A few years ago, following the failure of WabiSabiLabi’s 0day auction site, I gave some thought to how to create a public marketplace for exploits that actually works. Obviously, given the example of WabiSabiLabi and a little common sense that any vulnerability researcher worth their salt would have, you can’t have a public market for 0day vulnerabilities. As WabiSabiLabi quickly found out, by disclosing enough information about a vulnerability for a potential customer to decide whether or not to buy it, you are likely giving up enough information for them to find it themselves, given varying amounts of time and effort. Thus, you can really only market 0day to trusted customers, and when your marketplace is open to the public, your customers are most definitely not trusted and consist of various demographics with lots of disposable time on their hands to go hunt down your vulnerabilities. So, I thought, what if we remove 0day from the equation entirely? Could an open market for exploits of public vulnerabilities work? Would anyone actually buy such exploits? ExploitHub was born, and it turns out the answer is yes.
Archive for February, 2012
On a recent trip to Orlando, I opted out of the full-body scan at AUS, as I always do at every airport security checkpoint. While waiting for my pat-down, I was lectured by the TSA gate agent about how safe they are, was subsequently questioned about my cellphone use as a radiation exposure comparison, and was subjected to repeated attempts to get me to change my mind and just go through the scanner.
A few years ago, the idea came up at our local AHA! meeting that our group should host an information security and/or hacking conference here in Austin, Texas. Some venue ideas were tossed around and some preliminary cost research was done, but the idea never went much beyond that for a number of reasons, foremost of which is that AHA! folk are very, very busy people, myself included. Back then, none of us had the time or resources to make such an undertaking happen. Fortunately, while I still don’t really have the time personally, I now have the resources in the form of paid staff whom I can have plan and execute such an event, so in mid-2011 or so I decided to do so.
It’s been quite a while since I’ve posted anything here other than the occasional conference report, and there are many more of those in draft form from the past two years that I never got around to finishing and actually posting. This is due to a variety of reasons, ranging from a complete change in career focus a couple of years ago, when I went into business for myself, to having very little free time due to the myriad things I’ve got going on. This needs to change, however, as I need at least one outlet for my thoughts that isn’t constricted to 140 characters or the no-frills formatting that most social networks provide. That said, it is my intention to write here more often, beginning with this post and continuing with more over the next few weeks, mostly about the various ventures I’ve begun or become involved in over the past few years.