> They're making themselves rich at the expense of everyone else. They're a leech on society.
No they're not, on both counts. They're not making themselves rich at the expense of everyone else. Their major customers are governments, who are in no rush to make their own purchasing patterns illegal. They're taking part in an active established market. Immunity have been doing this publicly for over a decade, with the difference being that anyone can buy Canvas.
The simple solution (which works in favour of the exploit dealers too btw) is to use a layered approach to defences that make it more expensive to develop an exploit. That's what Microsoft have been doing since Vista. There are now so many hurdles you have to jump through for a server-side remote code execution bug that for most people it's just not worth it (given that you'll have to chain exploits more often than not to bypass protective measures), which is partly why client side bugs are becoming more common.
Eh. Two much more important factors militating for clientside exploits:
* The client-side attack surface is, probably by many orders of magnitude in any metric you care to use, more complex than the serverside attack surface. Look at the kinds of libraries that have been long-term thorns in the sides of developers and security teams --- image codecs, font libraries, compression --- a big chunk of everything that goes on your computer screen can be influenced by attackers.
* The client-side attack surface includes multiple programming languages hooked up to anonymous content (the most important being Javascript), and so clientside exploits have significantly better tools to work with.
Not to take anything away from your point; I'm glad you're injecting some sanity onto these threads.
On a related note re: client vs. server. Taking a recent incident that was in the news, when the Brits pwned a pro AQ forum. From that vantage point, the best thing they can do is to target the admins, moderators and heavy users -- with client sides. Probably more than one, since it is unlikely that a single exploit would be effective against each of the targets. The valuable intel is going to come off those user's boxes, not off some semi-anonymous VPS shard. Logs of Tor exit nodes, googlebot, and proxies reveal nothing interesting. From a certain perspective, it makes sense that there just isn't much value to be had from servers, and so there's reduced incentive to pay high prices for server exploits.
Not to mention that gaining access to that server would probably be fairly simple given the atrocious security standards of most web hosting companies. CPanel, pilfered ssh key, SQLi, PHP bugs in the forum software, rent a VPS on the same host and LPE... I hardly need to tell _you_ how many alternative (cheap) ways exist to gain access to the server. (And this is assuming that they aren't running their own colo's and web hosts a la http://www.schneier.com/blog/archives/2008/10/clever_counter...)
Given the relative ease of access to servers, the poor quality of intel stored on them, and its no wonder that the market focus is on client sides. Finally, its worth mentioning that most (all?) of the servers with interesting data on them are in the legal jurisdiction of the US (just ask Kimble, ha!). Accessing that data requires a sternly worded letter on official letterhead-- not an exploit.
So, not to detract from either of your' points; but there is another angle to add to the mix.
Well, client-side attacks are great because they typically rely on the naivete or indifference of the user. And the client-side attack surface is typically protected to a lesser degree than a server. A well orchestrated spearfishing attack is tough to defend against, even for a security conscious user. The attack surface is just so large.
However, the meat on the bones is really on the servers. If someone pops my desktop at work, they won't find much valuable data. But they will be able to keylog me, grab admin password hashes, arp-spoof etc. Still, no data. But what they will get enables them to access our company files and databases in short order.
In essence, client-side attacks in the corporate world are definitely targeted at server data, while in the consumer world, they're targeted towards identity theft or botnet creation.
This is the gov world though, where the interesting information is things like your address book, your emails (the content as well as the senders/recipients), your private keys and passwords, etc. etc. Client sides provide direct access to those things (or at least, a means of obtaining them).
There are very few governments that care about what is on your company file server or in your company databases. (Ignoring the elephant in the room on that one.)
Law enforcement agencies keep huge Access databases of the contacts they extract from cell phones taken from criminals. They share this intel with each other via email (I know, I know...). They can discover a great deal about who is involved in an activity and where they are on the totem pole from just this data. Its even possible to identify people by correlating the content of the "name" field and using the phone number is a unique ID. Criminals tend to have poor OPSEC.
I don't think it's safe to assume that government simply means spying on individuals for national security reasons. Governments engage in corporate espionage all the time, and not just China.
No they're not, on both counts. They're not making themselves rich at the expense of everyone else. Their major customers are governments, who are in no rush to make their own purchasing patterns illegal. They're taking part in an active established market. Immunity have been doing this publicly for over a decade, with the difference being that anyone can buy Canvas.
The simple solution (which works in favour of the exploit dealers too btw) is to use a layered approach to defences that make it more expensive to develop an exploit. That's what Microsoft have been doing since Vista. There are now so many hurdles you have to jump through for a server-side remote code execution bug that for most people it's just not worth it (given that you'll have to chain exploits more often than not to bypass protective measures), which is partly why client side bugs are becoming more common.