
The inside story of selling security secrets

OUT-LAW Radio, 16/08/2007

We talk to the man behind a new market with a difference: it sells IT security secrets to the highest bidder.


A text transcription follows.

This transcript is for anyone with a hearing impairment or who for any other reason cannot listen to the MP3 audio file.

The following is the text spoken by OUT-LAW journalist Matthew Magee.


Hello and welcome to OUT-LAW Radio, the weekly podcast that keeps you up to date on all the twists and turns in the world of technology law. Every week we bring you the latest news and in depth features that help you to make sense of the ever-changing laws that govern technology today.

My name is Matthew Magee, and coming up on this week's show we talk to the man behind an auction service with a difference: he's selling security vulnerabilities in other people's software to the highest bidder.

But first, the news:


  • US court says SCO did not own UNIX copyright; and
  • Press Complaints Commission uses new multimedia powers

Novell owns the copyrights in the UNIX operating system, a US judge has ruled in a long-running case. SCO had claimed rights in the software.

SCO first made claims in 2003 to intellectual property rights in the UNIX operating system.

A US judge, Dale Kimball of the US District Court for the District of Utah, has said that Novell owns the UNIX copyrights. He said that SCO could owe Novell millions of dollars in licensing income it received from its UNIX customers, such as Microsoft and Sun Microsystems.

SCO had claimed that Novell was wrong to claim ownership of the system, but Kimball said in his ruling that "there is no basis in the evidence before this court for finding that Novell's public claims of ownership were a misappropriation or seizure of SCO's property".

The Press Complaints Commission (PCC) has issued its first ever ruling on video content published online by a newspaper. It said that the Hamilton Advertiser breached school pupils' rights to privacy with a video of an unruly classroom.

The newspaper published the unedited video taken by a pupil on a mobile phone on its website which the PCC ruled invaded the right to privacy of the pupils who were identifiable from the film. The PCC's remit was extended just this year to include editorial audio-visual content published by newspapers, and this is the first use of those powers.

Pictures from the film appeared in the Sun, the Daily Mirror and the Hamilton Advertiser, but a parent group's complaints were rejected by the PCC as the story was deemed to be of public interest. Children were identifiable in the film, though, which the PCC said was a breach of their privacy.

That was this week's OUT-LAW news.


Viewers of the Rocky series of films know that capitalism won the Cold War, so our world is ruled by the markets. But there are still some things that you just don't expect to be traded like pork bellies or a job lot of sub-prime mortgages.

One of those things is a software security vulnerability, yet one man has created an open, public market where people who find flaws in software can sell the information to the highest bidder - whoever they are.

The security industry is fuming in public, but the founder of WabiSabiLabi.com, the new market, says that behind closed doors they are signing up to the service in droves.

The IT world has always been full of amateur security researchers who probe and poke at software until they find something wrong.

According to WabiSabiLabi chief executive Herman Zampariolo, if they tell an IT security firm, they get little more than a pat on the back and a t-shirt; he says he is offering them something more.

But the IT security world is asking: at what price?

We'll hear later from a traditional security firm about what the problems with the system could be, but first Zampariolo clarifies exactly what he is, and isn't, selling.

Zampariolo: What is happening on our marketplace is an exchange of vulnerabilities and not of exploits, because this is a huge difference. One thing is to say, if your flat is using this kind of glass window, it can resist a pressure of up to, and you specify that, and you give this information to people making glass windows and to people buying flats, or things like this. Another thing is to sell weapons to break windows, and this is roughly the difference. So that is vulnerability. Vulnerability is research about software, operating systems, databases and applications, on which, through research, a number of researchers are finding the relative weakness or vulnerability.

What he has done is create a marketplace where raw commerce dictates who ends up owning information about exploitable flaws in software used all over the world.

This has been, to say the least, a controversial proposal in the world of IT security. Zampariolo is not the first to create such a market, but his is the most public and the most prominent so far. He says it will bring some trading activity out of the shadows and into the light of at least some public scrutiny.

Zampariolo: We should remember that we didn't invent the idea that you can trade or exchange or sell vulnerabilities. A number of companies are already trading them. Some of them are doing that fully legally; some others are the hidden side of the market, exchanges that are a bit less than legal or, I would suggest, ethical. So what we mean is not exactly the exchange of vulnerabilities but the idea that it is happening in a marketplace in which anyone is free to register and has a transparent, legitimate identity.

Greg Day is a security analyst at McAfee, and he says that auctions such as WabiSabiLabi are unlikely to encourage people to act in the public's interest.

Day: When somebody puts a vulnerability up for auction, it's sold off to a private individual or an organisation, and it is really up to them as to what they then do with that. Do they use that to launch their own attack? Do they maybe try and blackmail the manufacturer? The scope is very broad as to what could be done. Whereas really, I think, what's in the public's interest is that that vulnerability is disclosed to the manufacturer or provider of that software so that they can actually work to create a fix for the general public en masse.

The danger of the system is that information about otherwise unknown, exploitable software vulnerabilities could fall into criminal hands before the vendor has a chance to fix them.

Zampariolo says that his company checks the credentials of the companies that register with him to buy vulnerabilities.

Zampariolo: For anyone who is registering in our marketplace, there is a bit of paperwork to be done to show that you are a legitimate company. We want to assure, of course, that the legal entity taking part in the marketplace is in existence and legally recognised. So, in a nutshell, we are asking you a bit more than what is normally needed in Europe to open up a bank account.

Day says that such checks are unlikely to be enough to prevent abuse.

Day: I think we have certainly seen plenty of examples, both in the electronic world and the physical world, of just how easy it is to spoof an identity, and so I don't know how far they are going within their checks. It is pretty easy to set up a dummy company, from what we see happening both in cyberspace and the real world. I would certainly like to see them go further and to see what they actually do with that vulnerability code once they've got it. Does it get passed on to the manufacturer? Does it end up being an attack? So I would certainly like to see further checks in there than there are today.

There is a problem with the current system, according to Zampariolo: when researchers find vulnerabilities they are given almost no reward. With a tempting black market looming, Zampariolo says his auction house helps to keep research going, and on the right side of the law.

Zampariolo: This is a rather unbalanced market, a market in which software vendors are regularly making profits to the tune of billions and researchers are rewarded with a T-shirt or $100 in the hand. I think a bit more of an equilibrium should be set. We hope that we can make a contribution, because we are talking to economic animals at the end of the day.

Day says that researchers don't need those returns, that finding vulnerabilities is like a degree, a CV and a job interview all rolled into one, and that the existing system works just fine.

Day: There is a very simple reality today, which is that there is a very big skills shortage of people who are skilled enough to find these kinds of vulnerabilities, and most of these people are hobbyists. They do this because they have a passion for it and they are very skilled at it. But then they have to get some credibility to go and join, whether it is a software company or a security company, and this is very often a great way for them to build up their credibility. They go out, they find these vulnerabilities, but then they go through the right ethical processes to disclose that to the manufacturer of that software, and that builds up their profile to make them a very marketable resource, and these people can earn a very good salary.

So how much money do these vulnerabilities actually sell for? Accounts vary wildly. Day says that black market vulnerabilities can go for seventy-five thousand dollars, while Zampariolo says that in the month that the market has been open, prices have risen from a few hundred to typically a few thousand dollars.

Oddly, it is this price differential that could do more than any vetting process to keep the auctions safe. Day says that more can be earned on the black market, which could keep criminals away from the public market, and Zampariolo says that criminal uses of research will always be with us, WabiSabiLabi or no WabiSabiLabi.

Day: On the black market it is very common to see them going for tens of thousands of dollars. What I have certainly seen so far from WabiSabiLabi has been very small amounts that have been offered. We are only talking about literally the thousands of dollars, so a far more trivial amount.

Zampariolo: If bad people want to go ahead and be bidders for less than reasonable, morally acceptable purposes, they can do what they are doing already on the black market. They cover themselves and, unfortunately for the world, there are a lot of criminals around exchanging not vulnerabilities but exploits or malicious code.


That's all we have time for this week, thanks for listening.

Why not get in touch with OUT-LAW Radio? Do you know of a technology law story? We'd love to hear from you on radio@out-law.com.

Make sure you tune in next week; for now, goodbye.


OUT-LAW Radio was produced and presented by Matthew Magee for international law firm Pinsent Masons.
