Las Vegas -- The U.S. government should pay 10 times the going rate for zero-day software flaws in order to corner the market and then make those vulnerabilities public to render them less potent for attackers, Black hat 2014 attendees were told yesterday.
That would reduce the overall threats against Internet traffic in general and cost less than the damage that actual exploits cause, says Dan Geer, who is the chief information security officer at In-Q-Tel, the venture capital arm of the Central Intelligence Agency.
This was one of several proposals he floated during his keynote address at the best attended hacker conference. He said several times that the ideas were his own and did not express anyone else's opinions.
His idea for the government to buy up all the zero-day vulnerabilities could have a significant impact on overall security assuming that most software isn't riddled with security holes. If the occurrence of flaws is dense, however, the scheme wouldn't work because software vendors would wind up spending all their time patching their products.
But if it turns out software vulnerabilities are relatively sparse, the flaws could be readily patched. "I believe they are sparse enough so if we corner the market, we can make a difference," Geer says.
At one time finding vulnerabilities was a pastime with the reward being bragging rights. Now finding flaws is a full-time job that guarantees that finders don't share their discoveries, hence a rise in the rate of zero-day attacks. The vulnerabilities can be sold for huge sums, drawing in researchers who find them and sell them for profit.
Offering 10 times the going rate would eventually attract most people with vulnerabilities to sell, regardless of their personal feelings about selling to the U.S., he says.
Another of Geer's proposals would have Windows XP open-sourced as a way to protect customers from being abandoned by Microsoft.
While Microsoft is not the only company that would be affected, he cited Microsoft as being among those companies that end support for their software despite the fact that they are still widely used. Though he didn't mention it by name, one example is Windows XP, which is still the operating system for about a quarter of PCs used on the Internet.
He says that abandoning updates for products used by vast numbers of customers should mean creators of the products should turn that function over to the public. It's unfair for vendors to officially end support for certain platforms for everyone but at the same time continue support for those customers who can afford to pay significantly extra for it, he says.
He acknowledged that the solution isn't perfect given the uncertainty of how well the open source community would support the software. "It's the worst option," Geer said, "except for all the others."
Another suggestion that aimed again at software vendors would make vendors liable for damage their products cause to customers who use them normally. That means legislators and courts would have to sort out what normal means, but it would end the vendors' getting a free pass for bad software, he says.
Vendors would be allowed to duck that liability if they made it possible for customers to turn off whatever pieces of the software they choose to as part of the licensing agreement. That wouldn't allow them to modify the code, just cut out parts of it they deemed unnecessary or that they just didn't trust, Geer says.
His proposal would let consumers protect themselves without violating software vendors' copyrights, he says, but "software vendors will yell bloody murder."
Geer says embedded software in common Internet devices such as home routers and sensors should either include remote management interfaces or have a limited lifetime. That way holes discovered in their software could be patched remotely via the management interface. If there is no management interface, the limited lifetime would ensure that the flaws would eventually be removed when the devices hit their end of life.
Geer addressed the issue of Net Neutrality by offering ISPs the right to charge more for faster services but only in return for accepting responsibility for the content they transport on their networks. ISPs that didn't take up the offer could still operate as common carriers providing a single level of service with a common price but without having to accept responsibility for the content of the traffic.
This story, "Black Hat keynote: U.S. should buy up zero day attacks for 10 times going rate" was originally published by Network World.