Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
tptacek 19 hours ago

Can you cite a source for that claim? The USG paying mid-5-figures for an XSS vulnerability? That's news to me.

azemetre 18 hours ago | parent | next [-]

The book "This Is How They Tell Me the World Ends" by Nicole Perlroth, while it's about the history of cyberweapons it does a very good job detailing the late 90s to early 2010s exploit market.

I don't have it in front of me, but I'm talking about the "nobody but us" era of exploit markets:

https://en.wikipedia.org/wiki/NOBUS

Where the NSA seemingly was buying anything, even if not worthwhile, as a form of "munitions collection" to be used for the future attacks.

edit: this mostly ended in the US because other nations started paying more, add in more regulations (only a handful companies are allowed to sell these exploits internationally) and software companies starting to do basic security practices (along with ruling out their own bug bounties), it just mostly whimpered away.

Also relevant to the discussion, the book discusses how the public exploit markets are exploitive to the workers themselves (low payouts when state actors would pay more) and there are periods of times where there would be open revolts too (see 2009 "No More Free Bugs" movement, also discussed in the book).

Definitely worth it if you aren't aware of this history, I wasn't.

tptacek 18 hours ago | parent [-]

I haven't read her book, am myself somewhat read in to the background here, and if she's claiming NSA was stockpiling serverside web bugs, I do not believe her.

In reality, intelligence agencies today don't even really stockpile mobile platform RCE. The economics and logistics are counterintuitive. Most of the money is made on the "backend", in support/update costs, paid in tranches; CNE vendors have to work hard to keep up with the platforms even when their bugs aren't getting burned. We interviewed Mark Dowd about this last year for the SCW podcast.

azemetre 18 hours ago | parent [-]

Maybe there is a misunderstanding, I'm not saying that the NSA would be buying XSS scripts. I'm saying that if this was 35 years ago the NSA would be buying exploits with common user software. Back then the exploits were "lesser" but there still was a market and not every exploit that was bought was a wonder of software engineering. Nowadays the targeted market is the web and getting exploits on some of the most used sites would be worthy of buying.

Kid was simply born in the wrong era to cash out easy money.

tptacek 17 hours ago | parent [-]

I think you're wrong about this. 35 years ago was 1990. Nobody was selling vulnerabilities in 1990 at all. By 1995, I was belting out memory corruption RCEs (it was a lot easier then), and there was no market for them at all. And there has never been a market for web vulnerabilities like XSS.

Building reliable exploits is very difficult today, but the sums a reliable exploit on a mainstream mobile platform garner are also very high. Arguably, today is the best time to be doing that kind of work, if you have the talent.

0xbadcafebee 19 hours ago | parent | prev [-]

I can't imagine intelligence agencies/DoD not doing this with their gargantuan black budgets, if it's relevant to a specific target. They already contract with private research centers to develop exploits, and it's not like they're gonna run short on cash

tptacek 18 hours ago | parent [-]

If that were the case, we'd routinely see mysterious XSS exploits on social networks. The underlying bugs are almost always difficult to target! And yet we do not.

The biggest problem, again, is that the vulnerabilities disappear instantaneously when the vendors learn about them; in fact, they disappear in epsilon time once the vulnerabilities are used, which is not how e.g. a mobile browser drive-by works.

vablings 17 hours ago | parent [-]

Why would YOU see a mystery XSS exploit on a social network? The idea of the DoD scoring these little exploits in a box is usually to deploy in a highly controlled and specific manner. You as a layperson is of no interest to them unless you are some kind of intelligence asset or foreign adversary

MajesticHobo2 16 hours ago | parent [-]

Wouldn't platforms see the supposed XSS payloads in their logs and publish analyses of them, or at the very least, announce that they happened?

rvnx 14 hours ago | parent [-]

Seems like none of these major websites detected anything, and they are supposed to be top-notch in the world.

It's only because the researcher contacted them.

tptacek 14 hours ago | parent [-]

Also because nobody actively exploited them! You're using the word "detected" to mean "discovered", which nobody working in the field would ever do.

rvnx 13 hours ago | parent [-]

detected: WAF caught or detected the attack and raised an alert, post-exploitation

discovered: they audited or pentested themself and found out, preemptively

I just mean that Coinbase didn’t see anything happening and didn’t take action though the boy successfully exploited the vulnerability on their live system.