't have 50,000 troops in South America.

Re:I'm surprised white markets aren't more common (2, Insightful)

ratboy666 (104074) | more than 4 years ago | (#31061910)

The Taliban sells heroin?

Um... no. In July 2000, Mullah Omar ordered a ban on poppy cultivation. As far as I know, this hasn't been lifted. Other members of the Northern Alliance are responsible.

I presume you are a US citizen; please know your enemy. The Taliban may be at war with the US, but they are even harder on drugs. It is about as conceivable as Pat Robertson selling heroin to fund Christian Outreach.

What passes for Insightful... (2, Informative)

Gary W. Longsine (124661) | more than 4 years ago | (#31064214)

Taliban and the Drug Trade [state.gov]
"Some members of the U.S. drug enforcement community suggest that a new strategy may have been adopted by the Taliban in the wake of their July 27, 2000 announced ban on cultivation. This strategy would reflect a desire by the Taliban to use their “monopoly” position to maximize profits, i.e. restrict supply by restricting cultivation; drive prices up dramatically; and sell from an extensive supply of stockpiled opium. According to the United Nations Drug Control Program (UNDCP) personnel, in the past, up to 60% of opium stock has been stored for sale in future years."

Uhm, no. What nut jobs like Mullah Omar say, and what they actually do, might overlap, but may not be entirely equivalent.

Re:I'm surprised white markets aren't more common (1)

dave562 (969951) | more than 4 years ago | (#31061980)

Two things your logic misses. First you've completely ignored the fact that the profits from drugs are used to finance the war. It isn't just the Taliban who are trading dope for military hardware. The drug trade is a perfect way for the government and companies to launder money. Here is a link to a PBS article that details a small, ACKNOWLEDGED portion of the process.

http://www.pbs.org/wgbh/pages/frontline/shows/drugs/special/us.html [pbs.org]

The PBS article talks about legit goods like appliances and automobiles. The arms market is a whole other beast. The CIA and other agencies use drugs to fund operations that they can't go to Congress for.

Here's an article about how the CIA was involved in running drugs through Arkansas.

http://www.serendipity.li/cia/hayes2.html [serendipity.li]

The other thing that I think you should consider is that the farmers need an alternate crop. As others have stated, there isn't much that will grow in Afghanistan. They could grow hemp though. In my mind, and I've said it before, it would be great to switch them from opium to hemp. Opium has one use. It is a pain killer. Hemp has multiple uses. The way I conceived of it working, the UN or US or whoever would buy the opium for a few years while the transition takes place. Once the farmers start growing hemp, they could sell to local markets in the provincial capitals. The capitals could start to build infrastructure to use the hemp. Hemp can be turned into cloth for clothing. The oil can be used for cooking and heating. The farmers could be allowed to grow marijuana too. It's about time that people pull their heads out of their asses regarding marijuana prohibition. It isn't the best substance in the world for your body, but it isn't any worse than cigarettes or alcohol. The added benefit of hemp is that it encourages companion industries like textiles.

Re:I'm surprised white markets aren't more common (1)

wintercolby (1117427) | more than 4 years ago | (#31062136)

I remember Karzai's government trying to do just what you're suggesting here, and the Bush Administration refuting it. Most of our current legal opium supply comes from Turkey, which houses several US Military bases. Ultimately, purchasing opium for use in purposely restricted legal markets would flood those markets, driving down prices and alienating our allies. That said, I would be willing to bet that purchasing opium from farmers and storing it would be cheaper than prosecuting the war against the Taliban as well as the expensive war on drugs.

Re:I'm surprised white markets aren't more common (1)

SnarfQuest (469614) | more than 4 years ago | (#31062290)

Since these "farmers" will know that the drugs they produce will never be used, what's to stop them from selling fake drugs which have been fixed to make the tests turn out right to the US government, and selling the real ones to the Taliban? All you need is some cheap chemical that makes the test kit change color, and I'm sure that there are things other than opium that can fake out the tests. Maybe just some food coloring mixed in.

Re:I'm surprised white markets aren't more common (1)

wintercolby (1117427) | more than 4 years ago | (#31063538)

I'm sure that this is as much a possibility as reporting a bogus security flaw to a software company. It wouldn't take long for a proper chemist to determine that what they were testing wasn't the real thing. On the up side, it could mean more science jobs and thus more of a push for better geeky ed in public schools.

Re:I'm surprised white markets aren't more common (0)

Anonymous Coward | more than 4 years ago | (#31062646)

...especially when the market is fairly inelastic.

The best "white market" tale I've ever heard is the militias that ran the "Golden Triangle" in the Southeast Asian highlands offering to sell the US the entire opium crop.

I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market. They could even use the opium for the production of painkillers for the legitimate market, which I understand is actually constrained sometimes by strict production limitations.

You would think that white marketing the supply of illicit drugs would make a lot of sense -- by buying up supplies at the volume end of the market and denying it to the market, you would drive street prices through the roof and have far more impact on the consumers, pricing many out of the market. Cocaine supply diversity may make this difficult, but if pursued quietly it might actually be effective there too.

Critics would decry giving money to criminals, but the "buy" could actually take place at the farming level where that's an option, thus totally undercutting the criminals. It'd be great to see a cost analysis to see if it would actually be cheaper to just buy up the drugs at the point of production versus the drug war, which doesn't work.

As the black market prices go up.. the white market has to follow. So where would this price war end?

Paying for doing illegal stuff can never work in the long run.

What next? Pay all the hit men? thieves? ....

Re:I'm surprised white markets aren't more common (0)

Anonymous Coward | more than 4 years ago | (#31063070)

Wow ... "Let's pay them for their crops so they'll stop growing them!" The idea of a 'white market' is a scary thing. It is a 'cheat' to begin with (as much as domestic farm subsidies) and encourages cheating the system, and making 'the problem' worse.

In the case of the 'War on Drugs' the answer is obvious: legalize them across the board. This may be a less comfortable argument for 'hard' drugs, but the effect is all the more important. The only reason there's enough profit to be made in illicit drugs to interest major criminal cartels and the like is because they are illegal. We (the US) fund both sides of the 'War', at great expense and for no good reason. You can't buy up all the poppies in the world, or all the coca, or all the liquor, or anything else. If we would just legalize drugs, there would be no profit in trafficking. Imagine the effect on all the parts of the world where 'drug money' funds violence, oppression, and instability.

The problem is, this is where your analogy becomes less apt. I mean, we can't really 'legalize' hacks and security breaches, can we? Drugs are not illegal for any inherent reason, but computer security is a practical need. So, maybe 'white markets' are a good solution, but they still present significant risks.

Re:I'm surprised white markets aren't more common (0)

Anonymous Coward | more than 4 years ago | (#31063952)

Except that the black market for recreational drugs only exists because of government. If recreational drugs were legal, the bad guys would be straight out of business, and the price of recreational drugs would drop like a rock. Exactly the same as alcohol prohibition in the 1920s.

What you're suggesting is merely a band-aid, and rests on the assumption that prohibition is normal, moral, and just -- when in reality it is abnormal, immoral, and unjust.

The real solution is to abolish prohibition.

Re:I'm surprised white markets aren't more common (1)

Z34107 (925136) | more than 4 years ago | (#31064658)

It's a great idea in the short term, but I think it might have problems long-term. Vastly increasing the demand for heroin (exactly what buying all production at the best price possible is!) would encourage more people to enter heroin production. Maybe convert farmland from food production to "cash crops."

However, unlike the "war" on drugs, I'm convinced your idea has at least a snowball's chance of working. The DEA's budget should be transferred immediately to you, our new Drug Czar.

Re:I'm surprised white markets aren't more common (0)

Anonymous Coward | more than 4 years ago | (#31064664)

Or instead of your retarded approach we could just pay them a large subsidy to plant wheat or something useful.

Re:I'm surprised white markets aren't more common (1)

aurumdib (1146733) | more than 4 years ago | (#31064832)

You assume that the offer will be constant, but it is not. Each farmer would have the possibility to plant opium or coca with a sure market; do you think that all the farmers will be happy to plant anything else... In the long term, the farmer will lose because of the mono plantation, but that will not be the only problem; in the short term the government will go broke buying out the special plantations.

If you propose the enforcement of the control in the limits of the production (to assure the constant offer) you will generate what there already is in Peru or Colombia or Bolivia (black market). Here again with the same problem as at the start.

Re:I'm surprised white markets aren't more common (1)

ArsonSmith (13997) | more than 4 years ago | (#31066040)

I'd complain more that driving the street price up would also drive up the drug related street crime here close to home. Providing incentive for more local growers and strain the local enforcements.

"Zero-day" is just noise (1, Insightful)

Imagix (695350) | more than 4 years ago | (#31061160)

OK, this is a pet peeve of mine, but why the heck do these get called "Zero-day vulnerabilities"? Yes, I understand that the definition is that the zero-day refers to the time between when the vulnerability is made public and the time that an exploit is made available. However, I don't get why this needs an additional moniker on top of being a vulnerability in the first place. Don't most of the vulnerabilities have an exploit the same day that the vulnerability is published (wouldn't you want to have a proof of concept that the vulnerability exists, I'd assume one was created)? I haven't heard of many "7-day vulnerabilities". So why isn't the "zero-day" thing implied? If a vulnerability is exposed and there is no exploit available, the vendors already make statements such as "there are no known exploits for this". Where I would think that the "zero-day" moniker would actually add some information is if the vulnerability is exposed on the zeroth day of release of the product in question. _That_ would be something to give a special name to. That would mean that the developer has botched it so badly that it didn't even take 24 hours before someone found a hole. As it is now (IMHO) the "zero-day" moniker is simply being alarmist and only trying to add sparkle to the term, and carries no significant information.

Re:"Zero-day" is just noise (3, Informative)

chill (34294) | more than 4 years ago | (#31061368)

0-day means there is no patch available, as opposed to vulns that come out after patches are issued and you could possibly upgrade your system to being secure.

Anything that is patched, but you haven't bothered to update your system and are thus vulnerable to, isn't a 0-day.

Re:"Zero-day" is just noise (2, Insightful)

bsDaemon (87307) | more than 4 years ago | (#31061458)

I always thought 0-day should refer to the time between when the software itself is released and an exploit is found. Frankly, that would make more sense and that's the type of vulnerability that would actually be somewhat impressive as well as potentially devastating. If a piece of software has been floating around for a few months and then an attack against it is announced, I assume that the vector has been exploited already without an announcement and am hardly surprised that a vulnerability has been found by that point in time.

Re:"Zero-day" is just noise (1)

maxume (22995) | more than 4 years ago | (#31061484)

I agree with this definition (i.e., "A patch has been available for 0 days" being the basis of the phrase), but I predict people are going to argue with you. A lot.

Re:"Zero-day" is just noise (1)

zippthorne (748122) | more than 4 years ago | (#31062250)

So, every vulnerability is zero-day, then? Sounds redundant.

Re:"Zero-day" is just noise (1)

maxume (22995) | more than 4 years ago | (#31062310)

Sure, because there are no systems out there that are not up to date with patches.

I can also see the case for 0 day meaning vulnerabilities that the vendor has not been notified of yet.

Re:"Zero-day" is just noise (0)

Anonymous Coward | more than 4 years ago | (#31062666)

The way I see it is that zero-day once had a meaning, but it was a cool term and everyone wanted to use it and now everything is zero-day and it means nothing, literally.

Re:"Zero-day" is just noise (1)

jofny (540291) | more than 4 years ago | (#31065768)

0day implies that there is a --non public-- vulnerability and/or exploit out in the wild that has not yet been disclosed outside of relatively small private circles (nothing to do with the time between vuln and exploit). Its meaning has been lately bastardized to include "things for which we don't have a patch yet" - and it's that bastardization which creates scenarios that don't make "sense".

Re:"Zero-day" is just noise (1)

bughunter (10093) | more than 4 years ago | (#31067358)

Its meaning has been lately bastardized

So zero-day has joined the rather exclusive League of Semiotic Hyperlatives, along with other misused terms such as Robot, Virtual Reality, 3D, and Artificial Intelligence.

white market in zero-day vulnerabilities (0)

Anonymous Coward | more than 4 years ago | (#31061164)

Does anyone have a breakdown as to the number of zero-day vulnerabilities per platform and Operating System ?

Re:white market in zero-day vulnerabilities (1)

spydabyte (1032538) | more than 4 years ago | (#31061900)

my guess is Microsoft... purchased... that report.

poor grammar (1)

FredThompson (183335) | more than 4 years ago | (#31061304)

"...can be taken advantage of."

should be something like,

"can be exploited."

How does the purchaser of an exploit... (4, Interesting)

John Hasler (414242) | more than 4 years ago | (#31061386)

...know that it has not also been sold to someone else? And who brokers these deals? I can't imagine the parties trusting each other.

Does it matter? (2, Informative)

khasim (1285) | more than 4 years ago | (#31061466)

If you are the company who wrote the software, you now know where the flaw is and can fix it.

If you release a patch, that could be reverse engineered and the bad guys would find the flaw anyway.

Re:Does it matter? (2, Informative)

John Hasler (414242) | more than 4 years ago | (#31061688)

> If you are the company who wrote the software, you now know where the flaw
> is and can fix it.

But if you are a black hat (or a government: same thing) you want exclusive ownership. Even if you are the company that wrote the software you don't want the exploit sold to black hats who will exploit it between now and the time you deploy your fix (or afterward against the many customers who won't upgrade).

Bad guys don't trust bad guys. :) (2, Interesting)

khasim (1285) | more than 4 years ago | (#31061888)

But if you are a black hat (or a government: same thing) you want exclusive ownership.

:) And that is part of the problem when you choose to be one of the bad guys. You cannot trust the other bad guys to be honest in their deals.

And that doesn't bother me. If anything, it should drive down the prices as none of the bad guys are going to invest a lot of money on something that they cannot be sure they have an exclusive option on.

Link? (1)

spydabyte (1032538) | more than 4 years ago | (#31061892)

I like the link to the black markets but not to the white markets. Hackers would probably benefit from these new "white-markets" you speak of.

How do you evaluate an open market item? (1)

filesiteguy (695431) | more than 4 years ago | (#31062030)

Though I'm not surprised that this exists, I wonder how one prices a zero-day exploit. Do you get a return on investment? Number of PCs infected? Number of bank accounts stolen?

When will companies be held liable for bugs? (2, Interesting)

jollyreaper (513215) | more than 4 years ago | (#31062174)

Toyota's gonna catch holy hell for the whole "car randomly becomes kamikaze" bug with the accelerator. There are regulations and laws about this sort of thing. If I run a slaughterhouse and knowingly ship bad meat, I could go to jail. This isn't home hobbyist shit anymore, computers are serious business and Microsoft is wearing the big boy pants. Lives are at stake over this sort of thing. Dissidents can be targeted and killed. And even if it's not political but just plain ol' computer crime, the losses can really add up.

I'm not a fan of bogging the industry down with so much regulation that nobody can get anything done but it's clear that businesses are, generally, not self-policing and concern for public welfare is not on the agenda. They will not consider it until compelled to by force of law. And to all the business apologists complaining about the stifling hand of government laying heavily upon the necks of business, just remember that there wouldn't be a call for regulation if there wasn't a need for regulation. If slaughterhouse owners applied the same standard to meat intended for public consumption that they would apply for meat intended for their own tables, Upton Sinclair wouldn't have had a novel and we wouldn't have had an FDA.

Re:When will companies be held liable for bugs? (1)

GNious (953874) | more than 4 years ago | (#31065084)

Question: Are there no laws on the merchantability of a product where you live?

Re:When will companies be held liable for bugs? (1)

jollyreaper (513215) | more than 4 years ago | (#31065976)

Question: Are there no laws on the merchantability of a product where you live?

Not for software. The EULAs seem to indemnify software companies of all liability. You don't like it, don't use computers.

Re:When will companies be held liable for bugs? (1)

sincewhen (640526) | more than 4 years ago | (#31068244)

It is interesting to speculate upon how we could possibly get there from here.
Obviously the software industry is too large to allow legislation to be forced upon it.
And the comments the other day from the Microsoft CTO indicate no willingness to accept any responsibility.
My best guess is that locked-down devices like the iPad could be seen in the marketplace as much more secure and therefore a better choice for most people. Whether this will actually come to pass I doubt though, as other manufacturers will cloud the market with similar products making similar claims, which will tarnish the reputation of all such devices when they do fall prey to exploits.
Can anyone else see any other path by which we can move beyond our hobbyist past with its "build now fix problems later" attitude?

Inside exploitation of these systems? (0)

Anonymous Coward | more than 4 years ago | (#31062202)

Is it possible that a developer or contractor close to a product preparing to launch could engineer a vulnerability in to the software and then conspire with a free-lance hacker working these sorts of projects to snatch up the payout? This is especially worrisome for government software, especially if they are paying out 5-6 figures for an identified vulnerability.

Not a trend. (2, Informative)

yoda (79150) | more than 4 years ago | (#31062408)

The vulnerability contributor program @ Verisign and TippingPoint were set up by the same person. I know this because that person used to work for me. Google is buying simply as a reaction to the China stuff. This isn't a trend...though on the surface, it appears that way.

Smart idea (0)

Anonymous Coward | more than 4 years ago | (#31063222)

"White marketing" this makes perfect sense to me. After all, if you spend your time productively searching for flaws in products, this benefits the company thus exposed.
This "involuntary outsourcing" deserves compensation, and at the same time keeps these flaws away from those who would exploit them.

Hard decision (1)

edxwelch (600979) | more than 4 years ago | (#31063960)

"Charlie Miller ... who sold a bug he discovered in the Linux OS to a government contractor for $50,000 dollars, said that choosing whether to sell such an item or give it away for free to Microsoft is a hard decision to make"

Hmm, doesn't sound that hard to me.

Just wondering, what exactly did the government contractor do with the vulnerability afterwards?

Some groups won't give up exploits (0)

Anonymous Coward | more than 4 years ago | (#31066730)

Unfortunately it all comes down to greed. Why would someone who finds an exploit report it to Microsoft for free or give it to Google for $500, when they can sell it and make $50,000 or more on the "black" market? Also, there are many groups out there that are looking for exploits that have no desire to report them to anyone. Chinese and Russian government hacker groups prize these back doors...

cyberarms.wordpress.com

Most of the successful attacks? (1)

Hurricane78 (562437) | more than 4 years ago | (#31068748)

As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days.

I highly doubt that. I think that, compared to social engineering, zero-day attacks are pretty much an insignificant slice of the cake.

I mean, it’s much easier to hack a PEBKAC. And as the biggest ranks usually also are the biggest PEBKACs, it’s a clear winner. ^^
