People will decry this, but I'd argue a free and open market for vulnerabilities would be a great thing. Here's why:

1) It would result in more vulnerabilities found

This is fairly axiomatic. An open market increases the price of vulnerabilities which in turn increases the number of vulnerabilities found (unless you want to argue the ability to find vulnerabilities is inelastic for some reason).

2) It would result in more vulnerabilities being disclosed to the proper authorities rather than malicious parties

This is more debatable, but since there should always be significantly more incentive on good actors to prevent the exploit (i.e. the software creators and/or community) than bad actors, the good actors should always win the bid. Indeed, one could argue that it is only the prevention of free negotiation in the sale of vulnerabilities is the reason an exploit is ever sold to bad actors (e.g. if I found a Windows vulnerability and told Microsoft $10m or else, I'm a criminal).

3) It would ultimately increase the quality of software

Given more vulnerabilities are found and more vulnerabilities would be disclosed to good actors, the quality of software increases.

I believe that 2) is essentially the Coase theorem (http://en.wikipedia.org/wiki/Coase_theorem), but I am only an arm-chair economist. Also, I'm not sure that what Mitnick is doing actually is a free and open market for vulnerabilities.

It amuses me to hear how middle-class people are baffled by the fetishization of criminality in hip-hop culture, when we fetishize the same type of assholes in our culture. Mitnick is a criminal and all the pro-hacking sympathies have been wasted on a very, very undeserving person. Funny how easily you can manipulate public opinion with the right PR and anti-government message. Everyone wants to be the rebel against "the system." Everyone seems to think they're the Ayn Rand hero amongst the idiots, when in reality, the rebels and the intellectually vain are easily co-opted politically. The rise of libertarianism in geekdom seems to fall under the same dynamic.

"Mitnick became a symbol of government oppression in the late 1990s, when he spent four and a half years in prison and eight months in solitary confinement before his trial on hacking charges. The outcry generated a miniature industry in “Free Kevin” T-shirts and bumper stickers."

I wonder if money could be made selling 'Fuck Kevin' shirts and bumper stickers now.

Incidentally, Fuck Kevin.

"My clients may use them to monitor your activities? How do you like them apples, Chris?" -- Mitnick to ACLU technologist, last line of article

Wow what a first class dick. He's implying that he will be glad to sell zero days to the government to illegally monitor ACLU activities (e.g. free speech, etc.)?

I've always thought it would be a just punishment for a neutral, but government arbitrated, third party to hold a highest bid auction for zero-day exploits, where the breached company has the opportunity to buy back their bad security at a market price. I feel as though making it public and legal would force larger targets to make better security decisions, instead of the current status quo of letting them off with tiny fines if anything at all.

“Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between.”

A glorified reseller and scumbag. Pathetic.

Well, this is what happens when researchers are snubbed by software vendors.

I don't agree with the attitude and sale of vulnerabilities, but if someone approaches the vendor and get the responses "this is not a vulnerability" or "why are you hacking our software, we're calling the authorities" this is where it ends up...

For those wanting to criticize Mitnick's actions, what I gather from the following quote is that there is an existing "industry" around finding, and selling these exploits...

"Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between."

Can anyone shed light on these "researchers" and how they sell their exploits now? Or is this just a friendly way of saying "we pay hackers for exploits and then blackmail vendors"?

My initial thought was "this should be illegal" - but if there's no market for exploits, security will remain poor. So, this sort of business is a bump on the road to global security, which I have some hope we're heading towards.

Either way, an exploit market is a grimy business, basically war profiteering. I wonder who is off-limits to sell to - certainly the Iranians, but who else, and who decides who is evil and who is good? People will die from some of these sales.

I think we'll see pervasive encryption and P2P (blockchain-based) applications that will push back tyranny a bit. There will be technological solutions to things like secret legal proceedings and warrantless wiretaps. And by pushing computation back out to decentralized nodes, there won't be such juicy targets to attack.

I'm old enough to remember this guy's moment in the sun by getting himself arrested. It was easy to fall into the "Free Kevin" mindset but now he's just trading on the name to make money. It's hard to keep that same "fuck the man" vibe when you become the man.

EDIT: I realize he's been trading on his name for a while now but I was cool with it when he was a "white hat".

So the same people who support Silk Road and black markets suddenly say, "Yeah, Fuck Kevin Mitnick!" because he's a capitalist and using essentially the same system to make some money??

... I think a lot of geeks might be burning their "free kevin" t-shirts.

So, who did he buy the 0days from?

I know he didn't find them himself. The boy can't code.

https://keenot.es/read/kevin-mitnick-is-celebrated-nobody

It's all very nice hoping that a free market for this kind of thing will improve security, but I don't see how that's going to happen. Government agencies are probably going to be his top customers... let's face it, they obviously have more funding for this kind of thing than they know what to do with, and it saves them having to do any hard work.

It's going to bring way way way more detriment than it is benefit, especially if his clients start looking at using semi-legal tactics to protect their investments.

The prevalence of 0-day exploits and the booming marketplaces for them are the biggest challenge for our industry today. The economic incentives mean that the worst vulnerabilities will increasingly be sold instead of responsibility reported. Why report it to the company in hopes of a 5k bounty, when the US gov will pay you 100X that for exclusive use? We're at a point now where everything has been compromised -- the network, every OS, every browser, every popular application. The software we all rely on can not be trusted to be secure from governments or well-funded organizations. Having unbounded access to every computer in the world is a frightening amount of power for any government or organization to hold. Until we find a way to change the economic incentives, I'm afraid the consolidation of power and the associated abuses are only going to continue. I have no idea how we fix this.

Isn't this blackmail?

"Pay us for all your secret vulnerabilities or we'll sell them to the highest bidder".

Basically, he is doing arm trade in 21st century.

It's disappointing to see that Kevin would sell exploits to a government body, but I don't otherwise see a problem with an exchange for exploits. I mean, they're going to get developed and sold eitherway, whether it's here, on some darknet forum, or whatever.

Not another story about this overrated dude.

Don't get me wrong, im sure hes a nice guy. But he hasn't demonstrated anything useful for 20+ years and it seems he is mainly making a living writing vague non-technical h4ax0r books and giving interviews. Hell, i think he cant even code.

As an off-topic note, I'd like to see if the font is showing up as poorly for anyone else as it is for me. The kerning is atrocious, and several rounded lower-case letters run into each other. This article is hard to read. ea, oa, ce...

If I were, say, some sort of Global Passive Adversary, I would try very hard to spy on Mitnick's communications. Then I could have all the vulnerabilities, and know who is buying and selling.

I wonder if maybe that has occurred to anyone.

I was surprised by the ACLU response given that sharing source code is very clearly free speech.

Is the ACLU of all groups really interested in stopping/censoring people from sharing ideas?

Why does anyone need to legitimately buy a zero-day?

His website look like very "Free Kevin" era, with Flash replaced by CSS tricks.

This again, reminds me that money can buy you anything... apart from a free CONSCIENCE.

At least this way large corporations will start paying more for their bounties.

t'would appear he cares about nothing and no-one, and has opted to use his powers for evil.

We shall have wait and see how that works out for him.

His website needs some work

Let me inturrupt this fascinating discussion for an important PSA:

All of you who don't produce 0 day: You don't get to have a say. Your opinion doesn't matter and you don't get a seat at the table, not even as an observer.

And now back to telling other people what to do with their work product...