
Software Vulnerability Auction Stokes Researchers

Last week, a number of news outlets spotlighted a Swiss Internet start-up -- curiously named "WabiSabiLabi" (pronounced "wobby-sobby-lobby") -- that is trying to establish an eBay-style auction site for software security vulnerabilities. I held off on covering this important story because I wanted to gauge the level of interest from members of the security research community. Today, washingtonpost.com ran a story I wrote that presents some of their reactions to the new service.

Some recent news, incorporated into the story, shows that some in the research community are already injecting creative disruption into the nascent marketplace:

"Ironically, one inherent threat to each seller and to the auction house itself is the information contained in WabiSabiLabi's listings. Within hours of posting basic details about the four flaws on its auctions page, hackers on two different security research forums claimed to have located two of the vulnerabilities up for auction, posting computer code to back up their claims.

"[WSLabi CEO] Zampariolo confirmed that one of the vulnerabilities publicly reported by researchers indeed was the exact same as a flaw being auctioned on the site -- a bug in an add-on component of an open source e-mail application called "SquirrelMail" -- and that it had since been patched by the vendor. However, he said the site is preparing to start an auction on a new flaw found in the newest, patched version of SquirrelMail.

"The second auction researchers claimed to have foiled was instructions for exploiting a known vulnerability in the Linux operating system. The instructions hackers posted online for exploiting that flaw were similar to the exploit currently up for auction, WabiSabiLabi technicians told washingtonpost.com in an e-mail.

"The company is touting both incidents as an example of how their service will serve to make software users safer in the long run."

Read more: Site Plans to Sell Hacks to Highest Bidder.

By Brian Krebs  |  July 12, 2007; 9:00 PM ET

Comments

Not so curiously named -- http://en.wikipedia.org/wiki/Wabi-sabi

Posted by: Aneel | July 13, 2007 10:27 AM | Report abuse

I doubt they are going to add anything of great value. There are so many exploits now that the only thing you should do is adopt a policy of default deny / don't install, and allow / install only what is absolutely necessary. See Marcus Ranum's "Six Dumbest Ideas". Every time you fall for them you get whacked. SquirrelMail? I don't use it. There are thousands more apps in the same category. I wish them well.

Posted by: hhhobbit | July 15, 2007 9:42 PM | Report abuse

This just highlights the root problem with the software development industry -- the ability to blinker ourselves into believing that although security vulnerabilities (and indeed other kinds of consumer-impacting bugs) are bad, they're not bad enough to force practice change in the people creating the software itself.

Why is it acceptable for companies to be putting software on the shelves (albeit virtual shelves) that haven't been through rigorous attack reviews?

OK, so I'm not an impartial reviewer (I'm the CTO of Klocwork, a company in the static analysis space that provides for a level of automated security and quality review), but it just strikes me as asinine that we would continue to allow caveat emptor to rule the world of software purchase and use, when software is so critical to everything we do.

"Don't install package X" might be a completely valid approach for the knowledgeable (let's face it, there's a ton of stuff I refuse to install), but instead of causing the industry to wake up and smell the coffee, it's still inviting the kind of elitist nonsense you see shown by the commenter above. It might be dumb to install known-broken software, but why is it acceptable for that software to have been released in its fundamentally broken form? This isn't just "oh, it doesn't work"... it's "use it and your PC is toast." That's not a problem for the consumer, it's a fundamental liability on the part of the producer, and in any other sector that producer would be in court right quick.

Posted by: Gwyn Fisher | July 18, 2007 12:10 PM | Report abuse

Really, I don't think that it will work; such problems have been in the software development industry for ages.
http://alierra-software.com/services.html

Posted by: Sally, project manager | August 28, 2007 12:03 PM | Report abuse


© 2010 The Washington Post Company