18 comments

[ 3.2 ms ] story [ 53.8 ms ] thread
I'm for cool research, but I am also tired of the trend where security companies come up with a flashy name, logo, url, etc. for every exploit/vuln.
Why?
It reeks of marketing, which is antithetical to the hacker spirit?
Good.. Instantly recognisable name for e-peen augmentation, enters lexicon of general public easily, media outlets can spam it easier, vendors hand forced to fix promptly.

This is hardly a bad thing.

If it's antithetical, why do open source projects tend to have cute little mascots?
Yeah the little SIM card face cringed me out
I'm the opposite. Security researchers have struggled for decades to get people to fix their stuff after discovering something is broken. When a vuln has a human-readable name that sounds vaguely scary, even nontechnical decision makers can ask good questions like "are we vulnerable to this 'heartbleed' thing?". Anecdotal, but I've definitely noticed people talking about them; I've seen articles in mainstream press referencing some of these named vulns and have even had friends who are otherwise uninterested in computers ask me about them!

Certainly there's a self-serving glamorous aspect to it on the part of security researchers, but fun names and logos brings attention to issues that otherwise result in eyes glazing over. As much as this stuff makes me cringe to read, I'm willing to bet the branding for this issue will result in more eyes on it and probably will result in a fix. That's ultimately what vuln disclosure is about, after all.

Yeah, the in-your-face advert right before the main text is very spammy too:

  "Do you know if attacks like like Simjacker or other next
  generation attacks are happening in your network?

  Book a meeting [with us to find out]."
The website feels like a con/ad rather than something legit.
So which company, working for which government, and how to stop it? The article is just a talk-to-our-salesman piece?
Yep, it's all fluff. They were supposed to reveal more information on the matter in a conference back in October. But we still only have a "technical" paper with nice looking graphs and an unnamed boogie-man.
Most likely: NSO Group
Less likely, NSO's expertise is in development of exploits for browsers and apps (ex: WhatsApp), not ss7 exploits