Comments on: Hacker’s eBay: Legitimate Marketplace or Organized Blackmail?

By: Chris Anton

Chris Anton — Thu, 10 Sep 2009 22:10:53 +0000

Cool …

By: DH

DH — Sat, 07 Jul 2007 22:10:10 +0000

Looks like this story has also been picked up by BBC:
http://news.bbc...ogy/6276474.stm

Getting way more coverage than it deserves, IMO. The site is rubbish and the idea doesn’t seem well thought out. Can’t see this one lasting long and expect to see it in the deadpool soon.

By: Kevin

Kevin — Sat, 07 Jul 2007 12:07:21 +0000

If the site is privately registered that means it’s most likely registered to an individual.

By: desik

desik — Sat, 07 Jul 2007 00:51:42 +0000

Jay,

What if those who seek to find bugs , good or bad, and the companies whose software they find bugs in simply agree to conspire against consumers.

Dont we have a right to know how vunerable we are?

By: Jay (living in First Life)

Jay (living in First Life) — Fri, 06 Jul 2007 22:32:00 +0000

I don’t see why this is such a bad idea but it would be more interesting to see this as a broker between people who find vulnerabilities and those that need to fix them (the developer of the software). With that in mind, I’m not sure an auction format is appropriate since there is really a monopsony (monopoly = one seller, monopsony = one buyer) and it doesn’t seem ethical to sell a vulnerability in Yahoo Messenger to say MSN.

By: desik

desik — Fri, 06 Jul 2007 20:41:07 +0000

The June 16 2007 issue of New Scientist ran a feature on this trade in vunerabilities and the bottom line was ‘vunerabilities are the raw materials of intrusion ‘ and the security of the internet depends on providing financial incentives for the good guys to hunt for vunerabilities and report them before the bad guys spot them .

As with any market though the distinction between the good guys and bad guys is gonna blur occasionally and New Scientist did a table of vunerability prices starting with $250,000 ( quoted by US Govt source ) for ’some exploits’, $50,000 for a Vista bug and $500 and T shirt being offered by the Mozilla Bug Bounty programme.

The interesting point though was the call for a transparent market in vunerabilities to give customers a better idea of how secure a program or app is.

By: Jason

Jason — Fri, 06 Jul 2007 19:01:47 +0000

Here’s a very in-depth post by Dancho Danchev basically debunking the entire business model, discussing the computer underground’s one with their International Exploits Shop, providing an interview with David Endler from the Zero Day Initiative(ZDI), and how the entire project wouldn’t have any effect on the exchange of zero day vulnerabilities in the computer underground. I tend to agree with his best point that even the MPack attack kit the got a lot of publicity got many people infected but was using over 6 months old vulnerabilities that were publicly known and already patched.

By: Joshua Woolever

Joshua Woolever — Fri, 06 Jul 2007 18:14:56 +0000

haha, that’s insane!

By: Jimmy Daniels

Jimmy Daniels — Fri, 06 Jul 2007 18:11:44 +0000

Well, the ip address the domain name returns says the server is in San Diego, at California Regional Intranet, Inc. Sounds like a state penn.

By: Andrew

Andrew — Fri, 06 Jul 2007 17:02:05 +0000

I actually wonder if the site is actually based in switzerland(because of that anonymous domain name info). Its pretty obvious why they say they are based out of switzerland, but I wonder if its true

By: Tech Tools

Tech Tools — Fri, 06 Jul 2007 16:12:51 +0000

Interesting.
It seems bringing this to a public market place may end up biting them in the ass. Somethings are just better off left underground.

By: Tim

Tim — Fri, 06 Jul 2007 14:54:58 +0000

Actually referring this site to eBay is a bit of a reach for me. Too small a user base, and nowhere close the potential to reach a large scale for many of the reasons listed in the comments. Of course after this post they will see a nice spike in traffic.

This site has serious limitations, and I think a real exchange would need to be underground and private (read illegal and hidden). I don’t see how this could make it as a legitimate site. Of course Switzerland probably wont do anything to shut it down, consider how long PiratesBay has been up, until perhaps it facilitates a major scandal.

It would be interesting to list some security flaws for the Swiss government on here and see what happens. Maybe then their government would care about IP. But otherwise it will probably stay open just not be too successful.

Very high margin business though. Zero advertising, Percentage of each sale, high ticket price for big exploits = big money to the owners, even if it is not very consistent. Definitely worth giving a shot if you had no morals.

By: Vijay Chakravarthy

Vijay Chakravarthy — Fri, 06 Jul 2007 14:31:47 +0000

I just opened my dictionary to look up the definition of irony:

Someone buys a vulnerability on WSLabi in order to hack into their systems, thus bringing the whole site to its knees.

By: Paul Bradish

Paul Bradish — Fri, 06 Jul 2007 13:59:33 +0000

If the site is privately registered that means it’s most likely registered to an individual. I can’t blame him for that, especially with this type of web site, but I wouldn’t trust him one bit either.

By: Nik Cubrilovic

Nik Cubrilovic — Fri, 06 Jul 2007 13:40:31 +0000

Flavio: that is domainsbyproxy, which is a service that lets you register domains ‘anonymously’

0day exploits have always existed. There are groups of researches who find vulnerabilities and disclose, while there are others who keep it to themselves (or within their groups) and use them for other purposes

The funny thing is, just the description of these exploits tells me enough about them that you could probably easily find them yourself and develop an exploit. I can’t believe they made the list of exploits public..

The Yahoo! Messenger exploit description tells you that user interaction is required, so it would be something like clicking on a link in a message, accepting a contact that is sent etc. and whatever it is, it is likely a bounds-checking issue

By: Drama 2.0

Drama 2.0 — Fri, 06 Jul 2007 13:36:40 +0000

I don’t know if this will succeed, but I’ve read reports that some of these exploits get sold for large sums of money so this is hardly the worst idea in the world given that it probably didn’t cost much to set the site up.

I think the biggest challenge this company will face is in trying to create a legitimate marketplace for an underground market. Legitimacy brings some level of transparency, which is not beneficial to most of the parties who have an interest in these transactions. It’s really no different than creating an open marketplace for stolen cars. Thieves and buyers would be foolish to use it.

By: Salvatore Iozzia

Salvatore Iozzia — Fri, 06 Jul 2007 12:40:19 +0000

very funny….

By: Flavio Rump

Flavio Rump — Fri, 06 Jul 2007 11:19:54 +0000

Their domain registration data is certainly interesting:

Registration Private
(480) 624-2599 Phone
(480) 624-2599 Fax
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
wslabi.com@domainsbyproxy.com

http://who.goda...prog_id=godaddy

Basically you don’t even know the names of the people who run the marketplace. Very trustworthy

By: Darren Stuart

Darren Stuart — Fri, 06 Jul 2007 11:04:46 +0000

One flaw to this is, the company could be raided by the police and all the naughty people that bought the hacks will be exploited so in that respect this is targeting the companies whos software is online and thus blackmail.

By: sputnick

sputnick — Fri, 06 Jul 2007 10:47:47 +0000

I’m a little puzzled why TechCrunch is giving these jokers publicity. I am sure there are hundreds if not thousands of startups out there more deserving of a review. If the site were hopping like mad and generating revenue, then maybe it would be a story. But it’s a teenage fantasy to begin with, plus it doesn’t even have listings. So where’s the story?

By: Gomzi

Gomzi — Fri, 06 Jul 2007 09:24:55 +0000

Haha (last para!!!)

Include one more word at the end…………..DEADPOOL