As long as there's software, that software will have security holes, and some people will pay money to find those holes. It's called the exploit trade, and it's one of the most misunderstood corners of the tech world. The right exploit can bring in a small fortune, and the people trading tend to be very secretive about who they're selling to. Whenever a new exploit pops up, like this week's newly discovered flaw in Java 7, the traders tend to show up in the press as the tech world equivalent of globe-trotting supervillains — rich, powerful, and living only to torment the upstanding developers of the world. Naturally, the truth is a bit more complex.
To clear the air, Buzzfeed caught up with Adriel Desautels, CEO of the security firm Netragard and occasional exploit trader, to explain why what he does isn't harmful — even if it could use a little more regulation. Here's what we learned.
It Always Has To Be Legal
We're in the business of protection. Whether you're a company or you're a public sector company, we protect people from threats. And in order for us to do what we're doing, it has to be legal. This market must be legitimate and it must be something that can be done ethically and within the confines of the law.
Your Computer Is the Most Dangerous Thing You Own
Think about this: If I go out and buy a brand new MacBook Pro or whatever, that computer can be used to do far more dangerous things than any single exploit. I can commit fraud. I can launch phishing attacks. I can write as many exploits as I want. I can launch denial-of-service conditions. I can control a botnet. I can steal credit-card information. I can run illegal porn rings or human trafficking or god knows what. You name it. It's limitless. With a laptop computer. But people don't sit there saying, "Oh my God, laptops are so dangerous, computers are so dangerous," because they know what computers can be used for. The reason people fear exploits is because they don't have a clue.
Most Malware Doesn't Use Exploits
People often think that the zero-day market somehow plays into malware and it does not and here's why. In 2011, only 6% of malware used any general kind of exploit. That means that over 90% of malware used socially augmented apps or social engineering to exploit human vulnerability. You've heard of the "ILOVEYOU" virus? If you think about what "ILOVEYOU" did, "ILOVEYOU" exploited human vulnerability. It took advantage of their stupidity. People said "oh my god, somebody wrote me a love letter" and then boom. Compromised. And then the first 50 people in my address book got the same thing. "Oh look at that, a love letter." I think it was something like 5 days and 10 million compromises. What does that say? There were zero exploits involved in that.
Here's another one: In 2011, 0.12% of all compromises were attributed to zero-day exploits. 99.88% of compromises were attributed to known vulnerabilities. 90% were attributed to vulnerabilities that were known for more than one year. So the real issue is, people are not protecting themselves from the current and the known vulnerabilities.
Be Careful Who You Sell To
Imagine if we sold a vulnerability to China for a SCADA system that affected nuclear power plants, and six months later there was a nationwide blackout. And somehow, the nationwide blackout was traced back to China, and the vulnerability that we sold to China was traced back to us. Imagine the blowback from that. That's just irresponsible. Ridiculous. That's what it appears VUPEN is doing. VUPEN and all these other guys, they'll sell to anybody they think is on the right side, and they're not concerned about the blowback. They're concerned about the dollars.
[For the record, VUPEN's official policy is to sell only to NATO member states. Netragard sells only within the United States.]
They're Always Shopping
[When we're buying] We provide developers with a list and we say, "these things are interesting. If you have anything that's on this list, then let us know because we'll probably buy it off you." So what usually happens is, somebody finds a zero-day we're looking for and they'll approach us, then we get them registered and vetted. The offer will either come from us or it'll come from a buyer that we're working with, depending on what the thing is.
There's a Thin Line Between a Good Pitch and Extortion
The issue is, we cannot approach software vendors because they will come after us saying, "you're trying to extort us." And we've seen that happen before. They will be hostile if we try to approach them, if we say, "hey, we found this awesome flaw in your technology, but we're not going to give it to you. You have to buy it off of us." We can't do that. Not legally. It would be cool if we could do it ethically and responsibly and say, "this exists; we'd like to sell it to you." But we can't do that because it's their technology and there's all kinds of blurred lines there.
You have to be airtight because there are no real laws around this. The laws that do apply aren't written for this. If you think about it, the Digital Millenium Copyright Act, that's a copyright law. That's designed to protect publisher's information and software and stuff like that. And yet people try to apply that to research. It doesn't apply. There are no laws around this. There are only lawyers who are trying to bend laws to make it fit.
They're Selling Bullets
It's my opinion that people who do what we're doing should have a license, and in order to get that license you should have to prove to some body that you are doing this ethically and responsibly within the confines of the law and with minimal risk of blowback. I hate using this analogy but it's as if we're selling bullets and any computer is the gun.
There's Always More Money In Evil
The sad truth is, there is a lot of money to be made here and if you do it illegitimately, you can make even more money. You can sell to the black market. You can sell to foreign governments. You can sell to terrorists and criminals. You can buy one exploit off a researcher and then sell it to 50 different people for $100,000 a pop, and all of a sudden you've made a killing. But it's not ethical, and no amount of money is worth risking my own family, my own security, my safety.