WabiSabiLabi Co-Founder Arrested
WabiSabiLabi, previously best known for bringing the first public vulnerability market to market, has once again made the headlines. This time one of its co-founders, Roberto Preatoni, has been folded into an ongoing Italian wiretapping scandal. The investigation has been running for more than ten months.
Before WabiSabiLabi, Roberto worked at Telecom Italia on its penetration testing team. Four members of that team had already been arrested in January for using a Trojan horse to compromise and monitor Vittorio Colao, the former CEO of the Rizzoli Corriere della Sera publishing group.
From Robert McMillan:
According to the reports, Preatoni helped staff a 10-member “Tiger Team,” ostensibly set up to test Telecom Italia’s information security system. Members of this team are now charged with hacking and spying on Carla Cico, CEO of Brasil Telecom; the Kroll investigative agency; and journalists Fausto Carioti and David Giacalone of the newspaper Libero.
This may actually be one of the biggest challenges for vendors and vulnerability researchers. How far can you really trust that everyone is doing the right thing? If I were a vendor, I would not assume that a vulnerability researcher is trustworthy. This isn't to say that you should be hostile towards vulnerability researchers. It is simply that you have no idea how many people a researcher has already told about a vulnerability. Given that, it makes sense to treat a vulnerability report as if you had just learned about the vulnerability from BUGTRAQ: assume the details are already circulating and prioritize the fix accordingly.
While obvious, this also speaks to why a vulnerability market is hard to implement. It is all about trust. If the buyers and sellers using (or considering using) WSL can't get past this, I'd say it's game over.
As I think about it, probably the best way to bridge vulnerability researchers and vendors is a vulnerability broker: a trusted person or organization that represents vulnerability researchers, and whose own reputation is at stake when dealing with vendors.
Of course, I am personally not sold on the idea that the sale of vulnerabilities is a good idea.
Finally, from the ‘There’s No Such Thing as Bad Press Dept’:
12 Comments so far
I think WabiSabiLabi proved that there is an inherent problem in trying to sell vulnerabilities in a marketplace environment. The primary problem being that, in order to market your vulnerability to buyers, you have to describe it enough that the vulnerability can be found by other researchers before its sold.
The fact that Preatoni got busted only serves to confirm what most above-board infosec pros already suspected about the shadiness of WabiSabiLabi.
Italy is hot right now…
In Italy, the small world of IT security is in turmoil. Indeed, Roberto Preatoni, founder of Zone-H, was reportedly arrested on Monday in connection with a murky industrial espionage affair. At least that is what some are saying…
According to all public sources, the arrest of Roberto Preatoni is not at all related to WabiSabiLabi so this hardly serves to confirm any of the suspected shadiness of WSL.
@Dave G,
Based on the failing (due to agenda) of (particular) Researchers, Coordinators (i.e. FIRST Members) and Vendors - Which “trusted person or organization” is left “that can represent vulnerability researchers whose reputation is at stake when dealing with vendors.”?
@ivan:
The jury is still out on all of this, and he could very well be innocent. But this is the CEO and co-founder of a company who was arrested for something that allegedly happened just prior to starting WSL, and that would absolutely degrade one’s trust.
cmlh - some vulnerability researchers have tried and failed to organize on a couple occasions. Maybe it’s due to the heavily independent nature of researchers as a group, but the Pwnies is the best they/we have been able to come up with so far. I liked the Pwnies, but it’s nothing compared to a guild or non-profit advocacy organization that speaks solely for researchers. This failure to organize continues even in light of growing legal threats.
@Steve Christey,
The only prior effort that I am aware of is when Greg Hoglund built “Zero-Bay”, which he then abandoned due to the “possibility” of legal threats prior to the launch.
@Dave G
I disagree with your response to Ivan – people tend to focus on the company rather than on senior individuals of a company, as the executives can be reshuffled or the company sold.
That stated, their existing sellers would lose “trust” in WabiSabiLabi if it attempted to take ownership of or resell their IP without their consent.
@cmlh
I think it depends on the size and stage of the company. In a small startup, the senior individuals ARE the company. If the allegations were true, I would think their existing sellers (and buyers), would have to wonder if WSL is re-using this information.
I love it when a so called “whitehat” is publicly revealed in a manner like this. It always brings a grin to my face.
But honestly, who really trusted somebody affiliated with zone-h? Would you hire the people who were part of the original PHC or were responsible for the production of el8 and trust them implicitly (and for the record, any of those guys would be far more skilled than the WSLabi guys)? Probably not.
The same idea should apply to “security professionals”. You do have the college educated kids these days, who lack real world hacking experience (they got into computer security for money), and you have the so-called reformed hackers who now work for a company. You really need to know who you have working for you.
And Dave, I agree with you when you say that you’re not sure if selling exploits is a good idea. It’s not. It’s a terrible idea. One of the worst I’ve heard in my life. It’s no different than the arms trade.
And I wouldn’t be surprised if the WSLabi guys took a copy of the 0day for themselves. Could you honestly say you’d pass up 0day (and money!)?
@Dave G,
I disagree that this will be the case.
WabiSabiLabi will simply put themselves on the market for a buyer (Roberto being innocent until proven guilty at the conclusion of this trial) who is either:
1. Unaware of the trial.
2. Aware, but willing to invest to limit the damage caused (e.g. rebranding WabiSabiLabi).
If Roberto is found not guilty, then this will exonerate Roberto and (in your mind) WabiSabiLabi.
Indeed, Preatoni started his recruitment for Telecom Italia 4 years ago. Among the recruits was DkD (Damien), a famous French script kiddie and cyber jihadist (here is an interview with him from Zataz (the worst security magazine ever): http://www.zataz.com/interviews-securite/7049/dkd-hacktiviste.html).
So now, how can Telecom Italia accept recruiting an ex-defacer for Islamic jihad??? Maybe Preatoni never talked about his past before??? Who is this Zone-H guy, really???
As for myself, Preatoni will be charged for this because I’m really sure he is guilty. I mean, he even tried to recruit defacers from Morocco and Egypt… hell, this is really nuts!!!