
Disclaimer: I know people referenced in this article.

Whatever your views on the morality or ethics surrounding this market, the fact is that it exists and isn't going away. In fact it has existed for a long time (I certainly remember exploits being traded, bought and sold in the early 2000s and 90s) but the thing that's new-ish is the presence of numbers in the public eye.

Charlie Miller's paper on the 0day market[1] provides an example of what happens when someone has a lack of market information (they lowball and sell the bug for less than it's worth) in this space, and might be of interest to people who enjoyed this article.

[1] - http://securityevaluators.com/files/papers/0daymarket.pdf



When there's demand for a product or service, supply will follow if it's profitable(1) to sell. Banning something, or shaming people away from doing it, doesn't eliminate demand. Supply reduces, cost increases. If costs get too high, demand vanishes, and so does supply. It functions like any other market would.

To squash a market entirely requires extremely strict laws, punishment, and enforcement. Even then, it's impossible to destroy some markets if enforcement cost is too high, or is incompatible with the rules of a society (e.g. it's un-Constitutional).

For example, the U.S. spends billions each year on the war on drugs, and yet there's someone sitting right next to me in a coffee shop I could probably buy some off of right now. If $500 billion was spent yearly on enforcement, and police could do random searches of persons and property at any time without warrant, drugs would dry up. But at what cost? The loss of many of our rights, plus extremely high taxes, followed by an inefficient society spending so many resources on, well, "You can't stick that pill in your mouth." We'd become a military state with little else to offer, stagnating while the rest of the world surpasses us.

Black markets can be risky to engage in. If the risk of getting caught buying or selling an exploit was, say, 24/7/365 physical torture for 10 years, most people probably wouldn't do it. But a few would remain if it is worth the risk to them, or if they fail to assess risk (e.g. they don't comprehend it, or they ignore it; "It won't happen to me!"). The black market would "harden".

Mexican drug cartels hardened with guns, violence, secrecy, corruption, torture and death. You can theoretically calculate how many humans died in Mexican drug wars, per-joint you smoked, in 2011. That cost was built into the price you paid for the drugs. This "death cost" goes away if you legalize it.

So you're absolutely right; markets for software exploits will not go away unless it becomes unprofitable, or not worthwhile. Right now there are few, if any, laws banning it (aside from extortion, treason laws, etc.). Since many are vocally against it, they only have a few options to "prevent" it. Shame those who do it, buy them out ($$$), race them (white hats), or propose legislation to ban it (good luck). This market is likely here to stay for some time. If it remains legalized and becomes accepted by the general community, more people would do it, prices would come down, and so would earnings.

(1) Profitability can be defined as anything the supplier receives in return for their product/service which they deem "worth" something. It doesn't have to be money, but could be good feelings, increased social capital, learned knowledge, etc...


> Mexican drug cartels hardened with guns, violence, secrecy, corruption, torture and death. You can theoretically calculate how many humans died in Mexican drug wars, per-joint you smoked, in 2011. That cost was built into the price you paid for the drugs. This "death cost" goes away if you legalize it.

For the record, you can do this with any product from any industry where fatalities ever occur during production and distribution. For example, the cost of teamster's deaths during delivery has been factored into the cost of products for hundred(s?) of years. Whether that death occurred because of overwork, robbery, or modern day road accidents, it's been accounted for.

People die of heatstroke farming the food you eat and the coffee you drink. And people die getting you the weed you smoke. I'd like to see data comparing them.


You're right, but saying "someone else would do it if I didn't" is a pretty weak rationalization. They're making themselves rich at the expense of everyone else. They're a leech on society.


> They're making themselves rich at the expense of everyone else. They're a leech on society.

No they're not, on both counts. They're not making themselves rich at the expense of everyone else. Their major customers are governments, who are in no rush to make their own purchasing patterns illegal. They're taking part in an active established market. Immunity have been doing this publicly for over a decade, with the difference being that anyone can buy Canvas.

The simple solution (which works in favour of the exploit dealers too btw) is to use a layered approach to defences that make it more expensive to develop an exploit. That's what Microsoft have been doing since Vista. There are now so many hurdles you have to jump through for a server-side remote code execution bug that for most people it's just not worth it (given that you'll have to chain exploits more often than not to bypass protective measures), which is partly why client side bugs are becoming more common.


Eh. Two much more important factors militating for clientside exploits:

* The client-side attack surface is, probably by many orders of magnitude in any metric you care to use, more complex than the serverside attack surface. Look at the kinds of libraries that have been long-term thorns in the sides of developers and security teams --- image codecs, font libraries, compression --- a big chunk of everything that goes on your computer screen can be influenced by attackers.

* The client-side attack surface includes multiple programming languages hooked up to anonymous content (the most important being Javascript), and so clientside exploits have significantly better tools to work with.

Not to take anything away from your point; I'm glad you're injecting some sanity onto these threads.


You're absolutely right on both counts, and thanks for the comment.


On a related note re: client vs. server. Taking a recent incident that was in the news, when the Brits pwned a pro-AQ forum. From that vantage point, the best thing they can do is to target the admins, moderators and heavy users -- with client sides. Probably more than one, since it is unlikely that a single exploit would be effective against each of the targets. The valuable intel is going to come off those users' boxes, not off some semi-anonymous VPS shard. Logs of Tor exit nodes, googlebot, and proxies reveal nothing interesting. From a certain perspective, it makes sense that there just isn't much value to be had from servers, and so there's reduced incentive to pay high prices for server exploits.

Not to mention that gaining access to that server would probably be fairly simple given the atrocious security standards of most web hosting companies. cPanel, pilfered ssh key, SQLi, PHP bugs in the forum software, rent a VPS on the same host and LPE... I hardly need to tell _you_ how many alternative (cheap) ways exist to gain access to the server. (And this is assuming that they aren't running their own colos and web hosts a la http://www.schneier.com/blog/archives/2008/10/clever_counter...)

Given the relative ease of access to servers and the poor quality of intel stored on them, it's no wonder that the market focus is on client sides. Finally, it's worth mentioning that most (all?) of the servers with interesting data on them are in the legal jurisdiction of the US (just ask Kimble, ha!). Accessing that data requires a sternly worded letter on official letterhead, not an exploit.

So, not to detract from either of your points; but there is another angle to add to the mix.


Well, client-side attacks are great because they typically rely on the naivete or indifference of the user. And the client-side attack surface is typically protected to a lesser degree than a server. A well-orchestrated spearphishing attack is tough to defend against, even for a security-conscious user. The attack surface is just so large.

However, the meat on the bones is really on the servers. If someone pops my desktop at work, they won't find much valuable data. But they will be able to keylog me, grab admin password hashes, arp-spoof etc. Still, no data. But what they will get enables them to access our company files and databases in short order.

In essence, client-side attacks in the corporate world are definitely targeted at server data, while in the consumer world, they're targeted towards identity theft or botnet creation.


This is the gov world though, where the interesting information is things like your address book, your emails (the content as well as the senders/recipients), your private keys and passwords, etc. etc. Client sides provide direct access to those things (or at least, a means of obtaining them).

There are very few governments that care about what is on your company file server or in your company databases. (Ignoring the elephant in the room on that one.)

Law enforcement agencies keep huge Access databases of the contacts they extract from cell phones taken from criminals. They share this intel with each other via email (I know, I know...). They can discover a great deal about who is involved in an activity and where they are on the totem pole from just this data. It's even possible to identify people by correlating the content of the "name" field and using the phone number as a unique ID. Criminals tend to have poor OPSEC.


I don't think it's safe to assume that government simply means spying on individuals for national security reasons. Governments engage in corporate espionage all the time, and not just China.


In a way, these "leeches" are providing free pen-testing, and publicizing the fact that software is cheap to exploit. If this drives the markets to invest in security software, I think it's a net win.


Could you explain your reasoning a bit more? I am not following from "individual invests thousands of hours into their passion; some are compensated for their work by people who value their skills; those individuals are leeches on society". I think there is a step or twenty in there that you could expand.


They're making an explicit decision to reap a larger payday by selling the exploits to governments or other companies rather than disclosing it to the original application authors for the standard bug reward.

The sellers have no way of determining how the exploits will be used. The mere fact that buyers are willing to spend so much on an exploit indicates they are not just collecting them out of idle curiosity. Even if we could completely trust the buyers to not misuse or share information about the exploit, the original bug remains unpatched for others to independently discover and exploit.

The sellers are willing to inflict damage on everyone else so they can benefit. That sounds like leeching to me.


> They're making an explicit decision to reap a larger payday by selling the exploits to governments or other companies rather than disclosing it to the original application authors for the standard bug reward.

I don't know you but I get the impression that you've never gone through the bug reporting process from a bug hunter's perspective. Some places do offer bug bounties, and of course you have the usual ZDI, pwn2own etc. that you can go through, but from my own personal experience I've been ignored, threatened with legal action and dragged into a quagmire of free IT support because the manager handling the bug won't let me speak to a developer and doesn't understand the bug amongst other things.

On the other hand, finding a bug isn't hard, but developing a reliable weaponised exploit that works repeatably against multiple targets can be a heck of a lot more work.

My own personal view when it comes to disclosure is 'finders keepers'. It's my bug, I found it. It's not worth my time weaponising it to sell on the black market and it's too high risk for me personally to be associated as being active in it, it's only worth weaponising to the point where I can use it in future on pentests and help customers implement workarounds.

> The sellers are willing to inflict damage on everyone else so they can benefit. That sounds like leeching to me.

s/sellers/buyers/


s/sellers/vendors/ ... let's not forget who created the bugs in the first place, then failed to find and remove them, and finally shipped a dangerously malfunctioning product! (Alien Invaders from Mars -- http://www.antipope.org/charlie/blog-static/2010/12/invaders...)

[edit: more pithiness]


Responsible disclosure (where the vendor is notified first) has proven to be an unmitigated disaster. Vendors simply ignore the vulnerability report as long as possible. The only way vulnerabilities get addressed is when a PoC is created and publicized.

Buyers of exploits (at least those who aren't blackhats/criminal enterprises) generally intend to use them for their security services/applications. They have to have the latest exploits otherwise they can't protect their clients.


If someone is willing to spend (e.g.) $1,000,000 on an exploit on the black market, but the software developer is only paying $50 (or nothing!) for people to report exploits, don't you think that something is wrong with this picture?


That's because the costs of a security vulnerability are externalized.
