Companies Are Now Offering Seven Figures For Hacks That Allow Spies, Cops To Steal Chat App Messages (vice.com)
Zerodium, a startup that buys and sells hacking tools and exploits to governments around the world, announced on Monday price increases for almost everything they are looking for, such as iOS remote jailbreaks and Windows exploits. "It said it will now pay security researchers $1,000,000 for exploits in WhatsApp, iMessage, and SMS/MMS apps for all mobile operating systems," reports Motherboard. From the report: Compromising the whole iPhone, sometimes referred to as remote jailbreaking or rooting the phone, can cost $2 million or more, and usually involves a series of bugs and exploits. The price increase shows that mobile devices in general are getting more and more secure, and thus harder to hack. That means that it's becoming increasingly hard for hackers to break into iOS and Android devices. That makes the life of folks like spy agencies and police departments harder too. That's where Zerodium and other similar companies, such as Azimuth and Crowdfense, come in: they act as intermediaries between security researchers and government agencies looking for tools -- often called zero-days -- to break into targets. Before today, Zerodium was willing to pay $500,000 for WhatsApp and iMessage exploits, according to an archived version of the company's site. These new prices are in line with the market, according to Maor Shwartz, who used to run a company that acquired and sold exploits to government agencies.
It's almost tempting (Score:2)
I've been doing computer security for over 20 years.
A million bucks might be tempting if I didn't already have a job I like, and what some would call an overinflated sense of ethics.
Re: (Score:2)
how safe can your life be, if you are perceived to be that valuable or that dangerous to party A or B or C?
personally, I'm glad I don't know that much ;)
For that kind of money (Score:5, Interesting)
I hope the aforementioned companies are paying their own engineers well.
Once bounties get this high, the thought would cross the minds of many to build in a vulnerability for use later on.
Then again, I suppose the various three letter agencies with their unlimited budgets probably have an engineer or several on the payroll already...
Re: (Score:2)
Why wait for the engineers to build it in, why not just include it as a feature from the start?
Or does that only work for privately held companies?
Re: (Score:2)
Why wait for the engineers to build it in, why not just include it as a feature from the start?
Or does that only work for privately held companies?
This is the point of Australia's Assistance Access bill that the US can access via intelligence sharing arrangements.
Re: (Score:1)
Hacks are NOT sold - they are strictly licensed. Will one intel agency tip off other agencies or share the details? You bet.
Australia leaked Swedish propeller designs to the USA the moment they got them, then lied about it - so Australia is not trustworthy. The USA stole IP off the guy who had the patent on optic fiber taps without paying until caught.
Anyway at 1-2 Million, it is now worthwhile to use a STM, shaving all chips, laser test point taps and lithium niobate to take hidden code and work on it and nab th
Re: (Score:2)
Hacks are NOT sold - they are strictly licensed. Will one intel agency tip off other agencies or share the details? You bet.
You really missed the point about there now being a legal avenue to do this.
Re: (Score:2)
Nope there always was a legal avenue.
I don't disagree with the point you are making however the point I'm making is there has never been a legal mechanism for government to compel a software company into installing "front-doors" into their software products specifically for government to use until the law was passed at the end of 2018. There has never been a legal mechanism for government to coerce information technologists with fines and jail terms for not co-operating until now.
Re: (Score:3)
"I'm gonna write me a new mini-van this afternoon!" (https://dilbert.com/strip/1995-11-13)
Re: (Score:1)
I hope the aforementioned companies are paying their own engineers well.
Yeah, because the fear of getting caught clearly doesn't factor in. It wouldn't take a genius to catch someone attempting to cash in on their own "exploit", and I'm sure these companies have some very expensive lawyers which could make your life really miserable.
Re: (Score:2)
Not even close. Someone can compromise an algorithm or "forget" an equals sign or any other compromises which are not obvious to prove as intentional. The person who cashes in is going to cash their reward in secret; the companies who buy the exploits do not broadcast them to the public.
Also, I guarantee you that security researchers in the past have found vulnerabilities in the code written by people they know - a lot of security guys know each other already from conferences, academia, working for the same
Re: (Score:2)
I'm guessing that every company that has a worthwhile target in their product offering, has a mole or two in their employ.
I'd go farther: a known set of moles and an unknown (to the company) set.
this includes the build system and binary modules. hardware has its analogs, too.
yes, we *are* post-snowden. and we damned well know it.
Re: (Score:2)
A counter-intel team that sells the exploits they find so the group is self funding, then waits juuuust long enough they'll be able to sell the next time before patching.
Done right that could be an intentional extra revenue stream. It's not like these companies have any ethics to complicate matters.
Re: (Score:2)
That is a new business model for a startup. Pay for exploits to be inserted, then sell them.
Spies?!? (Score:2)
Re: (Score:2)
Pigeons. Definitely pigeons.
Re: (Score:1)
Get your facts straight. Khashoggi was NOT a US citizen.
Spies or Cops (Score:2)
So they're only interested in ones for spies and cops, not just the average joe using an exploit?
So, uhm-- this 4th amendment thing... (Score:1)
You know, this thing?
https://constitutioncenter.org...
I am fairly certain that personal correspondence, which would be the modern equivalent of "papers" mentioned explicitly in the amendment, is something that cannot be obtained without a warrant.
That is, unless the constitution is NOT a "Living document" that gets reinterpreted to suit modern climates and courts... and only paper based correspondence is covered explicitly.
Oh, who the fuck am I kidding; The clowns are running the circus, and there are no c
You know not everyone is a US citizen, right? (Score:3)
Re: (Score:1)
Oh, I understand that they can and do, and that yes, the vast majority of the world population does not live in the US.
That does not give my government the right to do so. (Or, to "trade favors" with other governments to circumvent these restrictions. >.> Looking at you GCHQ in the UK... )
I am sure it makes you feel morally superior to point obvious facts like this, but you are missing the point; These people (companies) are paying monetary bounties to enable the local police forces (who are SUPPOSED
Re: You know not everyone is a US citizen, right? (Score:2)
These people (companies) are paying monetary bounties to enable the local police forces (who are SUPPOSED to be upholding constitutional law) to perform unlawful searches
That's your assumption, which you pretty much pulled out of your ass. As the other guy pointed out, TLAs can use these to conduct lawful surveillance outside of your country. Additionally local police and TLAs can make use of this tech to surveil citizens legally, by first obtaining a warrant.
The fact that any given technology can be abused does not mean that it does not have legitimate uses. It's just that when you're paranoid you always tend to see only the potential for abuse.
Yep (Score:5, Insightful)
Re: Yep (Score:2)
In Soviet America law breaks you!
and will the law enforcement dmca exempt cover (Score:2)
And will the law enforcement DMCA exemption cover this, or are there too many subcontractors in the mix?