Black Hat keynote: U.S. should buy up zero day attacks for 10 times going rate

Dan Geer has other suggestions to improve cyber security that will make software vendors "yell bloody murder".

Las Vegas -- The U.S. government should pay 10 times the going rate for zero-day software flaws in order to corner the market, and then make those vulnerabilities public to render them less potent for attackers, Black Hat 2014 attendees were told yesterday.

That would reduce the overall threats against Internet traffic in general and cost less than the damage that actual exploits cause, says Dan Geer, who is the chief information security officer at In-Q-Tel, the venture capital arm of the Central Intelligence Agency.

This was one of several proposals he floated during his keynote address at the best attended hacker conference. He said several times that the ideas were his own and did not express anyone else's opinions.

His idea for the government to buy up all the zero-day vulnerabilities could have a significant impact on overall security assuming that most software isn't riddled with security holes. If the occurrence of flaws is dense, however, the scheme wouldn't work because software vendors would wind up spending all their time patching their products.

But if it turns out software vulnerabilities are relatively sparse, the flaws could be readily patched. "I believe they are sparse enough so if we corner the market, we can make a difference," Geer says.

At one time finding vulnerabilities was a pastime with the reward being bragging rights. Now finding flaws is a full-time job that guarantees that finders don't share their discoveries, hence a rise in the rate of zero-day attacks. The vulnerabilities can be sold for huge sums, drawing in researchers who find them and sell them for profit.

Offering 10 times the going rate would eventually attract most people with vulnerabilities to sell, regardless of their personal feelings about selling to the U.S., he says.

Another of Geer's proposals would have Windows XP open-sourced as a way to protect customers from being abandoned by Microsoft.

While Microsoft is not the only company that would be affected, he cited Microsoft as being among those companies that end support for their software despite the fact that it is still widely used. Though he didn't mention it by name, one example is Windows XP, which is still the operating system for about a quarter of PCs used on the Internet.

He says that abandoning updates for products used by vast numbers of customers should mean creators of the products should turn that function over to the public. It's unfair for vendors to officially end support for certain platforms for everyone but at the same time continue support for those customers who can afford to pay significantly extra for it, he says.

He acknowledged that the solution isn't perfect given the uncertainty of how well the open source community would support the software. "It's the worst option," Geer said, "except for all the others."

Another suggestion, again aimed at software vendors, would make vendors liable for damage their products cause to customers who use them normally. That means legislators and courts would have to sort out what "normal" means, but it would end the free pass vendors get for bad software, he says.

Vendors would be allowed to duck that liability if, as part of the licensing agreement, they made it possible for customers to turn off whatever pieces of the software they choose. That wouldn't allow customers to modify the code, just cut out parts of it they deemed unnecessary or that they simply didn't trust, Geer says.

His proposal would let consumers protect themselves without violating software vendors' copyrights, he says, but "software vendors will yell bloody murder."

Geer says embedded software in common Internet devices such as home routers and sensors should either include remote management interfaces or have a limited lifetime. That way holes discovered in their software could be patched remotely via the management interface. If there is no management interface, the limited lifetime would ensure that the flaws would eventually be removed when the devices hit their end of life.

Geer addressed the issue of Net Neutrality by offering ISPs the right to charge more for faster services but only in return for accepting responsibility for the content they transport on their networks. ISPs that didn't take up the offer could still operate as common carriers providing a single level of service with a common price but without having to accept responsibility for the content of the traffic.

Stories by Tim Greene