by Someone1234 3591 days ago
Which does at least HINT that it might be what it claims to be. That's a pretty impressive 0-day which they just gave away as a freebie, who knows what they didn't give away.

I will say we'll never get real confirmation if this was actually stolen from the NSA, but if the other bundle contains a bunch of nice original vulnerabilities people will presume it was.


Washington post got former NSA TAO employees to go on record (anonymously) confirming the leaked toolkit comes from NSA:

https://www.washingtonpost.com/world/national-security/power...

Good. Given that these tools can no longer be considered available only to the NSA, they might start working with vendors to close this particular set of holes.
I wonder how this leak affects their "vulnerabilities equities process".

The publicly available data would suggest that thus-far NSA-hoarded vulnerabilities are definitively known to actors who appear willing to act against US interests.

Vendor disclosure means those vulnerabilities can be patched and US interests can cease being vulnerable, but could also confirm NSA awareness of vulnerabilities - which could in turn cause attribution concerns for past or present operations the NSA is undertaking or has undertaken using these vulnerabilities (in addition to providing additional credibility to the leaker).

What a tangled web.

Worked with the US govt (selling to it) and can tell by browsing those files, there is a high chance it came from a 3 letter US govt agency. It was just by looking at stuff they reference, packages, tools they use. The language and phraseology in comments (excluding bundled software like requests and scapy of course). After many years you start to get a feel for stuff like that.
Yes, I think so, too.
Makes you wonder if they could have made more money by pretending to find them and reporting them to the respective bug bounty programs.
Bug bounties almost never pay market value for exploits. Only reason to participate in them is charity.
And legality. I'm not sure why people seem to entirely discount that portion. There's more reward by selling on the black market, but there's also more risk associated with that.
Yeah. Homeowners don't pay market value for me not robbing them, either. After all, think how much that jewellery is worth. And the damage of ID cards and passports.

A laptop alone could get me $250, but no one wants to give me even $10 for telling them their door is unlocked.

Most people only care about tangibles. When I politely advised about security holes, I was told that "we don't need people like you" or they just called the police. I understand.
They discount it because it's not true. Nothing illegal about looking for vulnerabilities in products and being compensated for your findings. It's only illegal to attack someone else's deployment.
What's illegal about selling them? Is there an anti-security-consulting-market legislation?

In general, what are some risks involved (I am just not very familiar and wondering in general)? Is it a tax issue, the chance the IRS could come after you for undeclared income?

Depending on jurisdiction and the particulars of the sale and who you sold it to, I think it's possible you could be charged as an accomplice if the exploit is used in a crime. For example, if you had any reason to believe the individual or organisation you sold it to might use it illegally, and someone singles you out after they do use it illegally, I don't think it would be hard for a prosecutor to make a case. I also don't think under those particular circumstances that's necessarily a bad thing. IANAL though.
Nothing, there are businesses doing it in the US paying taxes on their income.
> Only reason to participate in them is charity.

Maybe believing that it's good when fewer vulnerabilities exist and when attackers are less able to exploit things? Does that count as charity?

...noun: the voluntary giving of help to those in need.
Getting a CVE on your resume isn't bad either.