<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in iDefense Underbids on Vista Vulnerabilities</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Fri, 19 Jan 2007 16:35:33 -0000</lastBuildDate><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321408</link><description>One explanation of the imbalance might be the idea that you can sell an exploit/vuln to iDefense for $8k and not have your family kidnapped until you find another for the Russian mob....&lt;br&gt;&lt;br&gt;It's the Hurley Theory of Embezzlement - if you are going to do something illegal for money, make sure you get enough on the first try to retire and disappear forever...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ross Brown</dc:creator><pubDate>Fri, 19 Jan 2007 16:35:33 -0000</pubDate></item><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321407</link><description>"...I'm sure many researchers sell to iDefense because they know the vulnerability is going to a legitimate party and won't be used for malicious purposes."&lt;br&gt;&lt;br&gt;And how do they know? iDefense and 3Com do background checks on their customers to decide if they are eligible to receive 0day information? What are the criteria? What prevents organized crime from setting up a front company, a facade, to buy 0days from them? What prevents 'malicious' users at their customers' organizations from using the legitimately acquired 0day for evil purposes? Or are you so naive as to think that the 'bad guys' are unemployed, self-employed or 'employees' of organized crime only? 
My point?&lt;br&gt;The sellers are not the sole participants of the grey market; it's very likely that there are 'grey' buyers as well.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ivan</dc:creator><pubDate>Wed, 17 Jan 2007 22:57:07 -0000</pubDate></item><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321406</link><description>"If you are a researcher who is capable of finding Vista/IE7 bugs (maybe I am underestimating how easy it will be to find remotes), and you were inclined to sell vulnerabilities, are you really going to give iDefense a 50%+ discount? I suspect if you do, it is because you don’t have anyone else who is willing to buy it from you."&lt;br&gt;&lt;br&gt;Not necessarily. I'm sure many researchers sell to iDefense because they know the vulnerability is going to a legitimate party and won't be used for malicious purposes. And if they can profit off of that then great. Selling to someone willing to offer $25,000+ probably means that buyer can make more than that off of your work. If Verisign/iDefense can't justify paying that much, then who are you selling to who can? What will they be using it for? It's not worth the risk. I have never personally sold a vulnerability, probably never will. But I only see two reputable vulnerability buyers in the market these days, iDefense and 3Com. Don't sell your work to just anyone, you never know the kind of damage you may be creating. Just my opinion.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris</dc:creator><pubDate>Tue, 16 Jan 2007 13:37:26 -0000</pubDate></item><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321405</link><description>I'm not so sure about the 50k price tag myself.  
The underground market would see far more ROI for a remote exploit given the common uses of botnets, phishing, etc.; however, Vista isn't very widely deployed.  One could claim that Vista exploits have a higher cross-platform potential on older MS operating systems.  An IE7 exploit would be profitable given the uptick in iframe exploits I've seen in the last few months.  Turning vulnerabilities into dollars isn't that difficult for the criminally minded.   &lt;br&gt;&lt;br&gt;Someone like Tipping Point can say to their clients, "Here is some vaccine[tm] to protect you against 0day attacks.  While MS takes the time to craft a patch you will not be affected by this vulnerability."  This has less economic value overall but still more than iDefense, who simply assumes the role of advisor.  Public and legal entities can't make back the same kind of money right away and with something like publicity the earnings are "soft" and more difficult to calculate.  &lt;br&gt;&lt;br&gt;This is all speculation though and I'd be interested in hearing what people here think are criteria for pricing.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Oliver Day</dc:creator><pubDate>Mon, 15 Jan 2007 20:03:44 -0000</pubDate></item><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321404</link><description>Another point to make: no one guarantees that the so-called 0-day really is a 0-day. 
The seller could have used it before, or sold it before, and still the knowledge of the existence of this vulnerability/exploit is not widely known.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ofir Arkin</dc:creator><pubDate>Fri, 12 Jan 2007 04:19:35 -0000</pubDate></item><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321403</link><description>Bear in mind also that in the grey market you're not restricted to selling to just one party.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 11 Jan 2007 17:38:38 -0000</pubDate></item><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321402</link><description>What are they doing with the vulnerabilities you sell them:&lt;br&gt;&lt;br&gt;One or more of:&lt;br&gt;&lt;br&gt;Selling the information on at a profit probably to multiple clients&lt;br&gt;&lt;br&gt;Breaking into systems for money&lt;br&gt;&lt;br&gt;Generating publicity (iDefense)&lt;br&gt;&lt;br&gt;They certainly aren't providing the information to a vendor at a $10k+ price point unless their real motive is publicity</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Josh Daymont</dc:creator><pubDate>Thu, 11 Jan 2007 15:45:53 -0000</pubDate></item><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321401</link><description>Tom, the (sarcastic) idea has nothing to do with disclosure and researcher credit.  It would probably create the opposite of what we have now (some disclosure, some credit).  
I'm trying to make a point that whatever the reasons for security QA, they're not 100% economic because the price offered for 0-day is so low (as you point out).&lt;br&gt;&lt;br&gt;There are 2 extremes that security QA swings between:  100% economic and 100% free/ego-based.  The former is what you'd have if somehow there was a corporate monopoly on security QA.  The latter is what you'd have if the early warez scene mentality somehow dominated.  Of course, neither extreme is feasible -- there's always someone to whom credit matters more than any amount of money or someone who wants to sell warez no matter the peer pressure not to.&lt;br&gt;&lt;br&gt;My point is: given that continuum, it's obvious each person involved in security QA makes their own decision where they want to stand.  And people change over time as their motives change (e.g., "selling out").  It's pointless to sit and argue about what's the 'right' way since people have different motivations.&lt;br&gt;&lt;br&gt;However, if everyone could see the ending price for vulnerability auctions, it would give a clearer view of the value researchers who do it for free are giving the world.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Nate</dc:creator><pubDate>Thu, 11 Jan 2007 14:44:13 -0000</pubDate></item><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321400</link><description>I see it as guaranteed cash flow, versus selling an exploit online to who knows who. Trend Micro may have seen exploits going for $50k, but it wasn't confirmed and nobody knows if that's what the exploit actually went for. &lt;br&gt;&lt;br&gt;I'll compare selling exploits on IRC/iDefense, to winning the lottery. You have two choices:&lt;br&gt;1) a guaranteed lump sum (with a paycut) or &lt;br&gt;2) paid over an undetermined time period in X installments. 
&lt;br&gt;Who knows what will happen in the future, and I don't exactly trust `v1ru$buy3r` on IRC to pay me.&lt;br&gt;&lt;br&gt;Also, in my opinion, exploits decrease in value the longer they are 'known.' This gives the vendors time (through luck) or other methods to identify and patch that vulnerability.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Marcin</dc:creator><pubDate>Thu, 11 Jan 2007 14:09:04 -0000</pubDate></item><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321399</link><description>Buy an exploit, sit on it for a while, distribute the knowledge through a service for your clients, show them your value, risk the rest...&lt;br&gt;&lt;br&gt;Dr. Dave and I used to work for such a company...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ofir Arkin</dc:creator><pubDate>Thu, 11 Jan 2007 04:26:54 -0000</pubDate></item><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321398</link><description>Mr. Dole:&lt;br&gt;Good security folks aren't cheap, and larger orgs will have management overhead (and things like health insurance, office space, equipment, LEGAL), and finding a vulnerability can also have an opportunity cost (if the person isn't a dedicated vulnerability researcher).&lt;br&gt;&lt;br&gt;Tom:&lt;br&gt;You aren't a doctor?  Why have I been getting medical advice from you?  
Next someone is going to tell me that this isn't the real Bob Dole!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave G.</dc:creator><pubDate>Wed, 10 Jan 2007 23:02:06 -0000</pubDate></item><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321397</link><description>I'm not a doctor (one semester at UIC, total), and $1k/day is on the low side of reasonable (as a 1040 bill rate) for the kind of person who can routinely produce Vista remotes.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 10 Jan 2007 22:36:10 -0000</pubDate></item><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321396</link><description>Thus Dr. Ptacek has revealed his salary to be 260k a year ;) Lucky him!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bob dole</dc:creator><pubDate>Wed, 10 Jan 2007 22:07:28 -0000</pubDate></item><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321395</link><description>Mike, if it takes you 3 weeks to find and refine a vulnerability, 15k is probably a break-even point.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 10 Jan 2007 20:45:20 -0000</pubDate></item><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321394</link><description>0bay - New &amp;amp; used exploits, remotes, locals, vulnerability goods &amp;amp; more at low prices.&lt;br&gt;&lt;br&gt;Maybe the idea isn't that bizarre.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">LMH</dc:creator><pubDate>Wed, 10 Jan 2007 18:29:56 -0000</pubDate></item><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321393</link><description>Of course, iDefense is also asserting a claim to exclusivity and some ownership of your intellectual property. Maybe on the open market, exclusivity is more negotiable and you can make the rounds with your exploit to multiple buyers. Bidding is a possibility on the open market as well; iDefense is setting the price, and low-balling at that, so maybe there are better-connected sellers with better exploits that iDefense can't even engage at their prices?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">David McKinney</dc:creator><pubDate>Wed, 10 Jan 2007 18:20:35 -0000</pubDate></item><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321392</link><description>If I'm getting 10-50k for a vuln, who cares if someone knows I wrote it or not?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike F.</dc:creator><pubDate>Wed, 10 Jan 2007 18:20:27 -0000</pubDate></item><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321391</link><description>How would that market value willingness to disclose and credit the researcher?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 10 Jan 2007 18:14:04 -0000</pubDate></item><item><title>Re: iDefense Underbids on Vista Vulnerabilities</title><link>http://www.matasano.com/log/673/idefense-underbids-on-vista-vulnerabilities/#comment-2321390</link><description>What we need is a bug/payment escrow service.  
I hand you the working 0-day, you verify it in a private lab, find buyers, and take the money from the highest bidder.  Don't tell me who it is.  You take a 10% cut and pay me.&lt;br&gt;&lt;br&gt;This would be awesome because the market would find a natural equilibrium between losses due to phishing and banks' willingness to pay to protect their customers, for example.  Or maybe some vendor thinks their rep is worth more than $8k.  Everyone wins!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Nate</dc:creator><pubDate>Wed, 10 Jan 2007 17:46:33 -0000</pubDate></item></channel></rss>