
The Post-Snowden Cyber Arms Hustle - pier0
https://www.bloomberg.com/news/features/2017-01-18/the-post-snowden-cyber-arms-hustle
======
Buge
Very interesting article, and funny in a dark way.

But I can't help but compare these guys to this guy[1] who was on the front
page of HN 2 weeks ago. He privately disclosed the vulnerability, then waited
12 days then publicly disclosed it on his blog. And there was widespread
outrage and condemnation of him for daring to disclose that quickly, putting
users at risk. He was described as "a parasite on society". Well if someone
who privately discloses then waits 2 weeks and publicly discloses is a
parasite, what is someone who sells exploits to oppressive countries that kill
journalists? With that comparison, the discloser seems downright virtuous.

[1]
[https://news.ycombinator.com/item?id=13407717](https://news.ycombinator.com/item?id=13407717)

~~~
meowface
Full disclosure is not what people had an issue with there. The problem is he
only waited 12 days, and didn't really try hard enough to confirm someone at
McDonald's was aware.

The standard is something like a minimum of 30 days (usually more) _upon
confirmation of receipt_. He never saw someone acknowledge the disclosure, so
McDonald's security staff could justifiably say they were not aware and
couldn't have done anything.

Responsible full disclosure, like how Google's Project Zero reports bugs, is
the best compromise.

~~~
_up
Google can undercut that. They disclosed an MS vulnerability after only 10 days.

http://venturebeat.com/2016/10/31/google-discloses-actively-exploited-windows-vulnerability-just-10-days-after-reporting-it-to-microsoft/

~~~
meowface
That's still 10 days upon acknowledgment of the vulnerability.

------
nikcub
This same story was told from the perspective of Cristian Provvisionato, the
Italian who has been detained in Mauritania, in Motherboard a few weeks ago:

http://motherboard.vice.com/read/the-forgotten-prisoner-of-a-spyware-deal-gone-wrong

Interesting that Kumar wouldn't speak to that reporter and was characterized
as a criminal and scammer by others.

