HackerTrans
トップ新着トレンドコメント過去質問紹介求人

notactuallyben

no profile record

投稿

Binary Ninja 5.0 – Gallifrey released

binary.ninja
4 ポイント·投稿者 notactuallyben·昨年·0 コメント

コメント

notactuallyben
·2 年前·議論
Vulnerabilities in the Linux kernel would have a similar impact to a macOS kernel bug. It’s a myth that “more eyes means more secure” for OSS ;-) - it can be true, but often that’s not the reason
notactuallyben
·2 年前·議論
Yep, I don't think there's any disagreement with that, especially when you look at things like Tianfu cup in general. Any country that can, essentially wants to do offensive cyber.
notactuallyben
·2 年前·議論
Are you suggesting that western exploit sellers are selling bugs to western governments and also BRICS? that sounds not very likely.

All of this stuff is very complicated ethically, but I don't think you can simply say that it is always in the public good to expose bugs (stuxnet is a good example of a bug chain avoiding a far deadlier outcome)..

I've personally worked for vendors of software and done offensive research, and now I do neither.
notactuallyben
·2 年前·議論
It's not true anymore due to the new generation of hackers that came up, and it's unpolite to dox them if they don't want to be known for it, but for a period, about a third of Google Chrome/Project Zero security all came from ex Western govts (or contractors) - you can find vague mentions on dailydave mailing list about this.
notactuallyben
·2 年前·議論
also TAG and other Google security people hired from former Western sigint :)
notactuallyben
·2 年前·議論
firstly, very unlikely that zerodium are supplying bugs they use (could be internally developed, or developed by a more trusted domestic defence contractor).

What about if the targets are like Osama Bin Laden's (* INSERT MORE MODERN TERRORIST) family (I have no idea who they are targeting).

Are you meant to have some dude speak arabic and become close friends with the top terorist leaders? Like how do you propose that even work? Would HUMINT actually work in those cases?

I think it's a nice idea for everyone to work on fixing the vulnerabilities, I don't think that will scale with whatever organisations mandate to stop terrorism or whatever.
notactuallyben
·2 年前·議論
Interesting blog post that was long overdue, I think Google should probably disclose all the details (URLs/actors responsible, methodology for catching these exploits ITW and targeting) around the ITW samples when they kill the bugs, so we can have nuanced discussion with actual facts. It would also help the threat intelligence industry ;)
notactuallyben
·2 年前·議論
while beg bounty people can be annoying, you have to remember that people aren't obligated to sit down and find free bugs for any company (especially not a big one) - why would i sit down and look at some code for free for some giant corp when i could go to the beach instead?