notactuallyben's comments

Vulnerabilities in the Linux kernel would have a similar impact to a macOS kernel bug. It’s a myth that “more eyes means more secure” for OSS ;-) - it can be true, but often that’s not the reason


Are you suggesting that western exploit sellers are selling bugs to western governments and also BRICS? That sounds not very likely.

All of this stuff is very complicated ethically, but I don't think you can simply say that it is always in the public good to expose bugs (Stuxnet is a good example of a bug chain avoiding a far deadlier outcome).

I've personally worked for vendors of software and done offensive research, and now I do neither.


GP is suggesting that not all exploit researchers are “western” or western aligned. Some of them are even nation state funded, and they’re often quite good.


Yep, I don't think there's any disagreement with that, especially when you look at things like the Tianfu Cup in general. Any country that can, essentially, wants to do offensive cyber.


It's not true anymore due to the new generation of hackers that came up, and it's impolite to dox them if they don't want to be known for it, but for a period, about a third of Google Chrome/Project Zero security all came from ex-Western govts (or contractors) - you can find vague mentions on the dailydave mailing list about this.


Also TAG and other Google security people hired from former Western sigint :)


Firstly, it's very unlikely that Zerodium are supplying the bugs they use (they could be internally developed, or developed by a more trusted domestic defence contractor).

What about if the targets are like Osama Bin Laden's (* INSERT MORE MODERN TERRORIST) family (I have no idea who they are targeting).

Are you meant to have some dude speak Arabic and become close friends with the top terrorist leaders? Like, how do you propose that would even work? Would HUMINT actually work in those cases?

I think it's a nice idea for everyone to work on fixing the vulnerabilities; I don't think that will scale with whatever mandate organisations have to stop terrorism or whatever.


Interesting blog post that was long overdue, I think Google should probably disclose all the details (URLs/actors responsible, methodology for catching these exploits ITW and targeting) around the ITW samples when they kill the bugs, so we can have nuanced discussion with actual facts. It would also help the threat intelligence industry ;)


While beg bounty people can be annoying, you have to remember that people aren't obligated to sit down and find free bugs for any company (especially not a big one) - why would I sit down and look at some code for free for some giant corp when I could go to the beach instead?


No, they aren't obligated. So, if there's no bug bounty program in place, then they should either go to the beach or be willing to find bugs for the public good.

The idea that the company owes them anything for their unsolicited work is misguided. And, if they present the bugs for money under the implicit threat of selling the information to people who would harm the company, then it's extortion.


1. Companies are amoral entities, and given the opportunity have few qualms about screwing people over if they can profit from it. Why do you expect people to behave ethically towards entities that most likely won't treat them ethically?

2. If said person doesn't present the bug to the company, but just goes straight to selling it to the highest bidder it's not extortion. If the company does not provide the right incentives (via e.g. bug bounties), isn't it their own fault if they get pwnd? They clearly don't value security.


You seem to be saying it's essentially "justified extortion" and not immoral because you've adjudicated them guilty. We disagree.

Not to mention them getting "pwnd" creates a lot of collateral damage in the form of innocent customers.


I would agree with everything you said, if we ignore the fact that the company has billions of dollars in revenue and paying a bug bounty is a drop in the ocean for them.

Do you think it's reasonable to say the ethics of what you call "extortion" should depend on how big the company is? I'm obviously not advocating for making a small company pay more than they can manage.


>the company has billions of dollars in revenue and paying a bug bounty is a drop in the ocean

That framing is strange to me. If they want to offer a bug bounty, then they can. But, it's their choice. Maybe they'd instead rather engage a security firm of their own selection.

But, whatever the case, to say "they should pay the money because they can afford to" isn't right to me. I don't believe the definition of extortion changes based on how big the target is or whether it can afford to pay.

In fact, the line of thinking in some of the comments here is so far off from what seems obviously ethical to me that I've had to re-read a few times to ensure that I'm not missing something.


Yup. You can just have your crafted webp image (this is the patch for the ImageIO bug https://chromium.googlesource.com/webm/libwebp/+/902bc919033...) with the .png extension (inside your passkit - https://developer.apple.com/library/archive/documentation/Us...) and you send it to your target.


None use Linux, most just use BSD-licensed software (or things like OpenSSL). I haven't seen any GPL code at all tbh.

But yep, it would be nice if it was open source, although I'm not sure how much that would help (only if sufficiently motivated auditors can be bothered to look at it). A bunch of baseband firmware is even encrypted on disk now (loaded into BB memory from the kernel).


Quectel EG25-G is running Linux:

https://nns.ee/blog/2021/04/01/modem-blog.html


I had a home 4G router for a while, a TP-Link 200-something. The 4G modem inside was a full Android device! See here https://openwrt.org/toh/tp-link/archer_mr200?datasrt=%5Efirm...


I didn’t check, and on mobile now. But I would be very surprised if that was the actual baseband (more just a wrapper around it).


So I got a little bit of time to check (https://github.com/Biktorgj/quectel_eg25_recovery/tree/EG25G... - the NON-HLOS), and it's still actually running a Qualcomm Hexagon baseband (a 40 MB binary by Qualtec when combined using Gal's unify_trustlet script).

Load that into the Hexagon IDA plugin and you'll see it's bog-standard Hexagon for all the remote GSM/LTE code that actually does stuff (similar to the Project Zero research). I haven't verified (and don't own a Pinephone), but most Quectel boards I've seen in the past do enforce signature validation, so binary patches are not easy.


This is not true on pretty much any phone post-2014ish. Pretty much all platforms have IOMMUs or similar separation mechanisms. Source: did baseband VR commercially.

