posted on Mar, 30 2012 @ 06:52 PM
The Electronic Frontier Foundation has written how large security companies seek to find the latest "zero-day" exploits for computer operating
systems and Web browsers, which they then sell to leading governments and corporations for use as a 'spyware vector'.
The article is based on a Forbes magazine article:
Zero-Days: A Price List For Hackers' Secret Software Exploits
They find that the biggest security researcher engaged in this market is VUPEN, a French company. They discuss how they do not want these exploits
patched or even exposed, as their goal is to sell these to various governments who use them to install spyware on their citizens.
The article is here:
“Zero-day” exploit sales should be key
point in cybersecurity debate
“We wouldn’t share this with Google for even $1 million,” said VUPEN founder Chaouki Bekrar. “We don’t want to give them any knowledge
that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.” VUPEN, which also “pwned”
Microsoft’s Internet Explorer, bragged it had an exploit for “every major browser,” as well as Microsoft Word, Adobe Reader, and the Google
Android and Apple iOS operating systems.
While VUPEN might be the most vocal, it is certainly not the only company selling high-tech weaponry on the zero-day exploit market. Established U.S.
companies Netragard, Endgame, Northrop Grumman, and Raytheon are also in the business, according to Greenberg. He has also detailed a price list for
various zero-day exploits, with attacks for popular browsers selling for well over $100,000 each and an exploit for Apple’s iOS going for a quarter
A friend of mine sent me a link to the EFF article, he works for Rockwell Intl., which makes components for the US space program, among other things.
He tells me that he and his technology-related co-workers are often receiving (via mail and/or email) "bounty's" on any vulnerability they may
find. I guess the idea is instead of fixing them, they would sell them to these security firms, which would in turn then sell them to governments or
corporations to be exploited. A pretty despicable business model IMO.
Related article from EFF:
Dangerously Vague Cybersecurity Legislation Threatens Civil