YOUR IT - Technology for you


Security vulnerabilities open for bidding


The motivation for creating malware has switched from fame to money, and a Swiss operation thinks security researchers are ready to make a similar transition.
WSLabi has set up a marketplace allowing security researchers to sell the fruits of their labours without accepting whatever 'bounty' (if any) the corresponding developer offers, or having to resort to the black market.

"[A]lthough there are many researchers out there who discover vulnerabilities very few of them are able or willing to report it to the right people due to the fear of being exploited," said Herman Zampariolo, CEO of WSLabi.

Buyers and sellers of information will be required to identify themselves to WSLabi, but nicknames will be used by the parties.

Sellers can choose between a straight auction, exclusive sale at a fixed price, and non-exclusive sale at a fixed price. WSLabi officials say they will help security researchers determine the method that should maximise their returns.

The company also says it will verify submitted vulnerabilities in its own testing labs, and will vet prospective buyers "so that the risk of selling the right stuff to the wrong people is minimized."

The auction site has been running for almost a week. Four vulnerabilities are on offer (Linux kernel memory leak, Yahoo Messenger remote buffer overflow, Squirrelmail GPG plugin command execution, and MKPortal SQL injection), but only one bid has been made on the Linux and Squirrelmail issues. The €600 bid for the Squirrelmail vulnerability is well below its "buy now" price of €1750.

WSLabi will not charge a commission during the first six months of operation. According to CNet, it intends to levy a 10 percent fee on buyers and sellers.

WSLabi's marketplace raises two main issues.

Firstly, is it right that researchers are compensated for their efforts at a market-determined price (as are the programmers that create the vulnerable software in the first place), or is this a form of extortion? Should vulnerabilities in commercial software be treated differently to those in open source and other non-commercial projects?

Secondly, can the company be relied on to exercise due diligence in checking the identities and backgrounds of buyers and sellers? The New York Times quoted David Perry, director of education at Trend Micro, as saying "who is to judge if the buyer on this auction is a criminal, or a hostile foreign government, or what? There are well known and well established methods to bid on an auction anonymously. Like the cartoon said, 'On the Internet, nobody can tell you're a dog.'"
