by tptacek 4142 days ago
Anyone who thinks this kind of work requires nation-state backing should look at the (hobbyist!) projects to jailbreak the Xbox, X360 and PS3. Low-level kernel- and hypervisor-programming in which obstacles are casually overcome by dropping zero-day memory corruption bugs in core libraries that would be worth tens of thousands of dollars today just from bounty programs, deploying crypto bugs that make "custom RC5" and "thousands of iterations of SHA1" look like the shoplifted-from-Schneier technique that it appears to actually be (TEA hash collision, ECDSA nonce repeats, &c).

And these were, more or less, student side projects.

4 comments

That doesn't mean that it's easy, it just means that hacking a PS3 is highly motivating. Making some lame centrifuge explode half-way around the world is high on patriotism (I guess) but short on lols.
It's not easy (the sophistication of some of the console jailbreaking work is extremely frustrating to some of us in the pro vuln research community, in that they treat as footnotes things that would score a whole Black Hat talk).
He didn't say that it's easy, just that it isn't so hard that you need nation-state backing to do it. Judging purely from their capabilities, Equation Group could be a small group of college graduates who make a living with hacking and don't settle for the low-hanging fruit.

Of course the other evidence strongly suggests that this group is NSA-employed, but the real reason why their malware is so much more sophisticated than anything else out there isn't that nation states have staggering amounts of resources, it's simply that normal malware doesn't need to be sophisticated.

You are saying that you think it is reasonable that a small group of "college graduates" have created and executed a global espionage campaign against airgapped military targets using software that makes previous nec plus ultra NSA cyberweapons look obsolete.
There's still a difference between finding the weakest link in a big chain and then attacking into it, and creating large amounts of features out of thin air. The latter is not any more difficult, but it requires one or two magnitudes more effort, which is almost impossible without a larger team. I'm thinking 2 people in a garage vs 30-60 people in an office building.
Piracy and cheating have always been a gateway to serious programming.
Wait, what?

"Piracy and cheating" isn't always a gateway to serious programming.

Exploring the software on your purchased devices can be a gateway to serious programming. What you call that process is subjective, but arguably not piracy and cheating.

Not at all similar. This absolutely requires nation state budgets.
... because...