An eBay For Hackers

kdawson posted more than 6 years ago | from the can-you-spell-zero-bay dept.

Security 60

cyberdelicat writes to let us know about a Swiss security firm called WabiSabiLabi that is causing waves with its open auction for zero-day security vulnerabilities. While WSLabi claims they will thoroughly vet both buyers and sellers of vulnerabilities, many researchers are skeptical about how effectively they can do this. The Washington Post article mentions the guy who almost opened a similar auction site several years back, to be called Zero-Bay, but pulled the plug at the last minute. SearchSecutiry notes that some security researchers are now referring to WSLabi as "zerobay" as they undermine the auction site by reproducing and publishing vulnerabilities as soon as they appear for sale.

60 comments

How about an Ebay for Dupes? (3, Funny)

Anonymous Coward | more than 6 years ago | (#19863511)

Re:How about an Ebay for Dupes? (1, Informative)

x_MeRLiN_x (935994) | more than 6 years ago | (#19863519)

The last time this was posted the site actually worked. Now when you click on an auction you get a 404.

Re:How about an Ebay for Dupes? (-1, Troll)

Anonymous Coward | more than 6 years ago | (#19864701)

Harry marries Ginny and has three kids. Ron marries Hermione. Snape becomes headmaster. Tonks and Lupin have a child. Draco lives, gets married, has a child named Scorpius. Neville becomes herbology teacher.

The scar had not pained Harry for nineteen years. All was well.

Everyone lives happily ever after.

Re:How about an Ebay for Dupes? (1)

billcopc (196330) | more than 6 years ago | (#19867747)

Hey there sonny, when you're as old as I am (27), and you find that your brain forgets stuff because it's so full of techno bullshit, you too will appreciate the weekly re-runs :)

dupe (0)

Anonymous Coward | more than 6 years ago | (#19863527)

same crappy three exploits that were up a week ago

SearchSecutiry? (0)

Anonymous Coward | more than 6 years ago | (#19863555)

OK now I know I'm reading Slashdot ;)

All kinds of new auction sites (1, Informative)

Anonymous Coward | more than 6 years ago | (#19863597)

What do you guys think of this one http://www.swarmbuy.com/ [swarmbuy.com]

Re:All kinds of new auction sites (0)

Anonymous Coward | more than 6 years ago | (#19865009)

What do you guys think of this one http://www.swarmbuy.com/ [swarmbuy.com]
Looks like it could be a good idea. It's interesting that the guy has gone with an advertising model instead of the usual cash grab that eBay and other auction type sites usually use. Too bad there's nothing really there at the moment, the forum says it only got launched a few days ago. Maybe once it gets hopping it'll be fun to explore. I think I'll go get a good username now hah!

Re:All kinds of new auction sites (0)

Anonymous Coward | more than 6 years ago | (#19865575)

Too bad there's nothing really there at the moment, the forum says it only got launched a few days ago.
Yeah, and he posted as an AC ... hmmm, might there be some connection? Hmmmmm.....

Sounds Familiar (0, Redundant)

chrishajer (133668) | more than 6 years ago | (#19863621)

The scar had not pained Harry for nineteen years. (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#19863851)

All was well.

Re:The scar had not pained Harry for nineteen year (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#19874637)

Hehehe..... I don't know if I wanna read it now :P

Everything on Slashdot sounds familiar. (0)

Anonymous Coward | more than 6 years ago | (#19864061)

Either because it's a dupe or we read about it somewhere else a week earlier.

But hey, keep up the good work, kdawson!

*Yes, I'm duping my own post on Slashdot about dupes on Slashdot. Seriously, are kdawson and Zonk actually paid for the time they waste here?

YAD (0, Redundant)

m0nkyman (7101) | more than 6 years ago | (#19863629)

Yet Another Dupe.

Re:YAD (0)

Anonymous Coward | more than 6 years ago | (#19864957)

What I want to know is how do you know bidders aren't people with nefarious purposes? It's really easy to create a shell company that looks good on paper that is set up to be nothing but a front for bad guys.

Not only that, what's really scandalous is the idea that the company can be sure that it is not selling instructions for breaking into computers and networks directly to the criminals most likely to use them.

Dupe (-1, Troll)

Anonymous Coward | more than 6 years ago | (#19863699)

kdawson caN lick my fucking ballz

A site for redundant /. stories (0)

Anonymous Coward | more than 6 years ago | (#19863703)

i guess we could just stay here....

So what happens when... (4, Funny)

Mr EdgEy (983285) | more than 6 years ago | (#19863757)

A sold vulnerability ends up being used against the site?

Re:So what happens when... (0)

Anonymous Coward | more than 6 years ago | (#19865111)

"The capitalists will sell us the rope, to hang them with" Lenin

What's next? (1)

Citius (991975) | more than 6 years ago | (#19863947)

If they're auctioning off vulnerabilities... and someone that we'd prefer to not know about them knows... who's at fault?

Re:What's next? (1)

Antique Geekmeister (740220) | more than 6 years ago | (#19865343)

While that's a concern, there is a fairly serious underground already in selling such vulnerabilities. Both script kiddies exchanging cheap tools, and serious crackers using, selling, and giving away tools to "trusted friends" have been in play for decades. And far, far too many vulnerabilities are unpublished by security groups, "because the vendor hasn't given permission and not yet provided a fix".

CERT is sitting on at least a few vulnerabilities, and has been doing so for at least 5 years on some of them, particularly vulnerabilities involving Windows. So who is safer now that the vulnerability has been available for 5 years, but legitimate people like you and me can't look it up? And Microsoft is not alone in this, although they're usually the worst offender.

Re:What's next? (1)

Citius (991975) | more than 6 years ago | (#19866157)

Point taken. However, correct me if I'm wrong - script kiddies and their cheap tools tend to be more obsolete than the serious crackers...

Isn't part of computer security security through obscurity?

Re:What's next? (1)

Antique Geekmeister (740220) | more than 6 years ago | (#19866699)

Well, yes. "Tend to be more obsolete" is reassuring, until you realize that these crackers don't much recognize verbal agreements not to publish to other crackers, and both share with each other and steal from each other on a regular basis. So the rawest script kiddies receive infusions of the latest tools on a surprisingly frequent basis. The result is that the security through obscurity of keeping things unpublished becomes insecurity for most casual users.

Re:What's next? (1)

Lars T. (470328) | more than 6 years ago | (#19868419)

http://www.networkworld.com/news/2007/070907-average-zero-day-bug-has-348-day.html [networkworld.com]

Immunity, which buys but does not disclose zero-day bugs, keeps tabs on how long the bugs it buys last before they are made public or patched. While the average bug has a lifespan of 348 days, the shortest-lived bugs are made public in 99 days. Those with the longest lifespan remain undetected for 1,080 days, or nearly three years, Aitel said.

Reminds me of Tom Jones.... (0)

Anonymous Coward | more than 6 years ago | (#19863957)

It's not Unusual to have secks in tha butt...
(DaNaNaNaNaaaa...)

FREAKIN ' LOAL DUDES!!!
ME AM BRAZIL!!!!

Wow. (1)

spazmonkey (920425) | more than 6 years ago | (#19864049)

This whole idea is wrapped in so many layers of stupid I can't wrap my brain around it.

Problem is, like many functional solutions in this world, it may be just stupid enough to actually work.

Re:Wow. (1)

null.account (1126537) | more than 6 years ago | (#19868807)

This whole idea is wrapped in so many layers of stupid I can't wrap my brain around it.
I guess that makes you pretty stupid, then, eh ?

Sounds dumb (1)

cdrguru (88047) | more than 6 years ago | (#19864153)

How does someone selling something illegal get paid? If I open an auction site for heroin it would be greeted with great fanfare, even by the law enforcement community. Because they could just arrest the "winners" (actually losers). Sounds like a real money-maker for about 30 seconds.

OK, so there is an open auction for a remote exploit for Yahoo Messenger. So if I wanted to steal bank account information from lots of Yahoo Messenger users, this would be a good start. The minimum bid is 2000 Euro, which sounds pretty fair for something that could be used to grab millions of dollars from unsuspecting users worldwide. I would assume that similar exploits could be used in a similar fashion - to steal from people. Isn't that the new way to make money on the Internet from Eastern Europe?

Re:Sounds dumb (3, Insightful)

Nazlfrag (1035012) | more than 6 years ago | (#19864937)

There is nothing I can think of that is illegal about not immediately disclosing any security vulnerability a professional researcher or basement dwelling hacker stumbles across. There is also nothing illegal about providing exploit riddled software according to licenses I've read. What is illegal is robbing people's bank accounts. I'm fairly sure that these guys aren't planning to keep the best hacks undisclosed while they rob banks (though it would be an interesting twist). I'm fairly sure they will be able to track the dissemination of these exploits far better than the existing markets.

Researching security holes should be a legitimate and profitable R&D investment, and should be done in an up front manner such as this rather than via the black market where your dire vision already thrives.

Well it depends (3, Insightful)

Sycraft-fu (314770) | more than 6 years ago | (#19865371)

Quite often, it is illegal to sell someone something if you should reasonably know they are planning on using it for an illegal purpose. As a simple example, a gun dealer is in a world of shit if someone comes in and says "I need a gun so I can go kill my wife, what do you have for me?" Basically, you are an accessory to a crime if you have or should reasonably have knowledge that a crime is going to be committed and you provide support, material or otherwise, for the commission of the crime. So while not disclosing a vulnerability is legal, selling it to someone that you have a good idea is going to use it for criminal means is illegal. The ignorance defense only goes so far, while being an accessory requires knowledge of the crime (you can't be charged for letting someone in a house if you legitimately believed they should be there, for example) it doesn't require that it was spelled out for you. If there was enough evidence that you should have known what was happening and were just being willfully ignorant, that doesn't cut it, especially if there was profit involved.

There are additional problems when you start dealing with certain classes of items. If something has substantial legal uses you are on much more solid ground. To use the gun example again, guns are widely used for hunting, target shooting, personal and home defense, all perfectly legal uses. Thus it isn't a stretch to assume someone has a legal use for it, unless there's specific reason to believe otherwise. However if the item in question has little to no legal use, then there can be problems. I see exploits as being mostly in this category. Other than the companies, who really has a legit use for the details behind an exploit? Now this isn't a challenge to try and come up with obscure reasons someone might want it, it is something to think about in general. What would people by and large want to buy these for? If the majority of realistic answers are illegal ones, then you can have a real problem when you sell it if you aren't real careful.

Re:Well it depends (1)

lordkuri (514498) | more than 6 years ago | (#19867435)

Other than the companies, who really has a legit use for the details behind an exploit?

Any user of that software that won't/can't/doesn't want to wait for the company to get off of their lazy asses and fix it, so they need a workaround.

Re:Well it depends (1)

Nazlfrag (1035012) | more than 6 years ago | (#19868193)

Security affects users far more than it affects the company providing the tools. From this perspective, there are far more legitimate users trying to secure their systems from attack than there are illegitimate ones trying to exploit them. If bank robbers want to get exploits from this site, they will need credentials far exceeding what the black market requires. Face it, the bank robbers laugh at these 'zero day' vulnerabilities, they are last week's or last month's vulnerabilities. An open and forthright exchange for these insecurities is needed not to legitimize fraudsters but to expose and destroy their monopoly on exploits. Computer security is still immature, and seems not to learn the lessons of physical security well. Security through obscurity was debunked for physical locks over a century ago, yet we continue to repeat the mistakes of the past.

Vulnerability Info Exchange is Good (2, Interesting)

this great guy (922511) | more than 6 years ago | (#19864997)

Selling information about security vulnerabilities may be considered unethical by some, but it is perfectly legal in almost all countries (notable exception: France). Don't forget that a vuln is just a bug, they are selling information about how to trigger a bug. Why would that be illegal? If a buyer exploits the bug for nefarious purposes, then the buyer is doing something illegal, not the seller. There are plenty of legitimate cases where a market for selling vulnerabilities is a good thing:

  • The developer of a vulnerable application may want to buy vulnerabilities found in his application. Financial reward is an incentive for security researchers to find more vulnerabilities in an application when they know they would get paid for it. Additionally, over time, the security of the application increases.
  • Penetration testing companies can increase their chance of a successful pentest with access to new and original vulnerabilities. This prompts the client (pentest target) to secure his IT infrastructure, by rearchitecting it, or implementing new security mechanisms.
  • Vulnerability assessment tools developers can gain an edge over their competitors by buying info about vulns. A legitimate security vuln market moves the VA market forward, and in the end increases the rate of discovery, and therefore the rate at which security vulns are fixed.
  • The biggest argument is perhaps this one: a vulnerability sold to a legitimate buyer is often one less sold to a criminal.

Amen! (1)

Weezul (52464) | more than 6 years ago | (#19866349)

Or the most basic: A sold vulnerability market also supports honest security researchers financially. Security will become a higher priority for venders if they must bid against black hats. etc.

Big security problems currently come from people not installing patches. You can't fix this since you can't write perfect code. But you can help by writing better code. So we must make venders see the real costs.

Sounds even dumber (0)

Anonymous Coward | more than 6 years ago | (#19865937)

I usually try to not feed the troll, but eh.

If you think malware comes only from Eastern Europe, you're mistaken.

I for one... (0, Redundant)

Tatisimo (1061320) | more than 6 years ago | (#19864291)

Welcome our new dupe overlords. Soon we'll have enough to make a beowulf cluster of them.

Don't let stupidity fool you (2, Interesting)

packetmon (977047) | more than 6 years ago | (#19864395)

I saw via a security mailing list ridicule at "Who the hell would buy a Yahoo messenger exploit. har har". So let's think about this for a minute... Done, how many people do you know that use Yahoo messenger at their corporate office? As obscure as some may think the site will be, all you need is some hardcore "pwning" going on, and some government will treat the site as they did Pirate Bay and shut it down quickly

Re:Don't let stupidity fool you (1)

Loucks (951130) | more than 6 years ago | (#19865051)

That's a good point, given that The Pirate Bay is no longer online and all.

Re:Don't let stupidity fool you (1)

karnal (22275) | more than 6 years ago | (#19868237)

I missed the sarcasm in your post. I checked the site and thought "Damn, he got me."

Good show!

Dude, this sucks (3, Interesting)

TheModelEskimo (968202) | more than 6 years ago | (#19864599)

I posted this awesome cultural comment the last time this story was posted and nobody even replied. Now the dupe is just plowing up all those bad memories again. http://it.slashdot.org/comments.pl?sid=246095&cid=19763499 [slashdot.org]

Re:Dude, this sucks (1)

chawly (750383) | more than 6 years ago | (#19865301)

Yes, a dupe so soon after the first one ----- it sucks. I found your comment to be cultural, informational, interesting, and nothing whatsoever to do with the subject (as far as I can see, anyhow). I would have replied, but I didn't get a chance to read /. that day. The dupe gives us all a second chance - let's look on the good side.

I just want to say thanks - without your awesomely irrelevant comment I would never have known about our fiercely contemplative Japanese companions.

I agree with you : Know your neighbour is a good idea - even if the s.o.b. does live in Japan. So THANKS for the comment.

Good idea, actually... (1)

stevejsmith (614145) | more than 6 years ago | (#19864649)

Of course it sounds ridiculous, but if you think about it, it's actually not a bad idea. For one, if there are these critical bugs being published all the time and big companies are taking the heat for these vulnerabilities, you can bet the companies would either a) pay top dollar to buy the exploit themselves and hopefully patch the hole, or b) encourage them to be more proactive. Rewards for finding holes would mean a reliable stream of money for those who find them, ensuring that there would be plenty of people willing to essentially clean up what the original programmers missed. You'd have to live under a rock to think that vulnerabilities were not already traded in a black market (and this isn't a normal black market -- it's a market of people who, by their very presence in this market, are very technologically adept and know exactly where to seek out these sorts of things). If they're going to be bought and sold anyway, why not legalize it and have it do some genuine good?

whoa! (1)

dexomn (147950) | more than 6 years ago | (#19864743)

Oh man, I wonder if I could get five bucks for a rickroll! I mean.. that shit has to be worth five bucks. =)

How about... (0)

Anonymous Coward | more than 6 years ago | (#19864911)

A Slashdot for Dupes?

No reserve l@@k! (0)

Anonymous Coward | more than 6 years ago | (#19865567)

This zero day exploit uses a buffer overflow in IE to delete all the files on the PC. Ending in 7 days.

Auctioning known defects (1)

TheCybernator (996224) | more than 6 years ago | (#19866243)

That's a good idea. From now on, I'll sell the defective products and then later auction the known defects :)
???
Profit!!

the idea has merit (1)

v1 (525388) | more than 6 years ago | (#19866817)

If something is a problem for you but the people that could fix it don't care, then naturally no one is in a hurry to fix it. MAKE it an immediate problem and you will get a faster fix. There will be more collateral damage of course, but the unfortunate part is not the collateral damage, it's that we have to HAVE it to motivate the people to fix their crap. This whole concept of blaming, attacking, and trying to silence the whistleblowers has got to stop. It's not their fault. Are they making the problem worse? You bet they are. But the problem should not have existed in the first place, and the ones that are in a position to fix the problem are in no hurry and so these things just get hidden, ignored, and drug out. By making the problem a magnitude worse, they motivate people to fix things because they can no longer tolerate the repercussions of their apathy. (or rather, their customers can't tolerate it, and rocks roll downhill)

I'm all for this. The only ones that are really against this are the producers that are too cheap to invest sufficient funds in securing their product and do not want their cheapness to be exposed - they cry that their shortcoming is someone else's fault, merely because they pointed it out to the public. If I expose your failure, that doesn't make the results of your failure suddenly my fault.

Stop referring to security people as researchers (0)

Anonymous Coward | more than 6 years ago | (#19867451)

Most are just extortionists, especially every single poster on Full-Disclosure who claims they should profit ``their work'' (which is used to extort companies).

The ``work'' they speak of is running tools they didn't make on code and finding bugs then trying to extort companies because they found this bug. Don't let the full-disclosure ethic confuse you, security researchers are black hat extortionists, the only ones who aren't are those who bother holding a faculty position, so they are already paid.

What happens when this site gets cracked? (1)

r_jensen11 (598210) | more than 6 years ago | (#19867503)

The whole thing just seems stupid. Sell information about a vulnerability, then wonder why your website is down 5 minutes later...

I think you mean an eBay for crackers. (1)

that this is not und (1026860) | more than 6 years ago | (#19867749)

The eBay we already have is the 'for hackers' one.

I use it regularly to buy PIC controllers, semi-exotic silicon, and weird computer hardware (i.e. anything 'the natives' can't Install Windoze on here in tardo flyoverlandia). I also sell a lot of cool stuff, like PDP-11 hardware, etc. Without eBay or at the least the Web and mail order, a person such as myself couldn't live in this godforsaken (actually, god-addled) part of the country.