http://tlf.disqus.com/The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.enSun, 17 Dec 2006 23:00:35 -0000http://techliberation.com/2006/12/16/ebay-for-black-hats/#comment-1449026<p>There's a very real miscreant economy, and many things, including exploits, access to botnets for DDoS (useful for extortion, etc.), and so forth are bought and sold daily. I've never heard of an exploit going for $50K, but they do go for amounts into the thousands.</p><p>I've never heard of anything like an 'eBay' for miscreants', most of the transactions are negotiated over IRC and IM, AFAIK.</p>Roland DobbinsSun, 17 Dec 2006 23:00:35 -0000http://techliberation.com/2006/12/16/ebay-for-black-hats/#comment-1449028<p>Who says auction system? There are ways of doing auctions without software, you know :) Anonymized chat room (which they are already very good at doing anonymously/untraceably, to control the botnets) + chatters saying 'I'll bid X' 'Do I hear X+1?' 'X+1!' You know, the old fashioned way :)</p>Luis VillaSun, 17 Dec 2006 07:08:05 -0000http://techliberation.com/2006/12/16/ebay-for-black-hats/#comment-1449027<p>I have to agree with Tim. I find it hard to believe that people who have the programming knowledge to engineer exploits to operating systems would trust any type of online auction system. Seems like a nice plot for a novel though.</p>DavidSat, 16 Dec 2006 23:22:25 -0000http://techliberation.com/2006/12/16/ebay-for-black-hats/#comment-1449029<p>Right, but doesn't putting your exploit up for auction substantially increase the chances of getting caught? I can believe that these exploits could be worth 50 grand, but I wouldn't think an online auction would be the way you'd sell them.</p>Tim LeeSat, 16 Dec 2006 22:10:45 -0000http://techliberation.com/2006/12/16/ebay-for-black-hats/#comment-1449030<p>I've heard of such things for earlier versions of Windows before, including some reputable/documented stories of auctions of botnets. Their existence shouldn't be too surprising- get that zero day exploit, and you can get yourself a very profitable botnet. Given the reputed cash flow for some of the spam kings, $50K doesn't sound implausible. And of course they are already in deep legal trouble if caught, so an additional charge wouldn't scare them very much.</p><p>The only part of this that sounds implausible is that it is for Vista- there is no commercial value in hacking into undeployed systems. But maybe they'll just stockpile it.</p>Luis VillaSat, 16 Dec 2006 19:39:42 -0000