[liberationtech] no-disclosure / other-disclosure [was: Foxacid payload]

Jonathan Wilkes jancsika at yahoo.com
Sun Jul 20 09:09:57 PDT 2014


On 07/20/2014 11:00 AM, Michael Rogers wrote:
> On 18/07/14 01:02, coderman wrote:
>> as thought experiment: a hidden site is setup by presumed
>> trustworthy experts.  exploits are funneled there, then they all
>> dry up.
>>
>> - congratulations! NSA is out of 0day! ?
>> - congratulations! NSA is not using 0day over Internet! ?
>> - technique for catching 0day has been compromised. start over,...
>>
>> explain to me how any public effort will not fall into the last
>> trap, repeatedly.
> Assuming the effort doesn't stop when exploits dry up, but instead
> looks for new ways to attract exploits, what's the problem?

If the cost of buying a 0day and adding it to the pile is so 
insignificant that we can call it zero, then coderman "wins".
If that cost is nonzero, then you "win".

So, what's the ballpark cost of buying a 0day and adding it to the 
pile?  (Buy, implement, test, deploy.)

Can one of the experts on this list estimate a cost within an order of 
magnitude, and give links to peer reviewed research to support their 
estimate?

Thank you,
Jonathan

>
>> if your concern is security for the public, do it by making the
>> software we use more difficult to exploit as a whole, rather than
>> fixating on free exploits from NSA for a particular vulnerability
>> among many.
> That sounds like a false dichotomy to me. Publicising a specific
> exploit may spur the development of general as well as specific
> mitigations.
>
> Cheers,
> Michael