10 comments

[ 3.5 ms ] story [ 41.4 ms ] thread
How is it legal for companies like this to sell these exploits? Aren't they only useful for destructive (and likely illegal) purposes? If they were actually about protecting their customers wouldn't they sell mitigation steps and home-grown patches instead of ready-made exploit kits?

I don't understand the exploit market very well, so maybe I'm missing something obvious here?

Security researchers do the work and MS wants the information for free. If MS really wants to fix the problem, let them pay. I don't see the problem with this.
The problem is that they do not sell vulnerabilities. They sell weaponized exploits. This is not the Zero Day Initiative.
Imagine if someone researched and sold exploits to anyone (“terrorists”, foreign governments, etc.) internationally which allowed illegal access to say, real-world bank vaults, nuclear military technology, or high security prisons. Theoretically, your same logic would be valid, but I'm fairly sure selling that kind of information on any one of those would be illegal. If not, than it should be!

It's an exaggerated example, but it seems to me that sometimes what is in the best interest of everyone as a whole outweighs the desire of some individuals to exploit the weaknesses of others for personal gain.

I have a hard time supporting any position that argues that the dissemination of information should be illegal. The U.S. government tried a variation of that through export restrictions of cryptography.

I'm not a particularly big fan of firms that sell vulnerabilities (full disclosure: I've never sold any vulnerabilities I've discovered), but I would be incredibly uncomfortable with the idea that there should be a litmus test for what information is safe to trade, and what isn't.

This would only apply to selling information on zero days.
their customers are western governments. that's why being an arms dealer is legal, too. start selling to the wrong side and you'll quickly find out how subjective the legal system is.
(comment deleted)
Someone should use this for something good: Jailbreaking Windows 8.

I detest the AppStore-modell and locked down devices and wish for many companies (like the one's Raymond Chen kind of complains about in his blog oldnewthings) to have a little revenge:

Why not have a setup-programm which also jailbreaks the Metro interface in order to e.h. overlay a VideoLan window on top of it or enable access to all kinds of blocked APIs (like real sockets)?