When They Said "Get It On eBay", I Doubt This Is What They Meant
from the W32.this-space-for-rent.P@mm dept
The idea of using security exploits to make some cash certainly isn’t anything new — online extortion schemes have been fairly popular, even if script kiddies are killing the margins. But apparently discovering security vulnerabilities and selling them off to the highest bidder is a growth industry, according to one security firm, with sellers brazen enough to put them up on eBay. It’s hardly surprising to see hackers and malware writers seeking some remuneration for their efforts, particularly with the explosion in phishing, identity theft and other potentially lucrative crimes, all of which depend on staying a step ahead of the security companies. What’s slightly more interesting, though, is that many security companies themselves are shelling out for the vulnerabilities, under the guise of the greater good, but really buying the information to give themselves a head start in closing the vulnerabilities, and enhancing their products and reputation. Economists love to talk about the value of incentives in motivating people toward particular behavior — perhaps giving malware authors incentives to turn their work over to software developers or security companies isn’t such a bad idea.
Comments on “When They Said "Get It On eBay", I Doubt This Is What They Meant”
FINALLY lol
Re: Re:
Suggestion to Techdirt: delete the first post.
Re: Re: Re:
’nuff said. I’m getting tired of the “firstestist!” BS.
Turn off anonymous comments and turn on registration and moderation.
Re: Re: Re: Re:
No. Just no.
Re: Re: Re:
Delete the fifth post!
Oh yeah! I’m in for the 20th post!!!
Re: Re: Re: Re:
Delete the 21st post!!!! woohoo!!!!
Re: Re: Re:
why
Re: Re: Re:
It made me smile. Yours did not.
good idea
Hey, give the script kiddies something to do. It’s a good idea. Find a hole, get paid for it. Why not? If you have found something no one else has, and maybe the way to fix it as well, why not get paid for your work? And it keeps them from doing things they shouldn’t be doing on others’ servers.
Profitability VS Responsibility
This brings up a whole new “gray area” in internet ethics. A person might look at this as rewarding people for unethical behaviour. I see it as rehabilitating these miscreants by giving them a viable place in the growing macrocosm which is the internet by using them to help “security companies…give themselves a head start in closing the vulnerabilities, and enhancing their products and reputation.” I agree wholeheartedly with Carlo when he says “perhaps giving malware authors incentives to turn their work over to software developers or security companies isn’t such a bad idea.”
That's the way (ah huh) I like it
Many times I have found certain exploits in several major software firms’ products, but I never try to let the little script kiddies know about this. Instead, I always send them to the development teams of the companies. Many times in return they will give me free licensed software for my help in making their software better.
I probably have $20,000 in free legal software now, and to me it makes better sense to help the companies than some stupid loser high school kids who do not get it.
Finding the flaw and working with the business is the only way to do it right, plus you get better “street cred” than those idiots out there.
Re: That's the way (ah huh) I like it
Agreed.
It's Not Renumeration
it’s REMUNERATION
1. The act of remunerating.
2. Something, such as a payment, that remunerates.
Re: It's Not Renumeration
LOL. Turns out I’ve been pronouncing the word wrong my whole life. It’s amazing what you learn on techdirt. 🙂
Re: Re: It's Not Renumeration
It is RENUMERATION, if that is what you mean; look here:
http://www.wsu.edu/~brians/errors/remuneration.html
Re: It's Not Renumeration
Renumeration:
The act of numbering something that has already been numbered.
not good...
I think all this will end up doing is allowing the illicit programmers to make some extra cash off of code they’ve already exploited for their own gain, and have since lost an interest in/use for.
This is just another incentive to CONTINUE their deplorable practice. Though I suppose it does keep a lot of people employed.
Re: not good...
If they have already exploited the code before turning their ‘results’ in, they run the risk of identifying themselves as an exploiter. If real damage is caused they are going to be a suspect and will have greatly improved their chances of getting caught. If you’re gonna turn in the code, better have clean hands.
Make secure code
Make secure code, MS. I’m a programmer myself, and I have to say that if I had to make critical fixes to something on a regular basis, I’d get a stern talking to from my management, and would surely be out of a job very quickly. This is sloppiness and laziness, plain and simple. If MS products were so Swiss-cheesed, this would not be an issue.
Re: Make secure code
Yakov,
You may be a programmer, but have you ever created an OS? I would bet not… and I’d bet that you haven’t had to create a program that runs on the majority of PCs worldwide. But I may be wrong; you may be some super intellect that is able to predict the future.
MS is easy to pick on simply because they are everywhere. They are everywhere because the majority of people think their product is better than the competition.
Catch Me if You Can
Isn’t this similar to the Tom Hanks/Leo DiCaprio flick “Catch Me If You Can”?
Leo’s character forged checks, and the FBI was after him. Once they found him, they made him help detect bad checks, and develop ways to test new checks for vulnerabilities. It is quite nice to see someone “turn around”, and hopefully crime will stop in the future. Here’s to dreaming.
Linux managed to make a more secure OS. Why in the world did MS make everything accessible to the kernel? XP is better in this regard and it began to resemble Linux’s more segregated architecture, but to assume MS can compete simply on its own merits of being a good product is a serious stretch.
Ok back on topic
If I, as a programmer, make a program that can be exploited on purpose, what if I send the exploit info to Anonymous Coward, who then says he found the exploit and gets paid by my management as a thank you?
Sounds like a new job to me! I agree: don’t pay them, but reward them with a copy of the software. It gets them using it and doesn’t make an industry out of it.
Stop the MS bashing. I can show you time and again where *nix and MAC have security holes the size of the MS campus. To sit and think for a moment that one OS is better than the next is retarded. ALL digital information that is secure can be hacked, and all the same info that is not secure can be hacked. If you think your Linux is safe, I will personally send you to sites dedicated to hacking *nix, as it’s even easier to do. MAC = LINUX or WINDOWS, so you’re the last people who can speak now.
Re: Ok back on topic
I don’t get paid for my security or alpha/beta-test work; however, I usually do get to keep the software. Just counting single licenses, not multiple/unlimited licenses, I’m over the million dollar mark here and counting, although I certainly don’t use it all on a daily basis. The work is challenging and, for me, fun.
As for the bashing, I have to agree with an earlier poster. Among other things I’m a system engineer and have designed and written my own OS, database servers, and application suites over the last three decades. While no one has found a bug or security hole to date, it sure wasn’t easy, although coming from the mainframe world where zero defects is de rigueur sure helps. The design and mathematical validation easily took ten times longer than the actual coding and testing. So does the threat of federal time if you frag up {smile}. I do get to see the security notices march by day in and day out, naturally, since systems security is one of my main foci these days. Windows is just a better target, so it gets most of the savaging. It also helps that the codebase for Linux is significantly smaller at the kernel level. Lastly, Windows incorporates a lot of applications into the OS that are not in Linux directly. Toss Linux applications into the mix for vulnerabilities and the numbers get more comparable.
Actually I get damned tired of this “my OS is better than your OS, nah, nah” BS. All of them are weak, Windows, Linux, and Mac, when it comes to overall (OS and applications) security. If I tried to get away with this crap when I was working for the government somebody would have died and they’d be considering whether it would be life in prison without the possibility of parole or hanging.
Ever wonder why there are life/nuclear critical exclusions in so many operating systems and applications license agreements? Your bug, you go to prison.
Good idea
I think it’s a good idea to reward people that find exploits. What better way to protect against them? Thousands of users across the world have a better chance of fully exploiting a product than the relatively small programming team that builds it. Kinda like in MMORPGs where the players are encouraged to report glitches (but I don’t think there is a reward system).
But definitely don’t offer money; instead offer free copies of the software. That way they know they are using a secure product (because they are the ones testing it) and it builds trust with that developer.
The only problem is, if it became public (out in the open on the net) that you’re doing this, then you would be treated as a narc.
nice
sounds like a good way to make money to me.
Considering the, ah, WARM response you usually get when bringing a vulnerability to the responsible party’s attention, I can’t really blame someone for swinging the other way on this. I mean, we were telling the school district, in high school, that the district’s computer was at risk. All it got us was time in The Chair. If the people most able to correct a problem aren’t interested in fixing it, only in labeling you as a criminal, they deserve the consequences of their decision.
Delete post #26 as well, please.
Cut off their hands
I think it’s a great idea for these people to post themselves on eBay, or anywhere else. Now get somebody to find out where these people are, who they are, and cut off their hands, and jam them up their butts. These people are trash; they hurt many people, make life more difficult for all of us, could care less, even enjoy it. Five people get their hands cut off by some guy named Vinny and all of a sudden being a dope doesn’t seem like such a good idea.
Well...
I’ve actually discovered a few faults with the Windows OS myself. I almost always report them to Microsoft, even though I myself know I shouldn’t. I think that if people have found flaws in something, they should not create malware or bullshit like that, but rather find a way to fix it and then market that to major companies that still use Microsoft. It can be quite profitable.
But all in all, this selling malware shit on eBay is fucked. I think these auctions should be shut down and the owner of the account IP-banned. Even though IP bans really don’t do much anymore with proxies.
It would help if we would step across borders on t
We need to boost up our overseas ability to stop would-be havens for malicious activity. A much more important agenda than muzik downloads anyway….
It has gotten out of control, though I do agree that some credit should go to those who find glitches and fix the problems someone may be having.
Reward those who find it and do not exploit it
These teenagers sit at their computers all day messing with Windows. They should get paid for their work as long as they do not publicly exploit the vulnerability. We all know some kid who does this all day. I plan on forwarding this newsletter to the kid I know who’s geekier than me.
Spelling....
Interesting article. Surprised spell check didn’t pick up “renumeration”, as there is no such word. “Remuneration” is the correct term. Picky, I know, but when you publish we look at it all.
im gay !!
yes we need to hold people accountable
… but according to the laws of which country or state? How should we determine whose laws are the most just? And once we determine the criteria… there can be only one punishment: DEATH!
If the punishment were anything less it would not be serious enough. However, if Joe Script Kiddie or Bob Anonymous Hacker thought he was gonna fry for being a little bass turd, would they be so willing to take their shot? Or would they find a new hobby or maybe get a real job…
Did you change the headline of this article?
Didn’t this article used to have this headline?
When They Said “Get It On eBay”, I Doubt This Is What They Meant
I just thought it’s kinda odd to see this changed without any note on the page…
Post 36
I agree with that, 36. “When They Said” doesn’t make sense.
Is this a Joke?
and what’s with the sub headline:
“from the W32.this-space-for-rent.P@mm dept”
oh noez, teh scriptoz kidde1s f0und us
Make secure code
“They are everywhwere because the majority of people think their product is better than the competition.”
True. No one CARES that they don’t have secure software, except people like me. That is because the majority of people are STUPID. (No offense, stupid people.)
Smart people like me care. If more people were smart, and therefore cared, MS couldn’t get by with their bad software.
to marks comment
I think they deserve the consequences of their actions, but not the rest of the population.
that includes u
Ok back on topic
OK, maybe they are all unsafe… but that doesn’t mean that it is acceptable.
Post 36
Have you heard or seen the old eBay ads, “Get it on eBay”? It refers to the old ad, that you can get just about anything on eBay.
Profitability VS Responsibility
I’m sorry, but that grey area has always been there and always will be; there is nothing “new” about it….
Tek’a & Ordinator…
About the sub headline. When new exploits are found most anti-virus software makers give the exploits a name. Something that reflects the OS that it targets… W32. Then the exploit name… this-space-for-rent. Then I think it’s the version… P@mm (this would be P mutation or version or such).
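As an added example (my own code, not Techdirt’s and not any anti-virus vendor’s), here is a small Python parser for the naming shape that comment describes, platform.family[.variant][@suffix]. In Symantec’s convention the trailing letter(s) after the family name are the variant and the “@mm” suffix marks a mass-mailing worm; the suffix table and the regular expression are my assumptions about that common form, and real vendor names have other forms (for example a trailing category word) that this deliberately rejects rather than misparses.

```python
"""Parse a Symantec-style threat name such as W32.this-space-for-rent.P@mm
into platform, family, variant and behaviour suffix.

Example code written for this page; the exact grammar is an assumption
covering only the platform.family[.variant][@suffix] form.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Behaviour suffixes written after '@'.  "mm" (mass-mailer) is the one
# that appears in the page's own sub-headline.
SUFFIX_MEANING = {
    "mm": "mass-mailing worm",
    "m": "mailer (spreads by e-mail, but not a mass-mailer)",
}

_NAME_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+)\."        # W32, VBS, JS, OSX, Linux ...
    r"(?P<family>[A-Za-z0-9_-]+)"             # family name (hyphens allowed)
    r"(?:\.(?P<variant>[A-Z]{1,3}))?"         # optional variant: .A, .P, .AB
    r"(?:@(?P<suffix>[a-z]+))?$"              # optional behaviour suffix: @mm
)


@dataclass(frozen=True)
class ThreatName:
    platform: str
    family: str
    variant: Optional[str]
    suffix: Optional[str]

    @property
    def suffix_meaning(self) -> Optional[str]:
        """Human-readable meaning of the '@' suffix, if any."""
        if self.suffix is None:
            return None
        return SUFFIX_MEANING.get(self.suffix, "unknown suffix")


def parse_threat_name(name: str) -> ThreatName:
    """Split a detection name into its parts; raise ValueError on any
    name that does not fit the platform.family[.variant][@suffix] form."""
    m = _NAME_RE.match(name.strip())
    if m is None:
        raise ValueError(
            f"not a platform.family[.variant][@suffix] name: {name!r}")
    return ThreatName(m["platform"], m["family"], m["variant"], m["suffix"])


def same_family(a: str, b: str) -> bool:
    """True when two detection names differ only by variant or suffix,
    which is what a defender usually wants when grouping alerts."""
    pa, pb = parse_threat_name(a), parse_threat_name(b)
    return (pa.platform.lower(), pa.family.lower()) == \
        (pb.platform.lower(), pb.family.lower())


if __name__ == "__main__":
    # The page's own sub-headline name, used as sample input.
    t = parse_threat_name("W32.this-space-for-rent.P@mm")
    print(t, "->", t.suffix_meaning)
```

Grouping alerts by `same_family` rather than by the full string is the practical use: variants of one family usually share a signature lineage, so a dashboard or a ticket queue keyed on platform plus family collapses the “.A/.B/.P” churn into one line.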
Sounds like one of the kiddies is about to rat them out for doing this anyway under the table. So they are gonna try and bring it above board. Most of what’s out there has been secretly sponsored by these same companies to keep them in biz.
Re:
1. article has no comments
2. someone posts
3. first post gets deleted
4. goto 2
???
5. PROFIT!!!!
Re:
When someone says that Linux is more secure, that comment always makes me laugh. Does anyone know the number of updates necessary to make Linux “secure” this year? That number nearly quadruples MS’s number. So more secure, or less in your face, take your pick.
Re:
What version/distro of Linux in particular are you referring to? Sure, Linux has a lot of updates, but the vast majority of the updates are not security updates but rather software bug fixes and such. Nothing near the amount of service packs and security updates MS has.