When They Said "Get It On eBay", I Doubt This Is What They Meant

from the W32.this-space-for-rent.P@mm dept

The idea of using security exploits to make some cash certainly isn't anything new -- online extortion schemes have been fairly popular, even if script kiddies are killing the margins. But apparently discovering security vulnerabilities and selling them off to the highest bidder is a growth industry, according to one security firm, with sellers even being brazen enough to put them up on eBay. It's hardly surprising to see hackers and malware writers searching for some remuneration for their efforts, particularly with the explosion in phishing, identity theft and other potentially lucrative crimes, and their dependence on staying a step ahead of security companies. What's slightly more interesting, though, is that many security companies themselves are shelling out for the vulnerabilities, under the guise of the greater good, but really getting the information to give themselves a head start in closing the vulnerabilities, and enhancing their products and reputation. Economists love to talk about the value of incentives in motivating people to particular behavior -- perhaps giving malware authors incentives to turn their work over to software developers or security companies isn't such a bad idea.



Reader Comments



  • unibomber, 14 Jul 2006 @ 11:13am

    FINALLY lol

  • Anon, 14 Jul 2006 @ 11:15am

    good idea

    Hey, give the script kiddies something to do. It's a good idea. Find a hole, get paid for it. Why not? If you have found something no one else has, and maybe the way to fix it as well, why not get paid for your work? And it keeps them from doing things they shouldn't be doing on others' servers.

  • Joe Bastedo, 14 Jul 2006 @ 11:22am

    Profitability VS Responsibility

    This brings up a whole new "gray area" in internet ethics. A person might look at this as rewarding people for unethical behaviour. I see it as rehabilitating these miscreants by giving them a viable place in the growing macrocosm which is the internet by using them to help "security companies...give themselves a head start in closing the vulnerabilities, and enhancing their products and reputation." I agree wholeheartedly with Carlo when he says "perhaps giving malware authors incentives to turn their work over to software developers or security companies isn't such a bad idea."

    • phorcephield, 16 Jul 2006 @ 8:10pm

      Re: Profitability VS Responsibility

      I'm sorry, but that grey area has always been there and always will be; there is nothing "new" about it....

  • CoderDude, 14 Jul 2006 @ 11:26am

    That's the way (ah huh) I like it

    Many times I have found certain exploits in several major software firms' products, but I never try to let the little script kiddies know about this. Instead I always send them to the development teams of the companies. Many times in return they will give me free licensed software for my help in making their software better.
    I probably have $20,000 in free legal software now, and to me it makes better sense to help the companies than some stupid loser high school kids who do not get it.
    Finding the flaw and working with the business is the only way to do it right, plus you get better "street cred" than those idiots out there.

  • Dam, 14 Jul 2006 @ 11:32am

    It's Not Renumeration

    it's REMUNERATION

    1. The act of remunerating.
    2. Something, such as a payment, that remunerates.

  • Captain Howdy, 14 Jul 2006 @ 11:35am

    not good...

    I think all this will end up doing is allowing the illicit programmers to make some extra cash off of code they've already exploited for their own gain, and have since lost an interest in/use for.

    This is just another incentive to CONTINUE their deplorable practice. Though I suppose it does keep a lot of people employed.

    • cjay, 14 Jul 2006 @ 11:47am

      Re: not good...

      If they have already exploited the code before turning their 'results' in, they run the risk of identifying themselves as an exploiter. If real damage is caused they are going to be a suspect and have greatly improved their chances of getting caught. If you're gonna turn in the code, better have clean hands.

  • Yakov, 14 Jul 2006 @ 11:49am

    Make secure code

    Make secure code, MS. I'm a programmer myself, and I have to say that if I had to make critical fixes to something on a regular basis, I'd get a stern talking to from my management, and would surely be out of a job very quickly. This is sloppiness and laziness, plain and simple. If MS products weren't so Swiss-cheesed, this would not be an issue.

    • Vokay, 14 Jul 2006 @ 12:38pm

      Re: Make secure code

      Yakov,
      You may be a programmer, but have you ever created an OS? I would bet not .. and I'd bet that you haven't had to create a program that runs on the majority of PCs worldwide. But I may be wrong; you may be some super intellect that is able to predict the future.

      MS is easy to pick on simply because they are everywhere. They are everywhere because the majority of people think their product is better than the competition.

      • ubigcow, 16 Jul 2006 @ 6:46pm

        Re: Re: Make secure code

        "They are everywhere because the majority of people think their product is better than the competition."

        True. No one CARES that they don't have secure software, except people like me. That is because the majority of people are STUPID. (no offense, stupid people)

        Smart people like me care. If more people were smart, and therefore cared, MS couldn't get by with their bad software.

  • Movie Viewer, 14 Jul 2006 @ 12:16pm

    Catch Me if You Can

    Isn't this similar to the Tom Hanks/Leo DiCaprio flick "Catch Me If You Can"??

    Leo's character forged checks, and the FBI was after him. Once they found him, they made him help detect bad checks, and develop ways to test new checks for vulnerabilities. It is quite nice to see someone "turn around" and hopefully crime will stop in the future. Here's to dreaming.

  • Tashi, 14 Jul 2006 @ 12:45pm

    Linux managed to make a more secure OS. Why in the world did MS make everything accessible to the kernel? XP is better in this regard and it began to resemble Linux's more segregated architecture, but to assume MS can compete simply on its own merits of being a good product is a serious stretch.

    • PC Tech, 17 Jul 2006 @ 4:53am

      Re:

      When someone says that Linux is more secure, that comment always makes me laugh. Does anyone know the number of updates necessary to make Linux "secure" this year? That number nearly quadruples MS's number. So more secure or less in your face, take your pick.

      • Anonymous Coward, 17 Jul 2006 @ 11:03am

        Re: Re:

        What version/distro of Linux in particular are you referring to? Sure, Linux has a lot of updates, but the vast majority of the updates are not security updates but rather software bug fixes and such. Nothing near the amount of service packs and security updates MS has.

  • Wire Cramped, 14 Jul 2006 @ 1:34pm

    Ok back on topic

    If I, as a programmer, make a program that can be exploited on purpose, what if I send the exploit info to Anonymous Coward, who then says he found the exploit and gets paid by my management as a thank you???

    Sounds like a new job to me! I agree: don't pay them, but reward them with a copy of the software. Gets them using it and doesn't make an industry out of it.

    Stop the MS bashing. I can show you time and again where *nix and MAC have security holes the size of the MS campus. To sit and think for a moment that one OS is better than the next is retarded. ALL digital information that is secure can be hacked, and all the same info that is not secure can be hacked. If you think your Linux is safe, I will personally send you to sites dedicated to hacking *nix, as it's even easier to do. MAC = LINUX or WINDOWS, so you're the last people who can speak now.

    • Brian, 14 Jul 2006 @ 4:28pm

      Re: Ok back on topic

      I don't get paid for my security or alpha/beta-test work, however I usually do get to keep the software. Just counting single licenses, not multiple/unlimited licenses, I'm over the million dollar mark here and counting, although I certainly don't use it all on a daily basis. The work is challenging and, for me, fun.

      As for the bashing, I have to agree with an earlier poster. Among other things I'm a system engineer and have designed and written my own OS, database servers, and application suites over the last three decades. While no one has found a bug or security hole to date, it sure wasn't easy, although coming from the mainframe world where zero defects is de rigueur sure helps. The design and mathematical validation easily took ten times longer than the actual coding and testing. So does the threat of federal time if you frag up {smile}. I do get to see the security notices march by day in and day out, naturally, since systems security is one of my main foci these days. Windows is just a better target, so it gets most of the savaging. It also helps that the codebase for Linux is significantly smaller at the kernel level. Lastly, Windows incorporates a lot of applications into the OS that are not in Linux directly. Toss in Linux applications to the mix for vulnerabilities and the numbers get more comparable.

      Actually I get damned tired of this "my OS is better than your OS, nah, nah" BS. All of them are weak, Windows, Linux, and Mac, when it comes to overall (OS and applications) security. If I tried to get away with this crap when I was working for the government somebody would have died and they'd be considering whether it would be life in prison without the possibility of parole or hanging.

      Ever wonder why there are life/nuclear critical exclusions in so many operating systems and applications license agreements? Your bug, you go to prison.

      • ubigcow, 16 Jul 2006 @ 7:05pm

        Re: Re: Ok back on topic

        ok, maybe they are all unsafe............but that doesn't mean that it is acceptable.

  • Sanguine Dream, 14 Jul 2006 @ 1:49pm

    Good idea

    I think it's a good idea to reward people that find exploits. What better way to protect against them? Thousands of users across the world have a better chance of fully exploiting a product than the relatively small programming team that builds it. Kinda like in MMORPGs where the players are encouraged to report glitches (but I don't think there is a reward system).

    But definitely don't offer money but instead free copies of the software. That way they know they are using a secure product (because they are the ones testing it) and it builds trust with that developer.

    Only problem is if it became public (out in the open on the net) that you're doing this, then you would be treated as a narc.

  • Joe Snuffy, 14 Jul 2006 @ 3:09pm

    nice

    sounds like a good way to make money to me.

  • Mark, 14 Jul 2006 @ 5:31pm

    Considering the, ah, WARM response you usually get when bringing a vulnerability to the responsible party's attention, I can't really blame someone for swinging the other way on this. I mean, we were telling the school district, in high school, the district's computer was at risk. All it got us was time in The Chair. If the people most able to correct a problem aren't interested in fixing it, only labeling you for a criminal, they deserve the consequences of their decision.

    • ubigcow, 16 Jul 2006 @ 6:57pm

      Re: to marks comment

      I think they deserve the consequences of their actions, but not the rest of the population.

      that includes u

  • Techdirt, 14 Jul 2006 @ 7:50pm

    Delete post #26 as well, please.

  • fred mcmurry, 14 Jul 2006 @ 9:07pm

    Cut off their hands

    I think it's a great idea for these people to post themselves on eBay, or anywhere else. Now get somebody to find out where these people are, who they are, and cut off their hands, and jam them up their butts. These people are trash, they hurt many people, make life more difficult for all of us, could care less, even enjoy it. Five people get their hands cut off by some guy named Vinny and all the sudden being a dope doesn't seem like such a good idea.

  • Sean, 14 Jul 2006 @ 11:39pm

    Well...

    I've actually discovered a few faults with the Windows OS myself. I almost always report them to Microsoft, even though I myself know I shouldn't. I think that if people have found flaws in something, do not create malware or bullshit like that, but rather find a way to fix it and then market that to major companies that still use Microsoft. It can be quite profitable.

    But all in all, this selling malware shit on eBay is fucked. I think these auctions should be shut down and the owner of the account IP banned. Even though IP bans really don't do much anymore with proxies.

  • Andrew Strasser, 14 Jul 2006 @ 11:52pm

    It would help if we would step across borders on t

    We need to boost up our overseas ability to stop would-be havens for malicious activity. A much more important agenda than music downloads anyway....

    It has gotten out of control, though I do agree that some credit should go to those who find glitches and fix the problems someone may be having.

  • Rob Maeurer, 15 Jul 2006 @ 2:36am

    Reward those who find it and do not exploit it

    These teenagers sit at their computers all day messing with Windows. They should get paid for their work as long as they do not publicly exploit the vulnerability. We all know some kid who does this all day. I plan on forwarding this newsletter to the kid I know who's geekier than me.

  • John Bamford, 15 Jul 2006 @ 6:28am

    Spelling....

    Interesting article. Surprised spell check didn't pick up "renumeration" as there is no such word. "Remuneration" is the correct term. Picky I know, but when you publish we look at it all.

  • unibomber, 15 Jul 2006 @ 1:55pm

    im gay !!

  • kilroy, 15 Jul 2006 @ 5:43pm

    yes we need to hold people accountable

    ... but according to the laws of which Country or State? How should we determine whose laws are the most just? And once we determine the criteria ... there can be only one punishment: DEATH!

    If the punishment were anything less it would not be serious enough. However, if Joe Script Kiddie or Bob Anonymous Hacker thought he was gonna fry for being a little bass turd, would they be so willing to take their shot? Or would they find a new hobby or maybe get a real job ...

  • Johan, 15 Jul 2006 @ 7:41pm

    Did you change the headline of this article?

    Didn't this article used to have this headline?

    When They Said "Get It On eBay", I Doubt This Is What They Meant

    I just thought it's kinda odd to see this changed without any note on the page...

  • Anonymous Coward, 15 Jul 2006 @ 8:57pm

    Post 36

    I agree with that, 36. "When They Said" doesn't make sense.

    • Mackie928, 16 Jul 2006 @ 8:04pm

      Re: Post 36

      Have you heard or seen the old eBay ads, "Get it on eBay"? It refers to the old ad, that you can get just about anything on eBay.

  • gaurav, 15 Jul 2006 @ 10:52pm

    g

    ad

  • Ordinator, 16 Jul 2006 @ 8:49am

    Is this a Joke?

    and what's with the sub headline:

    "from the W32.this-space-for-rent.P@mm dept"

  • Tek'a, 16 Jul 2006 @ 12:18pm

    and what's with the sub headline:

    "from the W32.this-space-for-rent.P@mm dept"

    oh noez, teh scriptoz kidde1s f0und us

  • Mackie928, 16 Jul 2006 @ 8:13pm

    Tek'a & Ordinator...
    About the sub headline. When new exploits are found, most anti-virus software makers give the exploits a name. Something that reflects the OS that it targets...W32. Then the exploit name...this-space-for-rent. Then I think it's the version...P@mm (this would be P mutation or version or such).

  • hee haw, 16 Jul 2006 @ 8:50pm

    Sounds like one of the kiddies is about to rat them out for doing this anyway under the table. So they are gonna try and bring it above board. Most of what's out there has been secretly sponsored by these same companies to keep them in biz.

