
The Black-Market Code Industry - timr
http://www.fastcompany.com/magazine/127/nexttech-fear-of-a-black-hat.html
======
tptacek
This is only one of the most widely-discussed phenomena in all of computer
security. Thanks, Fast Company, for "breaking" this story.

~~~
gaius
Also for letting us know that HPUX is a database :-)

------
michaelbuckbee
IANAL but I would think selling exploits would be legal (and distinct from
using them). A very strong argument could be made that it's no different than
an employee of one of the security groups or the government uncovering them.

~~~
wmf
The whole business stinks. I wonder if these black hats offer right of first
refusal to the affected vendors, because that sure sounds like extortion.
"I'll happily sell this exploit to you... or to the Russian mob -- it's your
choice."

~~~
tptacek
No. People who sell vulnerabilities sell them immediately, to well-known
brokers. At least part of the market for vulnerabilities is open and "above
board" --- TippingPoint's Zero Day Initiative and iDefense being two of the
best known.

Most of the brokers you've heard of have relatively strict policies on
notifying the vendor and securing patches prior to open release, though
there are usually loopholes that benefit the broker themselves.

------
jcl
_In keeping with the adage there's no honor among hackers, Rigano called t0t0
a thief._

Does it count as an adage if you make it up yourself?

~~~
kleevr
Reminds me of the 'self-quote':

"I think I said it best when I said 'X'"

Oddly enough the perpetrator was a college professor... color me surprised.

~~~
jcl
Sounds like he's channeling George Bernard Shaw: "I often quote myself. It
adds spice to my conversation."

