Re: the underground software vulnerability marketplace and its hazards (fwd)

2002-08-22 Thread Mike Rosing

On Thu, 22 Aug 2002, Eugen Leitl wrote:

> If this kind of secret traffic is allowed to continue, it will pose a
> very serious threat to our computer communications infrastructure.

Sure looks like it.

> iDEFENSE is offering a new alternative that appears far more dangerous
> than either of the two previous paradigms.  They want to be a buyer in
> a marketplace for secret software vulnerability information, rewarding
> discoverers of vulnerabilities with cash.

Not that much cash.  It's only $125 for an exploit.  That's not
much in $/hr of effort.

> First, secret software vulnerability information will be available to
> the highest bidder, and to nobody else.  For reasons explained later,
> I think the highest bidders will generally be organized crime
> syndicates, although that will not be obvious to the sellers.

Governments have more cash.  The highest bidders could use it as a
way to keep track of who is doing what, since the web site says
people who find exploits are given full credit.  The mafiosi seem
like the least of our problems with this.

If I got paid, I wouldn't want anyone to have the ability to come find me!

> Second, finding software vulnerabilities and keeping them secret will
> become lucrative for many more talented people.  The result will be
> --- just as in the "responsible disclosure" days --- that the good
> guys will remain vulnerable for months and years, while the majority
> of current vulnerabilities are kept secret.

Not at that rate of pay.  Might be a good way to find talent tho.

> I think the highest bidders will be those for whom early vulnerability
> information is most lucrative --- the thieves who can use it to
> execute the largest heists without getting caught.  Inevitably, that
> means organized crime syndicates, although the particular gangs who
> are good at networked theft may not yet exist.

Yes they exist, and most have 3 letter acronyms.  Well, a few have
numbers in there :-)  A lot of government agencies need cash that
their handlers won't give, so they go steal it.  Since their jobs
are breaking laws, nobody notices.

> Right now, people who know how to find security exploits are either
> motivated by personal interest in the subject, motivated by the public
> interest, motivated by a desire for individual recognition, or
> personally know criminals that benefit from their exploits.  Creating
> a marketplace in secret vulnerability information would vastly
> increase the availability of that information to the people who can
> afford to pay the most for it: spies, terrorists, and organized crime.
>
> Let's not let that happen.

How?  iDEFENSE isn't really breaking any laws, they are just
immoral scum bags.  Maybe the publication of the first person
hunted down and executed by an angry government will slow down
contributors?

Thanks for posting this, the net is getting more and more interesting
:-)

Patience, persistence, truth,
Dr. mike




the underground software vulnerability marketplace and its hazards (fwd)

2002-08-22 Thread Matthew X

> Let's not let that happen.

How, exactly, do you propose to stop it? (w/out APster :) It looks like
blacknet to me, but I'm new here.
Have you been drinking nitrogen again, Eugie?

"If you give people a thorough understanding of what confronts them and the 
basic causes that produce it, they'll create their own program, and when 
the people create a program, you get action." Malcolm X.




the underground software vulnerability marketplace and its hazards (fwd)

2002-08-21 Thread Eugen Leitl

-- 
-- Eugen* Leitl http://leitl.org
__
ICBMTO: N48 04'14.8'' E11 36'41.2'' http://eugen.leitl.org
83E5CA02: EDE4 7193 0833 A96B 07A7  1A88 AA58 0E89 83E5 CA02


-- Forwarded message --
Date: Thu, 22 Aug 2002 00:24:54 -0400 (EDT)
From: Kragen Sitaker <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: the underground software vulnerability marketplace and its hazards

On August 7th, an entity known as "iDEFENSE" sent out an announcement,
which is appended to this email.  Briefly, "iDEFENSE", which bills
itself as "a global security intelligence company", is offering cash
for information about security vulnerabilities in computer software
that are not publicly known, especially if you promise not to tell
anyone else.

If this kind of secret traffic is allowed to continue, it will pose a
very serious threat to our computer communications infrastructure.

At the moment, the dominant paradigm for computer security research is
known as "full disclosure"; people who discover security
vulnerabilities in software tell the vendor about them, and a short
while later --- after the vendor has had a chance to fix the problem
--- they publish the information, including code to exploit the
vulnerability, if possible.

This method has proven far superior to the old paradigm established by
CERT in the late 1980s, which its proponents might call "responsible
disclosure" --- never release working exploit code, and never release
any information on the vulnerability before all vendors have released
a patch.  This procedure often left hundreds of thousands of computers
vulnerable to known bugs for months or years while the vendors worked
on features, and often, even after the patches were released, people
wouldn't apply them because they didn't know how serious the problem
was.

The underground computer criminal community would often discover and
exploit these same holes for months or years while the "responsible
disclosure" process kept their victims, who had no connections in the
underground, vulnerable.

The problem with this is that vulnerabilities that are widely known
are much less dangerous, because their victims can take steps to
reduce their potential impact --- including disabling software,
turning off vulnerable features, filtering traffic in transit, and
detecting and responding to intrusions.  They are therefore much less
useful to would-be intruders.  Also, software companies usually see
security vulnerabilities in their software as PR problems, and so
prefer to delay publication (and the expense of fixing the bugs) as
long as possible.

iDEFENSE is offering a new alternative that appears far more dangerous
than either of the two previous paradigms.  They want to be a buyer in
a marketplace for secret software vulnerability information, rewarding
discoverers of vulnerabilities with cash.

Not long before, Snosoft, a group of security researchers evidently
including some criminal elements, apparently made an offer to sell the
secrecy of some software vulnerability information to the software
vendor; specifically, they apparently made a private offer to
Hewlett-Packard to keep a vulnerability in HP's Tru64 Unix secret if
HP retained Snosoft's "consulting services".  HP considered this
extortion and responded with legal threats, and Snosoft published the
information.

If this is allowed to happen, it will cause two problems which,
together, add up to a catastrophe.

First, secret software vulnerability information will be available to
the highest bidder, and to nobody else.  For reasons explained later,
I think the highest bidders will generally be organized crime
syndicates, although that will not be obvious to the sellers.

Second, finding software vulnerabilities and keeping them secret will
become lucrative for many more talented people.  The result will be
--- just as in the "responsible disclosure" days --- that the good
guys will remain vulnerable for months and years, while the majority
of current vulnerabilities are kept secret.

I've heard it argued that the highest bidders will generally be the
vendors of the vulnerable software, but I don't think that's
plausible.  If someone can steal $20 000 because a software bug lets
them, the software vendor is never held liable; often, in fact, the
people who administer the software aren't liable, either --- when
credit card data are stolen from an e-commerce site, for example.
Knowing about a vulnerability before anyone else might save a web-site
administrator some time, and it might save the software vendor some
negative PR, but it can net the thief thousands of dollars.

I think the highest bidders will be those for whom early vulnerability
information is most lucrative --- the thieves who can use it to
execute the largest heists without getting caught.  Inevitably, that
means organized crime syndicates, although the particular gangs who
are good at networked theft may not yet ex