Comment by 1oooqooq 2 days ago

I cannot say if your comment is sarcasm.

Do you think devices are retired because they aren't sold? Why would you want that information to be known only by bad actors? Just imagine trying to convince someone who mounted a beautiful Android 4.4 tablet to control their smart home (heh) 5 years ago that they will have to redo everything because they bought into a proprietary protocol and the base OS isn't receiving security updates.

Or do you truly believe you are safe if you hide under your bedsheet?

computersuck 2 days ago

It's about the barrier to entry and amount of effort to exploit something. When public information comes out about a vulnerability that can't be patched in a reasonable amount of time (due to EOL or some other reason), the bad actors have the upper hand.

Giving ransomware actors free bugs for mass exploitation when they are unlikely to be patched is just putting innocent users in harm's way. It doesn't really make a dent in the shit vendors' profits, so the only other motives are 1) to show off your cool research or 2) protest ridiculous EOL deadlines (which, sure, might make a difference).

  • mulmen 2 days ago

    You’re assuming bad actors don’t already know about these zero days. You have to assume any possible vulnerability is already being exploited. Publishing zero days in EOL devices reduces the information asymmetry.

computersuck 2 days ago

When there's no publicly known bug, someone needs to spend the time and effort to research it; when public PoCs come out, every skid cybercrime crew jumps on and starts exploiting it for financial gain.