[liberationtech] Foxacid payload

Richard Brooks rrb at g.clemson.edu
Thu Jul 17 15:07:52 PDT 2014


On 07/17/2014 05:57 PM, Griffin Boyce wrote:
> Andy Isaacson wrote:
>>> this is exactly why some who have received these payloads are
>>> sitting on them, rather than disclosing.
> 
>> Hmmm, that seems pretty antisocial and shortsighted.  While the
>> pool of bugs is large, it is finite.  Get bugs fixed and get
>> developers to write fewer bugs going forward, and we'll rapidly
>> deplete the pool of 0day and drive up the cost of FOXACID style
>> deployments.
> 
>> Forcing deployments to move to more interesting bugs will also
>> give insight into IAs' exploit sourcing methodologies.
> 
>   Solidarity is really important here.  "Increased security for those
> who actively set honeytraps" doesn't really scale at all, and most
> people will never reap the rewards of this work. =/  Forcing the
> government and defense contractors to burn through 0day at a high rate
> is far, FAR better than coming across one or two on your own and
> hiding it.  These backdoors need to be revealed if we're to protect
> ourselves.
> 
>   Let's sunburn these motherfuckers.
> 

You are forgetting moral hazard.

Why are there so many bugs? The laws relieve software manufacturers
of liability for the flaws of their programs. It is cheaper to
let clients do the testing for you.

If a 3rd party like Google takes over the software testing for
free, there is even less incentive to make the slightest effort
to test pre-release software and make non-faulty products.

You will not exterminate all the bugs, you will give the bug
makers (software manufacturers) more incentive to flood the
world with faulty products.

Which I think is why the open source/free products are more reliable
than the commercial ones. The economic incentives are to build
crap quickly. If you are not doing the work for profit motives,
you can afford to make a decent product.