Auction File: Only Worth What Someone Is Willing To Pay (August 22)
Another update on the Shadow Brokers saga and following auction. For hackers who aren’t also MBA’s, some insight into auction markets for vulnerabilities.
From the post:
There are so many facets to the recent Shadow Brokers’ leak it can be a bit overwhelming. But the Shadow Brokers’ mess does highlight front and center the importance of the perceived value of exploits and vulnerabilities. It is impossible to ignore the value of the exploits when this whole situation is potentially about an auction of high-end vulnerabilities.
In each RBS blog update covering the leak, we have provided a quick update on the auction status, and the reality is that the auction itself isn’t going very well. The leaked data auction recently showed an increase to 1.74847373 BTC (about US$1017.47), jumping from 41 to 56 bids:
…
You may find all the marketing data gathered here useful but as far as this auction, I suspect this captures the reality of the situation:
…
If this auction really contains valuable 0-day exploits, then one would expect that this would be worth bidding on for sure. But the parameters of the auction are far from standard, and may be one of the many reasons that the auction isn’t proceeding quickly. Rather than a traditional auction where a losing bid means your bid is returned and you lose no money, any bid on this data is not refunded if you do not win. It is also important to note that many believe that this really isn’t about an auction at all, rather to make a statement.
…
There may be valuable 0-day exploits but it isn’t possible to value them sight unseen.
Noting that reassurances from someone who allegedly stole from the NSA, don’t fill me with a sense of confidence.
If there are 0-days the NSA concealed, that the Shadow Brokers reveal, that open up the banking industry like a gumball machine:
do you know the name for the agent for service of process at the NSA?
😉