Comment by computersuck 10 months ago

29 replies

Why would they do this, knowing that any bugs found won't be patched since EOL and will just be used for mass exploitation and harm?

Why is the cyber industry so desperately stupid for attention?

hedgehog 10 months ago

Without splashy narrative and quantifiable risk the vendors won't change and the general public won't perceive the danger of unsupported devices. Public bounties are one way to change both so this seems like a reasonable project with net benefit.

  • sandwichmonger 10 months ago

    Let's say there's a group of people living in a small, old house. They have the money to move to a bigger, newer one, but there's sentimental and other value to the one they're in.

    Yeah, they don't have the latest door chain and fancy security systems, but that just means they don't open the door to random people who come knocking and are more careful and wary of burglars.

    Now imagine a real estate company paying people to try and break into houses like theirs in order to scare the people into spending money and moving to a bigger and newer house they don't want to move to, claiming that the people don't know any better and need to be FUD'd for their own good.

    That sounds like an evil thing to me.

    • hedgehog 10 months ago

      A better analogy is a product safety bulletin: if your stove has a design flaw that can burn down your house, the main difference is whether you or the manufacturer knows to do something about it. The bugs exist and people exploit them; it's mostly a question of whether the general public is aware. Breaking into houses requires a lot of labor to scale; exploiting software bugs doesn't, so past some point more people knowing about them doesn't increase risk in the same way.

      After 25 years of this debate it's pretty clear what works.

Aissen 10 months ago

To protest stupidly short EOL deadlines.

  • schlauerfox 10 months ago

    Just went to get some BIOS files for the 5th gen Intel NUCs and they've purged them from the site. It's like when Microsoft purged the KB of everything not in current support. Burning of libraries, it's sickening.

Hackbraten 10 months ago

I think this contest is a good thing.

It might put pressure on customers to demand products with longer support lifecycles, which in turn forces vendors to offer longer support and/or make their software and APIs open source once support ends.

  • wpm 10 months ago

    >It might put pressure on customers to demand products with longer support lifecycles

    It won't. It'll allow vendors to put pressure on customers to buy new shit to replace their old shit that still works just fine that the vendor would rather not spend the resources patching.

    • teeray 10 months ago

      It puts pressure on regulators to realize the shitty situation MBAs create when they EOL products that aren’t reaching revenue targets.

    • throwaway48476 10 months ago

      Possibly but a website that says 'vendor vulnerable' is bad PR and readers won't care if it's EOL or not.

freehorse 10 months ago

The first best thing for vulnerabilities is fixing them, the second best is knowing they exist and what they specifically are (so one can either try to mitigate them or make an informed choice on replacing equipment).

  • amenghra 10 months ago

    Also great for learning. Vendors learn from their mistakes, right?

asabla 10 months ago

I don't see it like that at all. Some 0-days can (somewhat) be mitigated by other hardware/software.

I'd rather have as many "known" 0-days in the open than have it the other way, even if it means I won't see any updates to affected devices or software.

1970-01-01 10 months ago

Why do you think the industry is morally obliged to have them remain untouched?

0xdeadbeefbabe 10 months ago

> Why is the cyber industry so desperately stupid for attention?

Burglaries aren't getting enough attention.

thomascountz 10 months ago

I'm thinking that bugs may not necessarily disappear when the device or application where they are discovered is EOL'd. This research could discover attack vectors and vulnerabilities that will need to be addressed in active implementations.

1oooqooq 10 months ago

I cannot say if your comment is sarcasm.

Do you think devices are retired because they aren't sold? Why would you want that information to be known only by bad actors? Just imagine trying to convince someone who mounted a beautiful Android 4.4 tablet to control their smart home (heh) 5 years ago that they will have to redo everything because they bought into a proprietary protocol and the base OS isn't receiving security updates.

Or do you truly believe you are safe if you hide under your bedsheet?

  • computersuck 10 months ago

    It's about the barrier to entry and amount of effort to exploit something. When public information comes out about a vulnerability that can't be patched in a reasonable amount of time (due to EOL or some other reason), the bad actors have the upper hand.

    Giving ransomware actors free bugs for mass exploitation when they are unlikely to be patched is just putting innocent users in harm's way. It doesn't really make a dent in the shit vendors' profits, so the only other motives are 1) to show off your cool research or 2) protest ridiculous EOL deadlines (which, sure, might make a difference).

    • mulmen 10 months ago

      You’re assuming bad actors don’t already know about these zero days. You have to assume any possible vulnerability is already being exploited. Publishing zero days in EOL devices reduces the information asymmetry.

  • computersuck 10 months ago

    When there's no publicly known bug, someone needs to spend the time and effort to research it; when public POCs come out every skid cybercrime crew jumps on and starts exploiting it for financial gain.

IshKebab 10 months ago

These devices don't magically become secure just because white hats decide not to attack them.

You're advocating security through sticking-your-head-in-the-sand.

  • frankharv 10 months ago

    I think we need a cyber swat team to assassinate anybody doing a port scan.

    You want to play with something you don't own or have permission to play with.

    Assassinate target. You want to make money/fame off others. DIE.

    If somebody came to your house and started jiggling door handles, what would you do?

    Why is cyber different?

    NO CONSEQUENCES.

    • PhilipRoman 10 months ago

      Fun idea, although nobody who is serious enough about hacking will use their home PC as source, more likely it will be some random grandpa's old router. Even putting that aside, we can't exactly send a SWAT team to China...

stackghost 10 months ago

Dunking on Internet of Shit^H^H^H^HThings vendors is always a win in my book.

nashashmi 10 months ago

Look at what they are saying. They want to document all sorts of bugs in past products for future research purposes. And they want to draw attention to the product so that it gets replaced.

I agree putting such burdens on companies with little IT resources isn’t healthy for the company, its customers or anyone else. This is hostile.

  • jon-wood 10 months ago

    If you put a product out in the field which can potentially be remotely exploited it’s on you to either patch it when someone does find an exploit or possibly open source everything so others can. If you genuinely can’t support it I guess you could put a self-destruct mechanism in which remotely bricks the device instead, just don’t expect your customers to be happy about it.

    • nashashmi 10 months ago

      ... or maybe build a foolproof product that cannot be hacked or attacked. Maybe products that don't get updated lose their access to the internet, and the only way you can get access is through some clamped-down application.