Feel free to look at my comment history on Matt's previous articles, like I've said, I've done point by point before if that's what you want.
I'm just not spending the time to do it anymore because after doing it a lot, Matt doesn't ever get better.
It's always just the same garbage.
Past a certain point, it's just not worth engaging with garbage anymore, and it's not reasonable to say "well you didn't engage with his garbage this time, so therefore you lose/are wrong by default".
No, actually, past a certain point, the onus is on him to stop producing garbage before anyone has to waste their time engaging.
While I did go point by point for a while (years actually) on his articles, I finally gave up when he started writing articles about the early days of Android, and asserting lots of things, and I was actually there and doing the work with a small number of others, so I know why certain things were done because either I decided them, someone I know very closely decided them, or I was in the room when it was decided. As usual, Matt simply asserts his own set of facts, and when pressed for sources, it turns out he has none. It's just his own views, masquerading as fact. But that doesn't stop him at all! He'll just assert facts that are convenient to him and when pressed for sources just ignore or move on to the next target.
Always another BIG newsletter to write!
This is, of course, independent of whether I agree or disagree with any of his particular views - there are plenty of people I disagree with who I would happily point you at on antitrust if you want it, because despite our disagreements, at least they aren't making up facts and writing soothsaying garbage based on it.
"You can't do that but you can follow the above sentence with 1000 more words?"
Feel free to use a word counter.
The post above yours has about 286 words after the sentence you quoted. Quite ironic for you to criticize the grandparent when you're being even lazier.
Yeah, this strikes me as pure projection. I see absolutely no reason to think this guy is right about anything. He says "like I've said, I've done point by point before if that's what you want" ... as if the mere fact that he's written something makes it correct.
"He doesn't even really try. I just decided I'm not the target audience. The target audience is either people who already agree with Matt Stoller and want to feel like they are right, or people who can't be bothered to do even a trivial amount of research.
He's definitely not convincing anyone else."
Sorry, but this is a form of rhetoric that I'm very familiar with from ideological cranks.
I'd buy these arguments if America were a place that cared about its citizens and not a country that lets a small group of very elite, very rich people ruin the lives of tens of millions of Americans, subjecting them to poverty to make a buck.
The last war China was involved with was in 1979, compared to America, which, today mind you, is on the cusp of invading Venezuela because Rubio has a moronic axe to grind.
It's really hard to not see the facade for what it is: rich people are upset that their world order is collapsing.
Frankly, who cares? Give me universal Medicare, universal childcare, and public higher education, then maybe, just maybe, I might start to care about all this stuff that only seems to make people's lives worse, not better.
China has used resources to buy alliances with developing countries, like pretty much all of Africa, which they leveraged at the UN to have the communist party recognized.
Sadly you have to start caring for things to get better first.
That will only work as long as the check clears. Anyone relying on those 'friends' better hope China never stops sending those checks. Ask the US or the USSR how that goes.
America has used this same time period to sell out jobs to the lowest bidder, decimate its manufacturing industry to make a quick buck, is willing to sell "critical" tech to "enemies" to make a buck, and makes billions off of profiting from people's misery.
Why am I supposed to care that people in Africa are pushing for better worker rights and decolonialization? Because the executives at Nestle might make slightly lower money? That big tech can't extract more blood minerals? Boo hoo, it's not like this has ever benefited American citizens writ large.
Also the UN is worthless; if this is supposed to scare people, you might lose your hat come election night in 2026.
It's like how the Sacklers did everything they could to make opioids more addictive and increase profit margins; there is virtually no difference between this and Zuckerberg hiring psychologists to make his apps more addictive.
Was actually looking for somebody mentioning this bit. Admittedly, one of the few regular Firefox users. Yet, as a regular Firefox user, this much ranting about something that can be turned off with a click, is kind of annoying. The stuff that's been added so far ("Allow AI to read the beginning of the page and generate key points", "Solo AI Website Creator", "Sidebar AI chatbot") is incredibly easy to disable. Been in advanced, beta, dev releases for a while.
Edge has a larger market share (4%-7% depending on who you ask)
Firefox has (2%-6%, similar issue). Firefox mostly scores well among Wikimedia users and tracking. (High as 15% recently) Firefox barely even registers with Mobile users (0.5%-1.5%).
And. They both pale in comparison to Chrome (56%-69%) and Safari (14%-24%) in terms of user base / market share. People can argue and rant about Firefox doing something, yet they're arguing about 2%-6% of the WWW users currently.
I mean if this was the 90s, yes it was true but you are also correct that it's very rare for anyone to be in prison for just marijuana alone in the US. Even in states where it's "illegal."
Back in the day the US government would give you $20k-60k cash in a nice briefcase for this type of exploit. Just another thing big tech has ruined I suppose.
Apple gave me $47k back when I was 16 and it definitely changed my life. Was subsequently able to get out of my 3rd world country and pay for university in the UK. While the quality of education is disappointing, having a graduate visa makes it so much easier to get a job or start a business there.
No, not to individuals. There are absolutely contracts you can score for certain attack surfaces, but that usually involves going through a company. If this person is from the United States, they will absolutely land themselves a good scholarship and a very well-paid job with a security clearance.
The book "This Is How They Tell Me the World Ends" by Nicole Perlroth, while it's about the history of cyberweapons, does a very good job detailing the late 90s to early 2010s exploit market.
I don't have it in front of me, but I'm talking about the "nobody but us" era of exploit markets:
Where the NSA seemingly was buying anything, even if not worthwhile, as a form of "munitions collection" to be used for future attacks.
edit: this mostly ended in the US because other nations started paying more; add in more regulations (only a handful of companies are allowed to sell these exploits internationally) and software companies starting to do basic security practices (along with rolling out their own bug bounties), and it just mostly whimpered away.
Also relevant to the discussion, the book discusses how the public exploit markets are exploitative to the workers themselves (low payouts when state actors would pay more) and there are periods of time where there would be open revolts too (see the 2009 "No More Free Bugs" movement, also discussed in the book).
Definitely worth it if you aren't aware of this history, I wasn't.
I haven't read her book, am myself somewhat read in to the background here, and if she's claiming NSA was stockpiling serverside web bugs, I do not believe her.
In reality, intelligence agencies today don't even really stockpile mobile platform RCE. The economics and logistics are counterintuitive. Most of the money is made on the "backend", in support/update costs, paid in tranches; CNE vendors have to work hard to keep up with the platforms even when their bugs aren't getting burned. We interviewed Mark Dowd about this last year for the SCW podcast.
Maybe there is a misunderstanding, I'm not saying that the NSA would be buying XSS scripts. I'm saying that if this was 35 years ago the NSA would be buying exploits with common user software. Back then the exploits were "lesser" but there still was a market and not every exploit that was bought was a wonder of software engineering. Nowadays the targeted market is the web and getting exploits on some of the most used sites would be worthy of buying.
Kid was simply born in the wrong era to cash out easy money.
I think you're wrong about this. 35 years ago was 1990. Nobody was selling vulnerabilities in 1990 at all. By 1995, I was belting out memory corruption RCEs (it was a lot easier then), and there was no market for them at all. And there has never been a market for web vulnerabilities like XSS.
Building reliable exploits is very difficult today, but the sums a reliable exploit on a mainstream mobile platform garner are also very high. Arguably, today is the best time to be doing that kind of work, if you have the talent.
I can't imagine intelligence agencies/DoD not doing this with their gargantuan black budgets, if it's relevant to a specific target. They already contract with private research centers to develop exploits, and it's not like they're gonna run short on cash.
If that were the case, we'd routinely see mysterious XSS exploits on social networks. The underlying bugs are almost always difficult to target! And yet we do not.
The biggest problem, again, is that the vulnerabilities disappear instantaneously when the vendors learn about them; in fact, they disappear in epsilon time once the vulnerabilities are used, which is not how e.g. a mobile browser drive-by works.
They have a class of attacks which are used for targeted intrusion into foreign entities. Typically espionage or cyberwarfare, so they're not often used (they're aware they might be a one-use attack), but some persist for a long time. Foreign entities also tend not to admit to the attacks when found, so if the vendor is a US entity, often the vendor doesn't find out. We do the same; when our intelligence agencies find out about a US compromise, they often keep mum about it.
I'm not talking about XSS specifically, I mean in general. An XSS isn't usually high-value, but if it affects the right target, it can be very valuable. Imagine an XSS or CSRF vuln in a web interface for firmware for industrial controls used by an enemy state, or a corporation in that state. It might only take 2 or 3 vectors to get to that point and then you have remote control of critical infrastructure.
Oh - and the idea that a vendor will always patch a hole when they find it? Not completely true. I have seen very suspicious things going on at high value vendors (w/their products), and asked questions, and nobody did anything. In my experience, management/devs are often quite willing to ignore potential compromise just to keep focusing on the quarterly goals.
Are these things you think it stands to reason the IC must be doing, or things you know for a fact that they are doing? It stands to reason for a lot of people that the IC must stockpile vulnerabilities, but they don't (they keep just a couple working ones) --- just as an example of counterintuitive things about how CNE works.
It's partly fact, partly reasoning. One fact comes from Stuxnet and the Snowden leaks, where they developed and deployed vulns that persisted for years without notice. The other fact is I've interviewed at the research centers and my eyes got pretty wide at the stuff they told me without an NDA, so they're definitely paying a lot to develop and acquire more vulns/new attacks. That was all 20 years ago, but the contracts are still there so there's no reason to suppose it stopped. There's also past NSA directors that've spoken at DEFCON for years about how they want more hackers, and the new cold war with China and Russia has been ongoing for nearly as long.
I'm not saying they stockpile vulns; I'm saying if somebody on the dark web said they had a vuln for sale for $50k, and it could help an agency penetrate China/Iran strategically, it would make no sense to turn it down, when they already pay many times more money to try to develop similar vulns.
You are here implicitly comparing Stuxnet and BULLRUN, two of the most sophisticated and expensive CNE operations ever conducted, with an XSS in Discord.
Why would YOU see a mystery XSS exploit on a social network? The idea of the DoD scoring these little exploits in a box is usually to deploy in a highly controlled and specific manner. You as a layperson are of no interest to them unless you are some kind of intelligence asset or foreign adversary.
detected: WAF caught or detected the attack and raised an alert, post-exploitation
discovered: they audited or pentested themselves and found out, preemptively
I just mean that Coinbase didn’t see anything happening and didn’t take action though the boy successfully exploited the vulnerability on their live system.
Is it really fair to compare an open source project that desperately wants only $60k a year to hire a dev with companies that have collectively raised over billions of dollars in funding?
I think it’s very fair. Anubis generated a lot of buzz in tech communities like this one, and developers pushed it to production without taking a serious look at what it’s doing on their server. It’s a very flawed piece of software that doesn’t even do a good job at the task it’s meant for (don’t forget that it doesn’t touch any request without “Mozilla” in the UA). If some security criticism gets people to uninstall it, good.
I'd say it's probably worse in terms of scope. The audience for some AI-powered documentation platform will ultimately be fairly small (mostly corporations).
Anubis is promoting itself as a sort of Cloudflare-esque service to mitigate AI scraping. They also aren't just an open source project relying on gracious donations, there's a paid whitelabel version of the project.
If anything, Anubis probably should be held to a higher standard, given many more vulnerable people (as in, vulnerable against having XSS on their site cause significant issues with having to fish their site out of spam filters and/or bandwidth exhaustion hitting their wallet) are reliant on it compared to big corporations. Same reason that a bug in some random GitHub project somewhere probably has an impact of near zero, but a critical security bug in nginx means that there's shit on the fan. When you write software that has a massive audience, you're going to have to be held to higher standards (if not legally, at least socially).
Not that Anubis' handling of this seems to be bad or anything; both XSS attacks were mitigated, but "won't somebody think of the poor FOSS project" isn't really the right answer here.
I don't think it's fair to hold them to the same, or a higher, standard at all. This is literally a project being maintained by one individual. I'm sure if they were given $5 million in seed money they could probably provide 1000x value for the industry writ large if they could hire a dedicated team for the product like all those other companies with 100,000x the budget.
Seems fair. XSS is a confused deputy attack, a type of vulnerability known since the 1980s. That we keep reinventing it in every new medium is frankly embarrassing.
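The confused-deputy framing in the comment above, together with the "detected" vs. "discovered" distinction drawn earlier in the thread, as an added JavaScript example that is not code from the thread or from Anubis, Coinbase, or any other project mentioned. The renderer functions, the probe tag, and the access-log lines are all constructed for illustration; the only real API used is the standard `String.prototype.replace`.

```javascript
// Added example, not code from the thread or from any project discussed in it.
// A server concatenates untrusted input into HTML; the user's browser, acting as
// the user's deputy, then runs whatever script lands there with the user's session.
// The hardened renderer encodes the input so it can only ever be rendered as text.

// HTML-encode text destined for element content or a quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the query is dropped straight into markup (constructed example).
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: same template, but the query is encoded first.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// The "discovered" case: a self-test a project can run in CI before shipping.
// It renders a harmless probe tag and reports whether the tag survives verbatim,
// which is exactly the condition under which a real script tag would survive too.
function leaksMarkup(render) {
  const probe = "<xss-probe>"; // constructed marker, not an exploit payload
  return render(probe).includes(probe);
}

// The "detected" case: a WAF-style heuristic over access-log lines that flags
// query strings carrying a tag start, raw or percent-encoded. Such alerts fire
// after the request has already reached the application, which is why the thread
// separates detection from discovery.
function flagSuspiciousRequests(logLines) {
  const tagStart = /(%3C|<)\s*\/?\s*[a-z]/i;
  return logLines.filter((line) => tagStart.test(line));
}

// Constructed access-log lines in a common-log-like shape (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /search?q=firmware HTTP/1.1" 200 512',
  '10.0.0.7 - - [01/Jan/2025:10:00:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
  '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /search?q=<b>bold</b> HTTP/1.1" 200 530',
];

function main() {
  console.log(renderSearchVulnerable("<b>hi</b>"));
  console.log(renderSearchSafe("<b>hi</b>"));
  console.log("vulnerable renderer leaks markup:", leaksMarkup(renderSearchVulnerable));
  console.log("safe renderer leaks markup:", leaksMarkup(renderSearchSafe));
  console.log("flagged log lines:", flagSuspiciousRequests(SAMPLE_LOG).length);
}
main();
```

The probe test is the cheaper of the two checks to keep permanently: it costs one render per template and fails the build the moment someone reintroduces raw interpolation, whereas the log heuristic only tells you that something suspicious already arrived.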