In the debate about publishing n-day PoCs, I’m not reading anyone debating what the value of n should be for fully working PoCs. I’ve personally published vuln details when patch was released, techniques in abstract, but waited over a year for working exploits. Seemed best to me.
-
-
Replying to @dinodaizovi
I think people forget it's not the 90s, exploits are big business, not just trolling Theo. If you have money, you can buy capability, it's an economic decision.
2 replies 0 retweets 17 likes -
Replying to @taviso
If I'm following your point, it's that anyone who wants capability can now use capital to acquire it, so release of N-day PoCs is immaterial to that? I don't think criminal groups could buy NSO's products and researchers wanting to make that kind of thing now go work for NSO/APT.
2 replies 0 retweets 1 like -
Replying to @dinodaizovi
Right, the incentives favor attackers, they can make a purely economic decision to build an exploit, so the availability of pocs levels the playing field. N-day exploits are traded for relatively low prices, not sure how NSO are relevant, do they sell nday?
1 reply 0 retweets 1 like -
Replying to @taviso
It could be semantics, but n-day still affects a ton of devices in the real world (e.g. Android binder exploit, which was fixed upstream). I only know what I read on twitter about NSO, but I'd assume that some n-day is used in their products (it makes sense to use what works).
1 reply 0 retweets 1 like -
Replying to @dinodaizovi
It sure does, that's why tens of thousands of professionals use tools like metasploit to hugely benefit security. Is depriving them off tools to barely move the needle on opportunistic attacks a good trade? I don't think so
2 replies 0 retweets 3 likes -
Replying to @taviso
I don't know of a way that data could show either way, so it really comes down to differences in expert opinions and how different individuals want to spend their productive hours.
1 reply 0 retweets 1 like
Doesn't the popularity of good quality tools with professionals count as data? If it was without value for defenders, we could show that easily. I can say that my work benefits greatly from access to open research, hard to believe you wouldn't agree with that!
-
-
Replying to @taviso
I can absolutely see how open research benefits your work, but (as an example), we never validate a vulnerability using a published PoC. It's useful to gauge how exploitable something may be, but I'm fine taking top tier researchers' words for it. I read the code for my own fun.
0 replies 2 retweets 2 likesThanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.