Governments and Security Companies Conspire to Hide Spyware Exploits

The Electronic Frontier Foundation has written how large security companies seek to find the latest "zero-day" exploits for computer operating systems and Web browsers, which they then sell to leading governments and corporations for use as a 'spyware vector'.

The article is based on a Forbes magazine article:
Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits

They find that the biggest security researcher engaged in this market is VUPEN, a French company. They discuss how they do not want these exploits patched or even exposed, as their goal is to sell these to various governments who use them to install spyware on their citizens.

The article is here:
“Zero-day” exploit sales should be key point in cybersecurity debate

“We wouldn’t share this with Google for even $1 million,” said VUPEN founder Chaouki Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.” VUPEN, which also “pwned” Microsoft’s Internet Explorer, bragged it had an exploit for “every major browser,” as well as Microsoft Word, Adobe Reader, and the Google Android and Apple iOS operating systems.

While VUPEN might be the most vocal, it is certainly not the only company selling high-tech weaponry on the zero-day exploit market. Established U.S. companies Netragard, Endgame, Northrop Grumman, and Raytheon are also in the business, according to Greenberg. He has also detailed a price list for various zero-day exploits, with attacks for popular browsers selling for well over $100,000 each and an exploit for Apple’s iOS going for a quarter million.

A friend of mine sent me a link to the EFF article, he works for Rockwell Intl., which makes components for the US space program, among other things. He tells me that he and his technology-related co-workers are often receiving (via mail and/or email) "bounty's" on any vulnerability they may find. I guess the idea is instead of fixing them, they would sell them to these security firms, which would in turn then sell them to governments or corporations to be exploited. A pretty despicable business model IMO.

Related article from EFF:
Dangerously Vague Cybersecurity Legislation Threatens Civil Liberties

I'm quite sure Microsoft did pretty much the same thing many many years ago

reply to post by TedHodgson

I think you are correct. If I remember rightly, the "rumour" went that Microsoft held back patches long enough so that the intelligence agencies could use the exploits for their own purposes. The ubiquity of WIndows meant that they could take their pick of some very large and visible corporations and entities on a global scale. I won't say Linux doesn't have the same problem but generally patches are released more quickly than Windows and you aren't reliant on a single vendor with a closed-source system.

Zero-days are very few and far between. The Stuxnet virus had four, when most viruses have one if they are very well written.

reply to post by Blackmarketeer