[HN Gopher] Zerodium offers $100k for a RCE in Pidgin, who recei...
___________________________________________________________________
Zerodium offers $100k for a RCE in Pidgin, who received $25k
donation this year
Author : phh
Score : 105 points
Date : 2021-06-02 17:36 UTC (5 hours ago)
(HTM) web link (twitter.com)
| LordOfWolves wrote:
| From Zerodium's FAQ page:
|
| > Zerodium customers are government organizations (mainly from
| Europe and North America) in need of advanced zero-day exploits
| and cybersecurity capabilities.
|
| Based on Zerodium's origin and reputation, it seems an exploit
| is sought which enables a governmental actor to examine
| information that it otherwise could not. I am assuming they do
| not have a legal basis for doing so or courts would have
| granted/ordered such access.
| g_p wrote:
| > I am assuming they do not have a legal basis for doing so or
| courts would have granted/ordered such access.
|
| It's also possible that they have a lawful basis and warrant,
| but realise executing a physical warrant won't get access to
| what's required - with e2e encrypted chats going over Pidgin,
| on an encrypted laptop, you need to be very confident that when
| you swoop, the laptop is on and decrypted. You get one "go" at
| that, otherwise you have a suspect, little or no evidence, and
| an attorney requesting their immediate release on bail absent
| any actual evidence, which would let them flee and clean up any
| other evidence that may be out there, either with them or
| others.
| zulln wrote:
| This assumes they even know the physical location.
| tedunangst wrote:
| How do you think warrants work? The police suspect Criminal
| Charlie of organizing a crime using pidgin, so they get a
| warrant, then they give the warrant to Charlie? "Please
| remember to cc us on all your criminal plans. Thanks."
| vmception wrote:
| Governments can offer bounties to find exploits, it is just too
| public if people know which government is looking for what. It
| isn't a legal issue.
| celticninja wrote:
| Also 'mainly' does not mean exclusively. If you think they
| won't sell an exploit to some tinpot dictator then I have a
| bridge to sell you.
| caymanjim wrote:
| The NSA doesn't need a warrant to intercept foreign
| communications, for just one example.
| gurjeet wrote:
| It's a sad state only because the FOSS developer managed low
| funding. OTOH, if they had managed significantly more, say a
| million, then irrespective of the bounty size we wouldn't label
| it a sad state.
|
| This is to say that FOSS needs more funding and contributors;
| the rest of the industry can do whatever they want, and we
| wouldn't care.
| tptacek wrote:
| I'm not sure I understand the cognitive dissonance here. The same
| imbalance exists in a lot of commercial products; for instance, a
| new reliable Chrome bug chain might earn you more than a Chrome
| developer makes in a year, and a lot of those people make bank.
| It's simply the case that for some projects, reliable exploits
| are more scarce than feature engineering resources --- they
| involve different skill sets.
|
| None of this is to say that $25k is adequate compensation for
| critical FOSS development work.
| [deleted]
| Cyph0n wrote:
| The difference is that Zerodium can turn around and sell these
| exploits to autocratic governments. More often than not, these
| governments then use the exploits to monitor political
| dissidents.
| tptacek wrote:
| If you're reading me as saying the two enterprises are
| morally equivalent, you're taking something I'm not saying
| from that comment.
| Cyph0n wrote:
| Sorry, I did not mean to imply that. I was just noting an
| important difference between bug bounty-style exploits
| funded by companies and what Zerodium does.
| lovasoa wrote:
| and to democratically elected governments too, who will then
| spy on their own citizens
| pjc50 wrote:
| Solution: put bug in, get accomplice to claim bug bounty under
| an alias.
|
| (This is fraud, don't actually do this! But it comes up every
| time someone does bug fixing metrics)
| jonfw wrote:
| Seems like unnecessary steps - I'm sure Zerodium would be
| happy to just pay you directly to put in a backdoor.
| failwhaleshark wrote:
| Obfuscated Open Source Subtle Bug Insertion Contest
|
| Edit: If it's not a bug bounty to fix it, but a vuln bounty
| to sell it, then it's highly-unethical but not necessarily
| illegal.
| mlex wrote:
| Sounds like the University of Minnesota already has a team
| ready.
| failwhaleshark wrote:
| Sploits are worth a lot more because of the damage they can do.
|
| Fixing some bugs and adding some features is a nice-to-have
| that most people and companies aren't willing to pony-up much
| for.
| paulgb wrote:
| Fair point, but as someone not familiar with exploit markets, I
| do find it surprising that an exploit in a relatively niche
| (because desktop linux is relatively niche) IM client is worth
| $100,000k.
| kjs3 wrote:
| Undoubtedly some TLA has learned someone of interest is using
| Pidgin, and has offered a premium for an exploit to target
| them. TLAs have deep pockets for such things.
| g_p wrote:
| I would have thought the same, but the existence of this
| "ask" certainly would suggest there is indeed demand from a
| market dynamic perspective. Pidgin is cross-platform, and you
| could conceive that it was being used by people for various
| activities with OTR or OMEMO end-to-end encryption. At that
| point, there's a bunch of potential customers looking to pay
| Zerodium for a good, robust, zero-click exploit that would
| give them access to exfiltrate and monitor messages sent
| through the client.
| tptacek wrote:
| The work is the work, no matter how much the project itself
| took to build. If it was easy for exploit developers to pull
| a Pidgin exploit out of their butt, they'd be cheap. The fact
| that it's a niche target can actually make bugs scarcer;
| sometimes, exploit devs can draft off the work other people
| have done beforehand.
| paulgb wrote:
| Sure, my surprise is more that the _demand_ exists at
| $100k, not that the supply isn't cheaper.
| tptacek wrote:
| I get why that's surprising but I think it's important to
| beat that surprise out of your brain, because $100k is a
| rounding error for any state-level actor --- not just the
| US, but, like, Seychelles as well. If you have a problem
| that can be solved with a Pidgin exploit, it's a problem
| you'd fall over rushing to write a simple $100k check
| for.
| mike_d wrote:
| Zerodium is a proxy for governments wanting to buy exploits.
| That niche IM client might be the software of choice for a
| child-exploitation ring or a high level ISIS commander.
|
| Comparatively a single hellfire missile costs $150k - plus
| $32 million for the drone to fire it from.
| t0mas88 wrote:
| The 100k exploit bounty is probably less than the yearly
| cost of 1 agent for many government organisations. So the
| target doesn't even have to be a high value ISIS terrorist
| to make this bounty worth it. Just save them 1 or 2 FTE
| somewhere and the economics already work.
| mike_d wrote:
| The 0day market is actually getting disrupted by
| cryptocurrency. Even the major exploit brokers can't compete
| with weaponizing the exploit against an exchange or online
| wallet provider to net tens of millions in easily cleaned
| money.
| celticninja wrote:
| Any evidence of this?
| throwaway2048 wrote:
| It's pretty common sense: if you exploit people and steal
| their cryptocoin wallets, that is worth a lot more than a
| single one-time payment of 100k.
| viro wrote:
| Speaking of common sense ... most people don't have
| cryptocoin wallets
| OJFord wrote:
| But not more than Google's revenue / Chrome project funding.
| (Or at least not above board, out in the open like this.)
|
| I don't necessarily disagree with you, but I do think it's
| dissonant enough to be interesting.
| phh wrote:
| Compare the project fundings?
|
| Chrome funding is probably in the XXM$/year, while Zerodium
| offers 500k$ for a vulnerability, that's an approximate 20-100
| funding / vulnerability ratio.
|
| Pidgin is at 25k$/year, for 100k$ for a vulnerability, so a
| ratio of 1:4.
|
| I think the only reasonable conclusion is that community-driven
| opensource projects are 100 times safer than private company-
| funded opensource projects /s
| thaumaturgy wrote:
| I don't think cognitive dissonance is the right label to apply
| to this. I read it more as a misalignment of incentives. It's a
| sad comment on the state of things that a year of effort to
| produce some popular software is worth only a quarter of what
| somebody else is willing to pay for exploitable bugs in that
| same software.
|
| Like, I understand _why_ that's the case, but it still sucks.
| lolsal wrote:
| I would pay more than my yearly salary to find out if I have
| a 'curable' cancer, so that I could treat it. To not, or
| ignore that, would likely mean my death. I imagine it is
| similarly motivating for OSS projects.
| yoz-y wrote:
| One difference is that people may have a safety net in
| either savings or insurances, but underfunded open source
| projects don't.
| thaumaturgy wrote:
| It's not.
|
| OSS projects aren't people with curable diseases. Most of
| them are labors of love, run by people in their spare time.
| Those people have needs that are mostly not met by working
| on open source projects. Epsilon open source projects are
| well-enough funded that nobody in the project feels starved
| for resources.
|
| Bug bounty programs are only useful for these projects if
| the details of the bug are shared with the project.
| Zerodium's model relies on keeping developers unaware of
| the bugs for as long as possible [1].
|
| Nobody developing OSS is grateful for programs like
| Zerodium.
|
| [1]: https://security.stackexchange.com/questions/199480/what-doe...
| ianai wrote:
| Unless the foss developer is also getting the RCE award.
| renewiltord wrote:
| Well, surely you just have a confederate add one, sell the
| exploit, then patch it. Do it three times and you've got a decade
| of funding. I'm sure you'll get away that many times.
| sebyx07 wrote:
| Begging cash for OS exploits is trashy and rude, the author
| should have just submitted a PR with the fix. Target crappy closed
| projects where real money is next time and ask for more, peasant.
| detaro wrote:
| ... you probably should read the submission again.
| sebyx07 wrote:
| They encourage finding bugs and then begging money for open
| source stuff. This is crazy. 100k should go to people like
| Gary.
| throwaway-571 wrote:
| What Pidgin user(s) could possibly be worth that much?
|
| Are there some activists or terrorists monitored by a 3-letter
| agency who are computer literate enough to use Linux + Pidgin to
| try and keep away from prying eyes (or just for plain ethical
| reasons)? Or would the exploit end up being targeted at some
| foreign government that has standardized on Pidgin?
| kjs3 wrote:
| Either seems plausible to me, especially since US$100k is chump
| change for a TLA or other state-sponsored actor.
| upofadown wrote:
| Pidgin is the IM client provided in Tails Linux. In practice
| that makes it the OTR over XMPP client provided in Tails Linux.
|
| I suspect that this use also causes those that are not doing
| Tails to use Pidgin on Windows to communicate with those that
| are. After all, Pidgin is in Tails. It must be secure.
| kilroy123 wrote:
| Maybe someone who's holding a LOT of crypto?
| meowface wrote:
| Maybe. But if you're holding a LOT of crypto, it's very
| unwise to store the private keys on an internet-connected
| computer you also use for instant messaging and other things.
|
| (I'm sure plenty of people do actually do that; just
| lamenting the fact rather than expressing skepticism at the
| plausibility.)
| normaler wrote:
| There are many government organizations which are still using
| XMPP, and the clients they use are most likely based on libpurple,
| the basic library for Pidgin and similar clients (Adamantium on
| MacOS).
| paulryanrogers wrote:
| Adium?
| failwhaleshark wrote:
| Vupen / Zerodium folks (Chaouki Bekrar, et al.): helping
| governments monitor, abduct, torture, silence, and murder their
| enemies through monetizing sploits.
| high_byte wrote:
| Except they don't see it that way. They don't see at all when
| money is blinding and used to look the other way.
| IncludeSecurity wrote:
| They know exactly where their sploits are going and how
| they're being used; they chose to look away with a blind eye.
| viro wrote:
| I wonder which Pidgin user is the "target" of this increase.
| riffic wrote:
| Isn't this the polar opposite of responsible disclosure? This
| rubs me as completely unethical.
| monkey_monkey wrote:
| Zerodium is an ethics-free company.
___________________________________________________________________
(page generated 2021-06-02 23:01 UTC)