When They Said "Get It On eBay", I Doubt This Is What They Meant

from the W32.this-space-for-rent.P@mm dept

Fri, Jul 14th 2006 11:07am — Carlo Longino

The idea of using security exploits to make some cash certainly isn't anything new -- online extortion schemes have been fairly popular, even if script kiddies are killing the margins. But apparently discovering security vulnerabilities and selling them off to the highest bidder is a growth industry, according to one security firm, even being brazen enough to put them up on eBay. It's hardly surprising to see hackers and malware writers searching for some remuneration for their efforts, particularly with the explosion in phishing, identity theft and other potenially lucrative crimes, and their dependence on staying a step ahead of security companies. What's slightly more interesting, though, is that many security companies themselves are shelling out for the vulnerabilities, under the guise of the greater good, but really getting the information to give themselves a head start in closing the vulnerabilities, and enhancing their products and reputation. Economists love to talk about the value of incentives in motivating people to particular behavior -- perhaps giving malware authors incentives to turn their work over to software developers or security companies isn't such a bad idea.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

50 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

unibomber, 14 Jul 2006 @ 11:13am

FINALLY lol
[ link to this | view in chronology ]
- Anonymous Coward, 14 Jul 2006 @ 11:29am
  
  Re:
  Suggestion to Techdirt: delete the first post.
  [ link to this | view in chronology ]
  - DittoBox, 14 Jul 2006 @ 12:54pm
    
    Re: Re:
    'nuff said. I'm getting tired of the "firstestist!" BS.
    
    Turn off anonymous comments and turn on registration and moderation.
    [ link to this | view in chronology ]
    - Anonymous Coward, 14 Jul 2006 @ 6:31pm
      
      Re: Re: Re:
      No. Just no.
      [ link to this | view in chronology ]
  - Anonymous Coward, 14 Jul 2006 @ 2:25pm
    
    Re: Re:
    Delete the fifth post!
    
    Oh yeah! I'm in for the 20th post!!!
    [ link to this | view in chronology ]
    - Wire Cramped, 14 Jul 2006 @ 2:57pm
      
      Re: Re: Re:
      Delete the 21st post!!!! woohoo!!!!
      [ link to this | view in chronology ]
  - satan, 14 Jul 2006 @ 11:19pm
    
    Re: Re:
    why
    [ link to this | view in chronology ]
  - Anonymous Coward, 15 Jul 2006 @ 12:17pm
    
    Re: Re:
    It mad me Simle. Your's did not.
    [ link to this | view in chronology ]
  - ioral, 16 Jul 2006 @ 9:59pm
    
    Re: Re:
    1. article has no comments
    2. someone posts
    3. first post gets deleted
    4. goto 2
    ???
    5. PROFIT!!!!
    [ link to this | view in chronology ]
Anon, 14 Jul 2006 @ 11:15am

good idea
Hey give the script kiddies something to do. It's a good idea. find a hole, get paid for it. Why not. If you have found something no one else has, and maybe the way to fix it as well, why not get paid for your work. And it keeps them from doing things they shouldn't be on other's servers.
[ link to this | view in chronology ]
Joe Bastedo, 14 Jul 2006 @ 11:22am

Profitability VS Responsibility
This brings up a whole new "gray area" in internet ethics. A person might look at this as rewarding people for unethical behaviour. I see it as rehabilitating these miscreants by giving them a viable place in the growing macrocosm which is the internet by using them to help "security companies...give themselves a head start in closing the vulnerabilities, and enhancing their products and reputation." I agree wholeheartedly with Carlo when he says "perhaps giving malware authors incentives to turn their work over to software developers or security companies isn't such a bad idea."
[ link to this | view in chronology ]
- phorcephield, 16 Jul 2006 @ 8:10pm
  
  Re: Profitability VS Responsibility
  im sorry but that grey area has always been there and always will be there is nothing "new" about it....
  [ link to this | view in chronology ]
CoderDude, 14 Jul 2006 @ 11:26am

That's the way (ah huh) I like it
Many times I have found certain exploits in several major software firms, but I never try to let the little script kiddies know about this. instead I always send them to the development teams of the companies. Many times in return they will give me free licensed software for my help in making their software better.
I probably have $20,000 in free legal software now and to me makes better sense to help the companies than some stupid loser high school kids that does not get it.
Find the flaw and work with the business is the only way to do it right, plus you get better "street cred" than those idiots out there.
[ link to this | view in chronology ]
- MetaLChurch, 14 Jul 2006 @ 11:54am
  
  Re: That's the way (ah huh) I like it
  Agreed.
  [ link to this | view in chronology ]
Dam, 14 Jul 2006 @ 11:32am

It's Not Renumeration
it's REMUNERATION

1. The act of remunerating.
2. Something, such as a payment, that remunerates.
[ link to this | view in chronology ]
- Mischa, 14 Jul 2006 @ 1:24pm
  
  Re: It's Not Renumeration
  LOL. Turns out I've been pronouncing the word wrong my whole life. It's amazing what you learn on techdirt. :-)
  [ link to this | view in chronology ]
  - Wire Cramped, 14 Jul 2006 @ 1:36pm
    
    Re: Re: It's Not Renumeration
    is is RENUMERATION if that is what you mean look here
    
    http://www.wsu.edu/~brians/errors/remuneration.html
    [ link to this | view in chronology ]
- Anonymous Coward, 14 Jul 2006 @ 1:43pm
  
  Re: It's Not Renumeration
  Renumeration:
  
  The act of numbering something that has already been numbered.
  [ link to this | view in chronology ]
Captain Howdy, 14 Jul 2006 @ 11:35am

not good...
I think all this will end up doing is allow the illicit programers to make some extra cash off of code they've already exploited for their own gain, and have sence lost an interest in/use for.

This is just another incentive to CONTINUE their deplorable practice. Though I suppose it does keep a lot of people employed.
[ link to this | view in chronology ]
- cjay, 14 Jul 2006 @ 11:47am
  
  Re: not good...
  If they have already exploited teh code before turning their 'results' in, they run the risk of identifying themselves as an exploiter. If real damage is caused they are going to be a suspect and greatly improved their chances of gettign caught. If you're gonna turn in the code, better have clean hands.
  [ link to this | view in chronology ]
Yakov, 14 Jul 2006 @ 11:49am

Make secure code
Make secure code MS. I'm a programmer myself, and I have to say that if I've had to make critical fixes to something on a regular basis, I'd get a stern talking to from my management, and would surely be out of a job very quickly. This is slopiness and laziness plain and simple. If MS products where so swiss cheesed, this would not be an issue.
[ link to this | view in chronology ]
- Vokay, 14 Jul 2006 @ 12:38pm
  
  Re: Make secure code
  Yakov,
  You may be a programer but have you ever created an OS? I would bet not .. and I'd bet that you haven't had to create a program that runs on the majority of PC's world wide. But I may be wrong you may be some super intellect that is able to predict the future.
  
  MS is easy to pick on simply because they are everywhere. They are everywhwere because the majority of people think their product is better than the competition.
  [ link to this | view in chronology ]
  - ubigcow, 16 Jul 2006 @ 6:46pm
    
    Re: Re: Make secure code
    "They are everywhwere because the majority of people think their product is better than the competition."
    
    True. No one CARES that they dont have secure software, exept people like me. That is because the majority of people are STUPID. (no offense stupid people)
    
    Smart people like me care. If more people were smart, and therefor cared, MS couldn't get by with they're bad software.
    [ link to this | view in chronology ]
Movie Viewer, 14 Jul 2006 @ 12:16pm

Catch Me if You Can
Isn't this simmilar to the Tom Hanks/Leo DiCaprio flick "cath me if you can"??

Leo's character forged checks, and the FBI was after him. Once they found him, they made them help detect bad checks, and develop ways to test new checks for vurnabilities. It is quite nice to see someone "turn around" and hopefully crime will stop in the future. here's to dreaming
[ link to this | view in chronology ]
Tashi, 14 Jul 2006 @ 12:45pm

Linux managed to make a more secure OS. Why in the world did MS make everything accessible to the kernal? XP is better in this regard and it began to resemble Linux's more segregated architecture, but to assume MS can compete simply on its own merits of being a good product is a serious stretch.
[ link to this | view in chronology ]
- PC Tech, 17 Jul 2006 @ 4:53am
  
  Re:
  When someone says that Linux is more secure, that comment always makes me laugh. Does anyone know the number of updates necessary to make linux "secure" this year. That number nearly quadruples MS's number. So more secure or less in your face, take your pick.
  [ link to this | view in chronology ]
  - Anonymous Coward, 17 Jul 2006 @ 11:03am
    
    Re: Re:
    What version/distro of linux in particular are you referring to? Sure, linux has a lot of updates but the vast majority of the updates are not security updates rather software bug fixes and such. Nothing near the amount of service packs and security updates MS has.
    [ link to this | view in chronology ]
Wire Cramped, 14 Jul 2006 @ 1:34pm

Ok back on topic
If I as a programmer make a program that can be exploited on purpose. What if I send the exploit info to anonymous coward who then says he found the exploit and gets paid from my management as a thank you???

Sounds like a new job to me! I agree dont pay them but reward them with a copy of the software. Gets them using it and doesnt make an industry out of it.

Stop the MS bashing I can show you time and again where *nix and MAC have security holes the size of MS campus. To sit and think for a moment that one OS is better then the next is retarded. ALL digital information that is secure can be hacked and all the same info that is not secure can be hacked if you think your Linux is safe I will personally send you to sites dedicated to hacking *nix as its even easier to do. MAC = LINUX ro WINDOWS so your last people who can speak now.
[ link to this | view in chronology ]
- Brian, 14 Jul 2006 @ 4:28pm
  
  Re: Ok back on topic
  I don't get paid for my security or alpha/beta-test work, however I usually do get to keep the software. Just counting single licenses, not multiple/unlimited licenses, I'm over the million dollar mark here and counting, although I certainly don't use it all on a daily basis. The work is challenging and, for me, fun.
  As for the bashing, I have to agree with an earlier poster. Among other things I'm a system engineer and have designed and written my own OS, database servers, and application suites over the last three decades. While no one has found a bug or security hole to date, it sure wasn't easy although coming from the mainframe world where zero defects is de rigueur sure helps. The design and mathematical validation easily took ten times longer than the actual coding and testing. So does the threat of federal time if you frag up {smile}. I do get to see the security notices march by day in and day out, naturally since systems security is one of my main focii these days. Windows is just a better target, so it gets most of the savaging. It also helps that the codebase for Linux is significantly smaller at the kernal level. Lastly, Windows incorporates a lot of applications into the OS that are not in Linux directly. Toss in Linux applications to the mix for vulnerabilities and the numbers get more comprable.
  Actually I get damned tired of this "my OS is better than your OS, nah, nah" BS. All of them are weak, Windows, Linux, and Mac, when it comes to overall (OS and applications) security. If I tried to get away with this crap when I was working for the government somebody would have died and they'd be considering whether it would be life in prison without the possiblity of parole or hanging.
  Ever wonder why there are life/nuclear critical exclusions in so many operating systems and applications license agreements? Your bug, you go to prison.
  [ link to this | view in chronology ]
  - ubigcow, 16 Jul 2006 @ 7:05pm
    
    Re: Re: Ok back on topic
    ok, mabey they are all unsafe............but that doesn't mean that it is acceptible.
    [ link to this | view in chronology ]
Sanguine Dream, 14 Jul 2006 @ 1:49pm

Good idea
I think it's a good idea to reward people that find exploits. What better way to protect against them? Thousands of users across the world have a better chance fully exploiting a product than the relatively small programming team that builds it. Kinda like in MMORPGs where the players are encouraged to report glitches (but I don't think there is a reward system).

But definitely don't offer money but instead free copies of the software. That why they know they are using a secure product (because they are one ones testing it) and it builds trust with that developer.

Only problem is if it became public (out in the open on the net) that you're doing this then you would treated as a narc.
[ link to this | view in chronology ]
Joe Snuffy, 14 Jul 2006 @ 3:09pm

nice
sounds like a good way to make money to me.
[ link to this | view in chronology ]
Mark, 14 Jul 2006 @ 5:31pm

Considering the, ah, WARM response you usually get when bringing a vulnerability to the responsible party's attention, I can't really blame someone for swinging the other way on this. I mean, we were telling the school district, in high school, the district's computer was at risk. All it got us was time in The Chair. If the people most able to correct a problem aren't interested in fixing it, only labeling you for a criminal, they deserve the consequences of their decision.
[ link to this | view in chronology ]
- ubigcow, 16 Jul 2006 @ 6:57pm
  
  Re: to marks comment
  I think They deserve the consiquences of they're actions, but not the rest of the population.
  
  that includes u
  [ link to this | view in chronology ]
Techdirt, 14 Jul 2006 @ 7:50pm

Delete post #26 as well, please.
[ link to this | view in chronology ]
fred mcmurry, 14 Jul 2006 @ 9:07pm

Cut off their hands
I think it's a great idea for these people to post themselves on eBay, or anywhere else. Now get somebody to find out where these people are, who they are, and cut off their hands, and jam them up their butts. These people are trash, they hurt many people, make life more difficult for all of us, could care less, even enjoy it. Five people get their hands cut off by some guy named Vinny and all the sudden being a dope doesn't seem like such a good idea.
[ link to this | view in chronology ]
Sean, 14 Jul 2006 @ 11:39pm

Well...
I've actually discovered a few faults with the Window OS myself. I almost always report them to Microsoft, even though I myself know I shouldn't. I think that if people have found flaws in something, do not create malware or bullshit like that, but rather find a way to fix it and then market that to major companies that still use Microsoft. It can be quite profitable.

But all in all, this selling malware shit on e-Bay is fucked. I think these auctions should be shut down and the owner of the account IP banned. Even though IP bans really dont do much anymore with Proxies.
[ link to this | view in chronology ]
Andrew Strasser, 14 Jul 2006 @ 11:52pm

It would help if we would step across borders on t
We need to boost up our overseas ability to stop would be havens for malicious activity to stop. A much more important agenda than muzik downloads anyway....

It has gotten out of control though I do agree that some credit should go to those who find glitches and fix the problems someone may be having.
[ link to this | view in chronology ]
Rob Maeurer, 15 Jul 2006 @ 2:36am

Reward those who find it and do not exploit it
These teenagers sit at their computers all day messing with Windows. They should get paid for their work as long as they do not publicly exploit the vulnerability. We all know some kid who does this all day. I plan on forwarding this newsletter to the kid I know who's geekier than me.
[ link to this | view in chronology ]
John Bamford, 15 Jul 2006 @ 6:28am

Spelling....
Interesting article. Surprised spell check didn't pick up "renumeration" as there is no such word. "Remuneration" is correct term. Picky I know but when you publish we look at it all.
[ link to this | view in chronology ]
unibomber, 15 Jul 2006 @ 1:55pm

im gay !!
[ link to this | view in chronology ]
kilroy, 15 Jul 2006 @ 5:43pm

yes we need to hold people accountable
... but according to the laws of which Country or State? How should we determine whos laws are the most just. And once we determine the criteria ... there can be only one punnishment DEATH!

If the punishment were anything less it would not be serrious enough. However if Joe Script Kiddie or Bob Anonymous Hacker thought he was gonna fry for being a little bass turd would they be so willing to take their shot? Or would they find a new hobby or maybe get a real job ...
[ link to this | view in chronology ]
Johan, 15 Jul 2006 @ 7:41pm

Did you change the headline of this article?
Didn't this article used to have this headline?

When They Said "Get It On eBay", I Doubt This Is What They Meant

I just thought it's kinda odd to see this changed without any note on the page...
[ link to this | view in chronology ]
Anonymous Coward, 15 Jul 2006 @ 8:57pm

Post 36
I agree with that 36. When THey Said doesn't make sense
[ link to this | view in chronology ]
- Mackie928, 16 Jul 2006 @ 8:04pm
  
  Re: Post 36
  Have you heard or seen the old Ebay ads.."Get it on Ebay? It refers to the old ad, that you can get just about anything on Ebay.
  [ link to this | view in chronology ]
gaurav, 15 Jul 2006 @ 10:52pm

g
ad
[ link to this | view in chronology ]
Ordinator, 16 Jul 2006 @ 8:49am

Is this a Joke?
and what's with the sub headline:

"from the W32.this-space-for-rent.P@mm dept"
[ link to this | view in chronology ]
Tek'a, 16 Jul 2006 @ 12:18pm

and what's with the sub headline:

"from the W32.this-space-for-rent.P@mm dept"

oh noez, teh scriptoz kidde1s f0und us
[ link to this | view in chronology ]
Mackie928, 16 Jul 2006 @ 8:13pm

Tek'a & Ordinator...
About the sub headline. When new exploits are found most anti-virus software makers give the exploits a name. Something that reflects the OS that it targets...W32. Then the exploit name...this-space-for-rent. Then I think it's the version...P@mm( this would P mutation or verison or such).
[ link to this | view in chronology ]
hee haw, 16 Jul 2006 @ 8:50pm

Sounds like one of the kiddies is about to rat them out for doing this anyway under the table. So they are gonna try and bring it above board. Most of whats out their has been secretly sponsored by these same companies to keep them in biz.
[ link to this | view in chronology ]