[liberationtech] In his own words: Confessions of a cyber warrior

Tom Ritter tom at
Wed Jul 10 17:00:03 PDT 2013

On 10 July 2013 09:43, Jacob Appelbaum <jacob at> wrote:
> Andreas Bader:
>> Tens of thousands of zero-days; that sounds like total shit. That guy
>> seems to be a script kiddie poser, nothing more.
>> Are there any real "hackers" that can issue a competent statement to that?
> I couldn't disagree more. This sounds consistent with the current arms
> race and also relates directly to the 0day markets that have been active
> for many, many years. Remember though: buying 0day bugs or exploits for
> 0day is just one part of a much larger picture.

I cautiously disagree with Andreas also, but from a different angle.
I don't have any insider knowledge obviously.  But if the tens of
thousands figure included 'soft targets':
 - OEM software like printer drivers, graphics drivers, or the
   preinstalled crud you get when you buy something from Best Buy
 - OpenOffice
 - RealPlayer, VLC, and other media players
 - Lotus Notes
 - eDonkey or whatever the non-BitTorrent P2P stuff is today
 - random non-default installs of servers (who uses X11 on the open
   internet these days?)

...Then I could see a "tens of thousands figure".  But if someone said
they had more than, say, 250 completely distinct, weaponized exploits
for a fully up-to-date target like Apache, Chrome, Windows 7/8, Apple
iOS, IE9 - I would be more skeptical.  Only because I think if they
were that easy to come by, the price list we know of[0] would be
lower.  250 * $100,000 = $25Mil.  And while I wouldn't put it past a
government to jump at that offer - my gut, which could be wrong, says
those types of exploits are rarer.

For example: "Think 1 poorly-exploited IE 0day is scary? Our feed has
4 reliable ones on Win7. Defenders should be scared of attacks that
don't make news."[1].  Four is a lot.  But it's not 100, and it's not