....or sell the bugs to brokers who sell to responsible parties and make more money. 20 crashes in Chrome is $40-$100k. Even without escaping the sandbox, working RCE is more than that. If you do that volume in 6mo-1year, one is comfortable, one is not
Replying to @tylerni7 @scriptjunkie1 and
Sure, if you can rationalize leaving a billion users vulnerable to anyone who does the same thing you did - potentially very unpleasant people - you might make slightly more money. No argument there.
Replying to @taviso @scriptjunkie1 and
As much as people like to shit on them, the US Gov also is able to save lives thanks to its offensive cyber programs. They aren't angels who do no wrong, but I think they do net positive. I also don't think bad folks use 0days against billions, only very targeted folks
Replying to @tylerni7 @scriptjunkie1 and
That is a dishonest tweet that misrepresents the argument. When you say "It's okay because only sell exploits to the good guys", the problem is you can't stop bad people finding and exploiting the same bug, and *that's* the problem.
Replying to @taviso @scriptjunkie1 and
I get that 100%, I agree selling exploits to folks that don't report means good people are vulnerable to the same bugs. But going and working in an unrelated area (not bug bounties, not p0, not selling to brokers) still leaves bad people able to find those bugs.
I do hope that what most of us do pushes everyone in the right direction to be "more secure". *But* I also think the US Gov and others have legit uses for 0days, and that espionage saves lives. I think it's unfair to paint everyone who agrees with that as unethical.
Replying to @tylerni7 @scriptjunkie1 and
Here's the problem with that argument: the government has effectively unlimited resources. They can literally drop people with guns out of helicopters. It is not necessary to put innocent people in harm's way; there are other options to achieve the same goals.
It's hard to imagine a scenario in which air-dropping combatants via helicopters is *lower* risk to civilians than the chance of a bad actor conducting exploitation.
It was an example of just how many options are available. You literally cannot think of *any* way to gather intelligence other than exploits?
Signals intelligence (and CNE) is much less risky than other methods. And we shouldn't rely on a single source of intel anyway. Both of you are making valid points. There is no correct answer here. The competing interests are exactly why the equities review process in the US gov exists.
Sure, and signals intelligence predates iPhone exploits. I agree there is no correct answer; the thread started because it was being presented as a solved problem.