Kevin Mitnick isn’t known for being humble.
When Paul Ducklin reviewed the infamous convicted phone hacker’s Ghost in the Wires a few years ago, he noted that the book contained nary a word of contrition (granted, many readers disagreed with him on the need for any):
He doesn't apologise to the very many victims he abused, lied to and cheated; nor to those whose cellphone time he ripped off and whose identities he stole; nor to those outside his own circle whom he left in potentially serious trouble or whose lives he diminished by his self-obsessed criminality.
In fact, he doesn't really acknowledge his victims at all, and he gave me the impression that he's still proud of his time as a liar and a cheat.
So it probably shouldn’t surprise anybody that Mitnick, who post-prison reinvented himself as a skilled penetration tester, security consultant and social engineer, is now offering to sell zero-day exploits at the eye-popping opening price of $100,000 (£61,283).
Not a humble price!
As Wired reports, Mitnick last week unveiled a new branch of his security consultancy business called Mitnick’s Absolute Zero Day Exploit Exchange that will both develop zero-day exploits – i.e., tools that take advantage of as-yet unpatched software bugs – in-house, as well as buy them from developers.
The target customers, naturally, are those with deep pockets, such as corporations and government clients.
Will the US’s National Security Agency (NSA) become a client, if it isn’t already?
As it is, the Electronic Frontier Foundation has sued the NSA over hoarding of zero days, filing a Freedom of Information Act (FOIA) lawsuit to access documents showing how intelligence agencies choose whether to disclose zero days.
That came afer a April 2014 report from Bloomberg News that alleged that the NSA had secretly exploited the Heartbleed bug in the OpenSSL cryptographic library for at least two years before the public learned of the devastating vulnerability.
Mitnick told Wired that his firm’s zero-day exchange was quietly rolled out six months ago.
As far as clients go, he’s not naming names, not giving numbers for how many (if any) zero days have been sold, and isn’t inquiring into just what, precisely, buyers intend to do with these ticking time bombs.
Wired quotes him:
When we have a client that wants a zero-day vulnerability for whatever reason, we don’t ask, and in fact they wouldn’t tell us.
Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between.
Will his sales help governments to spy on us?
He says that no, governments aren’t necessarily his intended customers.
Rather, he’s setting his hopes on selling to penetration testers, antivirus firms, or even companies that might pay him to find holes in their own products.
After all, he says, he has his own, “unique history” with the US government, which imprisoned him for a total of five years – eight months of which were in solitary confinement due to fear of his supposed technology wizardry:
I'm not interested in helping government agencies spy on people. I have a unique history with the government. These are the same people who locked me in solitary because they thought I could whistle nuclear launch codes.
Whether any organization outside of a government body can afford his stiff price is one question. Another question is whether his firm’s relaxed customer policies will enable repressive regimes or even criminals to get hold of dangerous exploits.
But Mitnick told Wired that he’ll be screening his buyers, to ensure that he’s only selling to wholesome outfits:
I wouldn't consider in a million years selling to a government like Syria or to a criminal organization.
Customers want to buy this information, and they’ll pay a certain price. If they pass our screening process, we'll work with them.
At any rate, it’s not illegal to sell zero days – Mitnick’s throwing his hat into a ring that already includes several boutique vulnerability providers that sell subscriptions that reach as high as $2.5 million for a year of 25 zero-day flaws.
With these figures, it’s hard to imagine that bug-bounty programs can compete to purchase zero days – in fact, some industry watchers say they can’t.
But while it’s legal to sell zero days, and it obviously happens, is it the right thing to do, ethically speaking?
It’s a hot topic. Please share your own thoughts on it in the comments section below.
Image of Kevin Mitnick licensed under Creative Commons, courtesy of Flickr user campuspartycolombia. Photo taken by Julieta Feroz