From Black Market To Free Market

Frustrated computer-security firms are offering to buy tips from the very hackers who bedevil them

The Russian hacker known as "Bit" had something valuable to sell. He had spotted a defect in Microsoft Corp.'s (MSFT) Internet Explorer Web browser that makes it vulnerable to attack -- and figured out how to exploit it. In an underground chat room frequented by virus writers, Bit made his pitch. "I'm selling a zero-day exploit for Internet Explorer," read the ad posted at on July 16. The price? $300.

Bit has plenty of places to peddle his wares. is just one storefront in a massive underground trade in computer vulnerabilities -- the flaws in software that malicious hackers love to exploit. Organized crime pays top dollar for information that helps it break into corporate databases and pilfer people's identities, say security analysts. The data are plentiful. Like Bit, hundreds of hackers barter tips at on how to crack technology from Microsoft's Windows XP to the Symbian operating system used in millions of mobile phones.


Now there's a new twist. A handful of computer-security firms are creating legitimate markets in hacker intelligence and offering to buy tips from some of the very people who bedevil them. The markets are controversial, since they reward hackers for uncovering computer loopholes and, to some outsiders, look like the payoffs of a protection racket. But security firms argue that this free-market approach will give them critical information so they can boost protection for their clients.

Next week security outfit TippingPoint (COMS) will launch its market in vulnerabilities, called Zero Day Initiative. The term "zero day" refers to the goal of some hackers to exploit software flaws before the software's maker has any notice to fix them. As part of the program, TippingPoint will offer the equivalent of frequent-flier points for hackers. Repeat contributors can amass points that generate bonuses of as much as $20,000. "If the information comes from somebody who would have otherwise sold it on the black market, it's a great thing," says Marc Willebeek-LeMair, chief technology officer at 3Com Corp. (COMS), which owns TippingPoint. "This is the way of the future."

It's all part of a fresh effort by the tech industry to come to grips with hackers. Technology defenses alone can't stop the rising flood of computer viruses, break-ins, and fraud. So some tech companies are beginning to try to develop relationships in the hacker community. The goal is to secure the help of responsible hackers known as White Hats, fight off the malicious Black Hats, and win over those who are in between. "Understanding the people behind the keyboard, the mouse, and the code-writing is really important to mitigating their attacks," says Daniel J. Larkin, chief of the FBI's Internet Crime Complaint Center.

The importance of hacker relations was underscored recently when Cisco Systems Inc. (CSCO) got into an ugly dispute at the Black Hat conference in Las Vegas, an annual gathering of security experts and hackers. A security researcher, Michael Lynn, had planned to give a presentation on weaknesses in Cisco's Internet Operating System to help Cisco customers protect themselves. But Cisco and Lynn's employer, Internet Security Systems Inc. (ISSX), cut a deal to stop the talk. Lynn resigned and gave the talk anyway on July 27. Cisco slapped him with an injunction the next day that demanded the names of "anyone to whom he disclosed...sold, or offered to sell...any Cisco code or any vulnerabilities."

It was tantamount to declaring war on hackers. "They were too heavy-handed, and now the hacker community is pissed off at them," says Kevin D. Mitnick, a notorious computer whiz who was jailed for hacking and has since set up his own computer-security consultancy. Ever since the suit, an army of programmers has been working to break Cisco's technology, security experts say. Cisco says it is rethinking its policy of having only ad-hoc interactions with hackers. "We're talking internally about what we should be doing beyond what we're already doing," says Robert Gleichauf, chief technology officer of Cisco's security-technology group. Lynn could not be reached for comment.

Microsoft may be at the other extreme. Because of its Windows monopoly and history of bullying rivals, the giant has been a favorite target of hackers and has long viewed them with disdain. But now the company is actively cultivating people in the community. At the same Las Vegas conference where Cisco got into its public spat, Microsoft threw a party at Pure, the glitzy nightclub in Caesars Palace (HET), and opened the bar to more than 450 security researchers and solo hackers. "One alternative is to take an acrimonious relationship. Another is to recognize that these people are passionate about security," says Kevin Kean, director of security response at Microsoft. "The party is an honest attempt to develop that community."


That's just one part of Microsoft's charm offensive. In March the Redmond (Wash.) firm hosted a two-day Blue Hat Summit (the event's name refers to Microsoft's blue logo). The meeting allowed hackers to hobnob with senior executives such as Windows czar James E. Allchin. Another summit is scheduled for October.

The industry's tactics seem to be winning over some of its intended targets. Dan Kaminsky, a 26-year-old self-professed hacker who runs his own security outfit, DoxPara Research, from his home in Seattle, says the likes of Microsoft have typically shunned him and his hacker friends. But in March he was invited to speak at the Blue Hat Summit. Now he's intrigued by the Zero Day Initiative. He says the hacker community is buzzing with hope that ZDI will snare some of the most dangerous code from the dark corners of the Web. "The best way to stop a security problem is to know how it's being written," says Kaminsky. "You have to get the developers inside the walls."

TippingPoint has developed its program with great care. To keep out hackers who may exploit the market, the company requires all participants to provide photo IDs and undergo background checks. It will also only make payments for the vulnerabilities via Western Union Financial Services Inc. (FDC) or bank transfers, not online money transfers, which allow identities to be masked.


The program is designed to look like a frequent-flier program. There are four levels of privileges: bronze, silver, gold, and platinum. In addition to a $20,000 bonus, platinum-level hackers can get triple reward points for each new flaw they discover that year. At ZDI's kickoff party, 750 people attended. "There is this wealth of unharnessed research out there," says 3Com's Willebeek-LeMair. "By putting a program around it, we can make sure it is used in the right way."

Early evidence suggests that such markets can deliver results. The Reston (Va.) security firm that pioneered paying for vulnerabilities in 2002, iDEFENSE, says 200 hackers in 30 countries have exposed 1,100 security holes so far. That adds up to about 350 a year, compared with a total of 3,780 viruses found last year, according to Carnegie Mellon University's government-backed Computer Emergency Response Team (CERT). iDEFENSE says it won't work with any hackers that it knows have done harm.

One of the converts is Vladimir Dubrovin. The Russian security guru posts information about software flaws on his own Web site, after informing tech companies. Now, as a member of iDEFENSE's bugs-for-bucks program, he also makes cash from his work -- and keeps data about unpatched flaws out of the hacker world. "Getting money for changing disclosure policy is as good as any choice," he says.

Still, paying a ransom for tips makes many in the security community queasy. They worry the practice could spawn even more Black Hat hackers eager to cash in and could expose software holes faster than tech firms are able to fix them. Most chilling: Hackers who participate could play both sides of the street, collecting information on vulnerabilities for malicious use at the same time they offer up a few tips. "Any company has to be concerned if they are giving money to people they know are trying to do bad," says Gene Hodges, president of security software maker McAfee Inc. (MFE). "I don't believe there are any circumstances where that's right, and any companies doing it should reconsider."

By Brian Grow and Steve Hamm, with Jay Greene in Seattle and Sarah Lacy in San Mateo, Calif.
