top | item 42965354


joshfraser | 1 year ago

I've seen the invite-only marketplaces where these exploits are sold. You can buy an exploit to compromise any piece of software or hardware that you can imagine. Many of them go for millions of dollars.

There are known exploits to get root access to every phone or laptop in the world. But researchers won't disclose these to the manufacturers when they can make millions of dollars selling them to governments. Governments won't disclose them because they want to use them to spy on their citizens and foreign adversaries.

The manufacturers prefer to fix these bugs, but aren't usually willing to pay as much as the nation states that are bidding. All they do is drive up the price. Worse, intelligence agencies like the NSA often pressure or incentivize major tech companies to keep zero-days unpatched for exploitation.

It's a really hard problem. There are a bunch of perverse incentives that are putting us all at risk.


JumpCrisscross | 1 year ago

> It's a really hard problem

Hard problems are usually collective-action problems. This isn't one. It's a tragedy of the commons [1], the commons being our digital security.

The simplest solution is a public body that buys and releases exploits. For a variety of reasons, this is a bad idea.

The less-simple but, in my opinion, better model is an insurance model. Think: FDIC. Large device and software makers have to buy a policy, whose rate is based on the number of devices or users in America multiplied by a fixed risk premium. The body is tasked with (a) paying out damages to cybersecurity victims, up to a cap, and (b) buying exploits in a cost-sharing model, where the company for whom the exploit is being bought pays a flat co-pay and the fund pays the rest. Importantly, the companies don't decide which exploits get bought--the fund does.

Throw in a border-adjustment tax for foreign devices and software and call it a tariff for MAGA points.

[1] https://en.wikipedia.org/wiki/Tragedy_of_the_commons

impossiblefork | 1 year ago

I think what is actually the problem is the software and hardware manufacturers.

Secure use of any device requires a correct specification. These should be available to device buyers and there should be legal requirements for them to be correct and complete.

Furthermore, such specifications should also be required for software -- precisely what it does, and legal guarantees that it's correct.

This has never been more feasible. Also, considering that we Europeans are basically at war with the Russians, it seems reasonable to secure our devices.

fluoridation | 1 year ago

A tragedy of the commons occurs when multiple independent agents exploit a freely available but finite resource until it's completely depleted. Security isn't a resource that's consumed when a given action is performed, and you can never run out of security.

skirge | 1 year ago

Security may be considered a "commons", but the accountable parties are individual manufacturers. If my car is malfunctioning, I'm punished by law enforcement. There are inspections and quality standards. Private entities may provide certifications.

Always42 | 1 year ago

Please no more mandated insurance programs.

tptacek | 1 year ago

The markets here are complicated and the terms on "million dollar" vulnerabilities are complicated and a lot of intuitive things, like the incentives for actors to "hoard" vulnerabilities, are complicated.

We got Mark Dowd to record an episode with us to talk through a lot of this stuff (he had given a talk whose slides you can find floating around, long before) and I'd recommend it for people who are interested in how grey-market exploit chain acquisition actually works.

https://securitycryptographywhatever.com/2024/06/24/mdowd/

Melatonic | 1 year ago

Makes me wonder if there are engineers on the inside of some of these manufacturers intentionally hiding 0-days so that they can then go and sell them (or engineers placed there by companies who design 0-days).

tptacek | 1 year ago

People have been worrying about this for 15 years now, but there's not much evidence of it actually happening.

One possible reason: knowing about a vulnerability is a relatively small amount of the work in providing customers with a working exploit chain, and an even smaller amount of the economically valuable labor. When you read about the prices "vulnerabilities" get on the grey market, you're really seeing an all-in price that includes value generated over time. Being an insider with source code access might get you a (diminishing, in 2025) edge on initial vulnerability discovery, but it's not helping you that much on actually building a reliable exploit, and it doesn't help you at all in maintaining that exploit.

timewizard | 1 year ago

> It's a really hard problem.

Classify them as weapons of mass destruction. That's what they are. That's how they should be managed in a legal framework and how you completely remove any incentives around their sale and use.

kingaillas | 1 year ago

How about some penalties for their creation? If the NSA is discovering or buying, someone else is creating them (even if unintentionally).

Otherwise corporations will be incentivized (even more than they are now) to pay minimal lip service to security - why bother investing beyond a token amount, enough to make PR claims when security inevitably fails - if there is effectively no penalty and secure programming eats into profits? Just shove all risk onto the legal system and government for investigation and clean up.

JumpCrisscross | 1 year ago

> weapons of mass destruction. That's what they are

Seriously HN? Your Netflix password being compromised is equivalent to thermonuclear war?

tptacek | 1 year ago

That is never, ever going to happen, and they are nothing at all like NBC weapons.

joshfraser | 1 year ago

Yes. Except our government is the largest buyer.

Henchman21 | 1 year ago

Suddenly I felt like re-reading Ken Thompson's essay "Reflections on Trusting Trust".

We've created such a house of cards. I hope when it all comes crashing down that the species survives.

davisr | 1 year ago

Instead of hoping, you can do a lot just by ditching your cell phone and using Debian stable.

westoque | 1 year ago

Reminds me of the Anthropic Claude jailbreak challenge, which only pays around $10,000. If you drive the price up, I'm pretty sure you'll get some takers. Incentives are not aligned.