by zigzigzag 3588 days ago
However, in contrast to 3.5 billions Internet users, only a few hundred experts have to be identified.

This is the sentence that lets you know the post can be safely ignored. Anyone who thinks there are only a few hundred people in the world capable of writing Linux exploits doesn't have a grip on the scale of the world at all.


The assertion was not that there are only a few hundred people, but that the organization responsible for this software employed at most a few hundred people to write it.

(There are other problems with the article's conclusions absent the data they withhold, but I don't agree that this is one of them.)

e: Actually, on further reflection, neither your interpretation of their statement nor mine is a reasonable conclusion, so I now agree with you that this is a flaw in their argument.

But that isn't the approach the article takes - it tries to narrow down the list of possible authors from public data, not identify employees of organisations that may have a few hundred hackers.
Perhaps it's possible to limit the search space by also looking only at experts who likely (or possibly) have worked with the US government or NSA in the past or present. Then maybe you could get the list down to a reasonable number? For example, any experts that have never been to the US for extended periods of time can probably be excluded.
How would you know? I've encountered at least one person who was without a doubt ex-GCHQ but didn't identify that anywhere.
Agreed. There are probably 5-25K (yes, large range, but still order of magnitude higher) people in the Bay Area alone that are capable of writing exploits.
Also, there's a huge difference in the number of people capable of secretly building exploits alone in their bedrooms at night (probably committing a crime), and those building them as a day job, where you can solicit feedback and advice from peers, reference well-organised documentation and study the original source code of previously successful exploits and freely discuss ideas and approaches with colleagues over lunch.

Which of course partially challenges this assumption in the article:

The developers of the malware [..] were discovered and not trained.

people capable of secretly building exploits alone in their bedrooms at night (probably committing a crime)

No, that isn't how exploit research works. I don't understand why one would think that writing exploits is associated with being a criminal.

Research, no, but turning it into malware is.
Do you consider exploits to be malware? If so, then no, you couldn't be more wrong.