Last week, Roberto Preatoni, founder of WabiSabiLabi, the exploit eBay, gave a talk at the ITWeb Security Conference about his creation. I really wanted to ask a question, but there was no time. At the end of his talk, when asked who agrees with Roberto that WabiSabiLabi is a good idea (i.e. creating a marketplace where vulnerabilities and exploits can be freely sold and traded, like eBay), I was surprised to see so many hands go up, as the general infosec community has reacted quite harshly to the idea. A possible explanation based on my experience is that many ITWeb attendees are not 'hardcore' security people, and haven't been following the disclosure argument over the last decade. Then, given only Roberto's talk, they chose to agree with him due to a lack of any exposure to a rebuttal. When asked who disagrees, I was the only one who put their hand up.
So, here's why.
First up, let me say, I don't know Roberto personally, and have no personal vendetta. I also do not work for a security vendor, so am not coloured by a shoot-the-messenger mentality. Finally, I agree that to do what Roberto and his team did took serious courage, and they have weathered some big (and unfair) fights which probably would've had me packing for the hills. However, from the comfort of my blogging seat, I don't think an exploit market is a "good thing". My rebuttal *is* coloured by the ethics debate. It could be a hangover from the last decade of the debate being coloured by this, but, as a 'white-hat', I am specifically defining myself as a security person with ethics. If you don't care about anything but getting the most money to vulnerability researchers, then you won't buy my argument.
Roberto's main premise seems to be that vulnerability researchers (I don't like the term 'security researcher' for this purpose; it is too vague and generalised) are forced to hand over the results of their time and effort for free, to a vendor who often does not respect them for their work, all in the name of ethics. By providing a marketplace, a place where sellers and buyers can gather, vulnerability researchers can have their work monetised. The implication being that vulnerability research can be a job, and the security world benefits by getting holes closed.
The All Knowing Market
I've never been a fan of 'free markets'. The main reason is that the invisible hand isn't always an ethical one. Take for example the world's terrible food distribution, where food is literally thrown away while others starve, all because of how the market has structured the whole scheme to get the buyers with the most money to the sellers. Roberto explicitly mentioned the pharmaceutical industry as a comparison, which is a great example of where the market hasn't provided for the needs of people. We've had people researching esoteric illnesses instead of the African killer, tuberculosis, because of where the money is coming from. We've had overpriced AIDS drugs, forcing India, Brazil and SA to threaten to call a state of emergency to allow us to produce cheap generics in terms of the TRIPS agreement. The end result is that the best course of action, namely curing the greatest number of the sickest people, hasn't happened, but is considered better than no market where doctors do it for free. There are 'better' solutions however, such as the medical innovation prize fund, a model which could well work here, but more on that later. Let's make it more specific though; here's why I think a free market in this instance is bad too.
Implications
Ok, so given that by creating a market, things may not be driven by ethical lines, let's examine what sort of behaviours we could see.
Vendors held ransom
Now that the bugs are being peddled on an open market, vendors must compete with a variety of buyers, from security firms to bad guys. They will always have to assume that their buying the bug is better than someone else buying it, and in the case of big bugs (a Vista 0day, for example) will have to pay a fair amount of money. This has two problems. The first is that vendors have to start spending money that could otherwise be used to find, fix, or better, prevent, their own bugs. The second is that you have a skewed market where it is always in the best interest of the vendor to acquire the bug, and they are pitted against the whole market; not exactly a willing buyer.
Criminal Syndicates
Given that the vendor now has to outbid the entire market, it is likely that prices will be driven fairly high. Now, we can safely assume bad guys may want to buy bugs. However, the individual bad guy won't have the funds. Thus, bad guys will need to club together and pool their money to outbid the vendor (or other security firms), and now you have a syndicate. I'm not saying that this is the only way syndicates can form, just that it encourages new ones to form, and makes existing syndicates likely competition. WabiSabiLabi does implement a vetting system, but a quick look at existing handgun registration systems will show that this isn't an effective way to stop bad guys from buying legitimate guns (as opposed to the black market guns we know they get), or at the very least, from using them to kill someone; it is just a semi-ineffective post-event auditing technique.
Black Market
On the syndicate point, people often suggest free or freer markets in reaction to the existence of a black market. This could provide some interesting stats; we could get an idea of what bugs are being traded, how many, their price etc. A potentially very valuable tool for threat research. However, Roberto himself concedes that this will not get rid of the black market. First, because many syndicates are actually hiring vulnerability researchers of their own (some straight out of varsity), and second, because the existing black market provides more anonymity, or at least more trusted anonymity. In essence, they have their own vulnerabilities, and can make more money exploiting things with them than selling them.
Weaponisation
Another implication of this market is that it will encourage people to weaponise vulnerabilities into exploits. Right now, a demonstration of a repeatable crash (for example) is usually enough to show the vulnerability exists, and things are weaponised usually to prove a point. However, in a true exploit marketplace, several types of guns (exploits) can be sold to exploit the same vulnerability in the human head. Thus, when a Microsoft patch is released, it may be worth my while to reverse engineer it and create a working exploit to sell to the highest bidder. This could be stopped by only allowing original vulnerabilities to be sold, but that seems like an arbitrary restriction on the otherwise free market.
Arbitrary Restrictions
Speaking of arbitrary restrictions, Roberto brought up a few in his talk. He mentioned that they refused to sell exploits in online poker sites, or an XSS in MySpace, etc. The general trend was that they didn't allow web app vulnerabilities to be sold. This is a pretty arbitrary restriction, as I don't see much difference between allowing an authentication bypass for Windows to be sold vs allowing an authentication bypass for MySpace to be sold. If you look at other 'market regulators' such as the SEC or our own JSE, they usually implement controls to ensure the market functions correctly (e.g. preventing people from misrepresenting market-related information such as financial statements, or from abusing market mechanisms such as insider trading). They do not stop certain stocks from being traded based on the supposed actions of the investors or the company. Now, if WabiSabiLabi has already started down this road of arbitrary restrictions, most likely due to some ethical drive, then they must acknowledge that they want an ethical outcome. Given that a free market doesn't lead to an ethical outcome, a free marketplace may not be the best way of doing this. In short, they either have to remove the restrictions and put up with the potential badness, or keep them and be labelled hypocrites or at least inconsistent (logical doomsday words ;) ), or shut down the market.
A better way
In his talk, Roberto did a sort of reductio on responsible disclosure. However, the model of responsible disclosure he presented was the sort of model 3Com's Zero Day Initiative (ZDI) takes. I was fairly confused about this, as I don't see much difference between the ZDI model and WabiSabiLabi's in terms of disclosure; in fact, Roberto acknowledged them as competitors.
Now, responsible disclosure isn't really a well pinned-down term, but I don't believe it is an inherently flawed model in all possible cases. So let me present a model as I believe many understand it, which will work towards the most ethical outcome, and cover Roberto's need to monetise the whole shebang. It will be brief, as there are already stacks of info out there about this.
If you find a bug, report it privately to the vendor. The vendor should get back to you within a reasonable time frame, produce a good fix within a reasonable time frame and credit you in the patch release. If the vendor is antagonistic or takes too long to release a patch, then full disclosure applies, where all details are released publicly to drive the vendor to action. This model worked very well with Microsoft, where full disclosure drove the otherwise antagonistic or ignorant vendor into making some serious changes and turning them into (dare I say it) the good security vendor we see today.
This model is not without money. The disclosure model gets you credit, and this has long been a way of building up eminence in the market. Over the long term this credit gets you day job work. Take David Litchfield as an example (who incidentally spoke before Roberto). He flogged Oracle silly over their terrible security, and is now probably one of the highest paid Oracle security consultants in the world, and even has Oracle as one of his clients. This is a man who monetised his vulnerability research. Granted, he couldn't just sit in a chair making Gobbles-like vulnerability findings and hope to make money, but it certainly gave him the opportunity.
Vulnerability Research Prize Fund
To be honest, I haven't put much thought into how the medical innovation prize fund described here, here and here could be retrofitted to this model. Although, my gut feel is that it can, given the similarities of the vulnerability research field to the pharmaceutical industry, i.e. we want to pay for and encourage the best research, but we want the knowledge to be shared as widely and appropriately as possible instead of creating monopolies (e.g. ZDI, syndicates). It would be great for some of us to put some thought into this and see what we can come up with, as it would potentially provide an 'even better' way than any of the existing solutions.
Conclusion
So, at the end of it all, I believe that the vulnerability marketplace won't lead to the best outcomes, already has some inconsistencies and may slippery-slope into more, and that a better model already exists. Finally, I believe an even better model could exist, structured along the lines of the medical innovation prize fund, and that more attention should be paid to this as a solution.
Tracked: Feb 05, 09:23