
New Site Aims To Be iTunes For Exploits

Soulskill posted about 4 years ago | from the bet-they-won't-cost-99-cents dept.


Trailrunner7 writes "It's been tried before, but NSS Labs founder Rick Moy says his company's new Exploit Hub — a store front for exploit code — can work. In an interview, he explains why the current market for exploits doesn't work for the good guys, and why zero-day exploits don't help anyone. Above-board markets for software vulnerabilities have been around for close to a decade, but previous efforts to market exploits have had mixed results. The business of selling exploits versus vulnerabilities is fraught with danger, and organizations like WabiSabiLabi have operated eBay-style marketplaces for zero-day exploits for years, but haven't seen exploit writers beating a path to their door. The need for an above-board marketplace that can compete with the black market surely exists, but getting it to work is another matter entirely."


55 comments


Crispy Fried Goat Balls (-1, Troll)

Anonymous Coward | about 4 years ago | (#33910344)

Lame lame lame...slashdong, where did you go wrong?

Re:Crispy Fried Goat Balls (-1, Troll)

Desler (1608317) | about 4 years ago | (#33910652)

I heard that CmdrTaco and kdawson have tiny (think smaller than a newborn) penises. Is this true?

Moy didn't say "iTunes" (5, Informative)

BadAnalogyGuy (945258) | about 4 years ago | (#33910362)

He compared his company to "Craigslist", not "iTunes".

I'm not sure that's the image you'd want to project for your company, but I'm not that guy.

Re:Moy didn't say "iTunes" (-1, Redundant)

Anonymous Coward | about 4 years ago | (#33910396)

Modded you up for a good comment.
 
--TrisexualPuppy

Re:Moy didn't say "iTunes" (0, Redundant)

Dishevel (1105119) | about 4 years ago | (#33911016)

I cannot tell. Is it worse if you are a GNAA dumbass or if you are so needy that you have to take credit for modding a post?

Re:Moy didn't say "iTunes" (0, Offtopic)

spamking (967666) | about 4 years ago | (#33910426)

So you're not all for the get a free hooker with your exploit ad?

Re:Moy didn't say "iTunes" (2, Informative)

putch (469506) | about 4 years ago | (#33910572)

There ain't no such thing as a free hooker

Re:Moy didn't say "iTunes" (1)

spamking (967666) | about 4 years ago | (#33911202)

Now that you mention it I guess that's true . . .

Re:Moy didn't say "iTunes" (1)

c6gunner (950153) | about 4 years ago | (#33911544)

TANSTAAFH?

I dunno, it just doesn't have the same ring to it ...

Re:Moy didn't say "iTunes" (1, Funny)

Anonymous Coward | about 4 years ago | (#33912404)

If you have to bring rings into the discussion, it's not a hooker. Just sayin'...

Re:Moy didn't say "iTunes" (1)

chrisj_0 (825246) | about 4 years ago | (#33910498)

He did reference AppStore in TFA

Re:Moy didn't say "iTunes" (0)

Anonymous Coward | about 4 years ago | (#33912812)

I think a better slogan would be "Who do you want to pwn today?"

New Site Aims To Be iTunes For Exploits (0)

Anonymous Coward | about 4 years ago | (#33910398)

Does this mean they force you to install quicktime?

Just say no.

Re:New Site Aims To Be iTunes For Exploits (0)

Anonymous Coward | about 4 years ago | (#33910430)

Well, naturally... all the exploits run on QuickTime anyway.

(And Flash, and Adobe Reader, and Windows Media Player... let’s not single any one out in particular, here...)

What the hell (1)

mrsteveman1 (1010381) | about 4 years ago | (#33910422)

An "above-board" market for exploits?

Who exactly is planning on buying these things and NOT planning to do something illegal with them?

Re:What the hell (4, Interesting)

mea37 (1201159) | about 4 years ago | (#33910442)

RTFA. Or educate yourself generally on how the IT security industry operates. Either way works.

Re:What the hell (4, Interesting)

clone53421 (1310749) | about 4 years ago | (#33910504)

The people who wrote the software in the first place. They want to produce software that isn’t buggy and exploitable, and the only way to find exploitable bugs is to be actively looking for them and to be good at exploiting them.

They need good software crackers (in both senses of the word: skilled and working for them) working on betas to find vulnerabilities in the software so that the vulnerabilities can be fixed before the alpha of the software is released.

Note that it specifically says that they won’t be dealing with 0-day exploits (critical exploits in existing, already-released software products). They want to find these before they release, and to do that, they have to hire crackers.

Re:What the hell (1)

Dishevel (1105119) | about 4 years ago | (#33911044)

How is it that you get guys working on Beta software before the Alpha is released? :)

Re:What the hell (1)

clone53421 (1310749) | about 4 years ago | (#33911168)

Erm, yeah, I meant the release version.

Re:What the hell (1)

Dishevel (1105119) | about 4 years ago | (#33911284)

Just playing the /. game. :)

Re:What the hell (1)

tomhudson (43916) | about 4 years ago | (#33916338)

Nonsense. It's ethically the same as paying a blackmailer.

Oh, right - silly me, ethics no longer has anything to do with business decisions.

-- Barbie

Re:What the hell (1)

clone53421 (1310749) | about 4 years ago | (#33917446)

Well... that depends on what the guy who found the exploitable bug is planning on doing with it if you don’t buy it...

(and if he’s threatening to sell it to highest bidder if you won’t buy it, that is blackmail/extortion, and quite illegal)

Re:What the hell (0)

Anonymous Coward | about 4 years ago | (#33917566)

Not quite - it's ethically the same as paying an advisor to warn you of things that may lead to you getting blackmailed (or exploited). You still have to pay out to someone, but you don't have to suffer the other consequences, i.e. embarrassment etc. It's all pretty standard in politics etc.

Re:What the hell (0)

Anonymous Coward | about 4 years ago | (#33910508)

People who want to develop protection against the exploits.

Giving a financial incentive for exploit discoverers to reveal them to the good guys seems to be the whole point here - like a bug bounty.

Re:What the hell (0)

GameboyRMH (1153867) | about 4 years ago | (#33910616)

Companies who want to patch the holes in their software...but charging a company money for information you have on security holes in their software doesn't sound "above board" to me in the least.

Re:What the hell (4, Insightful)

WCguru42 (1268530) | about 4 years ago | (#33910710)

charging a company money for information you have on security holes in their software doesn't sound "above board" to me in the least.

And not earning anything for your work does? If I help you fix your broken program I'm within my rights to ask for compensation. Now, threatening to release and abuse it if you don't pay isn't so ethical.

Re:What the hell (1)

CannonballHead (842625) | about 4 years ago | (#33911290)

So charging companies for security exploits found with your own labor is ok with Slashdot. Charging money for software you created 'with your own labor' is generally bad.

It seems that some ideals in the OSS community tend to be a bit conflicting/self-contradictory.

(note: I don't know what you personally think, I'm just using your post as a springboard :) )

Re:What the hell (4, Informative)

stephanruby (542433) | about 4 years ago | (#33912100)

Charging money for software you created 'with your own labor' is generally bad.

No. Open source doesn't mean free. It never did. RMS, the GPL, they all say that you can charge for your work. Do I really need to find the citation for this? Or are you just pulling my leg?

Re:What the hell (2, Interesting)

GameboyRMH (1153867) | about 4 years ago | (#33911372)

Here's how I see it, it's like inspecting a dam (on your own time) and finding a crack. Now you could charge the dam company (haha) for the information you found - even though they didn't ask for it. If they were nice, fair people and you ask a fair price, they'd pay you, but they may decide not to (or you could be an asshole and ask way too much), they may say go screw yourself and not fix the crack. What then? Now you can either:

1. Give up the information anyway - the dam company will never pay you for any information in the future, and neither will anyone else who hears about it.

2. Sit on the information that threatens the people of Floodplain Valley until the dam company pays (if ever). Maybe it's just me but I would find this very wrong.

3. Release the information to the public and hope the dam engineers get to the crack before Snidely Whiplash.

Now you are left with a bunch of bad options, all of which have put innocent third parties at more risk than if you'd given up the information freely.

This is why I say that if you find an exploit on your own time in someone's software, you should give them the information for free. If you have a problem with this, then either stop spending your time looking for the exploits (can't blame you, you're not getting paid and if you feel you must get paid for doing it, you obviously don't do it for fun) or drop the pretense of morality and become a black hat.

Re:What the hell (1)

c6gunner (950153) | about 4 years ago | (#33911632)

That's kinda dumb.

For one thing, option 1 is no worse than if you had just given up the info in the first place, for free, and option 3 is only slightly worse in the short term and possibly better in the long term (it might teach them to pay up next time).

For another, you're ignoring the 4th option: tell everyone who will listen that you've found a crack in the dam, and would LOVE to show the dam engineers how to fix the dam thing, only they won't give you the dam money that you worked dam hard for. Public pressure and negative publicity ought to get them to cough up the dough.

Re:What the hell (1)

GameboyRMH (1153867) | about 4 years ago | (#33912012)

I dunno your option 3 and 4 both sound rather extortion-ey...

Re:What the hell (1)

c6gunner (950153) | about 4 years ago | (#33912104)

If I tell you that the brakes on your car are failing and it'll cost $300 to replace them, and you refuse to get the work done .... is it extortion when I go and tell other people that you're an idiot who is not only risking his own life, but also endangering others?

I know it's not a perfect analogy, but I really don't see why you'd consider one scenario to be extortion, and not the other.

Re:What the hell (1)

GameboyRMH (1153867) | about 4 years ago | (#33912160)

The problem is that it's not like saying that the brakes on the car are failing and it'll cost $300 to replace them, it's like saying that something is wrong with your car and it'll cost $300 to tell you what it is and get it fixed.

Re:What the hell (2, Interesting)

c6gunner (950153) | about 4 years ago | (#33912938)

*shrug* I would have no problem with that. I don't see why you should get a free diagnostic out of the deal. Hell, unless you have your own ODBC reader, most mechanics will charge you $50 just for a basic readout. I bought the code reader because it pays for itself in the long run, but I see nothing wrong with mechanics wanting to get paid for the work they do.

Re:What the hell (0)

Anonymous Coward | about 4 years ago | (#33911784)

So, what about consultation and inspection contractors? Why should their businesses exist? They're hired to find/solve problems in services or structures. Should 'Dam Inspectors Ltd' exist or should they do the work for free? If the Ltd. exists, do they now have a moral obligation, by the fact of their existence, to find and point out flaws in dams or are they morally sound by asking dam builders to hire them to find problems?

Now, the model of going to a dam without a contract, finding flaws, then approaching the builder asking for money is more slippery, but I don't think it is as bad as it seems. The headlines if the dam broke in the meantime would be something like, "Person knew about flaw, didn't report it because he wanted money! Evil!" However, it could also read, "Dam contractor that specialized in inspections existed within 50 miles of the dam, but didn't do free inspections that could have saved lives!".

I guess if these exploit companies simply only 'strongly implied' to the software producers that their services could be useful without actually admitting they found anything, it would be more like an inspection contractor and not as morally grey..

Re:What the hell (1)

GameboyRMH (1153867) | about 4 years ago | (#33911980)

So, what about consultation and inspection contractors? Why should their businesses exist? They're hired to find/solve problems in services or structures. Should 'Dam Inspectors Ltd' exist or should they do the work for free? If the Ltd. exists, do they now have a moral obligation, by the fact of their existence, to find and point out flaws in dams or are they morally sound by asking dam builders to hire them to find problems?

Yes they should exist. Dam Inspectors Ltd would have no moral obligation by the fact that they exist to perform inspections, and I would see no problem with them asking the dam builders to hire them to find problems.

Now, the model of going to a dam without a contract, finding flaws, then approaching the builder asking for money is more slippery, but I don't think it is as bad as it seems. The headlines if the dam broke in the meantime would be something like, "Person knew about flaw, didn't report it because he wanted money! Evil!" However, it could also read, "Dam contractor that specialized in inspections existed within 50 miles of the dam, but didn't do free inspections that could have saved lives!"

Why should the inspection company be obligated in any way to do free inspections? It's up to the dam company to take the initiative to get their work checked - it would be their fault for not doing this, nobody else's in any way.

I guess if these exploit companies simply only 'strongly implied' to the software producers that their services could be useful without actually admitting they found anything, it would be more like an inspection contractor and not as morally grey..

That would be a little better than scaring the company into paying for an exploit you found of your own free will in your own time.

Re:What the hell (0)

Anonymous Coward | about 4 years ago | (#33912336)

The situation with dams is different. If the dam fails, the company that built it is probably liable. If people use exploits in Flash to hack your computer, Adobe couldn't care less. Companies need to be more responsible about the security of the software they release. Either hire full-time security professionals or pay people for exploits.

Re:What the hell (0)

Anonymous Coward | about 4 years ago | (#33912200)

2. Sit on the information that threatens the people of Floodplain Valley until the dam company pays (if ever). Maybe it's just me but I would find this very wrong.

That's the same situation they'd be in if you hadn't gone digging for exploits.

Re:What the hell (1)

Draek (916851) | about 4 years ago | (#33917140)

You're forgetting that the "innocent third parties" aren't at risk from the information on the crack but rather from the crack itself being there in the first place, and you not knowing about it won't make the crack on the dam magically disappear.

Re:What the hell (1)

Lazareth (1756336) | about 4 years ago | (#33910780)

I can kind of see the justification. They're basically providing a service and charging a fee for it after the fact, a fee that you can even choose to ignore. "Hi, I made this suit specially tailored for you. If you don't want it, that's fine. If you want it, well here you go!"

However, it does put pressure on the buyer to buy it, since otherwise others can choose to buy it and exploit it without the programmers knowing exactly what the exploit entails. That's somewhat akin to extortion.

I can see both sides of the coin, both as a genuine service and as extortion. Regardless of how you view it it's a business and the goal is money.

Re:What the hell (2, Interesting)

Dishevel (1105119) | about 4 years ago | (#33911130)

No. If you say, "I have found an exploit for your software. If you want it, it will cost you X. If not, have a nice day. I hope no one else can find the same type of exploit," there is nothing wrong with that.

If on the other hand you tell the company that either they buy it or you will sell it to others, then that is extortion and is illegal. You do one or the other. There is no other side to the coin.

They are separate coins altogether.

Re:What the hell (1)

falsified (638041) | about 4 years ago | (#33911166)

Really? Do you refuse to pay doctors and nurses, too?

Re:What the hell (1)

spamking (967666) | about 4 years ago | (#33911218)

True, but the white hats gotta make their money somehow.

"iTunes for exploits" doesn't sound illegal (1)

Sloppy (14984) | about 4 years ago | (#33911232)

(I didn't RTFA, but in this case, that probably helped.) I interpret "iTunes for exploits" as meaning that you go to the trouble to load up your computer with exploits, then you do a sync, and suddenly all of the exploits which you had loaded, but which didn't come from their "iTunes for exploits" are inexplicably missing. So as long as you install this "iTunes for exploits" software but don't ever use it for installing your malware, then occasional syncs can function as malware disinfectant. That doesn't sound illegal; it sounds like the natural progression of AV software.

MetaSploit Framework anyone? (1, Interesting)

Anonymous Coward | about 4 years ago | (#33910484)

I'm not all that familiar with the MetaSploit Framework (which has been bought out) but don't things like this already exist...except they're...you know...free!

Re:MetaSploit Framework anyone? (1)

Sarten-X (1102295) | about 4 years ago | (#33910692)

And that's the problem. If an unscrupulous hacker finds a 0-day exploit, are they really more likely to give it away for free than to sell it to the highest bidder?

Similarly, even knowing that companies are willing to pay (rather than sue/prosecute/harass/whatever) may lead to more exploration of vulnerabilities, and that means more secure programs overall.

Sure, I'd love to see more hackers meeting the minimum ethical requirements to follow responsible disclosure, but there's still a black market for exploits, and legitimizing it may be the best way to kick the various criminals out of the game.

Re:MetaSploit Framework anyone? (1)

jandrese (485) | about 4 years ago | (#33910862)

As I understand it, organized crime is willing to pay for exploits because they don't have direct access to real hackers but still want to set up botnets for various purposes. If someone is willing to pay for something you made (well, discovered), then why give it away for free? Especially if you're some anonymous teenager still living at home.

Re:MetaSploit Framework anyone? (1)

munky99999 (781012) | about 4 years ago | (#33910962)

The problem is that there are so many companies who sue/prosecute/harass/discredit and with law as it is... a hacker is liable to lose their life to such things. Not literally, but going to jail or having lost your job and all your money to protect yourself from a large corporation with bored lawyers/PR on staff is awful. In addition many companies don't offer $$$ for exploits; they expect to get them for free. Sooooo many factors all forcing hackers to go to the black market.

Ebay for exploits (2, Interesting)

munky99999 (781012) | about 4 years ago | (#33910804)

We need an auction site where vendors, bad guys, and good guys all bid on 0days.

Re-packaging what is already free (1)

checkitout (546879) | about 4 years ago | (#33911328)

I'm sure most of this will come from metasploit, packetstorm, and exploit-db. Directly selling exploits is shady, no matter what company is backing it.

An economics analysis (0)

Anonymous Coward | about 4 years ago | (#33912196)

Exploits have value on the 'black' market: they can be used to steal information or to redirect computer resources for the exploiter's ends. Both information and captive computer resources are fungible; there are active markets for them.

In the hands of a cracker, an exploit can be used over and over to create value (illegally, immorally, unethically, etc, but so what.) It is a capital investment that can continue to pay dividends and has a long expected life span.

The value that is taken is spread out over diffuse and disorganized individuals.

Even better for the exploit writer, the exploit is a product that can be sold to many crackers at zero marginal cost. So the 'black' market for exploits has a large payoff for the exploit writer: the total value of the exploit is: what can be stolen X how often it can be reused X how many times it can be reused X the number of people who can use it

Now the legal market:
The exploit writer sells the exploit once, then it disappears. Potential buyers in this market are not the same people who are threatened directly by the exploit; instead, they are usually the creators of the exploited product. They have less to lose than the potential victims do, which is the same as saying that they have less to gain in preventing the exploit than the numerous crackers do in using it.

This is why the legal market does not work: the exploit writer is being asked to sell the exploit for less than its value elsewhere, and therefore is losing money.

The probability of being caught on the cross-border Internet is pretty low, so it's a good bet to try and profit from an illegal exploit.

So:
If you are willing to pay less than the total value of the exploit as a criminal tool, no one will sell it to you
If you are willing to pay the exact value, you can buy it, but you have created no value; you have only shifted wealth from your pocket to those of the potential victims.
If you are willing to pay more, you will get even more exploits created by raising the value of all exploits

Good luck with that.

iTunes for exploits? (3, Funny)

slapout (93640) | about 4 years ago | (#33912416)

So you're going to start out selling exploits for 99 cents? And then create a(n expensive) portable device that people can buy to run your exploits on? And then become the market leader? And then introduce new models of your hardware? And then create an "exploit" store SDK so people can sell their own exploits? And then submit to exploit creators' demands that the price be raised to $1.29? And then remove color from the user interface?
 

Not a bad idea at all (1)

ladadadada (454328) | about 4 years ago | (#33913608)

Seems like a nice easy way to make a bit of cash in your spare time without any particularly rare skills needed. Just find a vulnerability from CVE that doesn't have a corresponding Metasploit module, write a Metasploit module and put it up in Exploit Hub.

Since it's not a 0-day, there's nothing to be gained by getting an exclusive purchase so the prices will be reasonable. There's less risk of being sued too because it's not a 0-day; just a bit of code that you can use to test for an already disclosed vulnerability.

  • The company who wrote the vulnerable software will want it to put into their QA cycle to guard against regressions.
  • Anyone who writes penetration testing software will want it to integrate into their product... unless the price is higher than just having their own coders do it.
  • Penetration testers will want it in their arsenal to make sure they get the maximum coverage possible.

The "bad guys" probably won't want it. It's already known and getting patched and they'll have to rewrite it anyway because it will have an easily identifiable signature as it comes from Exploit Hub.

There will still be a market for 0-day exploits, but as the article mentions, it's a finicky market. Setting up a market for turning disclosed vulnerabilities into Metasploit modules is smart.
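The first step of the workflow described in the comment above, finding disclosed CVEs that no Metasploit module yet covers, can be automated by diffing a CVE list against the references declared in module sources. The script below is an added example for this page and is not code from Exploit Hub, NSS Labs or the Metasploit project; it assumes only the module metadata convention `'References' => [ [ 'CVE', 'YYYY-NNNN' ], ... ]` and runs on constructed sample module sources and placeholder CVE IDs embedded inline rather than on a real module tree.

```python
"""
Find CVE identifiers that have no Metasploit module referencing them.

Metasploit modules declare references in a Ruby array such as
    'References' => [ [ 'CVE', '2010-1234' ], [ 'URL', 'http://...' ] ]
This script pulls the CVE references out of module source text and diffs
them against a list of CVE IDs of interest.  The module sources and CVE IDs
below are constructed placeholders, not real modules or real bugs.
"""
import re
from typing import Dict, Iterable, List, Set

# Matches a Metasploit reference tuple like [ 'CVE', '2010-1234' ]
# or ["CVE", "2010-1234"]; tolerant of spacing, case and quote style.
_CVE_REF = re.compile(
    r"""\[\s*['"]CVE['"]\s*,\s*['"](\d{4}-\d{4,})['"]\s*\]""",
    re.IGNORECASE,
)

# Matches a bare CVE ID such as CVE-2010-1234 in a vulnerability list.
_CVE_ID = re.compile(r"\bCVE-(\d{4}-\d{4,})\b", re.IGNORECASE)


def normalize_cve(text: str) -> str:
    """Return the CVE ID in 'text' in canonical upper-case 'CVE-YYYY-NNNN' form."""
    match = _CVE_ID.search(text)
    if not match:
        raise ValueError(f"not a CVE id: {text!r}")
    return f"CVE-{match.group(1)}"


def cves_from_module_source(source: str) -> Set[str]:
    """Return the set of canonical CVE IDs referenced by one module's source."""
    return {f"CVE-{m.group(1)}" for m in _CVE_REF.finditer(source)}


def module_coverage(modules: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each referenced CVE ID to the set of module paths that reference it."""
    coverage: Dict[str, Set[str]] = {}
    for path, source in modules.items():
        for cve in cves_from_module_source(source):
            coverage.setdefault(cve, set()).add(path)
    return coverage


def uncovered_cves(cve_ids: Iterable[str], modules: Dict[str, str]) -> List[str]:
    """Return, sorted, the CVE IDs from 'cve_ids' that no module references."""
    covered = module_coverage(modules)
    wanted = {normalize_cve(c) for c in cve_ids}
    return sorted(c for c in wanted if c not in covered)


# Constructed sample module sources (placeholder paths, placeholder CVE numbers).
SAMPLE_MODULES = {
    "exploits/windows/example/one.rb": """
      'References' =>
        [
          [ 'CVE', '2010-99990' ],
          [ 'URL', 'http://example.invalid/advisory' ]
        ],
    """,
    "auxiliary/scanner/example/two.rb": """
      'References' => [ ["CVE", "2010-99991"], ['BID', '00000'] ],
    """,
}

# Constructed list of CVE IDs of interest; mixed case on purpose.
SAMPLE_CVES = ["CVE-2010-99990", "cve-2010-99991", "CVE-2010-99992"]


if __name__ == "__main__":
    for cve in uncovered_cves(SAMPLE_CVES, SAMPLE_MODULES):
        print(f"{cve}: no module references it")
```

To run this against a real checkout, read every `.rb` file under the framework's `modules/` directory into the `modules` dict and feed it the CVE IDs from whatever vulnerability feed you track. Treat the output as a candidate list, not proof of a gap: a module may cover a bug while citing only a BID, OSVDB or URL reference, so confirm each hit by hand before writing anything.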

iTunes for exploits (1)

allo (1728082) | about 4 years ago | (#33917248)

bloated and unstable exploits?
