Tavis Ormandy
Vulnerability researcher at Google. This is a personal stream, opinions expressed are mine.
4,600 Tweets | 506 Following | 102,904 Followers
Tweets
Tavis Ormandy 12h
I always figured they should integrate all the dozens of decompressors from mpengine into explorer. I mean, it's already attack surface... 😛
Tavis Ormandy 23h
Replying to @sleevi_ @hanno and 5 others
Yiiiikes, what were they thinking 😬
Tavis Ormandy 24h
Yep! Some jokesters started a rumour that they had a Juniper VPN exploit, turns out it was just a prank. We actually had some so I started looking... and found a real one haha.
Tavis Ormandy 24h
Replying to @wdormann @miketlester
I think it stopped working because they changed the connection message format (it has to match or the server won't accept the connection). That can be fixed, and then the edit session attacks should still work. I don't really know why they called it an "ALPC" bug. 🤷🏻‍♂️
Tavis Ormandy Aug 15
Replying to @nimnaij @tylerni7 and 3 others
It's supposed to balance it, but it doesn't seem to work. The VRP will pay for and fix unlimited bugs, but Tyler says he can sell the same amount for more to exploit brokers - that does sound like stockpiling?
Tavis Ormandy Aug 15
Replying to @nimnaij @tylerni7 and 3 others
Yep, that is the argument - if collateral damage to civilians/allies is acceptable. There's no right answer of course, but it's definitely not the case that so long as you only sell to the good guys there are no ethical issues.
Tavis Ormandy Aug 15
Replying to @nimnaij @tylerni7 and 3 others
That is why I would prefer they use intelligence techniques that cannot easily fall into the hands of others, and we find and fix vulnerabilities instead of hoarding them.
Tavis Ormandy Aug 15
Replying to @nimnaij @tylerni7 and 3 others
Right, they can find another way. The reason that's important is because I think it's reasonable to trust the military to competently safeguard equipment from abuse. It is *impossible* to prevent bad actors from finding the same bug, so they cannot prevent it being abused.
Tavis Ormandy Aug 15
Replying to @nimnaij @tylerni7 and 3 others
Sure, and signals intelligence predates iPhone exploits. I agree there is no correct answer, the thread started because it was being presented as a solved problem.
Tavis Ormandy Aug 15
Replying to @nimnaij @tylerni7 and 3 others
If totalitarian governments don't need 0day, then how come they keep getting caught using them, and companies keep getting caught trying to sell to them? I don't buy the "It's just little old me, I can't make a difference" argument, sorry 😛
Tavis Ormandy Aug 15
I get that you need to rationalize selling exploits to the military. You do that by saying "It's 100% ethical because I only sell to the good guys", and don't think about someone selling the same bug to repressive regimes instead.
Tavis Ormandy Aug 15
Replying to @nimnaij @tylerni7 and 3 others
It was an example of just how many options are available. You literally cannot think of *any* way to gather intelligence other than exploits?
Tavis Ormandy Aug 15
You're not discussing this in good faith, I cannot enumerate all the things that the military can do in a tweet dude. There are other options available to the military other than exploits and shooting people.
Tavis Ormandy Aug 15
Replying to @haxorhead
It doesn't require Administrator, just run it as a standard user.
Tavis Ormandy Aug 15
Here's the problem with that argument, the government has effectively unlimited resources. They can literally drop people with guns out of helicopters. It is not necessary to put innocent people in harm's way, there are other options to achieve the same goals.
Tavis Ormandy Aug 15
That is a dishonest tweet that misrepresents the argument. When you say "It's okay because I only sell exploits to the good guys", the problem is you can't stop bad people finding and exploiting the same bug, and *that's* the problem.
Tavis Ormandy Aug 15
I do think that, because I do know people who do it and make a comfortable living. You talk like your only options are living in the gutter or selling exploits to the military, there is a third option, I promise!
Tavis Ormandy Aug 15
I would say that if you were willing to optimize your workflow for VRP, the income would be similar, however.
Tavis Ormandy Aug 15
You sure like this false dichotomy.
Tavis Ormandy Aug 15
Sure, if you can rationalize leaving a billion users vulnerable to anyone who does the same thing you did - potentially very unpleasant people - you might make slightly more money. No argument there.