Thursday, May 1, 2008

Portfolio 2 - Criteria B

Many trends and developments in recent years help minimize the threat of zero-day attacks. One of these developments is simply called ‘zero-day protection’: the ability to protect against zero-day exploits. It relies entirely on knowing ahead of time when a particular vulnerability is going to occur, so that signatures can be created in case of any attempt to take advantage of the vulnerability.

In addition, buffer overflow is another development that has been created to limit the effectiveness of zero-day memory corruption risks. It is a programming error that has a few factors behind it, one of them being a possible breach in the security system. The latest operating systems, such as Mac OS X, Microsoft Windows Vista, Linux, UNIX, and Sun Microsystems Solaris, have these zero-day protections built in.

In addition, the legitimate trade programs for zero-day code software encourage talented hackers to use their skills to help detect dangers and improve the security of loopholes instead of taking advantage of them.

However, these protections are not guaranteed. A good enough worm could manage to fit itself through the small time window between the discovery of a vulnerability and the release of a new worm trying to take advantage of it.

Portfolio 2 - Criteria A

This portfolio addresses the issue of buying and selling zero-day (zero-hour) code software for loopholes on the black market. Zero-day code software is the missing ingredient that a talented hacker would need to actually steal the information that they have managed to breach. This is simply because they only know how to get to the data, but understanding it isn’t their area of expertise. Hence, this makes zero-day code software a problem that involves business, since it is mainly used to steal information such as credit card and banking information. The article quotes a hacker saying that “online payment systems such as PayPal, which can provide users with more anonymity than bank transfers, have given the black market an enormous boost by providing sellers with an anonymous way to collect”.

Zero-day code, however, has a positive side to it. “The practice is so widespread it’s even spawned a legitimate market”, states the article. Some legitimate researchers register for programs, such as Zero Day Initiative, to sell their discoveries to security companies and software vendors eager to improve their services and products. Looking at the negatives, zero-day code finally gives hackers the chance to get through the recently increased sophistication of firewalls and many other computer protection methods, leading online fraud and theft to increase.

Theft and fraud are an ethical issue related to zero-day code software. Another ethical issue connected to zero-day code is obtaining software, music, movies, etc. before their official release date by taking advantage of zero-day exploits and stealing the wanted files. These ethical issues are significant due to their big negative effects on both the business world and society.

Saturday, February 2, 2008

Chosen Article

Black Market In Bad Code

January 21, 2008

Time is the hacker's enemy. The countdown starts as soon as a hacker learns about a security loophole that makes an Internet site vulnerable to a break-in. Security and software firms have, by and large, succeeded in shortening this period, but hackers have responded in kind. They've created a brisk underground market for buying and selling "zero day" code–software that can be used instantly to exploit an as-yet-unsecured loophole.

Zero-day code is a reaction to the increased sophistication of firewalls and other computer protections. Many individuals and groups wanting to commit online fraud or theft no longer possess the skills needed to compromise computers. Likewise, many talented zero-day programmers lack the know-how to turn a computer intrusion into cash by, say, laundering money stolen from corporate pension-payment systems. Zero-day code bridges these two talent pools. It can be used to steal credit-card and banking information and install malicious software. "There are a lot of slow-burners out there that are generating large amounts of income and trying to remain under the radar," says Steve Santorelli, a former Scotland Yard computer-crime investigator now at Team Cymru, a Seattle computer-security consultancy to corporations and law-enforcement agencies. Online payment systems such as PayPal, which can provide users with more anonymity than bank transfers, have given the black market an "enormous" boost by providing sellers with an anonymous way to collect, says a Romanian hacker who would agree to be identified only by his online name, flo_flow.

This division of labor is making hacking a more productive industry. The market harnesses the expertise of hackers who have qualms about committing certain types of fraud or theft but are willing to sell zero-days to others who do the dirty work. Prices can reach tens of thousands of dollars for code that exploits vulnerabilities in widely used Internet browsers and PC operating systems, and Web-server software.

Many of the big-ticket sales pass through brokers with a reputation for honoring agreements. Some act as escrow agents, collecting purchase money and providing it to sellers (minus a commission) only after confirming that zero-days work. One broker in Bangkok, who spoke to NEWSWEEK on condition of anonymity because his work is illegal, says there is a "very, very large network" of middlemen. Some, including himself, broker licensing deals whereby sellers receive a monthly fee until security firms or software vendors discover and patch the vulnerability.

The practice is so widespread it's even spawned a legitimate market. Last July, the Swiss security firm WabiSabiLabi opened a legal online zero-day auction. Chief technology officer Giacomo Paoni says that more than 1,000 legitimate researchers have registered to sell their discoveries to security companies and software vendors eager to improve their services and products. TippingPoint and iDefense, two American firms, purchase zero-days from researchers to enhance their own security offerings.

These firms argue that by buying zero-days, they're keeping loopholes from criminals, thereby improving security. Critics say the practice only encourages the development of dangerous software–and who's to say how many buyers are hackers working incognito? There may not be many options to playing along: it's virtually impossible to stop trading by shutting down illicit marketplace Web sites and forums, says Mikko Hypponen, a computer-security expert in Helsinki who conducts training workshops for the Finnish Army. "They simply pop up somewhere else."

Sunday, January 13, 2008

More Stocks

I have also chosen to buy stocks for Apple, Dell, and General Electric, in addition to my previous choice of eBay.

Monday, January 7, 2008

Stock Market

eBay was my stock choice (the symbol is EBAY). It is currently at the price of $30.44. The reason I chose it was because it is at a low price, since I am looking to make money in a time period of approximately two months. It has a typical decreasing trend; however, it's expected to start rising again.

Tuesday, October 9, 2007

Criterion B

The IT systems involved with music piracy are components such as the Internet, P2P networking, and programs. The Internet is a very important component when it comes to music piracy, because it’s the root method of illegal file and music sharing. Another important component, which is dependent on the Internet, is P2P (peer-to-peer) networks. These work by making use of the diverse connectivity between the people using the Internet, rather than using the traditional resources, where very few servers provide the core value to a service or application. These networks are useful for sharing purposes, which makes it easier for people to share music on the Internet. The programs, which are the gateway to accessing P2P networks, are very simple applications that anyone can download for free from the Internet. All they do is work with P2P networks and allow people to download and upload files on them.

There have been many technological developments that have led to this IT system. For example, high-speed Internet has helped a lot in developing file sharing, because people can now share their files from home at very high speeds, instead of waiting long periods of time like they used to with dial-up Internet! Also, the programs are now much safer to use, since they have far fewer viruses than they used to, so they are much more trusted now.

In the future, they will probably develop even faster Internet, where people can share their files and music at even faster rates. They will also probably develop better, safer, and more user-friendly programs for people to share their files on P2P networks.

Thursday, September 27, 2007

Criterion A

This portfolio addresses the widely spreading issue of music piracy and its effect on the music industry. An example of this issue in society today is that some universities are not allowing students to illegally download music.

The IT system involved with this issue is the abuse of the Internet, and the file-sharing programs that are open to everyone who has access to the Internet. This IT system is important to society because a great majority of the world’s population depends on the Internet for a lot of things, whether it’s business, school work, entertainment, communication, or many other things.

Society is affected by this IT system in positive and negative ways. A positive social effect related to this is that people don’t have to pay money for their music, especially if they don’t agree with how it is priced. However, a negative ethical effect related to this issue is that musicians and record companies don’t get the money that they deserve for the work they have accomplished.

The future direction of people in society will be determined by the choices made about this issue. For example, if file-sharing programs such as torrent programs are completely banned and blocked, it will be much harder for the average person to steal music.