Countdown to Zero Day

I recently chose to read “Countdown to Zero Day” by Kim Zetter for my Computer Ethics class. The professor had us choose a book (that fell into the scope of the class) and read it. I’m not here to review it; I’m here to share only one part of this interesting story, namely chapter 7. A little programming knowledge here will help, and if you have any in-depth knowledge of computers, that can be of service as well.

This chapter talked at length about the implications of a market that I didn’t even realize existed: the selling of software exploits. Software exploits are holes in software security: weak patches that anyone can exploit, if they can find them. A completely secure computer system is not possible to obtain, but the security flaws must be found by people with advanced skills in computers. The number of viewpoints and perspectives in this chapter is quite impressive. Let’s first dissect this situation a little bit from the perspective of the companies who write the software that this market seeks to sell exploits on.

How might this affect them? These companies receive top-dollar funds from their many customers, and a large part of that income stems from the idea that their software is safe and secure. The military does not want to use software that has major known exploits. This would be like buying a lock that someone out there currently knows an easy way to get through with no key. Worse, once someone finds a way around needing a key, he can then tell everyone exactly how to make that key. The metaphor starts to fall apart if you explore things here a little more, but I digress. Businesses like Microsoft can lose a lot of money when people sell these exploits to the highest bidder. Even still, more and more businesses are forced into the market. They figure, “Hey, if people are going to be selling these exploits, why don’t we pay the people who find them instead?” And thus, bug bounties were born! Companies will pay anyone who finds a new security problem in their software/hardware systems for their work, and everyone wins, right?

Well, not all companies want to play so nicely. These people selling the exploits are the ones who need to be stopped, as they created this problem in the first place. But what would one of these people looking for exploits say in their defense? Well, it’s a lot of hard work looking for exploits. Many of these individuals would happily sell the exploits found if the developers of the system would be willing to buy them. But what if the exploits are worth tens of thousands on the grey market, but companies are not willing to pay that high of a premium for the exploits? After all, the software patch for any exploit only needs to be done whenever there is a new security threat detected. These security exploiters are creating a problem that wasn’t there, and then charging companies for the pleasure of breaking their lock. This sounds absurd. Wouldn’t it be much simpler if these exploits were never found to begin with?

It’s hard to tell. It’s not always 100% clear how problems such as this originate, and I find it’s best to live in the real world. Humanity won’t survive if we can’t find practical solutions to problems. People are going to create exploits. There is too much money and foreign interest for them not to, at least for the time being. The most practical way to solve this might just be that companies need to pay people when they find bugs. It might feel wrong to have to pay for a problem you didn’t create, but sometimes this is simply the cost of doing business. Either way, the businesses that fail to find practical solutions to these problems may find themselves going the way of the dodo.

My post really does not do this chapter justice. The writer also spent a lot of time talking about the implications of such markets to the government, and how foreign interests also play a large role in the game of zero-day exploits. Read the book if you want to learn more. It provides a lot of context and background on the subject of the exploit market that really helps in understanding the complex situation at play here.
