The trade in security exploits: Free speech or weapons in need of regulation?
Christopher Soghoian
Presentation to VB2012, Sept 26, 2012
First: a disclaimer
These opinions are my own, and do not reflect the official position of the ACLU.
(I've only been there 3 weeks)
“The government official said he was not allowed to name a price, but that I should make an offer.
And when I [set a price of $80k], he said OK, and I thought, 'Oh man, I could have gotten a lot more.'”
- Charlie Miller, Interview with SecurityFocus, 2007
“I don't think it fair that researchers don't have the information and contacts they need to sell
their research.”
- Charlie Miller, Interview with SecurityFocus, 2007
“Legit” bug sale options in ‘99: Vendor bounties
$500 $500-1337
“Legit” bug sale options in ‘99: subscription services
$500 – $20,000
Community debate:
Responsible disclosure vs. full disclosure
Alex Sotirov and Dino Dai Zovi, CanSecWest, 2009
“Vendors have been getting a freebie for a while, why would I want to sit down and volunteer to
find a bug in someone’s browser when it’s a nice, sunny day outside?”
- Dino Dai Zovi, Interview with SC Magazine, 2009
What was “No More Free Bugs” really about?
Google and Microsoft will never be able to outbid the US Government.
Fast forward: 2012
He says he takes a 15% commission on sales and is on track to earn more than $1 million from the
deals this year.
“I refuse to deal with anything below mid-five-figures these days,” he says.
- The Grugq, quoted in Forbes, March 2012
Chaouki Bekrar and the VUPEN team
“We wouldn’t share this with Google for even $1 million.
We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”
- Chaouki Bekrar, Interview with Forbes, Mar 2012
“We don’t work as hard as we do to help multibillion-dollar software companies make their code secure.”
“If we wanted to volunteer, we’d help the homeless.”
- Chaouki Bekrar, Interview with Forbes, Mar 2012
NATO Partners include:
Azerbaijan, Turkmenistan, Egypt, Morocco, Qatar and Pakistan.
ASEAN Members include:
Indonesia, Burma and Vietnam.
Simultaneous developments elsewhere
Martin J. Muench
Gamma Group sells FinSpy to governments only to monitor criminals and it is frequently used
“against pedophiles, terrorists, organized crime, kidnapping and human trafficking.”
- Martin Muench, New York Times interview, Aug 2012
Australia, Bahrain, Brunei, Czech Republic, Estonia, Ethiopia, Indonesia, Qatar, Latvia,
Mongolia, the Netherlands, Turkmenistan, United Arab Emirates and United States.
The exploit and surveillance industry has a bit of an image problem.
The first rule of exploit selling is:
Others keep talking though.
“I do it for money, because I like it, and because most of the time I don't need to wear pants. I spend approximately no seconds of any day
worrying about the imaginary ethical implications of every little thing I do, and I am not particularly
unique.”
- Ben Nagy, post to ‘dailydave’, 2012
“Given that a can of fizzy drink or a car battery can be abused and used as an implement of torture it is of no surprise to anyone if our
products can be abused too.”
- Martin Muench, email interview with ABC Radio (Australia), September 2012.
Regulate sales of exploits = Limit freedoms
Politicians will take an interest in exploit sales and call for regulation
“I think that the zero-day exploit market should be regulated. We're selling bullets and computers
are the guns, there's no doubting that.”
- Adriel Desautels, post to ‘dailydave’, August 2012
If the industry wants to avoid regulation, it needs to regulate itself.
If the Grugq remains the poster child for the industry, the response from Washington DC
and Brussels will not be pretty.