Author Topic: Kevin Mitnick Is Now Selling Zero-Day Exploits  (Read 9843 times)

app103

Kevin Mitnick Is Now Selling Zero-Day Exploits
« on: September 26, 2014, 08:44 AM »
This gave me a really sick feeling in my stomach.  :sick:

As a young man, Kevin Mitnick became the world’s most notorious black hat hacker, breaking into the networks of companies like IBM, Nokia, Motorola, and other targets. After a stint in prison, he reinvented himself as a white hat hacker, selling his skills as a penetration tester and security consultant.

With his latest business venture, Mitnick has switched hats again: This time to an ambiguous shade of gray.

Late last week, Mitnick revealed a new branch of his security consultancy business he calls Mitnick’s Absolute Zero Day Exploit Exchange. Since its quiet inception six months ago, he says the service has offered to sell corporate and government clients high-end “zero-day” exploits, hacking tools that take advantage of secret bugs in software for which no patch yet exists. Mitnick says he’s offering exploits developed both by his own in-house researchers and by outside hackers, guaranteed to be exclusive and priced at no less than $100,000 each, including his own fee.

And what will his clients do with those exploits? “When we have a client that wants a zero-day vulnerability for whatever reason, we don’t ask, and in fact they wouldn’t tell us,” Mitnick tells WIRED in an interview. “Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between.”

Mitnick declined to name any of his customers, and wouldn’t say how many, if any, exploits his exchange has brokered so far. But the website he launched to reveal the project last week offers to use his company’s “unique positioning among security researchers and the hacker community” to connect exploit developers with “discerning government and corporate buyers.”





from Versioning

Renegade

Re: Kevin Mitnick Is Now Selling Zero-Day Exploits
« Reply #1 on: September 26, 2014, 11:49 AM »
This gave me a really sick feeling in my stomach.  :sick:

I can understand why he'd do it. It's a kind of perverse revenge for what they did to him. It probably wasn't fun being thrown in a rape cage.

Still... it's perverse.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

KynloStephen66515

Re: Kevin Mitnick Is Now Selling Zero-Day Exploits
« Reply #2 on: September 26, 2014, 12:21 PM »
An eye for an eye leaves everybody with less eyes.

TaoPhoenix

Re: Kevin Mitnick Is Now Selling Zero-Day Exploits
« Reply #3 on: September 26, 2014, 12:39 PM »
I'm not sure how long he'd even survive against the legal system doing this.

I just don't know enough about computer law.

A lot of those kinds of guys are out of reach, buried in Russia/your choice of 10 countries.

But Kevin Mitnick is in our back yard.

Look what happened to that Dot-com guy. Or is music more important than security?!


mwb1100

Re: Kevin Mitnick Is Now Selling Zero-Day Exploits
« Reply #4 on: September 26, 2014, 12:54 PM »
It's like a real life Bond super villain business plan. And this is just the kind of phrase such a character might utter: “discerning government and corporate buyers”

app103

Re: Kevin Mitnick Is Now Selling Zero-Day Exploits
« Reply #5 on: September 26, 2014, 06:24 PM »
Others might wish to see it as him setting his own bounty price, to find exploits in software, selling them to the big developers responsible for that software so that they can fix the vulnerabilities.

But I don't see it that way.

My thought was him selling exploits to the DHS, NSA, and CIA, even if he ends up unknowingly doing it, by selling them to one of their umbrella corporations. And what do you think they would do with those exploits?

Seems less like revenge and more like greed, if you ask me.

Deozaan

Re: Kevin Mitnick Is Now Selling Zero-Day Exploits
« Reply #6 on: September 26, 2014, 07:01 PM »
Is that even legal? Seems like a good way to land himself back in prison.

app103

Re: Kevin Mitnick Is Now Selling Zero-Day Exploits
« Reply #7 on: September 26, 2014, 08:05 PM »
Is that even legal? Seems like a good way to land himself back in prison.

Selling exploits to the DHS, NSA, and CIA is perfectly legal. Selling exploits for products direct to the company that's responsible for them, such as selling exploits for Google products to Google, is perfectly legal, too. Anything else is a gray area, and it would all depend on who he sold it to and what they did with it. Sell the wrong thing to the wrong person, and he could be held responsible for what they do and charged as an accessory, if they do anything illegal with it.

Innuendo

Re: Kevin Mitnick Is Now Selling Zero-Day Exploits
« Reply #8 on: September 27, 2014, 10:39 AM »
app103 is following my line of thought here. Hacking is considered to be an act of terrorism under modern American law. It's just a matter of time before one of his clients does something illegal with what he sold them and he'll be looking down the barrel of being charged as a terrorist.

It's amazing how some of the smartest people can also be among the stupidest.

TaoPhoenix

Re: Kevin Mitnick Is Now Selling Zero-Day Exploits
« Reply #9 on: September 27, 2014, 11:08 AM »
It's amazing how some of the smartest people can also be among the stupidest.

Well, that phrasing bothers me a little. I prefer it as "IQ and wisdom are far from the same thing."
So you get both halves of the spectrum - IQ off the charts but zero wisdom, and maybe Forrest Gump on the other. (After all, he somehow managed to meet Presidents, start a business, become a leader (when he had people following him while he ran), and more, and didn't really seem to have very many vicious enemies.)


Renegade

Re: Kevin Mitnick Is Now Selling Zero-Day Exploits
« Reply #10 on: September 27, 2014, 11:28 AM »
app103 is following my line of thought here. Hacking is considered to be an act of terrorism under modern American law. It's just a matter of time before one of his clients does something illegal with what he sold them and he'll be looking down the barrel of being charged as a terrorist.

It's amazing how some of the smartest people can also be among the stupidest.

Hold on... He's selling to governments... By definition they cannot do anything "illegal". They're always right and moral and good and virtuous and puppy dogs and flowers and loveliness and virtue.

Are you suggesting that governments can be capable of criminal activity????

That's simply absurd!!!

Can a government be a terrorist?

Oh, I'm so shocked! It's just not possible!

Because...

This.

Yeah. Pretty much that. ;)



I'm sure as heck not going to defend Mitnick. But I sure as heck won't defend or excuse his clients either.

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

SeraphimLabs

Re: Kevin Mitnick Is Now Selling Zero-Day Exploits
« Reply #11 on: September 27, 2014, 09:52 PM »
Just the fact that he is making a profit from exploiting other people's systems is very highly questionable - I would have to read through a few software licenses to see if that aspect is even legal.

But he might make a profit regardless, it's just a question of legality and morality of this type of activity.