
Forked from tylerni7/rant
Created Jul 22, 2014
I don't think people understand what vulnerability sellers really do. They invest thousands of man and computer hours into finding bugs which people are willing to pay lots of money for. As a business, they want to keep their customer base happy, which means allowing their customers (yes, presumably the NSA/FBI/etc.) to use their exploits rather than selling them to Tails OS maintainers. Yes, it's probably the case that these exploits don't just go to nabbing child pornographers or drug traffickers, they also probably try to catch the next Snowden, which not everyone agrees is The Right Thing To Do. But for what it's worth, I'd still trust the US government (even with all its faults) far more than the Russians or Chinese.

But let's be honest here, Tails OS maintainers probably couldn't afford the same price that Exodus's customers will happily pay. Even if Exodus were happy to sell it to the Tails folks, that is certainly going to be a loss of money.

The arguments I'm used to hearing go something like "but it's obviously unethical, they should just responsibly report and disclose vulnerabilities they find". But this is a total crap argument. The options Exodus has aren't "sell to governments" or "responsibly disclose for little to no fee". The options are "sell to governments" or "go out of business". So maybe someone will say "fine, they should go out of business, then we will all obviously be safer!".

But, well, it's not really clear that's the case. If Exodus (or Vupen, or whomever) quit, it's not like suddenly the government would stop looking for exploits. And if the US government did, it's not like China or Russia would. And if they did, it's not like criminal organizations would stop. You aren't going to stop vulnerabilities from happening or being sold. Game theoretically, it seems like the right choice is to keep the US government snatching up what vulnerabilities it can to keep in its back pocket for espionage. Not doing so would be a huge blow to US intelligence agencies, when every other major government out there is working on the same capabilities.

At this point some folks might say: but doesn't that mean we'd all just be safer if the government just released all the vulnerabilities they knew about to vendors to have them patched? Then the Chinese/Russians/criminals wouldn't be able to break in! Sadly, that's not how security works. You can patch 100 vulnerabilities, but if you miss one, you'll still lose. Staying open about every vulnerability would almost certainly hurt foreign intelligence, true, but if the US government is sharing every vulnerability they know about, and $ENEMY isn't, then US intelligence is going to be at a disadvantage, hands down.

So, when Exodus wants to invest time and money in finding exploits in your favorite application and turning a profit to help their government against Chinese/Russian/criminal agencies, that doesn't bother me.

blaquee commented Jul 23, 2014

Well said. I agree.

WesleyAC commented Jul 24, 2014

Sadly, that's not how security works. You can patch 100 vulnerabilities, but if you miss one, you'll still lose.

And if you miss 101 of them, you have 101 times more chance of getting attacked via one of them.

hellekin commented Jul 24, 2014

Hey thanks for this shit. I wanted to write something on arms manufacturers, but I couldn't find the time. Now, with forking this, I could easily justify killing people. Thanks!

sudoaza commented Jul 24, 2014

fuck you!