Jacob Appelbaum: > Andreas Bader: >> Eugen Leitl: >> >>> Grimes: How many exploits does your unit have access to? >>> >>> Cyber warrior: Literally tens of thousands -- it's more than that. We have >>> tens of thousands of ready-to-use bugs in single applications, single >>> operating systems. >>> >>> Grimes: Is most of it zero-days? >>> >>> Cyber warrior: It's all zero-days. Literally, if you can name the software >>> or >>> the controller, we have ways to exploit it. There is no software that isn't >>> easily crackable. In the last few years, every publicly known and patched >>> bug >>> makes almost no impact on us. They aren't scratching the surface. >> >> >> Tens of thousands zero-days; that sounds like totally shit. That guy >> seems to be a script kiddie poser, nothing more. >> Are there any real "hackers" that can issue a competent statement to that? >> > > I couldn't disagree more. This sounds consistent with the current arms > race and also relates directly to the 0day markets that have been active > for many many years. Remember though: buying 0day bugs or exploits for > 0day is just one part of a much larger picture.
I have to agree here with you. The 0day market is booming and we have a very unclear picture as of now on the magnitude of that market. However, there is something weird in this guy statement. With my experience, finding exploitable 0days for known software is not that trivial, it takes time and effort. Now, creating a working exploit (preferably remotely of course) is also very difficult! He goes on stating: "I would hack the software and create buffer overflow exploits. I was pretty good at this. There wasn't a piece of software I couldn't break. It's not hard." To be honest, for my self being a person that does security contest for years now (Defcon, iCTF, csaw, etc...) and in security communities, someone speaking like that is a bit of a red flag in terms of deep knowledge of software/OS exploitation (especially OS exploits). 0day development is not an easy business (like he is picturing it). From friends in the reverse engineering field (AV corp.), a *lot* of people are doing that full time in Russia for malware development and word! it takes time, experience and knowledgeable people. In a nutshell, in my opinion, this interview looks more like a guy that wants to flash rather then the real truth. There is SURELY true stuff in there but I doubt seriously the part about the extent of 0day and bugs development. This is just too fishy to be serious... anyway that should not mean we should not take this seriously! Cheers! David > > All the best, > Jacob > > -- > Too many emails? Unsubscribe, change to digest, or change password by > emailing moderator at compa...@stanford.edu or changing your settings at > https://mailman.stanford.edu/mailman/listinfo/liberationtech
-- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech