I think I agree with you. I see a market for camera bypass bugs as more evidence that the whole market is ethically bankrupt. I've always thought that --- high prices for exploits are premised on the idea that they aren't being fixed by vendors! --- but this is a lurid and disturbing detail.
Of course, it's also possible that, like the Netgear CSRF RCE, this is a bug posted with a high price as a trial balloon, and nobody actually buys them.
(For what it's worth: I also think the idea that serious enterprises need zero-days to test their security controls is also pretty silly. I know it does happen, but I think the causality is mixed up; I think it happens because the markets exist, not the other way around.)
> One of the most well known examples was when the FBI used a FireFox 0-day to target and eventually dismantle a child pornography ring.
Funny... that's when they took down Freedom Hosting right? If I recall correctly, they didn't use a 0-day, they targeted a vulnerability that had been patched in the regular tor browser so only people using an outdated version of the browser were hit by it.
Plus, calling Freedom Hosting a "child pornography ring" isn't representing accurately what it was. Sure, there was child porn hosted there. Maybe even most of what was hosted there was child porn, I don't know... but that was a web host. There was no encouragement from Freedom Hosting to host cp there (apart from not doing anything to prevent it).
Plus, apart from busting the guy responsible for FH, I'm not sure they got anyone of interest with this operation... at least, I haven't heard of it and I'm sure they wouldn't have been too shy to brag about it if they had made any high-profile cp bust from this.
I agree, but as can be seen in the post by Netragard linked in the article:
www.netragard.com/exploit-acquisition-program-shut-down
Business can still rationalize and excuse their behavior by pretending that they're actually doing the morally right thing
> The need for 0-days is very real and the uses are often both ethical and for the greater good. One of the most well known examples was when the FBI used a FireFox 0-day to target and eventually dismantle a child pornography ring. People who argue that all 0-day’s are bad are either uneducated about 0-days or have questionable ethics themselves.
I loathe this viewpoint, for at least 3 reasons:
- "Keys Under Doormats": you keep the 0day secret to target pedophiles, but other people will be affected by it as well
- It's using the usual cheap rhetoric of fighting pedophilia to defend some business interests
- You're either with us (the spotless knights), or against us... "People who argue that all 0-day’s are bad [...] have questionable ethics themselves"