How To Go Broke Selling Zero-Day Exploits 66
Trailrunner7 writes "Despite all of the hand-wringing and moral posturing about the public sale of security vulnerabilities, it turns out that not many people are buying or selling vulns, and the ones who are aren't making much money at it. A new survey of security researchers who sell vulnerabilities either publicly or in private, directed sales found that the vast majority of the flaws sell for less than $5,000. Almost none of them sell for much more than $10,000. At those prices, there's little chance that this is going to turn into the chaotic Wild West marketplace that some people predicted. It's a small, mostly controlled market that isn't making anyone rich."
Not such good news, really (Score:4, Insightful)
It means that supply is keeping up with demand.
Re: (Score:2)
Whoops, never mind... didn't RTFA...
Don't worry (Score:3, Funny)
Neither did the mods. :)
Re: (Score:2, Interesting)
Re: (Score:3, Interesting)
$5,000-$10,000 per exploit, tax-free? This seems like nothing to you?
Depends how much work and time you had to put into it. You won't come up with a new 0-day every day ...
Re: (Score:1, Insightful)
Spend two months per 0-day and you are mediocre. Spend a month and you're pretty comfortable.
Re: (Score:2)
No, it means that in one of the few examples of a laissez-faire market in the modern world, Veblen [wikipedia.org] was right. No matter what the economic system, the main engine of expanding commerce, inventors, get fucked.
(For those interested in original text, I would note that all his major works were published in the late period of the public domain, including The Theory of the Leisure class (pdf). [psu.edu]
Survey participation (Score:5, Insightful)
I would think that the "companies" doing lucrative business selling exploits would not be voluntarily participating in a survey of this sort.
Re: (Score:3, Insightful)
I would think that the "companies" doing lucrative business selling exploits would not be voluntarily participating in a survey of this sort.
This "journalist" has never heard of selection bias, obviously.
"You're doing it wrong." (Score:5, Insightful)
Selling fully functional botnet time == probably a lot more
It's unfortunate, but I don't see it changing in the near future.
Re:"You're doing it wrong." (Score:5, Funny)
Are you sure about that?
I know of a certain company in Redmond that sold vulnerabilities in bulk packages. They seem to be doing alright.
Re:"You're doing it wrong." (Score:5, Funny)
I know of a certain company in Redmond that sold vulnerabilities in bulk packages. They seem to be doing alright.
They didn't sell vulnerabilities. Those were features - added at no additional cost. Loss-leaders, if you will.
Re: (Score:2)
I know of a certain company in Redmond that sold vulnerabilities in bulk packages. They seem to be doing alright.
They didn't sell vulnerabilities. Those were features - added at no additional cost. Loss-leaders, if you will.
They're not features until they get documented.
Re:"You're doing it wrong." (Score:4, Funny)
They're not features until they get documented.
Wait... they're easter eggs?
Re: (Score:3, Funny)
They're not features until they get documented.
Wait... they're easter eggs?
Exactly.
Re: (Score:2, Insightful)
Dammit mods (Score:1, Insightful)
This should be marked as Insightful.
(Currently marked as 3, Insightful)
You took that too literally. I think that the parent was talking about grandparent, not his post, even though he said this...
Re: (Score:1, Funny)
Maybe they will come up with the idea of the "Exploit Store" and a similar business model
Re: (Score:2)
Monetization / Productization. (Score:5, Insightful)
Turn the idea into a product, turn the product into money.
Sell a service providing the customer with the FINAL (or as close to the final) product as possible.
Use your zero-day exploit to build a zombie army and sell spam services.
Or collected credit card info.
Or bank account info.
Or access to corporate networks.
The do-it-yourself customer isn't going to spend a lot of money for something that he might not be able to verify.
$5000 not much money...HERE. (Score:1, Insightful)
Maybe in the US it's not much money, but in eastern Europe and most of Southeast Asia, $5000 is a shitload of money. Some places, that's more than people make in a year.
Maybe you think it's small change, but if you're living in some parts of southeast Asia, $5000 every 3-4 months feeds, clothes and houses your entire family.
Missing component: trust in the seller (Score:5, Insightful)
Right now there's no way to have much confidence that you're actually getting what you're paying for. If the exploit doesn't work, what recourse do you have? This is a pretty common element in any underworld economy, but is exacerbated by the Internet's anonymity and the newness/smallness of this particular market.
The bad news is, other underworld markets eventually overcame this problem.
Re: (Score:2)
Developers (Score:3, Insightful)
Probably companies buying exploits on their own apps - cheaper and more reliable than whatever pidgin-English speaking offshore muppets currently do QA/testing for them.
Re: (Score:1, Flamebait)
I duel licence my vulnerabilities; GPL and Microsoft Open License.
(shrug) My computer is disposable. (Score:1, Insightful)
In the unlikely event I get a computer-killing virus, trojan, or exploit (hasn't happened since 1985), I figure I'll just trash the thing and buy another one for $300-400. Computers have become disposable just like other appliances.
Re:(shrug) My computer is disposable. (Score:5, Insightful)
In the unlikely event I get a computer-killing virus, trojan, or exploit (hasn't happened since 1985), I figure I'll just trash the thing and buy another one for $300-400. Computers have become disposable just like other appliances.
It's not the computer that has value, it's your data.
Re: (Score:2)
But your data lives in the cloud -- GMail, Flickr, Facebook, etc. have all the content you've generated, and thepiratebay et al. have all the pr0n that was clogging your hard drive.
The cloud is not a truck.
Re: (Score:1)
Just so the cloud is not a brick.
Re: (Score:1)
Even for those where this is true (most of my data still lives on my hard disk, and I like it that way), there's still a bit of personal data criminals are very interested in. Like your online banking password.
Re:(shrug) My computer is disposable. (Score:5, Insightful)
Must be nice to have that kind of money to burn. For many of the rest of us, neither computers nor other appliances are disposable.
Re: (Score:2)
"...it's a small, mostly controlled market..." (Score:1, Funny)
Re:"...it's a small, mostly controlled market..." (Score:4, Funny)
Re: (Score:2)
Teabaggers want more regulation?
No they don't. Perhaps you mistyped and meant "I am a big government moron."
Also known as a Democrat.
Re: (Score:2)
(I copy pasted most of my question.)
Re: (Score:2)
only two words ... (Score:2)
become politician
The ones getting rich... (Score:5, Interesting)
...are the ones who aren't selling the exploits they find.
Re: (Score:2)
Not much market, if others know you have it (Score:4, Interesting)
Well, duh. (Score:5, Funny)
Guy: Hi, I have a security vulnerability, I'll tell you the details for $10k.
Software Company: Ok, show us the vulnerability.
Guy: Ok, I'll come over and demonstrate on my computer.
Software Company: Oh no, not on your computer, you could have set your computer up to be vulnerable. Do it to our computer, so we know you're not tricking us.
Guy: Ok, fine (launches attack on company computer)
Security Researcher A: Ok, the attack's coming in. Let's see what it's doing.
Security Researcher B: Ok, looks like a buffer overflow in the third step of the authentication process. Let's go tell our developers.
Guy: Guess what, it worked. Looks like I'm not tricking you after all. So, will you buy the vulnerability from me for the $10k we agreed on now?
Guy: ...
Guy: Guys?
Re:Well, duh. (Score:4, Insightful)
I might not be the best idea to stiff someone who's highly skilled at finding security vulnerabilities in software. Especially if you ARE a software company.
Re: (Score:2)
Re: (Score:2)
You're assuming that people willing to buy and sell exploits, something at the very edge of legality and ethics, is going to obey a contract?
These kind of relationships are enforced through fear, and the desire to maintain the relationship. Do you think drug dealers try to sue someone when a drug deal goes bad?
$10,000 ain't chump change (Score:5, Insightful)
$10,000 is a chunk of change in former Soviet Union. For that matter, it's a chunk of change for me too even being in the States but not as enriching as former USSR.
In any event my understanding from info I read (mostly here on /.) is that the big money is made from herding botnets to sell time on for spam, phishing, etc. activities. The same people who put together these exploits in packages to sell are already using them to build gigantic botnets.
I would not be surprised if they are able to tap into the botnets built with exploit packages they sell.
FWIW, the range of IP addresses my web site has been targeted from for phpBB spamming is truly awesome, I haven't seen anything like it before in the eight years I've had the site up. Also the amount of money reported in news as stolen from bank accounts is staggering.
I don't know what kind of happy talk article this is, but botnets are alive and well and thriving, and someone is getting rich at the expense of lots of victims who also unknowingly supply bots for the net. Whether $10,000 from an exploit package sale, or for a multi-billion spam run, or transferred out of a bank account, it adds up.
rd
Good for the goose is good for the gander (Score:2)
If the black hats share resources by selling one another exploits, or cloaking packages it just takes less work for the the white hats to patch the problem or break the cloak.
the geniuses get peanuts, as usual (Score:1)
I heard IBM is giving them away free with a USB ke (Score:1)