Former Hacking Team supplier stops selling zero-day exploits on ethical grounds

Lucian Constantin | July 22, 2015
Italian surveillance software maker Hacking Team recently claimed that it hasn't lost any customers after the massive leak of its internal data two weeks ago. But it has lost at least one business partner: U.S.-based penetration testing specialist and zero-day exploit broker Netragard.

According to Desautels, the termination of EAP will not affect Netragard much, because the company's core business is penetration testing services, not brokering exploit sales.

However, the company remains in "strong favor" of ethical development, sale and use of zero-day exploits and might revive the EAP in the future if the market is correctly regulated and a legal framework is created to hold buyers accountable for how they use such technology, Desautels said.

The selling of zero-day exploits to government agencies or private companies has long been a topic of debate in the security community. Some critics argue that this practice makes everyone less safe because it incentivizes researchers to keep vulnerabilities secret from affected vendors, delaying potential fixes and giving malicious attackers time to discover the same issues on their own.

Others have compared selling zero-day exploits to selling cyberweapons, and that also seems to be the interpretation of the U.S. Department of Commerce. In May, the DOC's Bureau of Industry and Security (BIS) proposed changes to an international arms control pact called the Wassenaar Arrangement that would require a special license to export intrusion software, Internet surveillance systems and related technologies.

Many companies in the security industry, independent researchers and even companies like Google are against the DOC's proposal, primarily because its broad language could restrict their ability to research, report and defend against computer threats.

Netragard is also against using Wassenaar to regulate software exploits.

"It's important that the regulations do not target 0-days specifically but instead target those who acquire and use them," Desautels said. "It is important to remember that hackers don't create 0-days but that software vendors create them during the software development process. 0-day vulnerabilities exist in all major bits of software and if the good guys aren't allowed to find them then the bad guys will."

Other researchers share that opinion.

"The current BIS rules are so open-ended that they would have a powerful chilling effect on our industry," said Robert Graham, the CEO of security firm Errata Security, in comments submitted to the DOC. "The solution, though, isn't to clarify the rules, but to roll them back. You can't clarify the difference between good/bad software because there is no difference between offensive and defensive tools — just the people who use them."

"There is no solution that stops bad governments from buying 'intrusion' or 'surveillance' software that doesn't also stop their victims from buying software to protect themselves," Graham said. "Export controls on offensive software means export controls on defensive software. Export controls mean the Sudanese and Ethiopian people can no longer defend themselves from their own governments."
