I read this often, and I guess it could be true, but those kinds of transactions would presumably go through DNMs / forums like BF and the like. Which means crypto, and full anonymity. So either the buyer trusts the seller to deliver, or the seller trusts the buyer to pay. And once you reveal the particulars of a flaw, nothing prevents the buyer from running away (this actually also occurs regularly on legal, genuine bug bounty programs - they'll patch the problem discreetly after reading the report but never follow up, never mind paying; with little recourse for the researcher).
Even revealing enough details, but not everything, about the flaw to convince a potential buyer would be detrimental to the seller, as the level of details required to convince would likely massively simplify the work of the buyer should they decide to try and find the flaw themselves instead of buying. And I imagine much of those potential buyers would be state actors or organized criminal groups, both of which do have researchers in house.
The way this trust issue is (mostly) solved on drug DNMs is through the platform itself acting as an escrow agent; but I suspect such a thing would not work as well with selling vulnerabilities, because the volume is much lower, for one thing (preventing a high enough volume for reputation building); the financial amounts are generally higher, for another.
The real money to be made as a criminal alternative, I think, would be to exploit the flaw yourself on real life targets. For example to drop ransomware payloads; these days ransomware groups even offer franchises - they'll take, say, 15% of the ransom cut and provide assistance with laundering/exploiting the target/etc; and claim your infection in the name of their group.
I don't think you know anything about how these industries work and should probably read some of the published books about them, like "This Is How They Tell Me The World Ends", instead of speculating in a way that will mislead people. Most purchasers of browser exploits are nation-state groups ("gray market") who are heavily incentivized not to screw the seller and would just wire some money directly, not black market sales.
I mean, you're still restricted to selling it to your own government, otherwise getting wired a cool $250k directly would raise a few red flags I think. And how many security researchers have a contact in some government-sponsored hacking company anyway? Do you really think that convincing them to buy a supposed zero-day exploit as a one-off would be easy?
Say you're in the US. I'm sure there are some CIA teams or whatever making use of Chromium exploits "off the record", but for any official business the government would just put pressure on Google directly to get what they want. So any project making use of your zero-day would be so secret that it'd be virtually impossible for you to even get in contact with anybody interested to buy it. Sure they might not try to "screw you", but it's sort of like going to the CIA and saying, "Hey would you be interested in buying this cache of illegal guns? Perhaps you could use it to arm Cuban rebels". What do you think they would respond to that?
Eh, not really? If it's a legit company who provides services to various governments, they're going to pay you, they're going to report the income to the government, you'll get a 1099 for contract/consulting, and you'll pay your taxes on the legit income. No red flags. Assuming they're legit and not currently sanctioned by the US government that is.
> Even revealing enough details, but not everything, about the flaw to convince a potential buyer would be detrimental to the seller, as the level of details required to convince would likely massively simplify the work of the buyer should they decide to try and find the flaw themselves instead of buying.
Is conning a seller really worth it for a potential buyer? Details will help an expert find the flaw, but it still takes lots of work, and there is the risk of not finding it (and the seller will be careful next time).
> And I imagine much of those potential buyers would be state actors or organized criminal groups, both of which do have researchers in house.
They also have the money to just buy an exploit.
> The real money to be made as a criminal alternative, I think, would be to exploit the flaw yourself on real life targets. For example to drop ransomware payloads; these days ransomware groups even offer franchises - they'll take, say, 15% of the ransom cut and provide assistance with laundering/exploiting the target/etc; and claim your infection in the name of their group.
I'd imagine the skills needed to get paid from ransomware victims without getting caught to be very different from the skills needed to find a vulnerability.
Because it's nice to get $10k legally + public credit than it is to get $100k while risking arrest + prison time, getting scammed, or selling your exploit to someone that uses it to ransom a children's hospital?
Depends. Within the US, there are data export laws that could make the "whoever" part illegal. There are also conspiracy to commit a crime laws that could imply liability. There are also laws that could make performing/demonstrating certain exploits illegal, even if divulging it isn't. That could result in some legal gray area. IANAL but have worked in this domain. Obviously different jurisdictions may handle such issues differently from one another.
Issue 1: Governments which your own gov't likes, or ones which it doesn't? The latter has downsides similar to a black market sale.
Issue 2: Selling to governments generally means selling to a Creepy-Spooky Agency. Sadly, creeps & spooks can "get ideas" about their $500k also buying them rights to your future work.
There were strong signals from the CF CEO that they align with the Trump administration.
They threatened to pull the plug on all Italian customers.
This is relevant to this conversation: CF recently acted in a way that makes some people think it might cut its services to people for political reasons.
I don't find your comment particularly well articulated or containing anything besides name calling (the "bot farming"). Can you articulate your opinion on the matter?
The ubiquity (network effect) and ‘convenience’ of other apps. This was more than a decade ago and our devices were an extra thing you needed to carry (travel router).
Historically the practice of producing pyc files on install started with system wide installed packages, I believe, when the user running the program might lack privileges to write them.
If the installer can write the .py files it can also write the .pyc, while the user running them might not be able to in that location.
I think this may actually be two different things. Much like how being good at coding doesn’t mean it’s fun to watch you code. Though there are “performance” coders where it really is!
No, that's true, and I don't actually think that the world is divided into good and evil. Nor do I think anyone doing this really has anything to fear from the justice system.
But to the degree you can take a normal person and twist them into something horribly unfit for civil society, having them do torture is the way. It's the express lane to not seeing others as human, not even when they're in front of you, being tortured by you.
The world has two modes: In one mode, we need people, as many as we can get, to make something bigger out of this world. In another mode, the world can no longer grow, so we divide, we conquer "the others" or be conquered.
The definition of the word "evil" changes depending on which mode we are in.
That's why Niccolò Machiavelli suggested that it is useful to be both loved and feared; it gives you the best chance when a challenge is facing you.
All republics are democracies. Not all democracies are republics. Some people seem to get confused about this and think that "democracy" means "direct democracy" only, and not any of the various sorts of indirect democracy.
To make this point crystal clear, “correcting” someone with “ackshually the US isn’t a democracy” is something poli sci departments break their freshmen of every single year.
The colloquial, broad sense of “democracy” is also how political scientists employ the term in most contexts. That is: the people who study this for a living are entirely OK with that usage. If they didn’t use that sense of the word they’d need another one to mean the same thing, because it’s very useful.
> To make this point crystal clear, “correcting” someone with “ackshually the US isn’t a democracy” is ...
It's not a democracy when a large part of the population is barred from voting, and/or if your idea of a vote is giving power to legal persons more than to natural persons during the voting process.
But fine, let me rephrase: the US is not more a democracy than China, North Korea, Russia, or any other clown state that says "wE aRe dEmoCraCy". Having large swathes of your mostly illiterate and poverty-stricken population so badly brainwashed that they fly their flag in their personal LinkedIn profile, or pride themselves as "patriots" with a red cap, does not make the country "democratic".
To put it even more bluntly: the way the US sees its population in Appalachia is how the rest of the world views the US.
On the upside it all makes great entertainment (see Sacha Baron Cohen's "Who Is America", which first and foremost is a documentary and only secondly is satire).
I'll do you one better: it's always been a bureaucracy, but even more so following the end of the 1960s, after the beginning of the "meritocracy" myth within academia. In reality, the incoming well-educated migrants (usually European) in the mid 1950s were extremely nepotistic to their own groups, such as the Irish entering Wall Street and hiring only other Irish stockbrokers, or Italian small business owners in New York. They essentially replaced or married the old money and became a nouveau riche that's still in the American status quo to this day. There is a new clique of sorts acting as a nepotistic nouveau riche, mostly stemming from South or East Asia. Nepotism affects everyone and everywhere, but it's especially prevalent in the United States.
Also the great entertainment has been declining in quality, and it was always funded directly by the U.S. Government and Military to support their ideologies and agendas abroad. The Koreans are recently doing this to great success, and possibly China as well.
I see. I thought you meant "under Trump the US is not a democracy". Which I think is a pretty common opinion. But now I understand you meant "the US has never been a democracy".
No, that ship sailed long ago. “App” has universally been a synonym for “application”, “program”, etc. for quite a number of years now. Even Windows 10 called them “apps” in the settings screen.
On my personal computer running macOS, I have this program called "App Store". And on my GNU/Linux machine, I have all of these weird programs distributed as something called "AppImage". And on my Windows machine, the Microsoft Store has a tagline which says, "Microsoft Store - Download apps, games & more".
There is not a desktop/mobile distinction in terminology other than the one you're attempting to enforce.
Yep, as much as I wish there were a distinction, I think there pretty clearly is not anymore. In related news, I hate that restaurants are now calling "appetizers" "apps" because it massively confuses me for several seconds. IRL really needs namespacing.
In theory, you can add some more complexity/fragility and have 'time notaries' sign the current time together with a challenge from the passport, verifiable against embedded public keys.
Pretty much. But you would need, first, to issue a valid certificate with a timestamp far ahead in the future. And then expose every ID card in the country to it.