
I wonder if there's a way to use civil legal proceedings to punish these exploit-trading firms. Maybe class action lawsuit representing victims of these exploits.



The government is gonna shut down its own favorite means of acquiring 0days?


Well, be that as it may, but the judiciary is generally independent. Inferring political meddling in courts is a rather speculative territory.


You'll have about as much luck as suing Glock for gun violence.


Well, guns are very generic. This is highly targeted. You can't pretend you just "bought this exploit for defense purposes".


Code is not considered to be a weapon by law in most countries. As soon as their country rules this, it's easy enough just to migrate to a region that doesn't care. This won't be stopped any time soon since all countries would need to adopt these laws in one go for it to be effective... yay interwebz :)

On another note, I think it's silly people try to exploit apps on phones when it's well known how to access any device via SIM card and/or LTE chips >.> can just take screenshots of conversations, no need for decryption. >.> guess they like flushing money down the toilet lol.


You can just as easily claim you bought an exploit for non-directly-offensive purposes.


Such as?


Red team training, developing countermeasures and signatures, researching attack heuristics, and if "counter hacking" will ever be legalized (which there is some push to do so) then in the same manner as owning a gun legally shooting back.


Fair enough.


Also FYI, probably the first large-scale broker of exploits was TippingPoint/HP (I don't remember if this thing started before or after HP acquired TippingPoint). They would buy exploits, develop signatures for their IPS products, then notify the vendors of the affected products and later disclose the vulnerability to the public. http://www.zerodayinitiative.com


why? Why would you want to punish the capitalist levers to ensure these products stay on their toes?!


What prevents the developers from building their own exploits for an easy retirement?


Being sued to death and possibly being hit with criminal charges as well.

If you are in a position to successfully (as in get your code reviewed, accepted, promoted and deployed) backdoor a product that is big enough to qualify for a bug bounty of even $100,000, you are going to be paid well enough for the risk not to be worthwhile.


This is correct.


As bad as these things are, you wouldn't want them to be illegal.


Why?


You cannot effectively ban market activity, see war on drugs. Only this time it's even more difficult because no physical goods are involved.

Also such prices are a good indicator of app security, you'd only want apps whose exploits cost north of "pocket money for a state actor", so IMO > 100 mn?!


> You cannot effectively ban market activity, see war on drugs.

I'm not saying you can ban market activity perfectly, but legalization certainly makes things easier, lowers prices, and increases activity.

> Also such prices are a good indicator of app security

Are they? Surely the price reflects the value of the exploit?

This would, to a much greater extent, reflect the user base of the app (high variation) than its relative security (lower variation; though the two would have an interactive effect). The larger the user base of the app the better, though more wealthy and insecure users (e.g. rich retirees) would have more value to criminals, whereas politically engaged young people would have much more value to governments and spies. I would think that the price would be a pretty noisy/poor indicator of the security of the app, relative to the user base.


> but legalization certainly makes things easier, lowers prices, and increases activity.

I agree partially that the fear of being caught is a disincentive. However, higher prices make fewer people buy it but more people offer it. In a way, illegal drugs, with their high potential profits (due to higher risk), attract more dealers (and fewer consumers). This again puts pressure on the risk premium, so consumers benefit from more supply. So high prices are not really a solution IMO.

> price reflects the value of the exploit

I think it reflects both the reach (~ number of users weighted by their wealth and gullibility) and the "safety" (an open-source app, audited by some well-known company, vs. some prototype closed-source app). Since the reach can be reasonably estimated, the safety can IMO also be estimated (as price / estimated reach). I am pretty sure we should not try to agree on a clear metric, but I personally would find that info useful when choosing e.g. a messenger app or some piece of hardware (say a router).


Maybe because it increases the security significantly. Say a large government pays top $ for an exploit. Chances are pretty good that the vast majority of the black hats on the planet will not have it.

Additionally publicity generates incentive to fix the problem. More apps/OSs/libraries will try harder to be secure. Apps could start wearing high exploit bounties as badges of honor.

Much like how ransomware has likely done more to increase security and change user behavior than an infinite amount of suggested security training. Some users even (gasp) ask about how to protect against ransomware and, as a side benefit, actually protect against mistakes, dying disks, and other flavors of malware at the same time.

Seems better to trot this kind of stuff out in the open than to hide your head in the sand and try to hide security problems from the public.


But why incentivize the weakening of secure systems? I honestly don't think that black hat hackers would find much utility in cracking an app like Signal (except maybe for street cred). Relatively few of its users would be "soft targets" in terms of susceptibility to phishing, social engineering, weak passwords, lack of 2FA, etc.

Governments on the other hand would pay lots of money to increase their mass surveillance capabilities. Signal users are disproportionately young, sophisticated, and politically engaged.

Given that Signal's budget is raised from donations and grants, and is much more fixed than an open market to undermine it, how would such a market incentivize them to increase funding on security? It's already their top priority.


> But why incentivize the weakening of secure systems?

Are you suggesting that the developers would put in a vulnerability on purpose, in order to sell it and collect the payoff?

Because, short of that, I can't see how exploit trading incentivises weakening of systems. It just incentivises people to find weaknesses.


That's what first-party bug bounty programs do now.

The extra thing that a free market does is incentivises people to find weaknesses and sell them so that they can be maliciously exploited. When vulnerabilities are exploited instead of patched, secure systems are by definition weaker.


Probably not.

