
How To Go Broke Selling Zero-Day Exploits

Soulskill posted more than 3 years ago | from the supply-and-demand dept.

Security 66

Trailrunner7 writes "Despite all of the hand-wringing and moral posturing about the public sale of security vulnerabilities, it turns out that not many people are buying or selling vulns, and the ones who are aren't making much money at it. A new survey of security researchers who sell vulnerabilities either publicly or in private, directed sales found that the vast majority of the flaws sell for less than $5,000. Almost none of them sell for much more than $10,000. At those prices, there's little chance that this is going to turn into the chaotic Wild West marketplace that some people predicted. It's a small, mostly controlled market that isn't making anyone rich."


66 comments


Not such good news, really (3, Insightful)

5pp000 (873881) | more than 3 years ago | (#32299928)

It means that supply is keeping up with demand.

Re:Not such good news, really (1)

5pp000 (873881) | more than 3 years ago | (#32299964)

Whoops, never mind... didn't RTFA...

Don't worry (3, Funny)

Anonymous Coward | more than 4 years ago | (#32301080)

Neither did the mods. :)

Re:Not such good news, really (2, Interesting)

zephvark (1812804) | more than 4 years ago | (#32301834)

$5,000-$10,000 per exploit, tax-free? This seems like nothing to you? Man... I think you need to get out of your parents' basement more often. Start slowly, or you're going to wind up with an ear-to-ear grin in an alleyway, minus your iPhone and Nikes.

Re:Not such good news, really (2, Interesting)

buchner.johannes (1139593) | more than 4 years ago | (#32302520)

$5,000-$10,000 per exploit, tax-free? This seems like nothing to you?

Depends how much work and time you had to put into it. You won't come up with a new 0-day every day ...

Re:Not such good news, really (2, Insightful)

insufflate10mg (1711356) | more than 4 years ago | (#32302622)

LOL@"ZOMG BUT U WONT MAKE 5K PER DAY!"

Spend two months per 0-day and you are mediocre. Spend a month and you're pretty comfortable.

Re:Not such good news, really (1)

wanax (46819) | more than 4 years ago | (#32303288)

No, it means that in one of the few examples of a laissez-faire market in the modern world, Veblen [wikipedia.org] was right. No matter what the economic system, the main engine of expanding commerce, inventors, get fucked.

(For those interested in the original text, I would note that all his major works were published in the late period of the public domain, including The Theory of the Leisure Class (pdf) [psu.edu].)

Re:Not such good news, really (1)

randyleepublic (1286320) | more than 4 years ago | (#32320758)

Veblen knew about social credit. I think that he would have agreed that social credit would do a better job than capitalism of rewarding inventors.

Survey participation (4, Insightful)

Dan East (318230) | more than 3 years ago | (#32299936)

I would think that the "companies" doing lucrative business selling exploits would not be voluntarily participating in a survey of this sort.

Re:Survey participation (2, Insightful)

michaelhood (667393) | more than 4 years ago | (#32302022)

I would think that the "companies" doing lucrative business selling exploits would not be voluntarily participating in a survey of this sort.

This "journalist" has never heard of selection bias, obviously.

"You're doing it wrong." (4, Insightful)

palegray.net (1195047) | more than 3 years ago | (#32299980)

Selling vulnerabilities == little money
Selling fully functional botnet time == probably a lot more

It's unfortunate, but I don't see it changing in the near future.

Re:"You're doing it wrong." (5, Funny)

Yuan-Lung (582630) | more than 3 years ago | (#32300206)

"Selling vulnerabilities == little money"

Are you sure about that?

I know of a certain company in Redmond that sold vulnerabilities in bulk packages. They seem to be doing alright.

Re:"You're doing it wrong." (5, Funny)

_Sprocket_ (42527) | more than 3 years ago | (#32300470)

I know of a certain company in Redmond that sold vulnerabilities in bulk packages. They seem to be doing alright.

They didn't sell vulnerabilities. Those were features - added at no additional cost. Loss-leaders, if you will.

Re:"You're doing it wrong." (1)

The Grim Reefer2 (1195989) | more than 4 years ago | (#32302092)

I know of a certain company in Redmond that sold vulnerabilities in bulk packages. They seem to be doing alright.

They didn't sell vulnerabilities. Those were features - added at no additional cost. Loss-leaders, if you will.

They're not features until they get documented.

Re:"You're doing it wrong." (3, Funny)

_Sprocket_ (42527) | more than 4 years ago | (#32302376)

They're not features until they get documented.

Wait... they're easter eggs?

Re:"You're doing it wrong." (2, Funny)

The Grim Reefer2 (1195989) | more than 4 years ago | (#32302608)

They're not features until they get documented.

Wait... they're easter eggs?

Exactly.

Re:"You're doing it wrong." (2, Insightful)

RichM (754883) | more than 3 years ago | (#32300638)

This should be marked as Insightful.

Dammit mods (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32301152)

This should be marked as Insightful.

(Currently marked as 3, Insightful)

You took that too literally. I think that the parent was talking about grandparent, not his post, even though he said this...

Re:Dammit mods (0)

Anonymous Coward | more than 4 years ago | (#32307404)

But noting that a post should be marked insightful, is in itself insightful.

Re:"You're doing it wrong." (1, Funny)

Anonymous Coward | more than 3 years ago | (#32300344)

That's why they have to start selling exploits for MacOS. Most likely, those will also be overpriced, and with limited functionality that will require spending more on libraries or "apps".

Maybe they will come up with the idea of the "Exploit Store" and a similar business model :)

Re:"You're doing it wrong." (1)

TheRaven64 (641858) | more than 4 years ago | (#32301216)

Exploits for the smartphones probably have the potential to be quite lucrative. According to a previous Slashdot article, botnets only sell for about five cents per node. You can make a lot more than that from a compromised phone. Set up a few hundred shell companies, and have each one set up a few premium rate telephone lines. Have each compromised iPhone call one of the lines for five seconds every few months. The phone company will round it up to the nearest minute for billing. Most people won't check their bills carefully enough to spot the extra fifty cents (smartphones tend to go along with more expensive contracts, so a small variation is less likely to be noticed), and most of the ones that do will write it off as a wrong number that they forgot about. For those that do bother complaining, the phone company will simply reverse the transaction - as long as you don't make a fuss, it doesn't cost them anything, and you don't make a fuss because you're a criminal. With around a hundred million smartphones sold so far this year, even if you only get a small player, like Windows Mobile, that's enough to get a few million from a single call per phone - especially if you do it every six months. If you hit Symbian users, then you could easily get 100 million. Set up the companies in the USA from somewhere without an extradition treaty and make sure that the funds are transferred to an off shore account as soon as they're available, and you can keep running the scam until someone finds and disassembles your code. If you remember to give the IRS their cut and don't try for too much, this may take several years.

Monetization / Productization. (4, Insightful)

khasim (1285) | more than 3 years ago | (#32300534)

Turn the idea into a product, turn the product into money.

Sell a service providing the customer with the FINAL (or as close to the final) product as possible.

Use your zero-day exploit to build a zombie army and sell spam services.
Or collected credit card info.
Or bank account info.
Or access to corporate networks.

The do-it-yourself customer isn't going to spend a lot of money for something that he might not be able to verify.

$5000 not much money...HERE. (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32301762)

Maybe in the US it's not much money, but in eastern Europe and most of Southeast Asia, $5000 is a shitload of money. Some places, that's more than people make in a year.

Maybe you think it's small change, but if you're living in some parts of southeast Asia, $5000 every 3-4 months feeds, clothes and houses your entire family.

Missing component: trust in the seller (5, Insightful)

Anonymous Coward | more than 3 years ago | (#32299982)

Right now there's no way to have much confidence that you're actually getting what you're paying for. If the exploit doesn't work, what recourse do you have? This is a pretty common element in any underworld economy, but is exacerbated by the Internet's anonymity and the newness/smallness of this particular market.

The bad news is, other underworld markets eventually overcame this problem.

Trust problem solved: want a job? (0)

Anonymous Coward | more than 4 years ago | (#32302348)

You get a nice salary, unusually bright coworkers, your choice of desktop OS, and extreme flex time. It's a fun place to work.

The main location is 30 miles south of Cape Canaveral and, oddly, right across the road from the beach. We're also in Maryland and Virginia.

People who are suitable tend to have experience working on embedded systems, drivers, emulators, compilers, or OSes.

There is a background check, and you must be a US citizen.

itisme_meitis@yahoo.com

Re:Trust problem solved: want a job? (1)

Securityemo (1407943) | more than 4 years ago | (#32305640)

Is this a joke, or are you actually serious?

Developers (3, Insightful)

Threni (635302) | more than 3 years ago | (#32299990)

Probably companies buying exploits on their own apps - cheaper and more reliable than whatever pidgin-English speaking offshore muppets currently do QA/testing for them.

Re:Developers (0, Flamebait)

sakdoctor (1087155) | more than 3 years ago | (#32300162)

I duel licence my vulnerabilities; GPL and Microsoft Open License.

Re:Developers (0)

Anonymous Coward | more than 4 years ago | (#32308076)

So... which licence typically wins the duel?

(shrug) My computer is disposable. (1, Insightful)

commodore64_love (1445365) | more than 3 years ago | (#32299992)

In the unlikely event I get a computer-killing virus, trojan, or exploit (hasn't happened since 1985), I figure I'll just trash the thing and buy another one for $300-400. Computers have become disposable just like other appliances.

Re:(shrug) My computer is disposable. (5, Insightful)

SomeJoel (1061138) | more than 3 years ago | (#32300026)

In the unlikely event I get a computer-killing virus, trojan, or exploit (hasn't happened since 1985), I figure I'll just trash the thing and buy another one for $300-400. Computers have become disposable just like other appliances.

It's not the computer that has value, it's your data.

Re:(shrug) My computer is disposable. (0)

Anonymous Coward | more than 3 years ago | (#32300182)

But your data lives in the cloud -- GMail, Flickr, Facebook, etc. have all the content you've generated, and thepiratebay et al. have all the pr0n that was clogging your hard drive. Browser bookmarks are really all you need, and there's plugins to make those live in the cloud, too.

Re:(shrug) My computer is disposable. (0)

Anonymous Coward | more than 3 years ago | (#32300330)

Well I don't know how much pr0n you've got clogging your hard drive, but I've only got a 15MB pipe to download it from. That's not even close to real-time speeds !

Re:(shrug) My computer is disposable. (0)

Anonymous Coward | more than 4 years ago | (#32303392)

15MB??? That's fast as shit. 15Mb on the other hand is only kind of fast.

Re:(shrug) My computer is disposable. (1)

_Sprocket_ (42527) | more than 3 years ago | (#32300486)

But your data lives in the cloud -- GMail, Flickr, Facebook, etc. have all the content you've generated, and thepiratebay et al. have all the pr0n that was clogging your hard drive.

The cloud is not a truck.

Re:(shrug) My computer is disposable. (1)

Sulphur (1548251) | more than 4 years ago | (#32302458)

Just so the cloud is not a brick.

Re:(shrug) My computer is disposable. (0)

Anonymous Coward | more than 3 years ago | (#32300502)

Oh, just wait 'til you get a virus that wipes your gmail account the next time you log on...

Re:(shrug) My computer is disposable. (-1, Troll)

Anonymous Coward | more than 3 years ago | (#32300678)

Faggot.

Re:(shrug) My computer is disposable. (1)

maxwell demon (590494) | more than 4 years ago | (#32303998)

Even for those where this is true (most of my data still lives on my hard disk, and I like it that way), there's still a bit of personal data criminals are very interested in. Like your online banking password.

Re:(shrug) My computer is disposable. (4, Insightful)

DerekLyons (302214) | more than 3 years ago | (#32300370)

I figure I'll just trash the thing and buy another one for $300-400. Computers have become disposable just like other appliances.

Must be nice to have that kind of money to burn. For many of the rest of us, neither computers nor other appliances are disposable.

Re:(shrug) My computer is disposable. (-1, Troll)

Anonymous Coward | more than 3 years ago | (#32300434)

You're right; he sounds like a first-rate faggot.

Re:(shrug) My computer is disposable. (1)

w0mprat (1317953) | more than 3 years ago | (#32300524)

Why not just erase the HDD and buy another ? $50

"...it's a small, mostly controlled market..." (1, Funny)

John Hasler (414242) | more than 3 years ago | (#32300014)

But, but, it's an unregulated market!!! Evil, evil, evil!!! Soon there will be derivatives!!! And speculators!!! And high-frequency trading!!! The economies of nations will destroyed if this is not brought under government control now!!! (and taxed, of course)

Re:"...it's a small, mostly controlled market..." (3, Funny)

Mindcontrolled (1388007) | more than 3 years ago | (#32300210)

"I am a teabagging moron" would have been shorter. Why waste your energy typing all those exclamation marks?

Re:"...it's a small, mostly controlled market..." (1)

ErikZ (55491) | more than 3 years ago | (#32300778)

Teabaggers want more regulation?

No they don't. Perhaps you mistyped and meant "I am a big government moron."

Also known as a Democrat.

Re:"...it's a small, mostly controlled market..." (0)

Anonymous Coward | more than 3 years ago | (#32300842)

Perhaps you mistyped "I love cock" and "I am a retard".

He was not saying that OP was for regulation. You're just such an IDIOT that you imagined it that way.

Please, go find a knife and cut off your balls before you reproduce. It's for the good of humankind, trust me.

Re:"...it's a small, mostly controlled market..." (1)

bertoelcon (1557907) | more than 4 years ago | (#32301408)

"I don't notice humor." would have been shorter. Why waste your energy on typing all that question?

(I copy pasted most of my question.)

Re:"...it's a small, mostly controlled market..." (1)

Mindcontrolled (1388007) | more than 4 years ago | (#32303104)

Well he is burning a rather complex meta-strawman there. I am still not sure what he really means, so I did a best guess.

mindcontroller, quit sucking on scrotums (0)

Anonymous Coward | more than 4 years ago | (#32305040)

And you're obviously nothing more than some "massive 2 shits" new englander with his stupid "tea bagger" slang (and you obviously practice 'tea bagging' yourself, regularly), mindcontroller. He may have posted a great deal of exclamation points wasting his energy in that manner as you stated, but why on earth do you waste energy sucking on another mans scrotum?

only two words ... (1)

freaker_TuC (7632) | more than 4 years ago | (#32308566)

become politician

The ones getting rich... (5, Interesting)

ShaunC (203807) | more than 3 years ago | (#32300060)

...are the ones who aren't selling the exploits they find.

Re:The ones getting rich... (1)

Kingrames (858416) | more than 4 years ago | (#32301328)

No, that's just what they want you to think.

Not much market, if others know you have it (3, Interesting)

hAckz0r (989977) | more than 3 years ago | (#32300088)

All the agencies/Governments that want that kind of information invest far more time, money, and energy doing the same thing, and they have all their own experts. In fact, the 'sellers' of this kind of information may be 'giving it away for free' and not even know they have been 'visited'. Why pay for what you can get for free?

Re:Not much market, if others know you have it (0)

Anonymous Coward | more than 4 years ago | (#32301478)

Multiple CERT agencies have seen really, really good come brilliant prototypes, that are tested - then disappear. The baddies know flight/packet recorders are out there.

There is a shitload of unsold bad stuff being 'banked' - and it was not 'unloaded' when windows7 came out.

One concludes private sovereign buyers are not participating in the survey.

Well, duh. (5, Funny)

selven (1556643) | more than 3 years ago | (#32300108)

Guy: Hi, I have a security vulnerability, I'll tell you the details for $10k.

Software Company: Ok, show us the vulnerability.

Guy: Ok, I'll come over and demonstrate on my computer.

Software Company: Oh no, not on your computer, you could have set your computer up to be vulnerable. Do it to our computer, so we know you're not tricking us.

Guy: Ok, fine (launches attack on company computer)

Security Researcher A: Ok, the attack's coming in. Let's see what it's doing.

Security Researcher B: Ok, looks like a buffer overflow in the third step of the authentication process. Let's go tell our developers.

Guy: Guess what, it worked. Looks like I'm not tricking you after all. So, will you buy the vulnerability from me for the $10k we agreed on now?

Guy: ...

Guy: Guys?
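The trust problem raised in the "Missing component: trust in the seller" comment and acted out in the skit above (the buyer sees the bug during the demo and then has no reason to pay) is the classic fair-exchange problem. One standard mitigation is a hash commitment: the seller fixes the write-up before the demo, the buyer (or an escrow) records the commitment, and the seller opens it only after payment. The code below is an added example by the editor, not from the article, the survey, or any commenter; the protocol steps, the `commit`/`verify`/`demo` names, and the sample report text are all my own construction. The sample "report" is placeholder text, not a real vulnerability.

```python
"""Hash commitment for a vulnerability sale (added example).

Assumed protocol (my construction, not anything the article describes):
  1. Seller computes C = SHA-256(len(nonce) || nonce || report) and hands
     C to the buyer or an escrow *before* any demonstration.
  2. Buyer watches the demo, pays, then receives (nonce, report).
  3. Buyer recomputes C and compares in constant time.
The nonce is 32 random bytes: a short or predictable nonce would let a
buyer brute-force a low-entropy report straight from C, which would be
exactly the "free disclosure" the seller is trying to avoid.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 32  # bytes; below this, commitment hiding is not credible


def commit(report: bytes, nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (commitment, nonce). The nonce is the seller's opening key.

    Passing an explicit nonce makes the function deterministic so the
    buyer can re-derive the commitment in verify().
    """
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    if len(nonce) < NONCE_LEN:
        raise ValueError("nonce too short; commitment would be brute-forceable")
    # Length-prefix the nonce so the (nonce, report) boundary is unambiguous;
    # without it, moving bytes between the two fields yields the same digest.
    prefix = len(nonce).to_bytes(2, "big")
    digest = hashlib.sha256(prefix + nonce + report).digest()
    return digest, nonce


def verify(commitment: bytes, nonce: bytes, report: bytes) -> bool:
    """Buyer side: does the opened (nonce, report) match the recorded C?"""
    try:
        expected, _ = commit(report, nonce)
    except ValueError:
        return False  # a too-short nonce is rejected, not just "mismatched"
    # Constant-time compare: the buyer's check should not leak which byte differs.
    return hmac.compare_digest(commitment, expected)


def demo() -> dict:
    """Walk the protocol once, including the cases a buyer must reject."""
    # Constructed sample text, echoing the skit above; not a real bug.
    report = b"Product X 1.2: buffer overflow in auth step 3, PoC attached"

    # Step 1: seller commits before the demo.
    c, n = commit(report)

    return {
        # Step 3: honest opening verifies.
        "honest": verify(c, n, report),
        # Seller tries to swap in a different write-up after payment.
        "tampered_report": verify(c, n, report + b" (also affects 1.3)"),
        # Wrong opening key (e.g. seller "loses" the nonce and sends another).
        "wrong_nonce": verify(c, secrets.token_bytes(NONCE_LEN), report),
        # Buyer refuses an opening whose nonce is too short to hide anything.
        "short_nonce_rejected": not verify(c, b"\x00" * 8, report),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

The commitment does not force the buyer to pay; it only makes the exchange auditable: a third-party escrow holding C and the payment can release funds once the seller's opening verifies, and the seller can prove after the fact that the bug the buyer "found during the demo" is the one that was committed to. Key escrow of the opening itself (e.g. splitting the nonce between seller and escrow) is the usual next step, and is out of scope here.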

Re:Well, duh. (3, Insightful)

Vellmont (569020) | more than 3 years ago | (#32300472)

It might not be the best idea to stiff someone who's highly skilled at finding security vulnerabilities in software. Especially if you ARE a software company.

Re:Well, duh. (0)

Anonymous Coward | more than 4 years ago | (#32301322)

You are wrong. it is extremely smart to take advantage of people that dumb, for the sake of profit. In fact, it's driven the free market for thousands of years. You're not scaring anyone.

Re:Well, duh. (0)

Anonymous Coward | more than 3 years ago | (#32300532)

Developer A: Hey, the security guys are moaning about another buffer overflow.

Developer B: Well, grade the severity, then add it to the pile with the other umptillion exploits. If we get to it before the next product release, great. Otherwise I guess it'll just stay unpatched forever.

Re:Well, duh. (1)

1000101 (584896) | more than 4 years ago | (#32301334)

This post is a perfect example why many developers who start their own businesses fail: The developer wants to prove, outright, that their work is valid. The businessman (whom the developer should have partnered with) will make the customer-to-be sign a contract before the tests were run prior to demonstrating to said customer.

Re:Well, duh. (1)

Vellmont (569020) | more than 4 years ago | (#32301606)

You're assuming that people willing to buy and sell exploits, something at the very edge of legality and ethics, are going to obey a contract?

These kind of relationships are enforced through fear, and the desire to maintain the relationship. Do you think drug dealers try to sue someone when a drug deal goes bad?

$10,000 ain't chump change (4, Insightful)

ralphdaugherty (225648) | more than 3 years ago | (#32301016)

$10,000 is a chunk of change in the former Soviet Union. For that matter, it's a chunk of change for me too even being in the States, but not as enriching as in the former USSR.

In any event my understanding from info I read (mostly here on /.) is that the big money is made from herding botnets to sell time on for spam, phishing, etc. activities. The same people who put together these exploits in packages to sell are already using them to build gigantic botnets.

I would not be surprised if they are able to tap into the botnets built with exploit packages they sell.

FWIW, the range of IP addresses my web site has been targeted from for phpBB spamming is truly awesome, I haven't seen anything like it before in the eight years I've had the site up. Also the amount of money reported in news as stolen from bank accounts is staggering.

I don't know what kind of happy talk article this is, but botnets are alive and well and thriving, and someone is getting rich at the expense of lots of victims who also unknowingly supply bots for the net. Whether $10,000 from an exploit package sale, or for a multi-billion spam run, or transferred out of a bank account, it adds up.

rd

Only 5-10k? (0)

Anonymous Coward | more than 4 years ago | (#32301672)

The author appears to be talking out of his ass; 5-10k is a lot of money in many areas. Heck, when I was in college I lived off less than 10k a year. A couple of exploits at that price would allow me to live fairly comfortably, if spent carefully.

the truth (0)

Anonymous Coward | more than 4 years ago | (#32303180)

zalewski is right, but it doesn't change anything.
It looks like he is trying to do a pathetic buzz around himself to sell a book (probably very boring this time).

Good for the goose is good for the gander (1)

Zaphod-AVA (471116) | more than 4 years ago | (#32304238)

If the black hats share resources by selling one another exploits or cloaking packages, it just takes less work for the white hats to patch the problem or break the cloak.

the geniuses get peanuts, as usual (1)

drdrgivemethenews (1525877) | more than 4 years ago | (#32307014)

$10K might not be chump change, but it won't make anyone rich. Putting together botnets using said attacks and selling time on them is a much easier way to good money and requires less genius time. And buying time on the botnets and using them for decent spam attacks probably makes the most money of all, for the least amount of genius time.

I heard IBM is giving them away free with a USB ke (1)

kschua (1817688) | more than 4 years ago | (#32312530)

I heard IBM is giving them away free with a USB key in Australia