As a community it makes sense to embrace this. As vendors (and especially people who develop apps for walled gardens) start seeing real-world feedback on platform security, we can all make more informed choices. It also incentivizes the hell out of companies to make their stuff more secure. Terrific concept. This shouldn't be some kind of dark grey-market site. It should be on a web location as visible as eBay. (owned by somebody with no skin in the game)
For those of you arguing that such information can and does kill people, I feel your pain. But you can't hide knowledge. There will be a market whether or not there's a Forbes article about it. The only difference is whether you know about these vulnerabilities or you don't. A big, public market lets everybody see how crappy the things we use are. A secret, government-controlled market keeps all of that critical information away from the very people who need it. If the Syrian government is using security exploits to kill dissidents, all the more reason to let the sun shine in.
This market, to me, looks very similar to the weapons industry. The more open it is the better for everybody. The other commenters are correct, this market isn't going anywhere. We may as well shed light on it.
That sounds ridiculous, I think. As soon as that is made public, there will instantly appear another market where that info is not made public, and most buyers will switch to that new market, sellers will follow as well.
Whatever your views on the morality or ethics surrounding this market, the fact is that it exists and isn't going away. In fact it has existed for a long time (I certainly remember exploits being traded, bought and sold in the early 2000s and 90s) but the thing that's new-ish is the presence of numbers in the public eye.
Charlie Miller's paper on the 0day market provides an example of what happens when someone has a lack of market information (they lowball and sell the bug for less than it's worth) in this space, and might be of interest to people who enjoyed this article.
 - http://securityevaluators.com/files/papers/0daymarket.pdf
To squash a market entirely requires extremely strict laws, punishment, and enforcement. Even then, it's impossible to destroy some markets if enforcement cost is too high, or is incompatible with the rules of a society (e.g. it's un-Constitutional).
For example, the U.S. spends billions each year on the war on drugs, and yet there's someone sitting right next to me in a coffee shop I could probably buy some off of right now. If $500 billion was spent yearly on enforcement, and police could do random searches of persons and property at any time without warrant, drugs would dry up. But at what cost? The loss of many of our rights, plus extremely high taxes, followed by an inefficient society spending so many resources on, well, "You can't stick that pill in your mouth." We'd become a military state with little else to offer, stagnating while the rest of the world surpasses us.
Black markets can be risky to engage in. If the risk of getting caught buying or selling an exploit was, say, 24/7/365 physical torture for 10 years, most people probably wouldn't do it. But a few would remain if it is worth the risk to them, or if they fail to assess risk (e.g. they don't comprehend it, or they ignore it; "It won't happen to me!"). The black market would "harden".
Mexican drug cartels hardened with guns, violence, secrecy, corruption, torture and death. You can theoretically calculate how many humans died in Mexican drug wars, per-joint you smoked, in 2011. That cost was built into the price you paid for the drugs. This "death cost" goes away if you legalize it.
So you're absolutely right; markets for software exploits will not go away unless it becomes unprofitable, or not worthwhile. Right now there are few, if any, laws banning it (aside from extortion, treason laws, etc...). Since many are vocally against it, they only have a few options to "prevent" it. Shame those who do it, buy them out ($$$), race them (white hats), or propose legislation to ban it (good luck). This market is likely here to stay for some time. If it remains legalized and becomes accepted by the general community, more people would do it, prices would come down, and so would earnings.
(1) Profitability can be defined as anything the supplier receives in return for their product/service which they deem "worth" something. It doesn't have to be money, but could be good feelings, increased social capital, learned knowledge, etc...
For the record, you can do this with any product from any industry where fatalities ever occur during production and distribution. For example, the cost of teamster's deaths during delivery has been factored into the cost of products for hundred(s?) of years. Whether that death occurred because of overwork, robbery, or modern day road accidents, it's been accounted for.
People die of heatstroke farming the food you eat and the coffee you drink. And people die getting you the weed you smoke. I'd like to see data comparing them.
No they're not, on both counts. They're not making themselves rich at the expense of everyone else. Their major customers are governments, who are in no rush to make their own purchasing patterns illegal. They're taking part in an active established market. Immunity have been doing this publicly for over a decade, with the difference being that anyone can buy Canvas.
The simple solution (which works in favour of the exploit dealers too btw) is to use a layered approach to defences that make it more expensive to develop an exploit. That's what Microsoft have been doing since Vista. There are now so many hurdles you have to jump through for a server-side remote code execution bug that for most people it's just not worth it (given that you'll have to chain exploits more often than not to bypass protective measures), which is partly why client side bugs are becoming more common.
* The client-side attack surface is, probably by many orders of magnitude in any metric you care to use, more complex than the server-side attack surface. Look at the kinds of libraries that have been long-term thorns in the sides of developers and security teams --- image codecs, font libraries, compression --- a big chunk of everything that goes on your computer screen can be influenced by attackers.
Not to take anything away from your point; I'm glad you're injecting some sanity onto these threads.
Not to mention that gaining access to that server would probably be fairly simple given the atrocious security standards of most web hosting companies. CPanel, pilfered ssh key, SQLi, PHP bugs in the forum software, rent a VPS on the same host and LPE... I hardly need to tell _you_ how many alternative (cheap) ways exist to gain access to the server. (And this is assuming that they aren't running their own colo's and web hosts a la http://www.schneier.com/blog/archives/2008/10/clever_counter...)
Given the relative ease of access to servers and the poor quality of intel stored on them, it's no wonder that the market focus is on client sides. Finally, it's worth mentioning that most (all?) of the servers with interesting data on them are in the legal jurisdiction of the US (just ask Kimble, ha!). Accessing that data requires a sternly worded letter on official letterhead-- not an exploit.
So, not to detract from either of your points; but there is another angle to add to the mix.
However, the meat on the bones is really on the servers. If someone pops my desktop at work, they won't find much valuable data. But they will be able to keylog me, grab admin password hashes, arp-spoof etc. Still, no data. But what they will get enables them to access our company files and databases in short order.
In essence, client-side attacks in the corporate world are definitely targeted at server data, while in the consumer world, they're targeted towards identity theft or botnet creation.
There are very few governments that care about what is on your company file server or in your company databases. (Ignoring the elephant in the room on that one.)
Law enforcement agencies keep huge Access databases of the contacts they extract from cell phones taken from criminals. They share this intel with each other via email (I know, I know...). They can discover a great deal about who is involved in an activity and where they are on the totem pole from just this data. It's even possible to identify people by correlating the content of the "name" field and using the phone number as a unique ID. Criminals tend to have poor OPSEC.
The sellers have no way of determining how the exploits will be used. The mere fact that buyers are willing to spend so much on an exploit indicates they are not just collecting them out of idle curiosity. Even if we could completely trust the buyers to not misuse or share information about the exploit, the original bug remains unpatched for others to independently discover and exploit.
The sellers are willing to inflict damage on everyone else so they can benefit. That sounds like leeching to me.
I don't know you but I get the impression that you've never gone through the bug reporting process from a bug hunter's perspective. Some places do offer bug bounties, and of course you have the usual ZDI, pwn2own etc. that you can go through, but from my own personal experience I've been ignored, threatened with legal action and dragged into a quagmire of free IT support because the manager handling the bug won't let me speak to a developer and doesn't understand the bug amongst other things.
On the other hand, finding a bug isn't hard, but developing a reliable weaponised exploit that works repeatably against multiple targets can be a heck of a lot more work.
My own personal view when it comes to disclosure is 'finders keepers'. It's my bug, I found it. It's not worth my time weaponising it to sell on the black market and it's too high risk for me personally to be associated as being active in it, it's only worth weaponising to the point where I can use it in future on pentests and help customers implement workarounds.
> The sellers are willing to inflict damage on everyone else so they can benefit. That sounds like leeching to me.
[edit: more pithiness]
Buyers of exploits (at least those who aren't blackhats/criminal enterprises) generally intend to use them for their security services/applications. They have to have the latest exploits otherwise they can't protect their clients.
So while I personally find the sale of exploits distasteful†, I think Soghoian is in the weeds with this argument about exploit developers being "modern merchants of death". Exploits are nothing like conventional munitions. They're extremely scarce and their extraction from software imposes no intrinsic costs on the rest of the world.
In other words: vendors can simply outbid intelligence agencies for their bugs, or, better yet, invest more heavily in countermeasures to moot those bugs. Unlike guns, which can be manufactured so cheaply and at such a scale that no one organization could hope to stem the tide with markets, vendors can stop immoral abuses of their own software simply by participating more actively in the market.
$200,000 sounds like a lot of money, but it's under the cost of one senior headcount at a major software vendor, and vendor cash flows are expressed in high multiples of their total headcount cost. The higher the prices go, the more incented vendors are to stop vulnerabilities at the source.
Even today, the whole technology industry is captivated by the misconception that vulnerabilities somehow cost some fraction --- maybe 1/3, maybe 1/4 --- of a senior full-time dev salary. After all, they're generated by people who would otherwise be occupying that kind of headcount. And for the most part, that misconception has been bankable, because the best exploit developers almost as a rule suck at marketing themselves.
Every other price in the application security field follows from this misconception, from headcounts and org charts at vendors to assessment budgets to shipping schedules for products to the salaries of full-time application security people.
It's all built on a misconception; that misconception creates a market inefficiency; people like (allegedly) The Gruguqhquq are arbitraging on that inefficiency. But the solution to a market inefficiency is to eliminate it, not, as Soghoian implies, to install umpires around it and erect bleachers and a jumbotron so we can watch it more carefully.
I see this story as evidence of chickens coming home to roost, not as some dangerous new ethical lapse on the part of the security industry.
† This is an easy moral stance for me to take because I don't invest any serious time into developing exploits for the targets on this price list.
Companies do not directly lose money if their products are exploited. How many thousands of exploits have been developed for Windows? They're still doing just fine.
Software is buggy and exploitable by its very nature. The cost to secure a large software project is orders of magnitude higher than the cost to find a flaw and exploit it.
By participating in an open market for exploits and greatly raising demand for them, the government is making us all less secure. "This is why we can't have nice things".
The fundamental moral problem with the market isn't the value being imputed to exploits; it's the lack of value imputed to resilient software.
Actually they can and are. Not so much the exploit dev bit, but the bug hunting is getting more automated.
 - http://www.scribd.com/doc/55229891/Bug-Shop
Of course the great thing about code defects is that updates are just as good at introducing new bugs if the developers don't have proper security processes in the first place.
Your point about software maintenance introducing a continuous stream of new flaws is well taken, but ultimately I think vendors who take this problem seriously are in a very good position to do something about it.
Why not? All large software projects have flaws. Doesn't more demand for exploits mean more people are going to look for and find them?
> The fundamental moral problem with the market isn't the value being imputed to exploits; it's the lack of value imputed to resilient software.
I think it's both. People shouldn't be selling exploits to entities that will use them offensively. And vendors largely don't care about security as much as they should.
But couldn't employees already create holes on purpose to sell them? With an open market, perhaps I know that there is a bug in IE that involves flash and allows easy access to root. It just sold at 4 million bucks. With a closed market, I may suspect the same thing, but I don't really know for sure. The thing is, the vulnerability, the market, the sale, and the exploit still exist regardless of whether I know about it or not. The only question here is whether other people are in on what's going on in the marketplace.
"The cost to secure a large software project is orders of magnitude higher than the cost to find a flaw and exploit it."
Yes, that is the current state of affairs. But the current state of affairs is that there are all sorts of vulnerabilities that the average person doesn't see. It's not the cost to secure a large project, it's the relative cost to the customer base of the exploit versus the current margin to the software provider. That's the way it should have been working all along. If you sell me a product for a buck and it steals my bank account -- or even if there is a one-in-a-million chance of it stealing my bank account -- I'm not buying it. Right now vendors create walled gardens and put everything in there. What probably should be happening is that separate physical devices should handle different types/values of things. My iPad should probably never both run Angry Birds in Space and control my brokerage account. That's simply too many eggs in one basket. Vendors get away with this because they are trying to hide all of the hidden risks. It's my belief that this practice has to stop. Immediately.
Because as technologists we love to generalize we are always trying to create multi-purpose walled gardens. But that's not the way anything else works in the world. My wallet does not also function as a gaming device, something I wave around to exercise with, and a device for meeting girls. I don't take all the physical cash I own to Starbucks and build little towers out of it. We keep things in physically separate areas for a very good reason -- it decreases risk. (And we accept various kinds of risk for various kinds of things) Opening up this market will only cause an evolution that has needed to occur for a decade or more: the end of the general-purpose computer.
Most corporate programmers would have no idea who would buy such a thing or what the right price is. Making that market clear and making transactions easy should increase production. That's what every commodities market does. As an example, consider the Chicago Mercantile Exchange, the early history of which is well described here: http://www.amazon.com/The-Merc-Emergence-Financial-Powerhous...
Ouch. Remind me never to have that guy review any of my books.
I understand what you are saying, and I understand why it's feasible to keep it small, concealed and restrict participants to certain customers. At least early in the game.
What I'm saying is that this state of affairs is temporary at best. Forbes is out with it. There will be many more articles. The prices are already in the 6-figure range. Soon they'll be at seven figures. No matter what we'd like the market to be like, any programmer with Google access should easily be able to determine he could make himself a millionaire just by releasing a vulnerability into the wild. Whether that information is easy to find right now or not is moot. It'll get easier. We're all connected. Supply meets demand. No amount of wishing it weren't so is going to change any of that. Works this way for illegal drugs, will work this way for security vulnerabilities.
I think the question here is whether to shun, outlaw, shame and hide this kind of stuff or to embrace it. In my opinion, we have enough examples that the first choice doesn't work so well, whereas the second choice benefits the rest of us even if we find the entire affair distasteful.
But I believe the greater point is that there are so many people affected by this hidden market that keeping information from them should be a crime. Yes, I wish that we could live in a world where we could slap a big old Google, Microsoft, Amazon, or Apple logo on something and know that it is safe. But that world doesn't exist and it's never going to exist. Might as well start living in the world we find ourselves.
Illegal drugs is a poor analogy; there are a lot of participants in the market, a lot of small transactions, and it can be a victimless crime. If you are looking to buy a little weed, your friends probably don't care.
A better one is high-end weapons. E.g., missiles. That's a market that's relatively small and obscure, and the prices are high. State actors can get away with trafficking, but individuals run a substantial risk of running across sting operations and other law enforcement activities. Further, as long as the market is widely reviled, random citizens are likely to report suspicious activity.
Forfeiture of all money gained as such and a stiff jail sentence should be enough to discourage any but those who are already doing this without public knowledge of the market.
View it like this. The exploits are out there, discovered and used by black hats. The idea that a whitehat security researcher is in any way decreasing the level of security by selling an exploit to Google, or Apple, or any third party, is silly.
The more security researchers that are evaluating software, the more secure we'll be. Zero days will always be around, simply because the incentives are still favoring the blackhats. Until that's reversed, we'll be playing catch up.
The government buying exploits has nothing to do with why we can't have "nice things." We can't have "nice things" because this is a hard world, with people who won't blink to take advantage of poorly designed and poorly coded software.
An exploit for a widely used application, especially a client-side application with a good reputation like Chrome is extremely valuable to someone wanting to create a botnet etc. There's no way to avoid bugs in software, but rewarding security researchers can help mitigate the risk. And security is all about mitigating risk in a cost effective manner.
If Google started paying $200k to match the spot price on the exploit market, the market would react by pushing the price up. Soon Google would be paying $300k, then $400k.
But at some point, that price appreciation has to stop, because there will stop being counterparties who will see $500k or $700k as a rational price to pay for an exploit.
When that happens, one of the legs of the vulnerability market will get knocked out; the market will have discovered some approximation of the true value of an exploitable security vulnerability (again: that value is based on immoral behavior, but reality doesn't care about that). Google will pay it, because it can, because the final price of exploitable vulnerabilities is certainly a tiny tiny fraction of their total overhead, and because Google has an advantaged long-term position that will enable it to control the supply of exploits and eventually bring its costs back down.
Are there any documented cases of malware killing someone? All this cyberwarfare stuff seems a little overblown.
In Myanmar, this kind of thing has circulated: http://www.crime-research.org/news/05.10.2007/2928/
Another virus, sent to the Dalai Lama's office, was used to track Tibetan sympathizers, probably by the Chinese government.
There are REAL cases where REAL people's lives are put in danger. Everyone uses email now and usually does so on insecure platforms.
I almost support the person in this article, but I wished he would sell only to Europe and USA out of ethical concerns instead of simple profit optimization, because otherwise, he would have the same responsibility as an arms dealer selling weapons to Syria.
Another metric you could use is who causes the most deaths, in which case the US is pretty high up on the unethical list.
A wrench can explode a reactor, but it is not made specifically to blow up a reactor. Stuxnet, on the other hand, was specifically made to do damage to fuel cells. Hence it's a weapon and a wrench is not.
I don't think it's fair to characterize the intention of stuxnet as blowing up reactors. From what I've read, the purposeful damage it was designed to inflict was to disable uranium-enriching equipment. I don't recall reading anything about purposeful attempts to use the software to kill or wound.
That's where I'd draw the line: purposeful killing. So I'd describe this as a case of cyber-sabotage -- not a case of cyber-war.
1. Stuxnet was designed to slow Iran's progress toward developing their own nuclear power (and weapons).
2. Nuclear power is a cleaner alternative to burning fossil fuels.
3. Fossil fuels are the cause of many deaths through pollution, mining accidents, and wars over oilfields.
4. Therefore, by delaying Iran's use of nuclear power, Stuxnet resulted in an increase in killing or wounding, via wars over oil and pollution.
> That's where I'd draw the line: purposeful killing. So I'd describe this as a case of cyber-sabotage -- not a case of cyber-war.
Sabotage can be a tactic used in an ongoing war.
I think the exploits are probably most useful for spying.
I don't know about anyone else, but I'll take an infected computer over gunfire any day.
No exploit > No Stuxnet > No Death
Sometimes you can exploit a bug to give you something, sometimes it's just a plain old bug.
People only pay for the security-critical ones.
"57 Small Programs that Crash Compilers" http://blog.regehr.org/archives/696
(14 comments) http://news.ycombinator.com/item?id=3794934
As an additional point, if either side becomes known as a bad actor in the market, they will severely limit their ability to operate. There is some short term incentive to be dishonest (more money now), but in the long term it removes the ability to earn in the future. Like selling your fishing rod for fish today, tomorrow you'll be hungry again, only now you can't fish. (To butcher a cliche.)
I've heard they'll actually pay for one they already have if they hear a broker selling it. In this case, they are paying to keep it scarce (as these deals come with exclusivity).
Grugq makes me think of Gerald Bull.
The value of a zero day is largely rooted in the fact that it hasn't been disclosed publicly and any widespread use of a zero day threatens that value. Zero days will be used when the risk of discovery is very low or the payoff is very high and attacking random people who visit dodgy websites is unlikely to meet those conditions.
2. Push as many links for subscription to "legit" porn sites (those 5-7 minute videos with a "view more / view the full version here")
3. Take a % on the people that register through that
That and ads are the main income source. The percentage of people who end up subscribing is very small, but then again a dozen bucks buys you a lot of bandwidth these days.
I believe they recently paid out 2x $60,000 prizes.
Admittedly, I'm probably just being sentimental about my childhood, but that's how I remember it.
Three very common cases. Would quarter million dollar exploits be used for these? Probably not, but it doesn't change the fact that there are legit reasons to buy, sell, and use zero-day vulnerabilities.
But then the law is a strange thing.
Also the buyer could stay anonymous too.