Comment by portaouflop
2 months ago
You are imagining a market that doesn’t exist.
First there are only very few govs/companies that are sketchy enough to do this - and for those a huge number of non-anonymous people exist with huge reach that are very critical for years. If such a market existed they would assassinate all those first - you don’t need the email if you have the face, voice, and name - since that is not happening they just don’t care that much about it.
There’s 100% an active market for this, and I think tptacek is simply wrong on this point (the others are valid)
The likes of Cambridge Analytica didn’t go away, they exist and absolutely go hunting for data like this.
The ability to map between different identifiers and pieces of content on the internet is central to so many things - why do you think adtech tries to join so many datapoints? Let alone things like influence campaigns for political purposes.
I’m not talking about assassination plots, but more mundane data mining. This is why so much effort in the EU has gone into preventing companies from joining data sources across products - that’s embedded in the DMA.
There's an easy way to put your money where your mouth is here. Just offer $11k for this or similar vulnerabilities out of your own pocket, and then resell them. If there really is a large and active market for this at higher dollar values, you'll make a killing!
Sure is funny there's nobody doing that despite so many people being so dead certain there's an active market.
If I did, would you know?
And if I did, it wouldn’t stop people from doing co-ordinated disclosure either, would it? Same with high end exploits - some folks do co-ord disclosure because it feels good and is great for your CV; others sell gray market and we generally have no idea what’s being traded.
(With the exception of say, zerodium or 0xcharlie’s various talks)
Sure, but do adtech companies buy vulnerabilities in web services to advance their mission? Wouldn't that risk running foul of e.g. the Computer Fraud and Abuse Act?
You don’t need to sell the vulnerability to them, or even tell them the vulnerability is there. Just set up an API and bill them by the query.
I think you've missed my point. I know data brokers exist. Does there exist today a data broker that functions in whole or in significant part by acquiring vulnerabilities and exploiting them to collect data? Here's a more concise way to frame my argument: if you're imagining yourself to be the first person to sell a particular kind of vulnerability, then your customer is imaginary.
Yeah, I think this is valid. “I’m confident I can find someone who will buy this” vs “I’ll message grugq”, roughly?