The hypocrisy of the zero-day exploit trade
In the high-priced market of exploit sales, developers resist government regulations -- but are more than happy when one wants to open its coffers to them.
The debate around the sale of vulnerabilities and exploits is again playing out within the security community, and this time it comes with a new twist.
It's really an old debate, one which heated up in 2009 when a group of well-known researchers announced their "No More Free Bugs" intention to the crowd at the annual CanSecWest hacker show in Vancouver.
At the time, Dino Dai Zovi, Alex Sotirov and Charlie Miller, annoyed that vulnerability hunters weren't being properly compensated for their discoveries, reacted, in true capitalistic spirit, by telling the world that they just want to get paid.
But since then, the conversation has taken on a much different tone. Remember, back in 2009, the scale of the advanced persistent threat and spy viruses weren't yet realized. There was no Stuxnet, no Flame, no Gauss. But as nation-states, prominent among them the United States, began using cyber weaponry and engaging in a modern-day arms race, governments now are paying a pretty penny for zero-day exploits, which are those attacks and threats for which there is no defense. In other words, today's researchers are selling the exploits to people who presumably want to use them, not fix them.
It's necessary to underscore the immensity of this fundamental shift. Researchers seemingly are becoming very incentivized to find vulnerabilities and create exploits that governments can use to launch attacks. As such, they appear to be becoming less incentivized to find these same vulnerabilities – and report them to the affected vendor for patching, even as bug bounty programs become more prominent.
And what it has created is a new breed of researcher who is also part mercenary -- someone who can earn hundreds of thousands of dollars by selling their discoveries to the highest government bidder. Most known of this group is France-based Vupen Security, which won a series of hacking contests at this year's CanSecWest event, but chose not to enter the competitions where they'd have to reveal the details of their exploits, opting instead to save those treasures for a government agency, better known as their deep-pocketed customers.
As Andy Greenberg of Forbes reported about Vupen in March, its business model is a risky endeavor:
It's this mindset that has prompted concern from the Electronic Frontier Foundation (EFF), an internet civil liberties group, which argued in a March blog post that the researchers and government buyers involved in these deals are both responsible for making the internet less safe.
Believing the group was implying that government regulations were necessary to oversee exploit sales, some coders felt attacked by the EFF (check out the thread here), which regularly advocates on behalf of security researchers.
As a result, the debate over exploit sales has now morphed beyond money and into a conversation around personal freedom and libertarianism.
Some researchers consider any attempt to regulate the exploit trade to be an attack on the free market. They believe they have a right to sell their research to any viable buyer – even if that's another government. And anything that prevents them from doing that is an unfair infringement on their basic rights.
David Maynor, founder and CTO of Errata Security, a vulnerability services company, is the most recent person to run with this argument.
Maynor's remarks sound like when Goldman Sachs CEO Lloyd Blankfein famously said that he and his firm were doing "God's work."
Let's continue with the Wall Street theme for a moment and compare it with the exploit market. The 2008 financial collapse -- from which the country hasn't come to close recovering -- underscored an extreme and desperate need for regulations. But these regulations have barely come, and the ones that have are token gestures at best.
Like Wall Street honchos, some exploit developers are wholeheartedly opposed to the government meddling in their business affairs. But just like Wall Street, they're more than happy to accept
government taxpayer money. That strikes me as hypocritical, but it also may create a market imbalance.
The government shouldn't be buying 0day in secret as it upsets the market with public money. It's basically welfare for already rich people.— Jacob Appelbaum (@ioerror) August 15, 2012
Some researchers, even ones who have admitted to selling exploits to governments for a handsome sum, suggest that the pricing signals that Appelbaum speaks of must change.
But what makes the trade of zero-days perhaps even more shadowy is that there is virtually no transparency around the process. At least the American public knew how much moolah it had to cough up to ensure that the banks were, indeed, too big to fail.
The fact researchers sell exploits to the government is bad for everyone, but is predictable given the dynamics of the vulnerability market.— Charlie Miller (@0xcharlie) August 14, 2012
@jcran As an initial matter, I'd like to see mandatory reporting of sales (buyer,seller,$). Obviously, not with details of the actual vuln.
— Christopher Soghoian (@csoghoian) August 15, 2012
The irony of the situation is that regulations around exploit sales would force the government to stay in check too, not just the sellers, as they are among the biggest buyers.
More to come from this saga, and I don't claim to have all the answers. Exploit hunters certainly have a right to profit from their discoveries, but I just hope transparency wins out. Because when we're talking about governments buying high-powered, offensive cyber weaponry that could -- and apparently easily -- fall into the wrong hands or result in collateral damage, we're probably better off knowing about it.