On the Zero-Day Market

New paper: “Zero Progress on Zero Days: How the Last Ten Years Created the Modern Spyware Market”:

Abstract: Spyware makes surveillance simple. The last ten years have seen a global market emerge for ready-made software that lets governments surveil their citizens and foreign adversaries alike and to do so more easily than when such work required tradecraft. The last ten years have also been marked by stark failures to control spyware and its precursors and components. This Article accounts for and critiques these failures, providing a socio-technical history since 2014, particularly focusing on the conversation about trade in zero-day vulnerabilities and exploits. Second, this Article applies lessons from these failures to guide regulatory efforts going forward. While recognizing that controlling this trade is difficult, I argue countries should focus on building and strengthening multilateral coalitions of the willing, rather than on strong-arming existing multilateral institutions into working on the problem. Individually, countries should focus on export controls and other sanctions that target specific bad actors, rather than focusing on restricting particular technologies. Last, I continue to call for transparency as a key part of oversight of domestic governments’ use of spyware and related components.

Posted on May 24, 2024 at 7:07 AM

Comments

echo May 24, 2024 7:34 AM

The proposals about more government openness and more emphasis on import-export controls are good. In practice these are often flawed. More emphasis needs to be placed on positive public interest and also public benefit tests to discourage secrecy for the wrong reasons and also prevent banning activities which are of public benefit because they’re automatically caught up in blanket bans. With that in place you also need to revise broader policy to ensure where some activities are permitted you also need access and remedy. Failure to take either of these steps causes big headaches.

While you need politicians who “get stuff done” you also need to put the brakes on them so this is given due consideration or you get bad law being rammed through even when it contains known faults. That creates another set of headaches when attempting to revise or challenge the law. Politicians can become welded to their policy and fight tooth and nail refusing to accept it needs revision and it can drag on for years causing umpteen problems, expensive legal cases, and everyone their cat and their dog banging their head against the wall.

An education in legislative process, committees, and various common law and how this can be used and abused can help. Then there’s all the backchannels from vested interests whether they are state agencies or lobbyists and politicians egomania hiding behind “legal advice”. Also keep your eye on secondary legislation mechanisms. After legislation is passed they can be abused too.

It’s also nice to have a champion in politics so learn who to butter up and when to get a tame journalist to plant their scare stories!

Have fun!

noname May 24, 2024 8:21 AM

And what’s going on with the backlog at NIST’s National Vulnerability Database (NVD)?

Since Feb 12, 2024, 93% of the vulns added to NVD have not been analyzed or enriched with data so security professionals know what software has been affected.

Anonymous May 24, 2024 11:58 AM

@Moderator

Trying to gauge where these posts (or parts of them) fall for you on the additive to “unpleasant” spectrum, in line with “everyone is expected to be polite and respectful”.

https://www.schneier.com/blog/archives/2024/05/personal-ai-assistants-and-privacy.html/#comment-437256

Nothing in what you’ve put up above has not already been said on this blog multiple times years ago in fact over a decade for some of it.

https://www.schneier.com/blog/archives/2024/05/on-the-zero-day-market.html/#comment-437289

That is why the likes of @noname and similar with questions should look at the EU portal designed to help people navigate through the EU AI Act, not foolishly given links to advertorials.

Let me know if you need clarification on the last one.

anonymous2 May 24, 2024 3:18 PM

@Anonymous
@Moderator

“Trying to gauge where these posts (or parts of them) fall for you on the additive to “unpleasant” spectrum, in line with “everyone is expected to be polite and respectful””

The comments are also expected to be honest and truthful as well, and whilst blunt they are neither rude nor impolite.

Both of the quotes you make were quite truthful and it’s interesting that you have not quoted them in context nor have you quoted others that are not truthful from other related posters.

Also you have not noted that in both cases they were responses to “off topic” comments that it’s been repeatedly suggested be put in the latest Friday Squid where they do not interrupt a new thread. A look through the archives on the Internet shows that @vas pup has been asked on more than one occasion not to post off topic on the current active threads and @Moderator in the past has deleted them.

So the next question that arises is why are you using the “Anonymous” handle? Yes they have become very common of late as can be seen since @echo started their nonsense. Further it’s clear some are changing them every thread.

So the follow on question that arises is “Are you a Sock Puppet or Bird of a feather” for @echo or @Winter because you are at best very one sided in your argument and popped up at the same time.

Vlad P said it's good to learn martial arts May 24, 2024 4:11 PM

I especially like a brief part mentioning the “Wassenaar Arrangement” and “dual use” technologies. (p738)
I have some accidental familiarity with a “dual use” military|civilian tech that can be used to harm or to help.
It’s been a troubling part of my life.

ResearcherZero May 25, 2024 5:56 AM

@echo

The fact that politicians convinced you to label yourselves progressive/conservative voters, demonstrates the ease with which they steer debate. They do not have to demonstrate any real policy or effective governance when they can simply bisect.

Why would they bother with any of your suggestions when they can lead you around by the nose and “blame” each other for being divisive? Easily distracting you.

It is theatre. You are all enthralled.
There is a new play for each weekly show.

It might well be the Seventies. Yet the structure of society has changed. You isolated yourselves into your “tribes”, marketing segments and PR demographics.

Flawed schemes are then rolled out at every election cycle. Funding is cut for other schemes, exacerbating the already existing problems… The governments change, but without addressing problems.

“I knew nothing,” says Post Office boss.

Followed by, “I fully accept now that the Post Office… the Post Office knew that. I completely accept it”

‘https://metro.co.uk/2024/05/22/paula-vennells-questioned-horizon-scandal-first-time-10-years-20886060/

Before they were sacked, forensic accountants uncovered specific dates and times that sub-postmaster accounts were remotely ‘corrected’ by Fujitsu.
https://news.sky.com/story/horizon-it-scandal-post-office-officials-knew-of-instruction-for-fujitsu-to-remotely-change-sub-postmaster-accounts-10-years-ago-leaked-recordings-say-13107171

Money taken from branch managers could have been part of “hefty remuneration packages for executives”.

‘https://news.sky.com/story/post-office-boss-admits-money-from-horizon-victims-may-have-gone-into-executive-pay-13048987

ResearcherZero May 25, 2024 11:14 PM

Almost everyone who worked at Fujitsu on Horizon would claim that they were just doing their job. The same response was given by those working in the Post Office management team. Many others would say it.

The same excuse would also be common amongst those in the 0day business.

It is the same excuse any member of the public makes to excuse themselves. To ignore problems that may not even be related to their job. Working in the private sector, or public makes no real difference. They say nothing and they do nothing. Very few ever report a problem.
Even fewer people actually report a crime.

It does not matter what ideology or the religion which people share. Universally everyone is ready to slip a knife in the back of the other when the chips are down.

Most problems start small, with decisions made by ordinary people, long before they ever reach the level of government. Each and every time it is ignored it spreads.

People put the uncomfortable paperwork back into the box and pretend it never existed. The vast majority refuse to volunteer evidence when it could prevent others being hurt. Selfish self-interest is the primary motivation, often above the welfare of the entire community. Family, friends, children, the elderly – all are left vulnerable by the very people that surround them. As security begins at home.

ResearcherZero May 25, 2024 11:40 PM

If you sell a zero-day, it could be your power grid, or medical equipment keeping a family member alive, eventually affected.
Perhaps in a response to the 0’Day’s use.

It’s not always direct cause and effect.
Big problems are a culmination of neglect.

We are all responsible for a portion of the world’s problems and the solutions.
