The Virus Bulletin 2012 (VB2012) conference opened in Dallas on Wednesday, with a keynote presentation by Christopher Soghoian taking a look at the murky world of the security exploit industry.
Soghoian has made a high profile name for himself, calling out technology firms for privacy and security issues but used the platform of VB2012’s opening address to raise the curtain on the market for selling security vulnerabilities to the highest bidder in a talk entitled “The trade in security exploits: free speech or weapons in need of regulation”.
According to Soghoian, famed hacker Charlie Miller was the first to admit selling security exploits to the US government, after discovering an exploitable security hole in the Samba server software.
In a phone call, Miller was told by the government agency that they weren’t able to name a price – but that the researcher should name a price instead.
Miller asked for $80,000 which was instantly accepted by the official on the other end of the line. “Oh man, I could have gotten a lot more,” Miller remembered in 2007.
Don’t feel too sorry for Miller, though. He did manage to furnish a brand new kitchen from the proceeds. A picture of the kitchen was briefly pictured on screen by Soghoian, and I can confirm it looked very fancy.
(Update: It was revealed later on Twitter, that the kitchen pictured wasn’t actually Miller’s but from a catalog).
It didn’t take long before legitimate bug bounties were announced by companies such as Mozilla ($500), Google ($500-$1337 for Chrome vulnerabilities) and later Facebook and PayPal , eager that any exploitable security vulnerabilities were reported directly to them rather than exploited by malicious hackers.
It seemed the era of “No more free bugs” might have truly arrived.
And it wasn’t just lone individuals earning a living by selling details of exploitable bugs.
Companies like iDefense and ZDI (Zero Day Initiative) would pay $500-20,000 for exclusive details of exploits, effectively acting as middle-men between the bug-discoverers and the companies whose software was at risk, and selling a subscription service to those who wanted information about the bugs in advance.
Other, less well known, companies working in the field included Endgame Systems.
Endgame’s website doesn’t provide any information about what the company does do (all there is is a contact email address), but they were thrust into the spotlight after the Anonymous hack of HBGary.
Private emails exposed by the hack showed Endgame Systems saying they had “been very careful NOT to have public face on our company”, and the CEO was adamant that they didn’t “ever want to see our name in a press release.”
Endgame Systems’ clients included the US Department of Defense, and their chief scientist was vulnerability researcher Dino Dai Zovi, pictured above holding the “No more free bugs” sign.
Another company, France-based Vupen, is brazen in displaying its lack of interest in playing by the rules that companies like Google would prefer. It’s chief executive and lead hacker Chaouki Bekrar has turned his nose up at $60,000 bug bounties offered by the search engine giant, as Forbes reported:
"We wouldn't share this with Google for even $1 million... We don't want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers."
The truth was – big money was involved now. And Soghoian summed up the state of play quite well during his talk:
“Google and Microsoft can’t outbid the US government – they will never win a bidding war with the army, navy or NSA”
If an exploitable security vulnerability is discovered today, researchers have a choice of full disclosure (letting the whole world know the complete details, before a fix is available), responsibly informing the software company of the issue (and perhaps receiving a bounty) or selling it to the highest bidder.
And the rewards can be considerable.
A Bangkok-based bug broker called “The Grugq” was even pictured in Forbes magazine, a large pile of cash in a bag by his feet, a martini next to his laptop.
The Grugq puts researchers who discover software bugs in touch with those who want to buy them, generating a reported $1 million in revenue per year and taking 15% commission.
According to Forbes, The Grugq is selective about the transactions he chooses to engage in, refusing to deal “with anything below mid-five-figures these days.”
It’s important to realise that, however much of an unpleasant taste this might or might not leave in your mouth, none of these people are acting illegally.
They’ve worked hard, using their skills to discover vulnerabilities in software systems. They are not exploiting these security holes themselves, and they aren’t breaking the law.
But, because details of the vulnerabilities do not always end up with the software company capable of fixing them, because customers and users of software like you and me could be left exposed if details of a vulnerability are exclusively sold to a third party, the exploit industry has something of an image problem.
Christopher Soghoian told attendees at the Virus Bulletin conference that the exploit sellers view regulation as limiting their freedom.
But at some point, the US government is going to realise that just maybe other countries might also be interested in buying exploits for their own ends.. and then regulation will surely follow.
Soghoian left the VB2012 audience pondering the question of whether it’s possible that the exploit trading industry could possibly regulate itself, avoiding the need for interference by the powers that be.
Personally, I’m not sure that that’s going to work.
If the industry attempted to regulate for itself the sale and distribution of exploit information that would not only prove highly unpopular amongst many – who would view it as an attack on their freedom – but will also drive the unregulated sale of exploits, to perhaps unfriendly nations or the criminally-minded, further underground.