Dailydave mailing list archives
Re: (no subject)
From: Dan Moniz <dnm () pobox com>
Date: Fri, 06 Jul 2007 13:01:12 -0400
Charles Miller wrote:
> Have you guys seen the public auction site selling 0-days:
Yep. A friend was kind enough to alert me about it a couple days ago.
> http://www.wslabi.com/wabisabilabi/initPublishedBid.do?
>
> It's probably not a good idea to give out so much information about the vulnerabilities. The Squirrelmail GPG Plugin one says it's a command injection vulnerability. Shouldn't be too hard to rediscover that. Looking at it for 10 minutes, it looks like the exec in gpg_sign_attachment() where shell metacharacters are in $passphrase. I'm too lazy to install it and check. I guess I could pay 1750 euros and find out! The MKPortal one looks pretty easy to find too. It's nice for someone to point these bugs out so we can go look for them! Probably not the smartest way to run the site...
Have you seen the Press Release? Some choice examples, comments inline:

"The exchange will become a global database of every IT security research ever found."

Ambitious, to say the least.

"Recently it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year. Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals."

That's an awfully precise number, and the fact that it would be that exact upper bound year after year is amazing! Who knew variance didn't exist in exploit discovery?

"Researchers can submit their findings to the exchange once they have registered. WSLabi will then verify the research by analyzing and replicating it at their independent testing laboratories."

Begs obvious questions about verifying high-value exploits on systems WSLabi doesn't have and can't procure... let alone the more mundane but crucial questions of what WSLabi does with exploits once they've verified them.

"WSLabi will also help researchers to design the best business model (e.g. selling schemes, starting selling price etc.) which will enable them to maximize the value of their findings. For example, a piece of research that would currently sell to one company on an exclusive basis for $300 - $1000 could sell for ten to twenty times more than this amount using the portal."

Business planning for exploit sales as a value-added service? And they're going to do this for every exploit offered on the site? What do they get out of it? What's their rational actor basis for this?

"Both researchers and buyers will have to identify themselves to WSLabi to ensure they are legitimate. Researchers cannot submit security research material which comes from an illegal source or activity. Buyers will also be carefully vetted before being granted access to the auction platform so that the risk of selling the right stuff to the wrong people is minimized. The marketplace will be free to use for the first six months for both researchers and buyers."

DUN DUN DUN! This will certainly constrain their goal of being a "global database of every IT security research ever found". While it makes sense from a legitimate business perspective (who wants to deal with criminals?), they're sending a mixed message by advocating a supposedly open "marketplace" with all sorts of weird rules and oversight. I don't necessarily think that's bad, but it's at cross purposes with what they're saying. I think there's some misunderstanding of basic economics, the exploit development landscape, or apparently legitimate security research at work here. Probably all three.

--
Dan Moniz <dnm () pobox com> [http://pobox.com/~dnm/]

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
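Charles Miller's guess quoted in this thread has the classic shape of a shell command injection: untrusted data concatenated into a string that exec() hands to /bin/sh. The PHP below is an added example, not code from SquirrelMail, the GPG plugin, or anyone in this thread; the function names, the gpg arguments, the file path and the sample passphrase are assumptions made for illustration. It puts the assumed-vulnerable construction beside the hardened one: escapeshellarg() for anything that must stay on the command line, and the passphrase delivered over stdin so it never touches the shell parser at all.

```php
<?php
// Added example, not code from SquirrelMail or its GPG plugin. It models the
// pattern Charles Miller guessed at (a passphrase reaching exec() inside a
// shell command string) and shows the hardened form. Function names, the gpg
// arguments and the sample values are assumptions made for illustration.

// Assumed-vulnerable pattern: the passphrase is concatenated straight into the
// command line. exec() hands that string to /bin/sh, which parses ; | & ` $()
// and quotes before gpg ever sees the passphrase.
function build_sign_command_unsafe(string $passphrase, string $file): string
{
    return "gpg --batch --passphrase " . $passphrase . " --detach-sign " . $file;
}

// Review aid: does a value contain anything /bin/sh would interpret?
// Useful for spotting the risk during code review, not as the fix itself.
function has_shell_metacharacters(string $value): bool
{
    return preg_match('/[;&|`$(){}<>*?!"\'\\\\\s]/', $value) === 1;
}

// Hardened form, step 1: every untrusted value that must stay on the command
// line goes through escapeshellarg(), which single-quotes it so the shell
// sees exactly one literal argument.
function build_sign_command_safe(string $file): string
{
    return "gpg --batch --passphrase-fd 0 --detach-sign " . escapeshellarg($file);
}

// Hardened form, step 2: keep the passphrase off the command line entirely.
// It is written to gpg's stdin (--passphrase-fd 0), so it never reaches the
// shell parser and is not exposed in the process list either.
function sign_attachment(string $passphrase, string $file): array
{
    $descriptors = [
        0 => ['pipe', 'r'],   // stdin: the passphrase is written here
        1 => ['pipe', 'w'],   // stdout: the detached signature
        2 => ['pipe', 'w'],   // stderr: gpg diagnostics
    ];
    $proc = proc_open(build_sign_command_safe($file), $descriptors, $pipes);
    if (!is_resource($proc)) {
        return ['status' => -1, 'stdout' => '', 'stderr' => 'proc_open failed'];
    }
    fwrite($pipes[0], $passphrase . "\n");
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'stdout' => $stdout, 'stderr' => $stderr];
}

// Constructed sample input: a passphrase is allowed to contain characters the
// shell treats specially, so the code, not the user, has to cope with them.
$passphrase = "pass; echo unexpected";
$file = "/tmp/attachment.txt";   // constructed path, not a real plugin path

echo "unsafe: ", build_sign_command_unsafe($passphrase, $file), "\n";
echo "passphrase reaches the shell parser: ",
     has_shell_metacharacters($passphrase) ? "yes" : "no", "\n";
echo "safe:   ", build_sign_command_safe($file), "\n";

// Only attempt the real call when gpg is present; the two builders above
// already show the difference without it.
if (is_executable('/usr/bin/gpg')) {
    $result = sign_attachment($passphrase, $file);
    echo "gpg exit status: ", $result['status'], "\n";
}
```

Running it prints the two command lines side by side: in the unsafe one the `;` splits the string into two shell commands, in the safe one the passphrase is absent from the command line altogether. On PHP 7.4 and later, proc_open() also accepts the command as an array of arguments, which bypasses the shell completely and makes escapeshellarg() unnecessary; the string form is shown here because it works on every PHP version.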
Current thread:
- (no subject) Charles Miller (Jul 06)
- Re: (no subject) Dan Moniz (Jul 06)
- Re: SquirrelMail GPG Plugin vuln Nicob (Jul 08)