Shadowy Brokers Pay Millions for Zero Day Exploits, While Tech Giants Pay Thousands

There’s a new company on the scene representing the obstacles companies like Apple, Google, and other operating system vendors have in keeping their platforms secure. That company is called Crowdfense. Based in the United Arab Emirates, Crowdfense is offering bounties up to US$3 million for zero day exploits (security flaws unknown to vendors). According to the company (via Vice’s Motherboard), it will sell the exploits (only) to law enforcement entities.
And we know how well that works out.
[Image: Researcher Money Pile]
Sidenote
Crowdfense. It’s a curious name. It could be intended as something clever like crowd d-fense. It probably is, really, but I can’t help but read it as crowd-fense, which seems more like crowd-fence. And then I wonder if that’s fence as in barrier or fence as in selling-stolen-goods. Again, I’m sure that’s not what’s intended, but it is right where my mind went.
But I digress. Terribly.
War Is Expensive
Here’s what I really wanted to talk about. There is a high stakes war going on. It’s out of sight, but happening all around us, a battle for the security of our devices. On one side are the bad guys, including criminals—both organized and petty—and state actors—both state-sponsored hackers and state intelligence outfits. And when I say state actors are bad guys, I mean when they work for a government other than your own—and sometimes for your own government, too, depending on your perspective and the nature of that government.
On another side are we, the users, who put ever more of our lives into our devices, which is why the bad guys want in in the first place.
On a third side are legitimate law enforcement agencies, some of whom work hand in hand with the state actors mentioned above. They very much want to get inside devices owned by criminals and suspects because those criminals keep their lives in their devices, too.
On a fourth side are the operating system vendors making the software that runs our devices.
And in the shadowy insides of this four-sided battle are researchers. Black hats, gray hats, and white hats. These folks like to tinker and dig and poke and look for flaws in software, especially operating systems. Some of them work for security firms, and many more fool about on their own. And the white hats, as I noted on Thursday’s Daily Observations, deserve our thanks for reporting the flaws they find, either to the vendors or sometimes directly to the public.
Bounty, The Quicker Picker Upper
Now, white hats sometimes collect bounties from vendors. Microsoft pays up to $250,000 for some reports, though most rewards are much lower. Apple pays up to $200,000 for exploits. In 2017, Google paid out some $2.9 million—in 1,230 different rewards, so again, thousands of dollars per.
Now compare this to Crowdfense’s announcement. They’re launching with a $10 million fund and are paying up to $3 million per exploit out of the gate. And what will they then do with those exploits? Package them up and sell them in usable form to law enforcement and intelligence agencies, perhaps over and over, turning that investment into a profit.
And Crowdfense says they will be scrupulous about who they sell to. “Vetting customers is the most delicate part of our whole activity,” Crowdfense director Andrea Zapparoli Manzoni told Motherboard. There are plenty of other firms, however, far less zealous about who they sell to.
Math
In other words, there is an entire industry dedicated to finding, developing, and selling exploits to the highest bidder, sometimes whomever that highest bidder might be. Now, imagine you’re the type of person capable of discovering one of these exploits. While you’re imagining, do the math. I did some on the back of this napkin, and here’s what I found.
$3 million > Thousands of Dollars
Let me double check that.
::fetches the calculator::
::punches buttons with a clackety-clackety-clack::
Yep, that’s some solid math. Millions of dollars is definitely more than thousands of dollars.
Asymmetric Warfare
And this is the landscape companies like Apple, Google, Microsoft, Cisco, and a host of others find themselves in. Let me be clear, too, that the point of my piece is not to yell at the rich tech giants to pony up more money (though they will, eventually). As rich as those tech giants are, the world’s intelligence services have access to a lot more money, and organized crime is intensely rich, too.
Paying higher bounties is an ever-escalating battle, and I suspect the most it makes sense for vendors to do is pay enough that the white hats are rewarded enough to avoid the temptation that leads to the shadow world of Crowdfense, Zerodium, Cellebrite, Azimuth, and all the other brokers we’ve never even heard of.
This is, in essence, why we can’t have nice things. As long as the intelligence and criminal industries are funding this shadow market, there will be zero day exploits being deployed against us, the users. And while it’s hard to blame someone for wanting what amounts to a lot of money for their work, it makes me ever-so-thankful to those white hats who work on the light side of this system.