Now that I have your attention, you can quit reading since this is mostly an excuse to link to Phreakonomics (which is far more interesting than what follows here) and to one-up Dale’s last blog. Most interesting, was a quote from dailydave:

“There’s not an infinite supply of bugs, just lots of them. Like oil or “sea bass”. Eventually you run out. We’re pretty near this point on Linux - the cost for writing a remote exploit for bob_ftp server.exe on Windows is about 500 bucks. The cost of doing the same against a modern Linux is 50K. It’s doable, but it’s a 10 month investment and by the time your finished product comes out the other end, the bug has been found by someone else and it’s patched.”

But seriously, I’ve always wondered what sort of premium one could get from 3Com’s Zero Day Initiative for a previously unknown exploit against a highly obscure protocol on a unpatchable device that controls a dangerous physical process? How much more (or less) than, let’s say, a Linksys AP, a Cisco IP Phone, a Juniper M-series router? Not that I have any SCADA 0-days or would I share them with the fine folks up on 360, but it is interesting to think about, especially in light of the recent Excel 0-day on eBay.

For years (or so I’ve heard) there has been an underground economy for compromised routers. Connect to IRC and Voila! get enable access on a 7200 of choice! Or army’s of bot-nets to remail SPAM or lauch a DoS attack against a competitor or whoever you want. Or so the story goes… The gleam in the eye of folks telling has always left me uneasy.

Would there really be a market for trading SCADA product vulnerabilities or specific weaknesses operational control systems? Where would the bidding start? We just don’t know. It all points back to lack solid threat data: who or what should really keep us up at night? If we knew, would we do anything differently?