Dailydave mailing list archives

Re: (no subject)


From: Dan Moniz <dnm () pobox com>
Date: Fri, 06 Jul 2007 13:01:12 -0400

Charles Miller wrote:

Have you guys seen the public auction site selling 0-days:

Yep. A friend was kind enough to alert me about it a couple days ago.

http://www.wslabi.com/wabisabilabi/initPublishedBid.do?

It's probably not a good idea to give out so much information about
the vulnerabilities.  The Squirrelmail GPG Plugin one says it's a
command injection vulnerability.  Shouldn't be too hard to rediscover
that.  Looking at it for 10 minutes, it looks like the exec in
gpg_sign_attachment() where shell meta characters are in
$passphrase.  I'm too lazy to install it and check.  I guess I could
pay 1750 euros and find out!  The MKPortal one looks pretty easy to
find too.

It's nice for someone to point these bugs out so we can go look for them!

Probably not the smartest way to run the site...

Have you seen the Press Release? Some choice examples, comments inline:

"The exchange will become a global database of every IT security
research ever found."

Ambitious, to say the least.

"Recently it was reported that although researchers had analyzed a
little more than 7,000 publicly disclosed vulnerabilities last year, the
number of new vulnerabilities found in code could be as high as 139,362
per year. Our intention is that the marketplace facility on WSLabi will
enable security researchers to get a fair price for their findings and
ensure that they will no longer be forced to give them away for free or
sell them to cyber-criminals."

That's an awfully precise number, and the fact that it would be that
exact upper bound year after year is amazing! Who knew variance didn't
exist in exploit discovery?

"Researchers can submit their findings to the exchange once they have
registered. WSLabi will then verify the research by analyzing and
replicating it at their independent testing laboratories."

Begs obvious questions about verifying high-value exploits on systems
WSLabi doesn't have and can't procure... let alone the more mundane but
crucial questions of what WSLabi does with exploits once they've
verified them.

"WSLabi will also help researchers to design the best business model
(e.g. selling schemes, starting selling price etc.) which will enable
them to maximize the value of their findings. For example, a piece of
research that would currently sell to one company on an exclusive basis
for $300 - $1000 could sell for ten to twenty times more than this
amount using the portal."

Business planning for exploit sales as a value-added service? And
they're going to do this for every exploit offered on the site? What do
they get out of it? What's their rational actor basis for this?

"Both researchers and buyers will have to identify themselves to WSLabi
to ensure they are legitimate. Researchers cannot submit security
research material which comes from an illegal source or activity. Buyers
will also be carefully vetted before being granted access to the auction
platform so that the risk of selling the right stuff to the wrong people
is minimized. The marketplace will be free to use for the first six
months for both researchers and buyers."

DUN DUN DUN! This will certainly constrain their goal of being a "global
database of every IT security research ever found". While it makes sense
from a legitimate business perspective (who wants to deal with
criminals?), they're sending a mixed message by advocating a supposedly
open "marketplace" with all sorts of weird rules and oversight. I don't
necessarily think that's bad, but it's at cross purposes with what they're
saying. I think there's some misunderstanding of basic economics, the
exploit development landscape, or apparently legitimate security
research at work here. Probably all three.


-- 
Dan Moniz <dnm () pobox com> [http://pobox.com/~dnm/]
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave