Welcome to the Malware-Industrial Complex
February 14, 2013 12:32 PM   Subscribe

Sometimes the discoverer of a zero-day vulnerability receives a monthly payment as long as a flaw remains undiscovered.

?
posted by Sys Rq at 1:03 PM on February 14

Sometimes the discoverer of a zero-day vulnerability receives a monthly payment as long as a flaw remains undiscovered.

?

...By anyone else other than the discoverer and the people using the zero-day, I would presume.
posted by Strange Interlude at 1:07 PM on February 14 [2 favorites]

Sometimes the discoverer of a zero-day vulnerability receives a monthly payment as long as a flaw remains undiscovered.

?

I'm pretty sure they're saying you get residuals for as long as the bug goes unfixed, and phrasing it poorly.

All this talk of the market for zero day exploits, but they never mention who I should call to sell them.
posted by atbash at 1:08 PM on February 14 [1 favorite]

This isn't new by any stretch but it's certainly going to get worse.

>Sometimes the discoverer of a zero-day vulnerability receives a monthly payment as long as a flaw remains undiscovered.

The person that finds a secret back door in a software program and sells it to a bidder keeps making money until someone else discovers the back door, and presumably announces it to security researchers and the software company to be fixed.

Putting on my paranoia hat, that lends a certain scariness to all software you don't write yourself.. how can you be 100% sure the developer isn't making a little extra on the side by including a flaw?
posted by anti social order at 1:11 PM on February 14 [6 favorites]

Ahhhh. Yeah, that makes more sense.
posted by Sys Rq at 1:11 PM on February 14

The business of selling zero-days scares me - how many vulnerabilities are being exploited that we don't know about yet? Who knows if someone sold the same 0day-exploit to both the good and bad guys, however you define them. If there are any good guys at all.

I work in the computer security business, and we do find 0day vulnerabilities now and them. Most of the time we can't report the issues our self for confidentiality reasons, but we always make sure our client reports it (which means we never get the credit, but that is the nature of our job).
posted by rpn at 1:18 PM on February 14 [1 favorite]

anti social order: " how can you be 100% sure the developer isn't making a little extra on the side by including a flaw?"

You don't even get that far. You can't trust the compiler. Do they not teach Thompson any more? Woe betide anybody who talks about trusting code without having read Reflections on Trusting Trust.

Of course, that's if you're naive enough to trust the hardware your code runs on. (thanks acb).
posted by boo_radley at 1:18 PM on February 14 [6 favorites]

All this talk of the market for zero day exploits, but they never mention who I should call to sell them.

Don't worry...they know where you are...
posted by Thorzdad at 1:20 PM on February 14 [3 favorites]

Even civilian law-enforcement agencies pay for zero-days, Soghoian says, in order to sneak spy software onto suspects’ computers or mobile phones.

That seems like the kind of thing that would have been illegal, back when we had restrictions on the power of law enforcement agencies.
posted by Horace Rumpole at 1:53 PM on February 14 [3 favorites]

That seems like the kind of thing that would have been illegal, back when we had restrictions on the power of law enforcement agencies.

It's in the really, really fine print of the 4th Amendment.
posted by ryoshu at 3:00 PM on February 14 [1 favorite]

I have discovered a bug in which Firefox goes slower and slower the longer I leave it running. Please send me some money.
posted by Joe in Australia at 3:20 PM on February 14 [3 favorites]

Putting on my paranoia hat... how can you be 100% sure the developer isn't making a little extra on the side by including a flaw?

People can be bribed to dump toxic waste into the sources of their own drinking water. Why would you take your paranoia hat off?

I really like M.Report's comment: "insurmountable opportunity."

U.S. law enforcement agencies play with their 4th amendment interpretations so much they're going to need glasses.
And we keep monkeying with our own systems hoping the monkeying will protect us from monkeying. Like - ah, hell, we can always buy bottled water if it gets too bad.

This situation reminds me of Mithridates. He was the king of what's now mostly Turkey in 70 (odd) B.C. and he was afraid of being poisoned by his enemies, mostly the Romans and Cappadocians, and his friends. Mostly his friends.
So he'd take arsenic and honey and opium and other stuff (mostly opium) as a proactive antidote

This would build up his tolerance enough that his system would withstand the shock without killing him.
So, he eventually lost to the Romans (Pompey) and in order to avoid capture he took poison, which, of course, failed to kill him:
"Though I have kept watch and ward against all the poisons that one takes with his food, I have not provided against that domestic poison, always the most dangerous to kings, the treachery of army, children, and friends."
posted by Smedleyman at 4:16 PM on February 14 [1 favorite]

Joe in Australia: "I have discovered a bug in which Firefox goes slower and slower the longer I leave it running. Please send me some money."

That's more like a 5 million day vulnerability at this point.
posted by symbioid at 5:04 PM on February 14 [4 favorites]

"Putting on my paranoia hat... how can you be 100% sure the developer isn't making a little extra on the side by including a flaw?"

There are a ton of things to be paranoid about, but I'd put this low on the list (a developer allowing a flaw to exist for his/her country's intelligence agency seems a more likely scenario). You nailed the reason - 'a little extra on the side'; developers at a position to add bugs to critical software (browsers, operating systems) are generally making a good comfortable living. Why would they risk their entire life (ie: job loss, jail, reputation loss/inability to work in industry again) for 'a little extra on the side' (and even a couple of hundred of thousand dollars would be less than a couple years salary). While it may not be illegal to find and sell these bugs as an independent researcher who has no access to confidential information (source, etc), it's very very illegal for an insider to sabotage a code base by inserting a flaw which they then sell.

Also, why would the buyers of such vulnerabilities expose themselves to the risk of buying 'illegal vulns' (purchasing insider knowledge in order to violate security) when they don't have to (can purchase very legally independent security research).
posted by el io at 11:48 PM on February 14

>that's if you're naive enough to trust the hardware

Trust? Never! It's shellcode, all the way down. Everything else is social engineering. That's why I use a telegraph machine and hand craft every IP packet from 1's and 0's. None of that new fangled hex stuff!

But trusting your silicon is actually a pretty interesting area. Huawei and ZTE (Chinese networking companies) both got slapped around by some congress committee last year for being unable to "prove" they didn't have ties to the state or secret back doors. Do they? No clue. But then again it's fairly likely that US tech companies like microsoft or cisco aren't free of influence either.
posted by anti social order at 6:02 AM on February 15