Comments on: Is it ethical to sell zero day exploits? https://www.emsisoft.com/en/blog/10518/is-it-ethical-to-sell-zero-day-exploits/ Straight-talking security advice from the Malware Experts Fri, 18 Nov 2022 12:13:55 +0000

By: Sarah Reid https://www.emsisoft.com/en/blog/10518/is-it-ethical-to-sell-zero-day-exploits/#comment-785875 Sat, 20 May 2017 15:23:00 +0000 http://blog.emsisoft.com/?p=10518#comment-785875 I’m selling Yahoo, Google and Hotmail stored xss that steal emails cookies and works on ALL browsers. And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!
Email me cybertoks@gmail.com

By: RSRazer https://www.emsisoft.com/en/blog/10518/is-it-ethical-to-sell-zero-day-exploits/#comment-433636 Tue, 05 May 2015 23:45:00 +0000 http://blog.emsisoft.com/?p=10518#comment-433636 In reply to Peter Thompson.

Not arguing that, I completely agree. Jailbreaking, for example, is only an issue because the companies are so scared of piracy that they lock out everyone. Give a guy control over how he makes his device function, e.g. the ability to change icons, and give the homebrew fanatics a freedom to develop that is limited to their registered device, only allowing distribution once approved on the target platform’s store. This allows homebrewers the tinkering freedom along with an opportunity to make a coin off of worthy apps. As it stands, jailbreaking is technically both legal* and illegal* at the same time as of current rulings and law. This discrepancy can cause legal issues and allow innocent modders to get convicted and guilty hackers to go free depending on the trial. This is one of many cases where the law needs to be scrapped and rewritten to cover things properly and avoid issues such as the example I made.

*Legal because a few jailbreaking court cases were ruled in favor of one having the right to modify their device, as they own it.

*Illegal because it is illegal to circumvent copy protection/DRM period.

By: Peter Thompson https://www.emsisoft.com/en/blog/10518/is-it-ethical-to-sell-zero-day-exploits/#comment-425647 Sun, 19 Apr 2015 19:49:00 +0000 http://blog.emsisoft.com/?p=10518#comment-425647 The law then should change. Seems a lot of laws related to online stuff are outdated – the law about copying music has only just been changed to make it clear it’s legal to back up legally obtained music and place legally obtained music onto a device, e.g. an iPod.

We need an overhaul so the tech world is up to date law-wise.

By: RSRazer https://www.emsisoft.com/en/blog/10518/is-it-ethical-to-sell-zero-day-exploits/#comment-424456 Thu, 16 Apr 2015 06:52:00 +0000 http://blog.emsisoft.com/?p=10518#comment-424456 In reply to sswallen.

Unfortunately, no. Good encryption has proved a possible solution, but take a page from Sony: human error on their end caused all units on version 3.55 and below, or units capable of being manually downgraded to 3.55, to be permanently exploited. Damage includes piracy, mods while playing online and homebrew (though the latter I don’t find to be malicious. I actually think you as a consumer have a right to run your own code on your own device without having to get permission just because of a label like Sony or Nintendo. The reason you’re locked out is fear of piracy, money making without them getting a dime, and they make a mint off of development kits. For example, the development kit prices for the Nintendo 3DS are:
73056 PARTNER-CTR DEBUGGER $2,620
73058 PARTNER-CTR DEBUGGER/CAPTURE (Dual Functionality) $3,950
73065 Nintendo 3DS (Development only) “Panda” USA $324
73066 Nintendo 3DS (Development only) “Panda” EU $324
73067 Nintendo 3DS (Development only) “Panda” AUS $324
73062 Flash Card, 16 Gbits (2 GBytes) CTR $85
73063 Backup Memory, 1Mbit (128 KBytes) Flash CTR $8.35
73064 Backup Memory, 4Mbits (512 KBytes) Flash CTR $10.65
These may seem odd for a non-tech, but basically my best setup if I purchased would be $3,950 + $324 + $170 + $10.65 = $4,454.65. This does not include the fact that you must already know how to program fluently, the cost to even get accepted to develop, or the process to get accepted. $4,500 just to make a simple Pong game? This is mainly why game consoles are hacked. Unfortunately, piracy is generally a side effect.
Now imagine if programmers had to get permission from Microsoft or Apple for every little program they create. SDKs would run in the hundreds of thousands! It is unfeasible. This is why there is sometimes good in exploitation, so that companies cannot force control over the device you own). All it takes is a leak of the private keys and all security collapses. As for exploits, many are TOCTOU, or time-of-check to time-of-use. This is an almost impossible thing to fix, as it is called a race condition. A hacker has to have a deep understanding of the machine to successfully exploit it, but it is not completely fixable and will always be a possible entry point. As with any product, digital or physical, it is impossible to make it un-hackable aside from keeping it to yourself.

By: sswallen https://www.emsisoft.com/en/blog/10518/is-it-ethical-to-sell-zero-day-exploits/#comment-319436 Sat, 15 Nov 2014 02:02:00 +0000 http://blog.emsisoft.com/?p=10518#comment-319436 Can we please stop this madness! I don’t care how it’s done but please stop it!

By: Steve https://www.emsisoft.com/en/blog/10518/is-it-ethical-to-sell-zero-day-exploits/#comment-318225 Sat, 15 Nov 2014 01:24:00 +0000 http://blog.emsisoft.com/?p=10518#comment-318225 In reply to RSRazer.

Implementing some sort of check is an interesting idea. It is probably impossible to stop curious minds from digging around, but attaching fines/punishments to certain types of distribution would definitely act as a deterrent.

By: Steve https://www.emsisoft.com/en/blog/10518/is-it-ethical-to-sell-zero-day-exploits/#comment-318222 Sat, 15 Nov 2014 01:09:00 +0000 http://blog.emsisoft.com/?p=10518#comment-318222 In reply to alphaa10000.

That last question is an important one because if something goes wrong and people lose money and there’s someone to blame… well, then that someone is going to be expected to pay people back.

By: Peter Thompson https://www.emsisoft.com/en/blog/10518/is-it-ethical-to-sell-zero-day-exploits/#comment-317617 Thu, 13 Nov 2014 17:55:00 +0000 http://blog.emsisoft.com/?p=10518#comment-317617 Surely, by selling the information on to someone else with the knowledge that the buyer will then use this information illegally, they are then helping to break the law. Someone supplying legal weapons knowing they were going to be used illegally would probably be committing a crime, and you could class a flaw as a kind of weapon in the wrong hands.

By: Steve https://www.emsisoft.com/en/blog/10518/is-it-ethical-to-sell-zero-day-exploits/#comment-317193 Thu, 13 Nov 2014 04:21:00 +0000 http://blog.emsisoft.com/?p=10518#comment-317193 In reply to Philip.

Thanks, Philip. You can find a bit more about FinFisher here: emsi.at/ffish

By: alphaa10000 https://www.emsisoft.com/en/blog/10518/is-it-ethical-to-sell-zero-day-exploits/#comment-316684 Wed, 12 Nov 2014 08:35:00 +0000 http://blog.emsisoft.com/?p=10518#comment-316684 Zero-day exploits exist because software is too complex to be known and understood completely and managed perfectly by its publisher.
If most software can be found with some security fault unknown to its publisher, that reduces the element of control (and, implicitly, the responsibility) traditionally associated with a product creator / inventor.
Although the days of software publishers sending out letters of apology on their discovery of a coding error are long past, this urgently raises the question: if software is no longer under the exclusive control of the publisher, what is the product for which we pay?
A “best effort”?
If a bank buys security software on such a basis, who is to blame when something goes wrong and people lose money?

By: Philip https://www.emsisoft.com/en/blog/10518/is-it-ethical-to-sell-zero-day-exploits/#comment-316663 Wed, 12 Nov 2014 04:32:00 +0000 http://blog.emsisoft.com/?p=10518#comment-316663 Privacy International in October 2014 made a criminal complaint to the National Cyber Crime Unit of the National Crime Agency, urging the immediate investigation of the unlawful surveillance of three Bahraini activists living in the U.K. by Bahraini authorities using the intrusive malware FinFisher supplied by British company Gamma.

Moosa Abd-Ali Ali, Jaafar Al Hasabi and Saeed Al-Shehabi, three pro-democracy Bahraini activists who were granted asylum in the U.K., suffered variously from years of harassment and imprisonment. Investigation and analysis by human rights group Bahrain Watch showed that while Moosa, Jaafar, and Saeed were residing in the U.K., Bahraini authorities targeted the activists and had their computers infected with the surveillance Trojan FinFisher.

The complaint argues that the actions of the Bahraini authorities qualify as an unlawful interception of communications under section 1 of the U.K.’s Regulation of Investigatory Powers Act 2000. By selling to and assisting the Bahraini authorities, the complaint argues, Gamma is liable as an accessory under the Accessories and Abettors Act 1861 and/or encouraged and assisted the offence under the Serious Crime Act 2007.

(Two PCs were infected and an Apple computer system was infected. They turned up at a meeting in their own country and were arrested. They have been given multiple life sentences and will never see the light of day again. All for the lack of an interactive firewall, an up-to-date virus scanner and a basic understanding of PC security.)

By: Dan https://www.emsisoft.com/en/blog/10518/is-it-ethical-to-sell-zero-day-exploits/#comment-316522 Wed, 12 Nov 2014 00:08:00 +0000 http://blog.emsisoft.com/?p=10518#comment-316522 I agree with the sentiments that unauthorized research may involve copyright issues re OS layers/ops, that not all “exploitable” opportunities can be twisted to malicious purpose, and that it is wrong to sell those exploits which are malicious to anyone at-large; even when encountering a virus or exploit in the wild, rather than copy it to study it myself I upload to places like VirusTotal, and allow software such as HitManPro or Emsisoft to remove/send reports on same (where remote-control isn’t the exact issue…for that kind of to me rare find, I usually inform governmental agencies).
