
So You Want To Be a Zero Day Exploit Millionaire?

Soulskill posted more than 2 years ago | from the good-luck-with-that dept.

Security 36

gManZboy writes "There's a thriving trade in zero-day vulnerabilities, predicated on keeping knowledge of these vulnerabilities out of the public domain. For security researchers with knowledge of a bug that's not worth much, or for researchers who question the ethics of selling any bug information, there are alternatives. Vulnerability information service Secunia launched its Secunia Vulnerability Coordination Reward Program, which formalizes what Secunia says it's been doing informally for some time: It acts as a go-between for security researchers that have discovered a vulnerability in a product, and the vendor of that product. Do such practices jeopardize security for the many, while safeguarding just the few? It's still unclear whether Stuxnet's authors discovered the zero-day vulnerabilities themselves, procured them from a legal market, or bought them on the black market. If you're going to cash in, you face some tough ethical questions."

36 comments

I cannot spend ethics (3, Insightful)

codepunk (167897) | more than 2 years ago | (#38029096)

I cannot spend ethics, cash however is always welcome.

Re:I cannot spend ethics (0)

Anonymous Coward | more than 2 years ago | (#38029132)

In God we trust; all others must pay cash or charge.

Re:I cannot spend ethics (3, Insightful)

El_Muerte_TDS (592157) | more than 2 years ago | (#38029258)

Besides that. "Ethics"? what a crock. That's something for Disney movies.

Re:I cannot spend ethics (1)

Anonymous Coward | more than 2 years ago | (#38029374)

Ethics is something an employed person might care about.

Take away those jobs and take into account corporations' lax attitude about security (which doesn't "add value") and you will have a lot of disgruntled people with inside knowledge of vulnerabilities and trade secrets, who may choose to instead profit directly or indirectly from their new line of work.

People won't bite the hand that feeds them, but they will bite the hand that slaps 'em.

-- Ethanol-fueled

Re:I cannot spend ethics (0)

Anonymous Coward | more than 2 years ago | (#38030058)

Ethics is something an employed person might care about.

Take away those jobs and take into account corporations' lax attitude about ETHICS (which doesn't "add value") and you will have a lot of disgruntled people with inside knowledge of vulnerabilities and trade secrets...

FTFY

Re:I cannot spend ethics (0)

Anonymous Coward | more than 2 years ago | (#38029454)

Besides that. "Ethics"? what a crock. That's something for Disney movies.

Just look at the ragers a few days ago when some company's equipment was used by Iran or Syria to censor or track down dissent.

Re:I cannot spend ethics (1)

Sumtingwong (1107983) | more than 2 years ago | (#38037462)

Hmmm, so I guess your daughter/son/mother/brother/other loved one is fair game, huh? Ethics has many faces, friend. Home is a good starting point.

Exactly (0)

Anonymous Coward | more than 2 years ago | (#38029708)

The only point of deliberation is the trade-off between potential money, potential sentence, and risk of getting caught.

Ethics schmethics.

Re:I cannot spend ethics (1)

Weezul (52464) | more than 2 years ago | (#38029820)

There is a fairly eloquent youtube video that discusses security researchers actually being paid for their efforts :

http://www.youtube.com/watch?v=aVtXac6if14#t=4m

Re:I cannot spend ethics (1)

martin-boundary (547041) | more than 2 years ago | (#38030440)

True, but selling information that enables criminal hacking can make you an accessory. Actually getting paid for this can and will be used in court against you.

Re:I cannot spend ethics (0)

Anonymous Coward | more than 2 years ago | (#38031046)

I cannot spend ethics, cash however is always welcome.

Try this on for size. One way to look at selling something is 'buying cash' with it (trading it for cash; if you have trouble with this, it might be easier to picture it with goods exchanged for a foreign currency first: if one man gives a TV to another for some rubles, he's obviously trading it for the rubles, or, if you will, buying rubles with it. Same with dollars or your local currency.)

Now.

  • You can buy cash with a lot of other things besides vulnerabilities on the black market
  • But you can't buy ethics with anything, cash or otherwise. If it's gone, it's gone.

If you value both cash and ethics to some extent, which does it make more sense to hang onto for longer or while you can?

There is a documentary on this. (0)

Anonymous Coward | more than 2 years ago | (#38029156)

http://www.youtube.com/watch?v=XrLNU6OU7_M [youtube.com]

This showed me the mindset of how to get a go-getter attitude to get things done. The only problem is discovering the perspective of the world to align your perspective to the ones most receptive to paying for this.

"Sourceforge Top Downloads" (-1, Offtopic)

Anonymous Coward | more than 2 years ago | (#38029210)

Why is this now appearing on the frontpage? And how do I make it stop (short of userChrome.css/Greasemonkey)?

Re:"Sourceforge Top Downloads" (0)

Anonymous Coward | more than 2 years ago | (#38029416)

Can you explain why you wouldn't want to know top downloads on sourceforge? Are you already getting this information some other way?

Re:"Sourceforge Top Downloads" (0)

Anonymous Coward | more than 2 years ago | (#38030790)

I wouldn't care if it was at the bottom or somewhere else. It's just it's at the top of that sidebar, and thus forces the other content I've purposely put there for easy viewing further down the page.

Yes (0)

Anonymous Coward | more than 2 years ago | (#38029322)

1. Write software that blocks suspicious traffic. or 1.1. Patch holes or 1.2 Make sure my software is secure in the first place.

2. ???

3. Profit!

Anybody in the security space who does this stands a very good chance of retiring with well in excess of a $1 million net worth. You don't have to compromise your principles or anything.

Of course what they are really asking is, "do you want to become a millionaire really quickly and spend a lot of time worrying about the knock on the door and feeling like shit".

No.

I sell 0-day anal exploits! (-1)

Anonymous Coward | more than 2 years ago | (#38029360)

It happened when I was 19, a guy I met a guy in my College library took to his dorm and turned me around having pulled pants down. I figured he wanted to eat me doggystyle, when he stuck his tongue up my anus...

7 years later and more than 30 partners of all shades; half of whom have performed analingus on me, has me thinking its perhaps the new cunnilingus and 10 years time it will be part of foreplay.

PS: I return the favour.

Your thoughts.

Ur a twisted freak. (0)

Anonymous Coward | more than 2 years ago | (#38030068)

In prison it's called getting ur salad tossed. Ur not just a twisted freak, but ur not even original.

Only in a sick, twisted, jew-ified society... (0)

Anonymous Coward | more than 2 years ago | (#38030214)

>>In prison it's called getting ur salad tossed.
This can't be -- salad is the one ingredient that doesn't go that way.

>>but ur not even original.
You are implying he is ab-original? Fucking Aus'ies. GTFO 'murika /. serber!

Re:Only in a sick, twisted, jew-ified society... (0)

Anonymous Coward | more than 2 years ago | (#38076710)

>>In prison it's called getting ur salad tossed.
This can't be -- salad is the one ingredient that doesn't go that way.

>>but ur not even original.
You are implying he is ab-original? Fucking Aus'ies. GTFO 'murika /. serber!

omg this is hilarious

what does "ethics" have to do with it? (4, Insightful)

khallow (566160) | more than 2 years ago | (#38029436)

If you're selling zero day exploits to the highest bidder, you are beyond caring about the ethics. The study of ethics assumes that someone sincerely, rationally cares about what they should do or not do. Selling zero day exploits to whoever clearly indicates you're not in that camp.

Re:what does "ethics" have to do with it? (0)

Anonymous Coward | more than 2 years ago | (#38030566)

I'm all for an exploit sale market.

Seriously.

"It's horrifically immoral", so? I'm not going to bid on a hack; you're going to turn around and resell it as many times as possible to make your money before it gets patched. Fact is, such a market creates flows about such information which in turn ensure enterprise class software vendors can't sit under a rock suing everyone who publishes a hack on their system. "Oh, we'll make it illegal" oh you will? Awesome, let's drive that sucker underground where your bugs are not going to get fixed and one party can buy an ARSENAL of hacks to completely trash your systems.

If I'm a CTO am I going to buy someone's system if I know they ain't patching it? Probably not.

Force the companies whose systems are being compromised to start offering warrants for found exploits, and if they find it's an expensive ordeal, hire the people finding the exploits and harden your systems.

Re:what does "ethics" have to do with it? (0)

Anonymous Coward | more than 2 years ago | (#38034370)

Well, in terms of Stuxnet, let's look at the buyer. Is the Israeli government so eager to attack Iran that they're buying stuff on the black market, while lambasting others for doing the same? THAT'S the ethical issue that needs more scrutiny.

There's no ethical dilemma here (0)

Anonymous Coward | more than 2 years ago | (#38029590)

If there is money to be made, it is going to get made. If we want to have secure software, either the bounties for exploits need to be higher than the price on the black market or companies need to stop releasing programs with security holes in them.

Tough ethical questions (2)

nurb432 (527695) | more than 2 years ago | (#38029818)

Not really. And remember too that ethics are relative.

I know what i would decide without thinking twice, and yes the world would be screwed. In a heartbeat.

Custom-made vulnerabilities (1)

Anonymous Coward | more than 2 years ago | (#38029888)

It's still unclear whether Stuxnet's authors discovered the zero-day vulnerabilities themselves, procured them from a legal market, or bought them on the black market.

-- OR --

Perhaps the vulnerabilities were originally engineered for the authors?

Ethics be damned.. (3, Informative)

angiasaa (758006) | more than 2 years ago | (#38030128)

It is common practice among digitally inclined firms to sue white-hats when they contact them about security vulnerabilities in their systems, rather than getting down and patching the holes and fixing the flaws.

It seems to me that it is no wonder that ethically inclined hackers would prefer to avoid approaching firms with their discoveries and instead just sit on them. Personally, I think ethics be gone and let the big lawyered up firms take their attitudes and suffer the consequences.

Contact the firm, set a deadline and then release the zero-day exploit anonymously on the specified date as promised.

Re:Ethics be damned.. (1)

The Mr.K (810856) | more than 2 years ago | (#38041476)

It's unfortunate, but the companies have basically made this market a viable option for white-hats looking to solve security issues. It helps protect them against being sued, and they also get money to boot.

Ethics? (1)

Fnord666 (889225) | more than 2 years ago | (#38030244)

Ethics? Have you looked at the pathological behaviour that passes for ethics in business these days?

Get a job at Microsoft (2)

PPH (736903) | more than 2 years ago | (#38030534)

1. Get a job at Microsoft.
2. Incorporate bugs into product.
3. Sell info. on said bugs through Secunia.
4. ????
5. Profit!

I think Scott Adams addressed the issue of a bug market years ago.

Re:Get a job at Microsoft (0)

Anonymous Coward | more than 2 years ago | (#38034882)

"It's still unclear whether Stuxnet's authors discovered the zero-day vulnerabilities themselves, procured them from a legal market, or bought them on the black market."

"1. Get a job at Microsoft."

You don't need to work for Microsoft. Stuxnet's authors were the United States government. The implementors were the Israelis.

1) Windows has back doors inserted intentionally, by U.S. law. These are the same doors that the Chinese used against Google and several fortune 500 companies in the U.S.
2) The vulnerabilities include those in Siemens' PLCs.
3) An Israeli general was credited for Stuxnet at his retirement.
4) The Iranians executed the Israeli mole who infected them.
5) Stuxnet is limited to attacks in 1 geographical area.
6) Stuxnet has been researched and made ready to use against the U.S.

It doesn't take a rocket scientist to figure out what is going on.

Re:Get a job at Microsoft (0)

Anonymous Coward | more than 2 years ago | (#38060238)

The bounty system has failed in a lot of situations exactly for this reason. Rat farms in South Africa and dinosaur bone crushing in China are well known failures of such an approach.

Ethics Gradient (2)

mac1235 (962716) | more than 2 years ago | (#38033306)

It would depend on how many days I had gone without food.

Ethics? It's much simpler than that for me! (1)

MrNthDegree (2429298) | more than 2 years ago | (#38033674)

if (free_s)
{
    return bugfix;
}
else
{
    return profit;
}

Secunia doesn't pay anything. (1)

munky99999 (781012) | more than 2 years ago | (#38033686)

Secunia's program doesn't offer any $ so why the fuck give them anything. ZDI offers basically nothing.

There are a few places which offer decent cash and there are a few ebay-ish places which let you sell but they aren't that popular.

Amazon says they want to offer everything... they should allow it and all we need to do is put them up there.

weaponized computing HAAAA :)) (0)

Anonymous Coward | more than 2 years ago | (#38038444)

"Have you discovered a killer zero-day vulnerability in a widely used product? Can the bug be "weaponized," or actively exploited?"

Solution: don't plug your flaky Windows desktop 'computer' into the Internet.
