this post was submitted on 16 Jul 2024
311 points (95.3% liked)

Technology

59358 readers
6668 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] henfredemars@infosec.pub 14 points 4 months ago (8 children)

Easier is a very relative term. It’ll be really expensive to use a genuine zero-day to do it. Such exploits are few and far between.

[–] dwindling7373@feddit.it 10 points 4 months ago* (last edited 4 months ago) (5 children)

How is it expensive? It is if it eqates to the zero day becoming of public domain, and this is not the case here. They can say they guessed the password while in fact they exploited some unknown vulnerability...

[–] henfredemars@infosec.pub 3 points 4 months ago (4 children)

Zero days are extremely expensive costing in the millions of dollars even if you’re not publishing exploit details. Just using it is extremely costly because each attempt exposes your bug to the world, which is an opportunity that it could get caught and patched. Android and iPhone both have mechanisms to detect and report crashes which could easily cost you your bug. Plus, on the exploit markets, a bug that hasn’t been used is worth more because there have been literally zero days of opportunity to defend against it.

There is definitely a cost to using something that expensive and that requires a necessary level of risk. You’ve got to be worth it, and the supply of such bugs is extremely low and sometimes zero depending on your exact software version.

[–] SineNomineAnonymous@lemmy.ml 2 points 4 months ago (1 children)

to be fair to the incompetent people in law enforcement, I do believe "trying to kill a presidential candidate slated to win and being a millimeter away from getting it done" would justify relying on a 0-day.

[–] henfredemars@infosec.pub 2 points 4 months ago

Indeed. That's a pretty motivating reason.

load more comments (2 replies)
load more comments (2 replies)
load more comments (4 replies)