"Rather than report the vulnerabilities to Apple, Zerodium said that it would sell the exploit to its customers, which include major technology, finance, and defense corporations, as well as government agencies."

Did anybody not see this part?
Apple should outbid these creeps. They definitely have the cash. Or just buy them out and fold them into their own security operations.
 
Alternatively, Apple could tell the public that if you manage to get $1.5 million from this company for an exploit, they will take you to court until your money is gone.
How in the world is Apple going to know who got the bounty? Zerodium paid 3 million dollar bounties last year for 3 weaponized exploits. Who could Apple take to court in that instance?

Just going to leave these here for future reference.
Who are zerodium's customers? Are they vetted? How? What kinds of things would disqualify an extremely rich customer from purchasing an exploit?
It's pretty obvious that you don't know it, but you have no idea what's going on with this subject matter.

And you know full well that this is an assumption without facts to back it up. Mac OS already scaled to an additional billion devices, overtook Windows PCs and didn't see a corresponding explosion in malware. {snipped for clarity}
You didn't understand the quote you read. In your haste to defend, you overlooked the obvious meaning of that quote.

This should be 100% illegal. It is obtaining private information without the user's permission and then brokering that information to persons unknown.
What information is being obtained by Zerodium without users permission? The hackers code?
 
This should be 100% illegal. It is obtaining private information without the user's permission and then brokering that information to persons unknown.

When the government wants our information they have to have a valid legal reason. This circumvents that. So how can it be legal?

It is a really messed up world we find ourselves in, my friends.

The government plays by their own rules. They don't follow laws.
Because the same people who make our laws are the same ones buying the exploits, so that they can spy on their citizens and hack into their phones after crimes.

Not just after crimes. At their whim.
 
You know, if Apple played their cards right, they could contract someone to work on their behalf and get $1.5 million of Zerodium's money and directly benefit Apple. In fact, a truly conniving company could create a hidden 'vulnerability', sell it to Zerodium, fix the code right away and sink the potentially sabotaging company.


I think this would curb Zerodium's ability to provide an award.
 
And this is why having ANY sensitive information in an Internet-connected device is a risky affair.

I'll never use Apple Pay or its equivalents, and my using my mobile device for anything other than calls, chats, photos, and non-important browsing is an accepted risk I take sparingly and in full awareness of the exposure.

I like my storage local and disconnected from the Air whenever possible, I use physical credit cards, and a real computer to do and keep sensitive stuff (as opposed to an iPad and the like).

The tradeoff of convenience and security is exemplified in a scenario such as this Zerodium thing.
 
Capitalism is to blame? You realize government would be the biggest customer here, right?

Blame? I don't think that is the point here. We're living in a market driven economy where the invisible hand sets the market rate for any widget or service. An exploit is simply a time-limited good which is sold at the rate the market can bear. Blame? NO! God loves Capitalism.
 
How is this even legal?
Why? It's just like any other private security firm. Why would it be illegal?

-----------
Dang I guess I need to start learning how to root devices in my free time. Only need one big hit and done.
Capitalism is to blame? You realize government would be the biggest customer here, right?
The issue for many I guess is not knowing which government.
 
Could the act of selling an iPhone hack make you an accessory or accomplice to a crime if that hack was subsequently used to break the law? I confess that I am not knowledgeable enough to comment in that regard.

The closest analogy I can think of is that it would not be against the law to have the keys to your house duplicated, though it would certainly be breaking the law if I decided to use those keys to break into your house to burgle it. The only reasonable course of action you could take is to have all your locks changed.

Depending on the design of the lock and how many were sold, someone out there could very possibly already have the key to your house.

Does that immediately make them (or all the people with the same key) a suspect in the event of a break in? Nope.

Also a locksmith has the ability to make a key via numerical methods for quite a few locks without having a key and that doesn't make him a suspect.

The person using the "tool" for the illegal act is the criminal. The guy on the factory line that made the key cutter isn't responsible for the use of it.
 
How is this even legal?

How can it be, unless Apple shares source code to make lives easier for bug chasers?

Also, with Apple's wealth, how come it's resorting to taking advantage of talent out there to do their work for pennies? People should be offended, especially since the tax scandal the Apple company is mired in. Don't they believe in trickle down? Seems not...
 
There's nothing in his post to indicate any kind of a joke.
I think that was my point, that he took a phrase that is usually uttered as a joke and applied it literally.
Again, you fail to understand what "security through obscurity" means, and you obstinately refuse to educate yourself on the topic. It has nothing to do whatsoever with market share, and I made no reference to such a thing. For example, take Microsoft, who followed this approach for its huge market share products - with disastrous results.

So the thing you should have shot down was the mumbo-jumbo in your head related to software security, but you're too deep into your misconceptions to actually understand the topic at hand.
Look up "security through obscurity" at Wikipedia. It explicitly mentions "security through minority" as a variation of it.

I really find it strange that somebody who thinks a given concept doesn't work then tries to assert his or her position by declaring that the whole term does not actually describe the thing. As if the ultimate rebuttal to something is to say that the word itself doesn't exist. Like countering a claim that there is oil in Albania with a) there is no oil in Albania and b) no such thing as Albania even exists. Or like excising a word like 'recession' from the vocabulary as the ultimate way of asserting that there currently is no recession, or that the word recession actually means something else.
 
It's pretty obvious that you don't know it, but you have no idea what's going on with this subject matter.

It's pretty obvious that your mental capacity can't stretch beyond a single sentence, if you want to get personal.

There are loads of extremely dangerous exploits that could occur, even offline, if a pilot's iPad was hijacked. Theoretically, they could develop a baseband firmware which jammed the on-board GPS and other communications and, since these are the backup maps, they could have the plane fly in the wrong direction to engineer a low-fuel situation either in a compromised location (taking the aircraft, crew and passengers hostage) or just in the middle of the ocean. Maybe they can transmit a convincing dummy GPS signal. The iPad doesn't even have to stay offline - the hack could potentially invisibly connect to on-board WiFi if available. Maybe they don't even have to - maybe they can just detect flight conditions in other ways and make the iPads overheat and explode. There are players out there who truly go to incredible lengths; never underestimate the lengths people will go to in order to harm others.

It's pretty obvious that you severely underestimate cybersecurity.

Relax, buddy. iOS devices have been hacked/jailbroken for years now. I haven't heard of any major catastrophic issues because of it, have you?

A zero-day exploit is fundamentally separate from the concept of "jailbreaking". Jailbreaking is something you do to your own device, with the intention of removing restrictions from the manufacturer. A hack is something that somebody else does to invade your computer, and their intentions can be all over the map. Both may make use of zero-days, but there is a huge distance between them.

I do remember hearing about cases where malware jailbroke people's phones. There are some proof-of-concepts, but I also remember hearing about one in the wild at one point (forget the name).

Here's a POC fake charger which can jailbreak your phone without you knowing: http://www.jailbreakmodo.com/3rd-party-iphone-chargers-can-install-malware-on-your-device.html

Also cases about malware targeting jailbroken phones: http://researchcenter.paloaltonetwo...000-apple-accounts-to-create-free-app-utopia/

This is why I find the idea of zero-day exploits available for anybody with enough cash abhorrent. I'm aware that such places likely exist on the darknet, but we shouldn't allow them to also openly flaunt themselves as a registered corporation. We don't have a way to regulate their use (if there are legitimate ones) by private parties, so we must consider them potentially extremely dangerous.
 
Alternatively, Apple could tell the public that if you manage to get $1.5 million from this company for an exploit, they will take you to court until your money is gone.

How would they sue over this? There's no indication of someone providing privileged information. If this person used the exploit on anyone else, they might have legal trouble. Apple wouldn't be able to do much, and it would be a stupid battle anyway.

Consider that researchers sometimes release similar information into the public domain.
 
It's pretty obvious that your mental capacity can't stretch beyond a single sentence, if you want to get personal.

There are loads of extremely dangerous exploits that could occur, even offline, if a pilot's iPad was hijacked. Theoretically, they could develop a baseband firmware which jammed the on-board GPS and other communications and, since these are the backup maps, they could have the plane fly in the wrong direction to engineer a low-fuel situation either in a compromised location (taking the aircraft, crew and passengers hostage) or just in the middle of the ocean. Maybe they can transmit a convincing dummy GPS signal. The iPad doesn't even have to stay offline - the hack could potentially invisibly connect to on-board WiFi if available. Maybe they don't even have to - maybe they can just detect flight conditions in other ways and make the iPads overheat and explode. There are players out there who truly go to incredible lengths; never underestimate the lengths people will go to in order to harm others.

It's pretty obvious that you severely underestimate cybersecurity.
Tom Clancy would be proud. He wouldn't use it, as it's too farcical. But he would be proud of your efforts. Although, given the fervor with which it reads, I believe you believe it to be a viable scenario which we must guard against. Who am I to throw cold water on your hypothetical? Nobody, that's who. If it does get greenlit, please, for the love of Mike, don't let them choose Tom Cruise as a lead actor. He's already ruining Lee Child's Reacher character.

As for me underestimating cyber security... you might be right. I have it on very good authority that Cyber is hard.
 
It's okay. The guys from Zerodium probably use iPhones and they'll get hacked using whatever exploit they sold.
 
Could the act of selling an iPhone hack make you an accessory or accomplice to a crime if that hack was subsequently used to break the law? I confess that I am not knowledgeable enough to comment in that regard.

The closest analogy I can think of is that it would not be against the law to have the keys to your house duplicated, though it would certainly be breaking the law if I decided to use those keys to break into your house to burgle it. The only reasonable course of action you could take is to have all your locks changed.


Well, ask yourself, how many degrees of separation does there need to be for anyone to be involved in any crime after an exploit of an OS? It's a tricky proposition to say that one who exploits an OS is merely responsible for what may come about afterwards by someone else.
 
"Rather than report the vulnerabilities to Apple, Zerodium said that it would sell the exploit to its customers, which include major technology, finance, and defense corporations, as well as government agencies."

Did anybody not see this part?

Selling to companies is what it's about anyway... Where's the harm in that? As long as Zerodium is not selling direct to users, it's ok.
 