Got xsploitin’ skillz? Here’s how to get rich!
Posted by Alex Trent
Software crackers who make money breaking other people’s software don’t usually get rich from their skills. With the release of iDefense Labs’ report on Emerging Economic Models for Vulnerability Research, this may be changing.
While somewhat stealthy, or maybe not so stealthy, this paper is clearly an advertisement, a 20 page advertisement at that, aimed at crackers (or “security researchers” or whatever they want to call themselves) who want to make money cracking software, asking them to contribute their skills to iDefense and TippingPoint (owned by 3com) in exchange for monetary rewards. For proof, just look at page four: there is a chart right in the middle of the page detailing how the best hack in a quarter can pull in 10 grand, while the lamest hack of the top five only earns $2000. So, technically, having the most leet hack every quarter for four quarters would earn you $40,000 a year, better than a manager at Burger King!
So, you’ve got your xsploitin’ skillz and you’re ready to go, but who are these companies you’ll be working for? iDefense specializes in reselling the information provided to them via their exclusive subscriber service. They also provide their paranoid readership with special workarounds to use until a vendor releases a patch. Mainly only government agencies and financial institutions with money to blow sign up for this type of service. TippingPoint sells Intrusion Detection System (IDS) products and uses the information provided to them to supply their IDS systems with signatures that will block the offending exploit. Corporate behemoths on the Fortune 500 list are some of their customers. These two companies don’t rely on paid 0day exploits as their only fear tactic. They publish vulnerability reports and even IDS signatures for “public” vulnerabilities.
The report goes on to tell us that crackers, who normally shroud themselves in anonymity, are hard to recruit and sometimes hard to work with because they, not surprisingly, don’t trust the companies. Ironically, this 20 page advertisement tells us that most security researchers working with these companies are recruited by word of mouth. They also tell us that they advertise at cool shows like BlackHat and DEFCON. Then they bemoan how hard it is to work with companies and the “ethical issues.” Apparently vendors seem to have a problem with them paying for hacks from people who could be “malicious.” Also, the industry cries about how they are encouraging people to find vulnerabilities.
Near the end of their report they acknowledge the truth that everyone already knows. Why would a person with a profitable 0day exploit just submit it to them for a mere chance at $10,000 when they could just sell it to 5 people on IRC somewhere in China or Russia for $4000 each and be guaranteed to make twice as much? They also seem to poke fun at Microsoft and their Trustworthy Computing Initiative with this amusing swipe: “If clients lose confidence in a vendor’s ability to produce secure technology, the damage done to a vendor’s corporate reputation can be translated into lost sales. It is for this very reason that Microsoft has spent billions of dollars to launch their Trustworthy Computing Initiative.” Everyone knows how worthless the resulting Trusted Platform Module (TPM) is.
While I do see some benefit from these products, I can’t shake the feeling that this is just another form of blackmail or extortion. The problem is that these services create a group of companies that are privy to this information while everyone else has to wait. This creates two worlds: “private” vulnerability information sold by these companies is made available to their clients, while companies relying on “public” vulnerabilities could conceivably be attacked and exploited by the companies with access to the “private” vulnerability information. Maybe a non-profit that did the same while contributing the exploit information to normal vulnerability channels like CERT would be something I could believe in. If these products end the world of closed source hardware and software then I’m all for it; otherwise I hope they sink to the depths never to return. For that matter, is what these companies are doing even legal?!
About the Author: Alex Trent is a staff writer for WebProNews