The trade in security exploits: Free speech or weapons in need of regulation?
Christopher Soghoian
First: a disclaimer
“The government official said he was not allowed to name a price, but that I should make an offer. And when I [set a price of $80k], he said OK, and I thought, ‘Oh man, I could have gotten a lot more.’”
- Charlie Miller, Interview with SecurityFocus, 2007
“I don't think it fair that researchers don't have the information and contacts they need to sell their research.”
- Charlie Miller, Interview with SecurityFocus, 2007
“Legit” bug sale options in ’99: Vendor bounties
$500 $500-1337
“Legit” bug sale options in ’99: subscription services
$500 – $20,000
Community debate: Responsible disclosure vs. full disclosure
Alex Sotirov and Dino Dai Zovi, CanSecWest, 2009
“Vendors have been getting a freebie for a while, why would I want to sit down and volunteer to find a bug in someone’s browser when it’s a nice, sunny day outside?”
- Dino Dai Zovi, Interview with SC Magazine, 2009
What was “No More Free Bugs” really about?
Google and Microsoft will never be able to outbid the US Government.
Fast forward: 2012
He says he takes a 15% commission on sales and is on track to earn more than $1 million from the deals this year.
“I refuse to deal with anything below mid-five-figures these days,” he says.
- The Grugq, quoted in Forbes, March 2012
Chaouki Bekrar and the VUPEN team
“We wouldn’t share this with Google for even $1 million. We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”
- Chaouki Bekrar, Interview with Forbes, Mar 2012
“We don’t work as hard as we do to help multibillion-dollar software companies make their code secure.”
“If we wanted to volunteer, we’d help the homeless.”
- Chaouki Bekrar, Interview with Forbes, Mar 2012
NATO Partners include: Azerbaijan, Turkmenistan, Egypt, Morocco, Qatar and Pakistan.
ASEAN Members include: Indonesia, Burma and Vietnam.
Simultaneous developments elsewhere
Martin J. Muench
Gamma Group sells FinSpy to governments only to monitor criminals and it is frequently used “against pedophiles, terrorists, organized crime, kidnapping and human trafficking.”
- Martin Muench, New York Times interview, Aug 2012
Australia, Bahrain, Brunei, Czech Republic, Estonia, Ethiopia, Indonesia, Qatar, Latvia, Mongolia, the Netherlands, Turkmenistan, United Arab Emirates and United States.
The exploit and surveillance industry has a bit of an image problem.
The first rule of exploit selling is:
Others keep talking though.
“I do it for money, because I like it, and because most of the time I don't need to wear pants. I spend approximately no seconds of any day worrying about the imaginary ethical implications of every little thing I do, and I am not particularly unique.”
- Ben Nagy, post to ‘dailydave’, 2012
“Given that a can of fizzy drink or a car battery can be abused and used as an implement of torture it is of no surprise to anyone if our products can be abused too.”
- Martin Muench, email interview with ABC Radio (Australia), September 2012.
Regulate sales of exploits = Limit freedoms
Politicians will take an interest in exploit sales and call for regulation
“I think that the zero-day exploit market should be regulated. We're selling bullets and computers are the guns, there's no doubting that.”
- Adriel Desautels, post to ‘dailydave’, August 2012
If the industry wants to avoid regulation, it needs to regulate itself.
If the Grugq remains the poster child for the industry, the response from Washington DC and Brussels will not be pretty.