Comment by computersuck

Comment by computersuck 2 days ago

28 replies

Why would they do this? Knowing that any bugs found won't be patched since EOL, and will just be used for mass exploitation and harm??

Why is the cyber industry so desperately stupid for attention?

hedgehog 2 days ago

Without splashy narrative and quantifiable risk the vendors won't change and the general public won't perceive the danger of unsupported devices. Public bounties are one way to change both so this seems like a reasonable project with net benefit.

  • sandwichmonger a day ago

    Let's say there's a group of people living in a small, old house. They have the money to move to a bigger, newer one, but there's sentimental and other value to the one they're in.

    Yeah, they don't have the latest door chain and fancy security systems, but that just means they don't open the door to random people who come knocking and are more careful and wary of burglars.

    Now imagine a real estate company paying people to try and break into houses like theirs in order to scare the people into spending money and moving to a bigger and newer house they don't want to move to, claiming that the people don't know any better and need to be FUD'd for their own good.

    That sounds like an evil thing to me.

    • hedgehog a day ago

      A better analogy is a product safety bulletin: if your stove has a design flaw that can burn down your house, the main difference is whether you or the manufacturer knows to do something about it. The bugs exist and people exploit them; it's mostly a question of whether the general public is aware. Breaking into houses requires a lot of labor to scale, exploiting software bugs doesn't, so past some point more people knowing about them doesn't increase risk in the same way.

      After 25 years of this debate it's pretty clear what works.

Aissen 2 days ago

To protest stupidly short EOL deadlines.

  • schlauerfox 2 days ago

    Just went to get some BIOS files for the 5th gen Intel NUCs and they've purged them from the site. It's like when Microsoft purged the KB of everything not in current support. Burning of libraries, it's sickening.

Hackbraten 2 days ago

I think this contest is a good thing.

It might put pressure on customers to demand products with longer support lifecycles, which in turn forces vendors to offer longer support and/or make their software and APIs open source once support ends.

  • wpm 2 days ago

    >It might put pressure on customers to demand products with longer support lifecycles

    It won't. It'll allow vendors to put pressure on customers to buy new shit to replace their old shit that still works just fine that the vendor would rather not spend the resources patching.

    • teeray 2 days ago

      It puts pressure on regulators to realize the shitty situation MBAs create when they EOL products that aren’t reaching revenue targets.

    • throwaway48476 2 days ago

      Possibly but a website that says 'vendor vulnerable' is bad PR and readers won't care if it's EOL or not.

freehorse 2 days ago

The first best thing for vulnerabilities is fixing them, the second best is knowing they exist and what they specifically are (so one can either try to mitigate them or make an informed choice on replacing equipment).

  • amenghra 2 days ago

    Also great for learning. Vendors learn from their mistakes, right?

asabla 2 days ago

I don't see it like that at all. Some 0-days can (somewhat) be mitigated by other hardware/software.

I'd rather have as many "known" 0-days in the open than having it the other way, even if it means I won't see any updates to affected devices or software.

1970-01-01 2 days ago

Why do you think the industry is morally obliged to have them remain untouched?

thomascountz 2 days ago

I'm thinking that bugs may not necessarily disappear when the device or application where they are discovered is EOL'd. This research could discover attack vectors and vulnerabilities that will need to be addressed in active implementations.

1oooqooq 2 days ago

I cannot say if your comment is sarcasm.

Do you think devices are retired because they aren't sold? Why would you want that information to be known only by bad actors? Just imagine trying to convince someone who mounted a beautiful Android 4.4 tablet to control their smart home (heh) 5 years ago that they will have to redo everything because they bought into a proprietary protocol and the base OS isn't receiving security updates.

Or do you truly believe you are safe if you hide under your bedsheet?

  • computersuck 2 days ago

    It's about the barrier to entry and amount of effort to exploit something. When public information comes out about a vulnerability that can't be patched in a reasonable amount of time (due to EOL or some other reason), the bad actors have the upper hand.

    Giving ransomware actors free bugs for mass exploitation when they are unlikely to be patched is just putting innocent users in harm's way. It doesn't really make a dent in the shit vendors' profits, so the only other motives are 1) to show off your cool research or 2) protest ridiculous EOL deadlines (which sure, might make a difference).

    • mulmen 2 days ago

      You’re assuming bad actors don’t already know about these zero days. You have to assume any possible vulnerability is already being exploited. Publishing zero days in EOL devices reduces the information asymmetry.

  • computersuck 2 days ago

    When there's no publicly known bug, someone needs to spend the time and effort to research it; when public POCs come out every skid cybercrime crew jumps on and starts exploiting it for financial gain.

0xdeadbeefbabe 2 days ago

> Why is the cyber industry so desperately stupid for attention?

Burglaries aren't getting enough attention.

stackghost 2 days ago

Dunking on Internet of Shit^H^H^H^HThings vendors is always a win in my book.

IshKebab 2 days ago

These devices don't magically become secure just because white hats decide not to attack them.

You're advocating security through sticking-your-head-in-the-sand.

  • frankharv 2 days ago

    I think we need a cyber swat team to assassinate anybody doing a port scan.

    You want to play with something you don't own or have permission to play with it.

    Assassinate target. You want to make money/fame off others. DIE.

    If somebody came to your house and started jiggling door handles, what would you do?

    Why is cyber different?

    NO CONSEQUENCES.

    • PhilipRoman 2 days ago

      Fun idea, although nobody who is serious enough about hacking will use their home PC as source, more likely it will be some random grandpa's old router. Even putting that aside, we can't exactly send a SWAT team to China...

nashashmi 2 days ago

Look at what they are saying. They want to document all sorts of bugs in past products for future research purposes. And they want to draw attention to the product that it be replaced.

I agree putting such burdens on companies with little IT resources isn’t healthy for the company, its customers or anyone else. This is hostile.

  • jon-wood 2 days ago

    If you put a product out in the field which can potentially be remotely exploited it’s on you to either patch it when someone does find an exploit or possibly open source everything so others can. If you genuinely can’t support it I guess you could put a self-destruct mechanism in which remotely bricks the device instead, just don’t expect your customers to be happy about it.

    • nashashmi 2 days ago

      ... or maybe build a foolproof product that cannot be hacked or attacked. Maybe products that don't get updated lose their access to the internet, and the only way you can get access is through some clamped-down application.