When They Said "Get It On eBay", I Doubt This Is What They Meant

from the W32.this-space-for-rent.P@mm dept

The idea of using security exploits to make some cash certainly isn’t anything new — online extortion schemes have been fairly popular, even if script kiddies are killing the margins. But apparently discovering security vulnerabilities and selling them off to the highest bidder is a growth industry, according to one security firm, even being brazen enough to put them up on eBay. It’s hardly surprising to see hackers and malware writers searching for some remuneration for their efforts, particularly with the explosion in phishing, identity theft and other potentially lucrative crimes, and their dependence on staying a step ahead of security companies. What’s slightly more interesting, though, is that many security companies themselves are shelling out for the vulnerabilities, under the guise of the greater good, but really getting the information to give themselves a head start in closing the vulnerabilities, and enhancing their products and reputation. Economists love to talk about the value of incentives in motivating people to particular behavior — perhaps giving malware authors incentives to turn their work over to software developers or security companies isn’t such a bad idea.

Comments on “When They Said "Get It On eBay", I Doubt This Is What They Meant”

50 Comments
Joe Bastedo (user link) says:

Profitability VS Responsibility

This brings up a whole new “gray area” in internet ethics. A person might look at this as rewarding people for unethical behaviour. I see it as rehabilitating these miscreants by giving them a viable place in the growing macrocosm which is the internet by using them to help “security companies…give themselves a head start in closing the vulnerabilities, and enhancing their products and reputation.” I agree wholeheartedly with Carlo when he says “perhaps giving malware authors incentives to turn their work over to software developers or security companies isn’t such a bad idea.”

CoderDude (user link) says:

That's the way (ah huh) I like it

Many times I have found certain exploits in several major software firms, but I never try to let the little script kiddies know about this. Instead I always send them to the development teams of the companies. Many times in return they will give me free licensed software for my help in making their software better.

I probably have $20,000 in free legal software now, and to me it makes better sense to help the companies than some stupid loser high school kids that do not get it.

Finding the flaw and working with the business is the only way to do it right, plus you get better “street cred” than those idiots out there.

Captain Howdy says:

not good...

I think all this will end up doing is allow the illicit programmers to make some extra cash off of code they’ve already exploited for their own gain, and have since lost an interest in/use for.

This is just another incentive to CONTINUE their deplorable practice. Though I suppose it does keep a lot of people employed.

cjay says:

Re: not good...

If they have already exploited the code before turning their ‘results’ in, they run the risk of identifying themselves as an exploiter. If real damage is caused they are going to be a suspect and greatly improve their chances of getting caught. If you’re gonna turn in the code, better have clean hands.

Yakov (profile) says:

Make secure code

Make secure code MS. I’m a programmer myself, and I have to say that if I had to make critical fixes to something on a regular basis, I’d get a stern talking to from my management, and would surely be out of a job very quickly. This is sloppiness and laziness plain and simple. If MS products were so Swiss-cheesed, this would not be an issue.

Vokay says:

Re: Make secure code

Yakov,

You may be a programmer, but have you ever created an OS? I would bet not... and I’d bet that you haven’t had to create a program that runs on the majority of PCs worldwide. But I may be wrong; you may be some super intellect that is able to predict the future.

MS is easy to pick on simply because they are everywhere. They are everywhere because the majority of people think their product is better than the competition.

Movie Viewer says:

Catch Me if You Can

Isn’t this similar to the Tom Hanks/Leo DiCaprio flick “Catch Me If You Can”??

Leo’s character forged checks, and the FBI was after him. Once they found him, they made him help detect bad checks, and develop ways to test new checks for vulnerabilities. It is quite nice to see someone “turn around” and hopefully crime will stop in the future. Here’s to dreaming.

Wire Cramped (user link) says:

Ok back on topic

If I as a programmer make a program that can be exploited on purpose, what if I send the exploit info to Anonymous Coward, who then says he found the exploit and gets paid by my management as a thank you???

Sounds like a new job to me! I agree, don’t pay them but reward them with a copy of the software. Gets them using it and doesn’t make an industry out of it.

Stop the MS bashing. I can show you time and again where *nix and Mac have security holes the size of the MS campus. To sit and think for a moment that one OS is better than the next is retarded. ALL digital information that is secure can be hacked, and all the same info that is not secure can be hacked. If you think your Linux is safe I will personally send you to sites dedicated to hacking *nix, as it’s even easier to do. MAC = LINUX or WINDOWS, so you’re the last people who can speak now.

Brian says:

Re: Ok back on topic

I don’t get paid for my security or alpha/beta-test work, however I usually do get to keep the software. Just counting single licenses, not multiple/unlimited licenses, I’m over the million dollar mark here and counting, although I certainly don’t use it all on a daily basis. The work is challenging and, for me, fun.

As for the bashing, I have to agree with an earlier poster. Among other things I’m a system engineer and have designed and written my own OS, database servers, and application suites over the last three decades. While no one has found a bug or security hole to date, it sure wasn’t easy, although coming from the mainframe world where zero defects is de rigueur sure helps. The design and mathematical validation easily took ten times longer than the actual coding and testing. So does the threat of federal time if you frag up {smile}. I do get to see the security notices march by day in and day out, naturally, since systems security is one of my main foci these days. Windows is just a better target, so it gets most of the savaging. It also helps that the codebase for Linux is significantly smaller at the kernel level. Lastly, Windows incorporates a lot of applications into the OS that are not in Linux directly. Toss Linux applications into the mix for vulnerabilities and the numbers get more comparable.

Actually I get damned tired of this “my OS is better than your OS, nah, nah” BS. All of them are weak, Windows, Linux, and Mac, when it comes to overall (OS and applications) security. If I tried to get away with this crap when I was working for the government, somebody would have died and they’d be considering whether it would be life in prison without the possibility of parole or hanging.

Ever wonder why there are life/nuclear critical exclusions in so many operating systems and applications license agreements? Your bug, you go to prison.

Sanguine Dream says:

Good idea

I think it’s a good idea to reward people that find exploits. What better way to protect against them? Thousands of users across the world have a better chance of fully exploiting a product than the relatively small programming team that builds it. Kinda like in MMORPGs where the players are encouraged to report glitches (but I don’t think there is a reward system).

But definitely don’t offer money but instead free copies of the software. That way they know they are using a secure product (because they are the ones testing it) and it builds trust with that developer.

Only problem is, if it became public (out in the open on the net) that you’re doing this, then you would be treated as a narc.

Mark says:

Considering the, ah, WARM response you usually get when bringing a vulnerability to the responsible party’s attention, I can’t really blame someone for swinging the other way on this. I mean, we were telling the school district, in high school, the district’s computer was at risk. All it got us was time in The Chair. If the people most able to correct a problem aren’t interested in fixing it, only labeling you for a criminal, they deserve the consequences of their decision.

fred mcmurry says:

Cut off their hands

I think it’s a great idea for these people to post themselves on eBay, or anywhere else. Now get somebody to find out where these people are, who they are, and cut off their hands, and jam them up their butts. These people are trash, they hurt many people, make life more difficult for all of us, could care less, even enjoy it. Five people get their hands cut off by some guy named Vinny and all the sudden being a dope doesn’t seem like such a good idea.

Sean (user link) says:

Well...

I’ve actually discovered a few faults with the Window OS myself. I almost always report them to Microsoft, even though I myself know I shouldn’t. I think that if people have found flaws in something, do not create malware or bullshit like that, but rather find a way to fix it and then market that to major companies that still use Microsoft. It can be quite profitable.

But all in all, this selling malware shit on e-Bay is fucked. I think these auctions should be shut down and the owner of the account IP banned. Even though IP bans really don’t do much anymore with proxies.

Andrew Strasser says:

It would help if we would step across borders on t

We need to boost up our overseas ability to stop would be havens for malicious activity to stop. A much more important agenda than muzik downloads anyway….

It has gotten out of control though I do agree that some credit should go to those who find glitches and fix the problems someone may be having.

kilroy says:

yes we need to hold people accountable

… but according to the laws of which Country or State? How should we determine whose laws are the most just? And once we determine the criteria … there can be only one punishment: DEATH!

If the punishment were anything less it would not be serious enough. However, if Joe Script Kiddie or Bob Anonymous Hacker thought he was gonna fry for being a little bass turd, would they be so willing to take their shot? Or would they find a new hobby or maybe get a real job …

ubigcow says:

Make secure code

“They are everywhere because the majority of people think their product is better than the competition.”

True. No one CARES that they don’t have secure software, except people like me. That is because the majority of people are STUPID. (no offense, stupid people)

Smart people like me care. If more people were smart, and therefore cared, MS couldn’t get by with their bad software.
