[liberationtech] In his own words: Confessions of a cyber warrior

Tom Ritter tom at ritter.vg
Wed Jul 10 17:00:03 PDT 2013


On 10 July 2013 09:43, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> Andreas Bader:
>> Tens of thousands zero-days; that sounds like totally shit. That guy
>> seems to be a script kiddie poser, nothing more.
>> Are there any real "hackers" that can issue a competent statement to that?
>>
>
> I couldn't disagree more. This sounds consistent with the current arms
> race and also relates directly to the 0day markets that have been active
> for many many years. Remember though: buying 0day bugs or exploits for
> 0day is just one part of a much larger picture.


I cautiously disagree with Andreas also, but from a different angle.
I don't have any insider knowledge obviously.  But if the tens of
thousands figure included 'soft targets':
 - OEM Software like printer drivers, graphics drivers, or the
preinstalled crud you get when you buy something from Best Buy
 - Open Office
 - RealPlayer, VLC, and other media players
 - Lotus Notes
 - SCADA
 - eDonkey or whatever the non-bittorrent P2P stuff is today
 - random non-default installs of servers (who uses X11 on the open
internet these days?)

...Then I could see a "tens of thousands figure".  But if someone said
they had more than, say, 250 completely distinct, weaponized exploits
for a fully up to date target like Apache, Chrome, Windows 7/8, Apple
iOS, IE9 - I would be more skeptical.  Only because I think if they
were that easy to come by, the price list we know of[0] would be
lower.  250 * $100,000 = $25Mil.  And while I wouldn't put it past a
government to jump at that offer - my gut, which could be wrong, says
those types of exploits are rarer.

For example: "Think 1 poorly-exploited IE 0day is scary? Our feed has
4 reliable ones on Win7. Defenders should be scared of attacks that
don't make news."[1].  Four is a lot.  But it's not 100, and it's not
10,000.

-tom

[0] http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
[1] https://twitter.com/ExodusIntel/status/286731662316937217


