I’ve just recently returned from REcon 2012 and while I heard a couple people express that they had “heard” that some people were more disappointed with this year’s conference compared to prior ones, I personally really enjoyed it and felt it was the best one yet. I saw and enjoyed more of the lectures this year than I have in the past and seemed to have better interactions with the other conference attendees, better conversations, and generally enjoyed myself more than years past. Perhaps it was because this year Montreal wasn’t in the middle of a heat wave with no air conditioning in the hotel and the conference hotel didn’t catch fire (:
Posts Tagged ‘ExploitHub’
Tags:binary instrumentation, Canada, ExploitHub, Facedancer, GoodFET, IC, ida pro, IDA Toolbag, Integrated Circuit, Montreal, PE, Pin, Portable Executable, REcon, reverse engineering, scotch
Posted in conference, cryptography, observation, opinion, reverse engineering, security, security research, software, technology, travel | 1 Comment »
A few years ago, following the failure of WabiSabiLabi’s 0day auction site, I gave some thought to how to create a public marketplace for exploits that actually works. Obviously given the example of WabiSabiLabi and a little common sense that any vulnerability researcher worth their salt would know, you can’t have a public market for 0day vulnerabilities. As WabiSabiLabi quickly found out, by disclosing enough information about the vulnerability so that a potential customer can make a determination about whether or not to buy it, you’re likely giving up enough information about the vulnerability for them to find it themselves, given varying levels of time and effort. Thus, you can really only market 0day to trusted customers and when your marketplace is open to the public, your customers are most definitely not trusted and consists of various demographics who have lots of disposable time on their hands to go hunt down your vulnerabilities. So, what if we remove 0day from the equation entirely I thought? Could an open market for exploits of public vulnerabilities work? Would anyone actually buy such exploits? ExploitHub was born, and it turns out the answer is yes.