[BreachExchange] Crowdfunding campaign to buy stolen NSA hacking tools from Shadow Brokers

Destry Winant destry at riskbasedsecurity.com
Wed May 31 23:14:30 EDT 2017


The idea of crowdfunding to raise enough money to buy NSA-linked
hacking tools from the Shadow Brokers is picking up steam and making
some people steam.

The price tag for getting hold of stolen Equation Group hacking tools
is 100 Zcash. When I started the article about the Shadow Brokers
revealing details about its June dump of the month subscription
service, the cost of 100 Zcash was equal to $22,779. By the time I
finished writing, it was equal to $23,251. As I start this article,
100 Zcash is equal to $24,128. By tomorrow, the first day to subscribe
to the Shadow Brokers monthly dump service, Zcash will likely cost
even more dollars. If you don’t have that kind of money, but want to
partake in the spoils of the June dump, then maybe crowdfunding is the
way to go?

At least that is what Hacker House’s Matthew Hickey and a security
researcher going by x0rz have proposed as the solution. They formed a
Shadow Brokers Response Team, with a goal of “creating open and
transparent crowd-funded analysis of leaked NSA tools” and launched a
Patreon campaign to raise $25,000.

The campaign, dubbed “a harm reduction exercise,” states: This patreon
is a chance for those who may not have large budgets (SME, startups
and individuals) in the ethical hacking and whitehat community to pool
resources and buy a subscription for the new monthly released data.

Their hope is that by purchasing the stolen data and analyzing it,
another attack like WannaCry can be prevented. But, oh my, some
security experts are vehemently opposed to the idea and likened the
crowdfunding effort to “enabling ‘cyberterrorists’,” negotiating with
terrorists, or “funding evil.”

The Shadow Brokers did not reveal what data the group might dump in
June and claimed to be undecided about it, but when first announcing
the monthly dump subscription service, they said the dump could be:

- web browser, router, handset exploits and tools
- select items from newer Ops Disks, including newer exploits for Windows 10
- compromised network data from more SWIFT providers and Central banks
- compromised network data from Russian, Chinese, Iranian, or North Korean
  nukes and missile programs

The Patreon reads: As a harm reduction exercise it is important that
any compromised parties are notified, vulnerabilities in possession of
criminals are patched and tools are assessed for capabilities. We will
release any and all information obtained from this once we have
assessed and notified vendors of any potential 0days.

“We believe it is in the greater good to obtain these exploits and
mitigate the risk presented by them,” the campaign adds.

The campaign launched yesterday and thus far has 24 patrons with a
crowdfunded total of $2,225. The goal is to raise $25,000. If that
goal is not met, the “bitcoin funds will be donated to a
charitable organization campaigning for human and/or digital rights.
Patreon subscribers will be refunded if the platform allows it (or we
will not post to prevent a charge). We will split whatever may be left
over from this evenly between EDRI and the EFF. If you had money to
spend on an exploit auction like this, giving it to charity should not
be too objectionable for you.”

Of course, the Shadow Brokers might be playing everyone and not have
anything left to dump. Conversely, the group might still have powerful
NSA Equation Group-developed exploits. The NSA could just step up and
tell all affected parties how it was exploiting their products, as it
allegedly did when it told Microsoft, so the patches can be developed
and deployed before the exploits are in the public domain. But let’s
get real; that’s highly unlikely to happen.

Nevertheless, the Patreon floats the idea: If the NSA are willing to
inform us about what it is they have lost, the capabilities and
vulnerabilities it has exploits for - so that we can make informed
decisions to defend our networks then we will withdraw from this
option. We need accurate guidance to be able to defend our networks
and so far that guidance is not forthcoming from anywhere else.

While some people view pooled funding resources as a way to give the
Shadow Brokers the least amount yet still get hold of the dump to get
things patched, others are adamant that giving the group any money is
morally wrong.

At the time of publishing, 100 ZEC (Zcash) had slightly decreased from
$24,128 at the time I started the article to $23,662. If you don’t
have that to spare for the June data dump monthly subscription, will
you join the crowdfunding campaign?
