It is a type of software sometimes described as “absolute power” or “God”. Small wonder its sales are growing. Packets of computer code, known as “exploits”, allow hackers to infiltrate or even control computers running software in which a design flaw, called a “vulnerability”, has been discovered. Criminal and, to a lesser extent, terror groups purchase exploits on more than two dozen illicit online forums or through at least a dozen clandestine brokers, says Venkatramana Subrahmanian, a University of Maryland expert in these black markets. He likens the transactions to “selling a gun to a criminal”.
Just a dozen years ago the buying and selling of illicit exploits was so rare that India’s Central Bureau of Investigation had not yet identified any criminal syndicates involved in the trade, says R.K. Raghavan, a former director of the bureau. Underground markets are now widespread, he says. Exploits empower criminals to steal data and money. Worse still, they provide cyber-firepower to hostile governments that would otherwise lack the expertise to attack an advanced country’s computer systems, worries Colonel John Adams, head of the Marine Corps’ Intelligence Integration Division in Quantico, Virginia.
via Cyber-security: The digital arms trade | The Economist.
“It’s like selling guns to criminals” – where have I heard something like that before?
Oh yes, here:
[…] people can now crack a system, using “crack”, without even being decent programmers. There is no rite-of-passage for these people, they may not even realize that there are laws which could stick them in jail for years.
Someone once broke into another system which I control, I discovered it, tracked them down, and they got fired. For what? This person wasn’t even a good programmer–they didn’t even know they could be traced. I didn’t feel very good about this firing–didn’t want them to be fired–I just wanted to stop them from breaking into my system. When I discussed this case with CERT, I made it clear that I didn’t want the perpetrators arrested since they did no damage, I just wanted them to stop. However, under present US law they committed a felony. Frankly, it did waste about $500 of my time. The CERT people tried to assuage my feelings: at least they didn’t get thrown in jail, because you didn’t press charges, they said.
A publicly available raw “crack” is somewhat like throwing a pile of guns into a day care center. There isn’t even a “safety” on crack.
I want to make it clear that I am not trying to impose some sort of mandate onto the developers of “crack”. They have the right to produce and distribute whatever software they choose.
Instead, I am appealing to them to produce a piece of software which errs more on the side of usefulness than destructiveness.
That was in 1992, and the discussion continues at that link; and here we are again with sploitz and vulnz and 0days, oh my…
Sigh.
Some muppet is going to get their hands on the article and convince Governments to waste money on them, just wait and see; and attempts at “regulation” will follow.