Search Mailing List Archives
[liberationtech] In his own words: Confessions of a cyber warrior
tom at ritter.vg
Wed Jul 10 17:00:03 PDT 2013
On 10 July 2013 09:43, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> Andreas Bader:
>> Tens of thousands zero-days; that sounds like totally shit. That guy
>> seems to be a script kiddie poser, nothing more.
>> Are there any real "hackers" that can issue a competent statement to that?
> I couldn't disagree more. This sounds consistent with the current arms
> race and also relates directly to the 0day markets that have been active
> for many many years. Remember though: buying 0day bugs or exploits for
> 0day is just one part of a much larger picture.
I cautiously disagree with Andreas also, but from a different angle.
I don't have any insider knowledge obviously. But if the tens of
thousands figure included 'soft targets':
- OEM Software like printer drivers, graphics drivers, or the
preinstalled crud you get when you buy something from Best Buy
- Open Office
- Realplayer, VLC, and other media players
- Lotus Notes
- eDonkey or whatever the non-bittorrent P2P stuff is today
- random non-default installs of servers (who uses X11 on the open
internet these days?)
...Then I could see a "tens of thousands figure". But if someone said
they had more than, say, 250 completely distinct, weaponized exploits
for a fully up to date target like Apache, Chrome, Windows 7/8, Apple
iOS, IE9 - I would be more skeptical. Only because I think if they
were that easy to come by, the price list we know of would be
lower. 250 * $100,000 = $25Mil. And while I wouldn't put it past a
government to jump at that offer - my gut, which could be wrong, says
those types of exploits are rarer.
For example: "Think 1 poorly-exploited IE 0day is scary? Our feed has
4 reliable ones on Win7. Defenders should be scared of attacks that
don't make news.". Four is a lot. But it's not 100, and it's not
More information about the liberationtech