
Hackers Claim Million-Dollar Bounty for iOS Zero Day Attack - deegles
http://www.wired.com/2015/11/hackers-claim-million-dollar-bounty-for-ios-attack/
======
SCHiM
Better to have all 0day trading above board than below I think. The genie is
out of the bottle, it's senseless to outlaw this kind of behaviour since the
people and the skills are already out there.

Even AnglerEK uses 0days sometimes, we'd only be increasing the underground
economy if these practices were to be outlawed completely. The only way to go
is for companies to offer higher bug-bounty payouts than their offensive
competitors. Which is a reasonable thing to do if you look at the damages
caused by malware campaigns powered by 0days.

------
bcook
Is there any proof aside from the claims of Zerodium?

Reputable hacking team taking credit perhaps?

Smart PR though. "Watch me do a magic trick behind this sheet."

~~~
Rubu
I'm pretty skeptical as well. Can't say I know a lot about going rates for
0days like these, but something tells me 1M isn't even that much. If this
"anonymous hacker collective" doesn't mind selling to the highest bidder, why
not take it to the market themselves?

~~~
test1235
Politics? Could be a stolen technique - maybe it's easier to hack the hackers
and steal their hacks to sell than develop your own.

~~~
chinathrow
Possible...

[https://twitter.com/i0n1c/status/658751231154913280](https://twitter.com/i0n1c/status/658751231154913280)

------
runesoerensen
Also discussed here
[https://news.ycombinator.com/item?id=10495033](https://news.ycombinator.com/item?id=10495033)

------
wwayer
Apple should offer double the bounty in exchange for having these Zero Days
reported directly to them.

~~~
celticninja
Until recently the market for these exploits was for jailbreaking. Apple didn't
need to pay for the exploit, just wait until it was released and then patch
it. Buying the exploit does nothing for them and actually allowing jailbreaks
means more people buy iPhones (because they can jailbreak), then they have to
decide whether they want new features or jailbreak features. Either way they
are in Apple's ecosystem and have paid Apple some money.

These days the exploits are wanted by companies like Hacking Team or agencies
like NSA, I don't see there being too many more free jailbreak exploits being
released as a result.

edit: Also if Apple doubled their bug bounty they would be paying 2 * $0.00

~~~
dogma1138
This isn't your run of the mill jailbreak, this is a proven remote jailbreak
that can be automatically triggered by either visiting a website, receiving an
SMS or by triggering any of the built-in application "magnet links". To qualify
for the bounty the exploit must also be interaction-free, so no interaction
other than opening an SMS or clicking on a link is required. So effectively
this is a remote code execution exploit that allows you to remotely bypass any
restrictions and protections provided by iOS and take full control over
the device.

You'll probably still see local jailbreaks, that require you to connect the
iOS device to a computer and launch the exploits from there manually; Pangu
has updated their jailbreak to support iOS 9.0.X already.

------
dogma1138
Considering that Zerodium is a zero-day vendor (this is a continuation of Vupen)
the payout for the bounty will probably bring them ten-fold what
they've paid out. This type of practice has to be regulated just like the arms
trade is; there shouldn't be any reason for a US company to be paying out god
knows who how much money and then selling it to whoever they want, considering
that for all intents and purposes those zero-days would likely be used
against US targets.

~~~
dfc
So you want security researchers to have to get the equivalent of a Federal
Firearms License? I see no reason to relive the Crypto Wars again. Anyway I
thought Vupen was a French company?

~~~
dogma1138
Vupen is a French company, Zerodium was founded by the same guy in the US.
[https://en.wikipedia.org/wiki/Vupen](https://en.wikipedia.org/wiki/Vupen)

Researchers not really, companies that outright sell malware and zero days
need to be regulated.

