On 10 July 2013 09:43, Jacob Appelbaum <ja...@appelbaum.net> wrote:
> Andreas Bader:
>> Tens of thousands of zero-days; that sounds like totally shit. That guy
>> seems to be a script kiddie poser, nothing more.
>> Are there any real "hackers" that can issue a competent statement to that?
>>
>
> I couldn't disagree more. This sounds consistent with the current arms
> race and also relates directly to the 0day markets that have been active
> for many, many years. Remember though: buying 0day bugs or exploits for
> 0day is just one part of a much larger picture.
I cautiously disagree with Andreas also, but from a different angle. I don't have any insider knowledge, obviously. But if the tens of thousands figure included 'soft targets':

- OEM software like printer drivers, graphics drivers, or the preinstalled crud you get when you buy something from Best Buy
- OpenOffice
- RealPlayer, VLC, and other media players
- Lotus Notes
- SCADA
- eDonkey or whatever the non-BitTorrent P2P stuff is today
- random non-default installs of servers (who uses X11 on the open internet these days?)

...then I could see a "tens of thousands" figure. But if someone said they had more than, say, 250 completely distinct, weaponized exploits for a fully up-to-date target like Apache, Chrome, Windows 7/8, Apple iOS, or IE9, I would be more skeptical. Only because I think if they were that easy to come by, the price list we know of[0] would be lower. 250 * $100,000 = $25Mil. And while I wouldn't put it past a government to jump at that offer, my gut, which could be wrong, says those types of exploits are rarer.

For example: "Think 1 poorly-exploited IE 0day is scary? Our feed has 4 reliable ones on Win7. Defenders should be scared of attacks that don't make news."[1] Four is a lot. But it's not 100, and it's not 10,000.

-tom

[0] http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
[1] https://twitter.com/ExodusIntel/status/286731662316937217

--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech