Crowdfunding campaign to buy stolen NSA hacking tools from Shadow Brokers

If you don't have that kind of money lying around to buy into the Shadow Brokers June dump of the month club, yet still want to analyze the exploits so any possible zero-days can be patched, will you participate in the crowdfunding campaign to buy the NSA-linked hacking tools?

The idea of crowdfunding to raise enough money to buy NSA-linked hacking tools from the Shadow Brokers is picking up steam and making some people steam.

The price tag for getting hold of stolen Equation Group hacking tools is 100 Zcash. When I started the article about the Shadow Brokers revealing details about its June dump of the month subscription service, the cost of 100 Zcash was equal to $22,779. By the time I finished writing, it was equal to $23,251. As I start this article, 100 Zcash is equal to $24,128. By tomorrow, the first day to subscribe to the Shadow Brokers monthly dump service, Zcash will likely cost even more dollars. If you don’t have that kind of money, but want to partake in the spoils of the June dump, then maybe crowdfunding is the way to go?

At least that is what Hacker House’s Matthew Hickey and a security researcher going by x0rz have proposed as the solution. They formed a Shadow Brokers Response Team, with a goal of “creating open and transparent crowd-funded analysis of leaked NSA tools,” and launched a Patreon campaign to raise $25,000.

The campaign, dubbed “a harm reduction exercise,” states:

This patreon is a chance for those who may not have large budgets (SME, startups and individuals) in the ethical hacking and whitehat community to pool resources and buy a subscription for the new monthly released data.

Their hope is that by purchasing the stolen data and analyzing it, another attack like WannaCry can be prevented. But, oh my, some security experts are vehemently opposed to the idea and likened the crowdfunding effort to “enabling ‘cyberterrorists’,” negotiating with terrorists, or “funding evil.”

The Shadow Brokers did not reveal what data the group might dump in June and claimed to be undecided about it, but when first announcing the monthly dump subscription service, they said the dump could be:

  • web browser, router, handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and Central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

The Patreon reads:

As a harm reduction exercise it is important that any compromised parties are notified, vulnerabilities in possession of criminals are patched and tools are assessed for capabilities. We will release any and all information obtained from this once we have assessed and notified vendors of any potential 0days.

“We believe it is in the greater good to obtain these exploits and mitigate the risk presented by them,” the campaign adds.

The campaign launched yesterday and thus far has 24 patrons with a crowdfunded total of $2,225. The goal is to raise $25,000. If that goal is not met, the “bitcoin funds will be donated to a charitable organization campaigning for human and/or digital rights. Patreon subscribers will be refunded if the platform allows it (or we will not post to prevent a charge). We will split whatever may be left over from this evenly between EDRI and the EFF. If you had money to spend on an exploit auction like this, giving it to charity should not be too objectionable for you.”

Of course, the Shadow Brokers might be playing everyone and not have anything left to dump. Conversely, the group might still have powerful NSA Equation Group-developed exploits. The NSA could just step up and tell all affected parties how it was exploiting their products, as it allegedly did when it told Microsoft, so the patches can be developed and deployed before the exploits are in the public domain. But let’s get real; that’s highly unlikely to happen.

Nevertheless, the Patreon floats the idea:

If the NSA are willing to inform us about what it is they have lost, the capabilities and vulnerabilities it has exploits for - so that we can make informed decisions to defend our networks then we will withdraw from this option. We need accurate guidance to be able to defend our networks and so far that guidance is not forthcoming from anywhere else.

While some people view pooled funding resources as a way to give the Shadow Brokers the least amount yet still get hold of the dump to get things patched, others are adamant that giving the group any money is morally wrong.

At the time of publishing, 100 ZEC (Zcash) had slightly decreased from $24,128 at the time I started the article to $23,662. If you don’t have that to spare for the June data dump monthly subscription, will you join the crowdfunding campaign?

Copyright © 2017 IDG Communications, Inc.
