These prices are consistent with (actually more costly than) public bounties by (now defunct) Western-based exploit brokers and manufacturer bounties.
> Those are (mostly) not RCE, and are for consumer devices configured in a default way.
I'm more worried about activists and journalists in developing countries without the financial means to afford flagship phones. But even Google can't manage to keep out a pedestrian mid-sized security outfit selling to the cops and the FBI.
When activists lobbying for a fucking sugar tax in Mexico get hacked, then the bar is too fucking low.
Let's not talk about the nightmare that is old networking equipment or IoT devices.
> Any government can get RCE on any OS with the change in their couch
If you were extremely hyperbolic for effect that's fine, that's why I asked if you actually believed that, but what you are saying now is not at all arguing the same point.
I was not being hyperbolic: a couple million dollars is very cheap for virtually any military. Both exploit broker bounties and corporate bug bounties are in that range.
That is inanely pedantic. The municipal government of Monowi, Nebraska probably cannot buy an RCE in any OS as they only govern a single person. That is also utterly meaningless to argue as it bears no effect on the core thrust of the argument that COTS operating systems in use by military and critical infrastructure are easily and cheaply hackable by potential adversaries. They are demonstrably grossly inadequate for purpose.
All my questions were with the assumption of a country-level government. I asked why, if this is so cheap, common and easy, we do not see it used more.
Even if we said that we restrict it to, for example, the G20, I still don't think they can easily and cheaply "RCE any OS".
We do see it! Do you not remember the Snowden leaks?
Shit hasn't changed much. We still have monolithic kernels written in portable assembly. Linus still doesn't tag bug fixes with potential security impacts as such because he is more worried about unpatched consumer garbage (which compromise all low end phones). When your mitigation for such problems is to not make it obvious, then your OS is not safe enough in safety critical settings (which includes consumer devices).
Process isolation would downgrade the vast majority of critical Linux CVEs to availability bugs (crash a server but not compromise it).
Just because governments don't need to reach for RCE every time doesn't mean that it is safe. The fact that such bugs are so cheap is an indication that your safety margin is too thin.