Zero-day exploits: Should the hacker gray market be regulated?


  • Zero-day exploits: Should the hacker gray market be regulated? - Slate Magazine
    http://www.slate.com/articles/technology/future_tense/2013/01/zero_day_exploits_should_the_hacker_gray_market_be_regulated.html

    Should the "gray market" for zero-day exploits be regulated?

    There are brokers who specialise in exploits. But beware: you can find anything on this market. This one, who sells exploits for between $16,000 and $250,000, does not sell to just anyone: only to (nice) Americans.

    Unlike other companies and sole traders operating in the zero-day trade, Desautels has adopted a policy to sell his exploits only domestically within the United States, rigorously vetting all those he deals with. If he didn’t have this principle, he says, he could sell to anyone he wanted—even Iran or China—because the field is unregulated. And that’s exactly why he is concerned.

    And, incidentally, the same man knows some bad guys:

    Desautels says he knows of “greedy and irresponsible” people who “will sell to anybody,” to the extent that some exploits might be sold by the same hacker or broker to two separate governments not on friendly terms.

    Oh, and incidentally, the next paragraph is about a French company (a bad guy? it isn't specified) that made 86% of its sales from exports in 2011:

    The position Desautels has taken casts him as something of an outsider within his trade. France’s Vupen, one of the foremost gray-market zero-day sellers, takes a starkly different approach. Vupen develops and sells exploits to law enforcement and intelligence agencies across the world to help them intercept communications and conduct “offensive cyber security missions,” using what it describes as “extremely sophisticated codes” that “bypass all modern security protections and exploit mitigation technologies.”
    Vupen’s latest financial accounts show it reported revenue of about $1.2 million in 2011, an overwhelming majority of which (86 percent) was generated from exports outside France. Vupen says it will sell exploits to a list of more than 60 countries that are members or partners of NATO, provided these countries are not subject to any export sanctions. (This means Iran, North Korea, and Zimbabwe are blacklisted—but the likes of Kazakhstan, Bahrain, Morocco, and Russia are, in theory at least, prospective customers, as they are not subject to any sanctions at this time.)

    Some think the problem is overblown: you don't need a zero-day exploit to attack an executive's or an activist's computer; a good old, well-documented vulnerability is enough (when it isn't the user's own behaviour...)

    Some claim, however, that the zero-day issue is being overblown and politicized. “You don’t need a zero day to compromise the workstation of an executive, let alone an activist,” says Wim Remes, a security expert who manages information security for Ernst & Young.

    Should it be regulated? Careful: if regulations tighten without raising the bounties for vulnerability disclosure, the lure of profit will push hackers to desert the gray market for a black market that is only waiting to grow.