Hacker News: wepple's comments

There’s 100% an active market for this, and I think tptacek is simply wrong on this point (the others are valid)

The likes of Cambridge Analytica didn’t go away, they exist and absolutely go hunting for data like this.

The ability to map between different identifiers and pieces of content on the internet is central to so many things - why do you think adtech tries to join so many datapoints? Let alone things like influence campaigns for political purposes.

I’m not talking about assassination plots, but more mundane data mining. This is why so much effort in the EU has gone into preventing companies from joining data sources across products - that’s embedded in the DMA.


There's an easy way to put your money where your mouth is here. Just offer $11k for this or similar vulnerabilities out of your own pocket, and then resell them. If there really is a large and active market for this at higher dollar values, you'll make a killing!

Sure is funny there's nobody doing that despite so many people being so dead certain there's an active market.


If I did, would you know?

And if I did, it wouldn’t stop people from doing co-ordinated disclosure either, would it? Same with high end exploits - some folks do co-ord disclosure because it feels good and is great for your CV; others sell gray market and we generally have no idea what’s being traded.

(With the exception of say, zerodium or 0xcharlie’s various talks)


Which of "0xcharlie's various talks" addresses the likelihood of your being able to sell a web authz information leak bug on a Google site for bitcoin?

Sure, but do adtech companies buy vulnerabilities in web services to advance their mission? Wouldn't that risk running afoul of e.g. the Computer Fraud and Abuse Act?

You don't need to sell the vulnerability to them, or even tell them the vulnerability is there. Just set up an API and bill them by the query.

This ignores tptacek's points in the top-level post.

> [...] a bug that Google can kill instantaneously, that has effectively no half-life once discovered, and whose exploitation will generate reliable telemetry from the target.

You can't set up unmask-as-a-service because it's going to take you longer to get clients than it will take Google to shut down your exploit.


Yes, but:

1. It can still take a while before Google finds out

2. You can log every mapping you got in the meanwhile, then keep selling the ones you already have

Edit: although probably most of your business will be over when word gets out that your data isn’t exactly legal (which your clients have understood from the start, of course; they could just plead ignorance)


People keep talking about this as if there's a 0% chance of being caught if you do this?

So let's suppose that you did set up the service like this. Can you even make 10K? What are your odds of getting caught? How much do you value not being in prison and/or having to hire a lawyer to get you out of there?

I'd take the 10k every time.


I’d take the 10k, too, but I think it’s possible to pull this off without getting caught.

It’s a lot more work, of course, but you can scrape some top youtubers first as it seems relatively easy. If you can pull this off you can then try and figure out how to legitimize your offering – I won’t go into details here, for obvious reasons, but now that you have something valuable on your hands it makes sense to spend some time/money on selling that.


You’re talking about this as if there aren’t other countries that actively infiltrate power infrastructure and for whom this is the most low-risk, mild attack (if you can call it that).

I’m not speaking theoretically, which I suspect most on this thread are.


Okay, which state actor is going to buy this for $100,000? How are you going to sell it to them? What's the risk of getting caught?

Even if someone on telegram was telling me that Russia would buy this information for $100,000, I think I would reach out to Google and "settle" for $10k.


I’ve seen a light version of this, where a “marketing data” company was scraping baby shower gift registry pages and selling the data to an infant formula company in the US.

The scraping was def in violation of the EULAs. Product data is one thing, but I believe this group was combining it with other sources and selling the identities and context as a bundle.


An API is too much work. Grab the addresses for the top 100,000 YouTubers and sell that csv on the dark web.

What happens when the first to buy the CSV starts selling it themselves?

That’s not a new problem with selling info on dark web marketplaces. If you're interested in learning more, here are a couple of books you might enjoy:

“The Dark Net” – Jamie Bartlett

“We Are Anonymous” – Parmy Olson

“Future Crimes” – Marc Goodman

“Kingpin” – Kevin Poulsen


I think you've missed my point. I know data brokers exist. Does there exist today a data broker that functions in whole or in significant part by acquiring vulnerabilities and exploiting them to collect data? Here's a more concise way to frame my argument: if you're imagining yourself to be the first person to sell a particular kind of vulnerability, then your customer is imaginary.

Yeah, I think this is valid. “I’m confident I can find someone who will buy this” vs “I’ll message grugq”, roughly?

My feeling is that if he were still paying attention on HN he'd probably back me up on this stuff (if not, I'd be thrilled for him to come set me straight).

> Threat actors buy vulnerabilities that fit into existing business processes

Selling crazy stories to the media is as old as time.

This vuln would give you a lookup table from email -> YT.

SELECT * FROM table WHERE email LIKE '%.gov'


And? So what. You can spam them?

Come on.


You don’t think there are folks with content they’d very much not like to be directly associated with them? Comments, videos, likes, etc

There's no existing black market of criminals extorting politicians and celebrities over YouTube comments (also how you go from an email address to an identity is itself iffy).

You are imagining a potential market; the exploits are priced against markets that are real and pay out today. Security researchers aren't traveling salesmen going around to every shady character on the internet and pitching them on the potential of a new criminal enterprise.


And so what's going to happen? Are there blackmailing rings that are in active need of ways of tying youtube comments to work accounts that are paying out the nose?

You don’t think the Daily Mail would buy a story about how firstname.lastname@nypd.ny.gov posted a comment in support of the KKK?

Or spear-phish, with a high degree of accuracy knowing the target.

You could dump all the data over a matter of weeks, then you’re sitting on a treasure trove that will pay out over 5+ years.

You could sell it non-exclusively to every data broker.


Huge miss on the gun analogy. The likes of NRA are pushing for 50-state constitutional carry. Everyone has a gun on their person with no licensing requirements. Yet at the NRA conference they ban guns.

There’s probably actually some other hidden factor though, like the venue not allowing it.

Edit: FWIW those late night TV shows are nothing but rage bait low brow “comedy” that divides the country. But the above remains true.


> Everyone has a gun on their person with no licensing requirements. Yet at the NRA conference they ban guns.

That's not what the NRA is pushing for, any more than there are Democrats pushing for mandatory sex changes for all kids (yes, this is cited on similar right-wing comedy shows, and individuals on the right believe it). Pushing for a right doesn't mean 100% of the population will exercise that right.

And yes, most venues (as well as schools, government buildings, etc.) will not allow guns. If there's a security guard, police, or similar within spitting distance, there isn't a reasonable self-defence argument.

One of the interesting pieces of data is looking at 2nd amendment support versus distance to the nearest police station / police officer / likely law enforcement response times. It explains a lot about where support / opposition comes from.


The NRA is absolutely in favor of constitutional carry [0] and permitless carry [1].

[0] https://www.shootingillustrated.com/content/constitutional-c...

[1] https://www.nraila.org/articles/20210413/texas-permitless-ca...


Please reread what I wrote. You should correct your statement to:

"The NRA is absolutely in favor of A LEGAL RIGHT TO constitutional carry and permitless carry."

I have a legal right to spend all of my money on Pokemon, (in my jurisdiction) to pro-Nazi free speech, to paint the outside of my house bright pink, or to walk around wearing a mankini in the middle of the winter. Very few of the people who advocate for me to have those rights advocate for me to actually do any of those things.


Are you really arguing that it's okay for the NRA to support dumb laws because most people won't make use of them?


No. I am not.

I am arguing about the importance of accurately understanding everyone in a discussion and avoiding strawman attacks like the ones you're making over and over.

If you'd like to understand the importance of that, I'd refer you to CPG Grey: https://www.youtube.com/watch?v=rE3j_RHkqJc

And to Sun Tzu: https://www.goodreads.com/quotes/17976-if-you-know-the-enemy...

My general stance on most polarizing issues is to:

1) Keep the debate civil

2) Make sure everyone understands each other (starting with myself)

3) Push towards Pareto-efficiency

What's interesting is that in most discussions, left-wing extremists always believe I'm right-wing because I can articulate right-wing views and don't buy into left-wing Facebook conspiracies, and vice-versa. In other words, both sides lump me into "they" or "enemy" as soon as I either:

- contradict disinformation

- clearly explain an opposing viewpoint (without stating whether I agree with it)

- even use simple trigger words

Very much as you did.

It's okay to understand opposing viewpoints. If both sides did that, there are solutions to most polarizing problems -- guns, abortion, LGBTQ, etc. -- and not even very hard ones.

I'm posting a long-form comment so you can reread what I wrote, reread how you read it, and perhaps debug yourself. You'll be much more effective in advocating from your views if you stop doing this.

If you believe someone is intentionally "arguing that it's okay for [organization] to support dumb laws because most people won't make use of them," the problem is very much on your end.


I'm not entirely sure you picked the best example because the Democrats aren't pushing for that to be a right at all. It's certainly true that Republicans bought into the hysteria, my home state passed a bill banning it despite it having never once occurred and such a thing already going against the standards of care.

But Constitutional Carry does allow for anyone who can legally acquire a gun to be armed if they choose. I honestly don't mind this since basically anyone can get a concealed carry permit already and these bills just remove the paperwork and fees. I would love to see annual car registration done away with in the same manner, pointless busywork.

So if you're doing a bit on a comedy show or news program that's "what does $bill maximally allow for" then you do get everyone is armed in public without a permit (which again is fine I don't know why people care, this could already happen right now) but you don't get "every child gets a sex change."


There are LEOs that were prosecuted by states and the federal government for not taking action while children were being shot by another child.

LEOs are expected to take fire to protect civilians. Protect & Serve is their credo.

I wouldn’t trust LEOs to protect me, so I sure as hell fire am not trusting a low paid rent-a-cop to perform a similar duty.

Nope. I believe that my mindset is prevalent and not an outlier.


I would trust a security guard more. They have consequences for misconduct or failure to do their job. (Assuming they aren't an on-duty LEO who is "overemployed.")

Not enough that I think they'd protect me in a situation that requires a gun. Just more than a cop.


A security guard's job is to act as a witness and deterrent, not to intervene to protect you.

Only a private bodyguard can be expected to fight for you.

Observe and Report.


>And yes, most venues (as well as schools, government buildings, etc.) will not allow guns. If there's a security guard, police, or similar within spitting distance, there isn't a reasonable self-defence argument.

Can you give me one example of a valid "reasonable self-defence argument"? Legit question.


The extreme scenario:

I live in a home surrounded by miles of fields. There is no one within miles to hear me scream. Without a gun, anyone could come by my home, kill me, rob my home, and be gone before the police would even show up, if I even had a chance to call them. If I didn't call the police, they could literally move in and stay for months before anyone would notice.

The reason this does not happen is because everyone has a gun. Everyone knows I have a gun. If I see you coming on my property, I WILL shoot you. You don't know if the first shot will be a warning shot, birdshot, buckshot, or a 5.56×45mm NATO. You might get lucky and I might not spot you. Or you might be crippled for life. Without guns, crime is free. With guns, crime doesn't pay.

That's a scenario surprisingly common in rural America, parts of Appalachia, and other very low population density areas.

Now, I actually live in a dense city. There's a police station a few hundred yards away from virtually anywhere I might go. There are security cameras everywhere, thanks to Ring, Wyze, and friends. The city has a ShotSpotter system.

Crime rates are low, and more guns don't make me (personally) safer. Most of my neighbours want to ban them. However, I can understand there's a bias there.

As a footnote: If it were possible to hold clear conversation, I think there are solutions which work for everyone. However, people talk across each other.


> The reason this does not happen is because everyone has a gun.

Probably not. The reason we're not permanently locked in a life or death battle against each other is that very few humans like committing violence. It's a pretty terrifying view of the world to think that all that's preventing someone from perpetrating a home invasion on you is the threat of violence.


> very few humans like committing violence

How many people commit violence, and how many people are victims of violence, are two very different things. You could live in a society where only 1% of people commit violence, and yet the remaining 99% are living in fear, because each of them was repeatedly a victim of violence.

But if you have 1% of people ready to initiate violence, and let's say 3% of people willing to use violence in self-defense, suddenly life becomes much safer for you, even if you are among the remaining 96%. Not because the bad guys would hesitate to hurt you, but because they are likely to get in trouble before they get to you.

People often confuse these two numbers. For example, they look at some statistics and think "20% of women report having been victims of domestic violence... oh, that means that 20% of men must be violent abusers", and they don't realize that the statistics also include some violent men who abused five or more partners each, so the actual number is probably much smaller than the 20%.


Without wading into the "good guy with a gun" debate, tl;dr: almost no humans want to effect the level of violence required to execute a home invasion, even if the risk of being shot is zero. A big deal is made about guns as deterrents, but the simpler answer (and the one that explains why it's also safe in rural areas of other OECD countries with gun control) is that humans just aren't that violent--when there's enough to go around anyway. That's all I'm saying here.


> The reason this does not happen is because everyone has a gun. Everyone knows I have a gun. If I see you coming on my property, I WILL shoot you. You don't know if the first shot will be a warning shot, birdshot, buckshot, or a 5.56×45mm NATO. You might get lucky and I might not spot you. Or you might be crippled for life. Without guns, crime is free. With guns, crime doesn't pay.

Your perceived safety might be higher because you have a gun. This absolutely does not correlate with reality; extensive literature has looked at the perceived/real safety measure. Very rich resource linking peer-reviewed research: https://www.americanprogress.org/article/debunking-the-guns-...

Anchoring it to your reality though, have you ever shot anyone invading your property with your gun to act as counterfactual? How many people in your area shot invaders? What about accidents and misuse? I do not mean to minimize your experience and how safe you must feel, but it would be naive to close a serious matter like this with just your perception.


So the problem with a survey like this is that it does not break out among the scenarios I listed:

1) Rural, minimal police, minimal government, large plots, no collective security.

2) Dense, urban, heavy policing, significant government, tight housing, extensive collective security.

Indeed, it focuses on the latter. Virtually all of the addresses, photos, and stories talk about cities, or at least towns.

I don't want to over-post so I'll answer the other comments too:

1) Violence does not require more than "very few humans" to "like committing violence." The point of security isn't to protect against the typical individual but the violent outlier.

2) Most violent individuals aren't sophisticated. What's more, one instance of violence has little impact. Serial violence does. If an individual robs one house, that's not enough to live off of. If an individual robs houses regularly, in an area with guns, they will be shot. That's a pretty good deterrent.

For gun safety to move forward, both sides need to understand each other, and everyone needs to address the major issues of gun advocates, such as:

1) Day-to-day safety (on the scale / in the settings I described)

2) National safety (if Jan 6th had worked, and we had a coup; if China invaded; etc.)

3) Rule-of-law (we do have a 2nd amendment, and changing that would require an amendment)

Otherwise, it's simply a push of more guns versus less guns, with idiotic laws being shoved through opportunistically on both sides.


Your scenario _sounds_ convincing, but does it really work? Surely an attacker has a massive advantage in the element of surprise. If you see them coming (short of some sophisticated surveillance system), it's because they were impatient.


Or I have a dog.


> yes, this is cited on similar right-wing comedy shows, and individuals on the right believe it

Can you give an example? Of course you can find 2 people in the US who believe it, and they held 2 comedy shows where it was said, and it's technically true, but I don't think I've ever seen anything like this said.


I don't log all comedy shows I see, so I can't provide a citation off-hand, but I've heard it plenty of times. However, to see consequences, I might start by reading executive orders:

https://www.whitehouse.gov/presidential-actions/2025/01/prot...

And follow the trail back to how they got there.

https://www.breitbart.com/education/2022/07/07/aclu-national...

You can look around. You'll see many other articles like this one. As with most things, this is distilled into more inflammatory posting once it hits social media or comedy.


> I don't log all comedy shows I see

I don't see the point of this snark. If you don't have any examples of what you're saying, why reply at all?


It's interesting to me how easily you can fact-check the statement:

> Everyone has a gun on their person with no licensing requirements. Yet at the NRA conference they ban guns.

yet, you claim that it's the late night TV that divides us, while making sure to double down on your misleading statement.

The NRA doesn't "ban guns at their conferences"; they have been banned at small parts of a multi-day conference, e.g. where Trump was speaking, because that was a rule established by the Secret Service and they complied for a small part of the conference.

When the majority of a conference allows guns, it's simply a lie to claim that guns were banned. An unintentional lie, I'm sure, but it seems likely to be the result of you believing some headline or tweet and accepting something wholesale as truth because it fit your narrative. I'm guilty of the same, it happens, but hopefully we can both get better about portraying easily fact-checked things as the truth.


Maybe I’m wrong, but while we’re fact checking, can you provide a source?

I'm very skeptical that you're having a hard time sourcing this information. I have pages from my Google search with easily 75% of the results confirming my claim.

Either way, here you go:

https://www.usatoday.com/story/news/factcheck/2022/05/27/fac...

> "Restrictions are in place exclusively at the NRA-ILA Leadership Forum at the direction of the United States Secret Service," spokesman Lars Dalseide wrote in an email to USA TODAY. He called the claim that the NRA is banning guns at its conference "incorrect."


What might start as “wow! A whole new place” ends up being “ok, just another new place” for many people.


This is how I interpreted the post. Listing “throwing parties” as one of your hobbies shows they don’t really have deep passions or curiosities like the things you listed can be.


Your parties must not be any good. People have entire careers just organizing events like weddings and corporate conferences. You can put as little or as much effort into throwing parties as you can into pottery or any of the other things listed.


Most of your points feel very “water discovered to be wet”.

Except: Lab-grown meat and plant-based protein alternatives will become more mainstream.

That one seems to have been trending negatively and I expect it to continue.


You don’t understand what most people do for work. I’d be very surprised if 10% of jobs are wiped out.


What’s your word for it?


In Chinese it would be 你们. Pronounced "ni men". The first character means "you" while the second character means "the previous noun is plural".


In Spanish it would be "Ustedes".


Spanish is a fun example of the euphemistic treadmill applying to pronouns. Usted comes from "vuestra merced" meaning "your (plural) mercy" but refers to a singular person. We can take that to mean that the second person plural "vosotros" already was a plural-meaning-formal-for-singular thing and then that wasn't enough and we got another word based on it. Fascinating!


jullie


Versatile is far worse. It’s so broad to the point of meaninglessness. My garden rake is fairly versatile.

Agentic to me means that it acts somewhat under its own authority rather than a single call to an LLM. It has a small degree of agency.

