The percentage of vulnerabilities the government discloses to vendors is largely PR: the public harm of maintaining 10 high-severity flaws far outweighs the benefit of disclosing 90 low-severity ones. We need to know the severity of disclosed vulnerabilities, not just the number.
-
So NSA would mass-exploit all of their targets within 90 days and then "throw away" the vulnerability? That would encourage them to infect targets massively, which isn't a good option either. What do you think about that?
-
Exploits aren't necessary for every target every 90 days, only for installing the original implant. Implants survive long after the exploit is dead. And don't forget NSA has far more than 1 exploit at any given time.
-
Everybody, even the exploit broker (who gets to sell more bugs), benefits from a faster turnover. When lazy RCEs become too hard, offense simply returns to traditional mechanisms (social, proximity, supply chain, human compromise) that never stopped working.
-
And the idea that NSA judiciously limits the scope of targets is simply not persuasive on the evidence: we had something close to 200,000 implants active on just the systems I could see. FBI routinely does 8000+ in one go: https://motherboard.vice.com/en_us/article/53d4n8/fbi-hacked-over-8000-computers-in-120-countries-based-on-one-warrant