119 comments

[ 2.6 ms ] story [ 143 ms ] thread
... I think a lot of geeks might be burning their "free kevin" t-shirts.
"Mitnick became a symbol of government oppression in the late 1990s, when he spent four and a half years in prison and eight months in solitary confinement before his trial on hacking charges. The outcry generated a miniature industry in “Free Kevin” T-shirts and bumper stickers."

I wonder if money could be made selling 'Fuck Kevin' shirts and bumper stickers now.

Incidentally, Fuck Kevin.

There actually were "Fuck Kevin" stickers all over DEFCON a few years ago.
Well damn. I almost might have been motivated to do something.
I think it would be a little more condescending if you sold 'Fuck Mitnick', as if he were ubiquitous enough to be known as just Kevin.
I had a "free Kevin" bumpersticker (one of these: http://en.wikipedia.org/wiki/Kevin_Mitnick#Arrest.2C_convict...). I now regret having one.
You just need to put a "fuck Kevin" sticker right next to it. Like when weev was imprisoned: yeah he probably deserves to be in jail, but not for that particular "crime", and probably the abuse he got while in jail was also inappropriate.
Fuck free Kevin*

*consensually.

It amuses me to hear how middle-class people are baffled by the fetishization of criminality in hip-hop culture, when we fetishize the same type of assholes in our culture. Mitnick is a criminal and all the pro-hacking sympathies have been wasted on a very, very undeserving person. Funny how easily you can manipulate public opinion with the right PR and anti-government message. Everyone wants to be the rebel against "the system." Everyone seems to think they're the Ayn Rand hero amongst the idiots, when in reality, the rebels and the intellectually vain are easily co-opted politically. The rise of libertarianism in geekdom seems to fall under the same dynamic.
-deleted misread original comment :/-
How exactly does "pioneered what Russian crime rings are doing today" make someone deserving of support & sympathy?
Your pro-government rant doesn't fit in this case because the government is one of the customers in the zero day market.
Governments are almost always the market for zero-days. Private security companies also buy them, but guess who their primary market is? Look at FinFisher's customer list.

There is nothing libertarian about the defense industry or their actors. Unless you mistake neo-liberalism as libertarianism as far too many people do.

> Your pro-government rant doesn't fit in this case because the government is one of the customers in the zero day market.

(Legitimate) governments generally are the only legitimate users of 0-days. Governments can legitimately and legally hack into your computer; nobody else can. Governments can legitimately and legally shoot you, but generally nobody else can.

One definition of government is that they have a monopoly on violence.

(I say "generally" above because there are exceptions, of course.)

So the premise here is that governments can hack into your computer but the people that sell the government the tools to do it are criminals?
> the rebels and the intellectually vain are easily co-opted politically.

and

> The rise of libertarianism in geekdom seems to fall under the same dynamic.

I can agree to the first, the second can be simply attributed to an understanding of the first. It is unfortunate that you don't see the connection.

The corruption of traditional causes and activism is what leads people toward libertarianism.

Why do you say he can't see the connection? The sentence you quoted explicitly points it out.
I think you give them too much credit. I think they just want power. It's seductive.

Lawyers have power, Doctors have power, Hackers have power.

Really good point, and on a related note, guys with guns and swords have power. Doesn't Kevin worry about getting kidnapped?
Violence is short lived and easy to defend against. Knowledge is real power.
Sure, tell that to the lawyer that got eaten by the T-rex. Though what you say is probably the answer to why the threat of violence doesn't stop Mitnick. He seems to have good social skills or the knowledge of how to interact with people. He's probably selling shellshocked as a 0 day right now (though it's been out there a day or more already).
Most people don't fetishize this asshole
Agreed. Most people I know look at him with amusement. He's hardly an idolizing figure, besides some alright books about past exploits long ago.
I was fooled into this when his first book was released, "The Art of Deception". I think I read the first three pages and heart sank because it wasn't a book about computer stuff really at all and I started thinking this guy is a fraud. but mostly I was fooled by marketing. (I was 12 at the time). I just remember being very let down by the book and not being a fan of Mitnik for that reason.

The comment section of this post has an underlying anger towards the hi-jacking of the word 'hacker' as it was and is applied to kevin mitnik and thus misunderstood by the public waaaaay too often.

The first chapter (the one about random-number generator numbers and slot machines) was almost cool though (the rest was so-so, leaving that very impression you mentioned) -- read it in Russian, in translation, in a book store [and decided not to buy].
Interesting, I had the exact same reaction as you. Bought the book (along with Michal Zalewski's Silence on the Wire), got less than a chapter in, and put it down in frustration. I've since wondered if I should go back and give it another chance. Sounds like no?

For what it's worth, I really enjoyed Zalewski's book. He seems like a really smart guy.

Silence On The Wire is an excellent book: both a good read and also technically informative. I’d highly recommend it.
There's some poetic justice to feeling deceived by a book with that title.
One of the prime examples from my corner of the world:

The Finnish software house Reaktor recently invited Mr. Mitnick as a "keynote speaker" into their popular event for software developers:

http://reaktordevday.fi/2013/

To be honest, I didn't understand the relevance at all. The idolization seemed quite childish.

As far as I could ever tell, 90% of the sympathy for Mitnick was because of the excessive sentencing passed down by the government. It's less like hip hop idolizing gangsters and more like sympathy for Rodney King, who was drunk driving at 100 miles per hour and resisted arrest before he was beaten by the LAPD.
Yup. This is why people were upset about Mitnick:

   Mitnick served five years in prison—four and a half years pre-trial and 
   eight months in solitary confinement—because, according to Mitnick, law 
   enforcement officials convinced a judge that he had the ability to "start a 
   nuclear war by whistling into a pay phone", meaning that law enforcement 
   told the judge that he could somehow dial into the NORAD modem via a 
   payphone from prison and communicate with the modem by whistling to launch 
   nuclear missiles. He was released on January 21, 2000. During his 
   supervised release, which ended on January 21, 2003, he was initially 
   forbidden to use any communications technology other than a landline 
   telephone. [1]
He committed a series of crimes, and prison was appropriate. Solitary confinement, however, was not.

[1] http://en.wikipedia.org/wiki/Kevin_Mitnick

> Mitnick is a criminal and all the pro-hacking sympathies have been wasted on a very, very undeserving person.

Wow, he hacked into some corporation's computers, that's just so awful. Pacific Bell - a shady monopoly who is granted a monopoly by the government, and in return showers politicians with bribes, I mean donations, and sends our calls and web history off to the NSA for monitoring and permanent storage.

> in reality, the rebels and the intellectually vain are easily co-opted politically

In reality, he has been doing security consultations for corporations, so he has already been co-opted. "The service has offered to sell corporate and government clients high-end 'zero-day' exploits". That doesn't really smell of rebel. Of course, everyone has to grow up and make a living.

I can think of a number of IT companies that were founded in the past 20 years, sold for billions of dollars, or worth billions or even hundreds of billions of dollars, that were founded by ex-hackers, or at least people very associated with the hacker scene and whose first technical hires were ex-hackers. It's mentioned in the tech press, in interviews, in blogs etc. It's easy enough to look up if you want to. I mean, one of YC's founders is rtm, and he was around back in Viaweb days.

It's difficult for me to perceive of a modern working class kid interested in technology today, it seems he has more resources at his disposable (although not many - a dinky Vic 20 booted people right into a programming environment, whereas a kid with an iPad and iPhone today would find it very difficult to program his own device - it is pretty much that definition of an embedded system of a device that can't program itself). Back in the 1980's a working class kid with a Vic 20 and 300 baud modem could only call people locally, call local BBS's, and be stuck with poor computing power.

If he hacked and phreaked, he could call around the country, access teleconferences, call BBS's around the country, access powerful Unix, Vax/VMS etc. systems, access the Internet, access x.25 networks and x.25 chat networks in Europe etc. He could follow the law and accept his straitjacket of being designated by the Relations of Production to be one who works a menial job, and for the privilege of being allowed to work he can kick up his expropriated surplus labor work time to the idle class job creator heirs who own his company. Or he can bend the rules, see new vistas, and somewhere down the line maybe co-found a billion dollar company, or a hundred billion dollar company. Then he, or his apologists like you, can then go around complaining about the kids hacking into his company's computers.

Is a criminal, or was a criminal? If you claim he is (in 2014) a criminal, is it because of his crimes pre-1995, or some crime he committed in the past year? If your answer is the former, then you are essentially saying "once a criminal, always a criminal." And if you claim that, I will throw some counterexamples in your face, beginning with myself.
Mitnick probably falls inside the psychopathy spectrum though, so the parent might have used the word in a looser sense.
This gets into the mild ambiguity of the word... anyone who has been convicted of a crime is by definition a criminal [1]

Calling them a criminal does not necessarily invoke [2]

[1] a person charged with and convicted of crime

[2] a person who commits crimes for a living

Maybe it's because I'm pretty much in the libertarian/anarchist spectrum, but I think that if what he's doing is legal, it's for the best that it's done openly.

The alternative to free markets isn't "no markets" or some flowery hippie ideal world. It's mafia and black/dark markets operating in complete or partial secrecy.

My initial thought was "this should be illegal" - but if there's no market for exploits, security will remain poor. So, this sort of business is a bump on the road to global security, which I have some hope we're heading towards.

Either way, an exploit market is a grimy business, basically war profiteering. I wonder who is off-limits to sell to - certainly the Iranians, but who else, and who decides who is evil and who is good? People will die from some of these sales.

I think we'll see pervasive encryption and P2P (blockchain-based) applications that will push back tyranny a bit. There will be technological solutions to things like secret legal proceedings and warrantless wiretaps. And by pushing computation back out to decentralized nodes, there won't be such juicy targets to attack.

> "this should be illegal"

Governments define legality, and governments are likely to be some of Mitnick's best clients. Funny thing is, if I were Iran's government I would be concerned about buying exploits there because for all I know Mitnick has double-crossed me and given the US government info on the exploit and how to neutralize or detect it.

Pervasive encryption only helps if the endpoints doing the encryption aren't compromised, and this type of service is aimed at those endpoints.

* Governments also enter into treaties to define international law.

* We need less endpoints in general. You can imagine a blockchain-based encrypted email system, which could not be tapped, pen-registered, and the government would have to issue a subpoena to actual users to see data.

That's irrelevant. Governments are in the habit of doing lots of things that would be illegal for me and you to do. For example, jail systems can exist while it's still illegal for me to keep people locked up in my basement.
I've always thought it would be a just punishment for a neutral, but government arbitrated, third party to hold a highest bid auction for zero-day exploits, where the breached company has the opportunity to buy back their bad security at a market price. I feel as though making it public and legal would force larger targets to make better security decisions, instead of the current status quo of letting them off with tiny fines if anything at all.
+1 for the creative thinking. We need the market forces improving security, but at the same time, brokering for profit seems imperfect.
Can be solved by funneling the profits into some other neutral cause.
Eh, just require all profits above $XX million to go to paying down the national debt. Its a government sponsored monopoly that he is suggesting, its reasonable to cap its profits.
is the goal to make a mega corp think twice about adding a product of feature? Now they can cancel that feature in fear of having to buy a 0day back for a gorillion dollars?
For those wanting to criticize Mitnick's actions, what I gather from the following quote is that there is an existing "industry" around finding, and selling these exploits...

"Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between."

Can anyone shed light on these "researchers" and how they sell their exploits now? Or is this just a friendly way of saying "we pay hackers for exploits and then blackmail vendors"?

They generally don't blackmail the vendors. Someone paying $100,000 wants to get in someplace.

I can't say I like the money-for-exploits thing, but one good thing is that it's made most companies be very nice to people to want to voluntarily report bugs. Silver lining and all that.

VUPEN is an example of how exploits are monetized. "Trusted organizations" can subscribe to their vulnerability service for a large chunk of money.
So, who did he buy the 0days from?

I know he didn't find them himself. The boy can't code.

https://keenot.es/read/kevin-mitnick-is-celebrated-nobody

Unlike Mitnick, Gonzalez is still in prison and doesn't have speaking gigs that cost (from a leaked email in Zero For 0wned 2) $18,500 USD plus business class travel and expenses for one hour of speaking and 15 minutes of Q&A.

Sounds like Mitnick is well ahead of Gonzalez, there.

Depends what you mean by "ahead". They're both scumbags who deceive others for personal gain.
“Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between.”

A glorified reseller and scumbag. Pathetic.

This is similar to patent trolls, no? Both don't produce anything worthwhile, buy from others and use it to intimidate others (except patent trolls do it themselves in the open, whereas he sells it to people who'll probably use it secretly)
It's also similar to patent trolls in that the people doing it breath oxygen and have skin.

In the case of patent trolls, they're leveraging asymmetries in the legal system and flaws in intellectual property laws to profit from non-meritorious lawsuits.

To the extent that a market in zero-day vulnerabilities is something you want to have (I'm not sure where I stand on this, exactly), a firm with a reputation to maintain does have a role to play. They sell the exploit to Mitnick, who has an idea of which ones he'll be able to sell, and the companies buying them are able to avoid the transaction costs and risks associated with buying and then testing potential zero-day vulnerabilities submitted by arbitrary hackers and counterparties. He's playing a valuable role by mitigating risk for both the companies he approaches and the random hackers. Consider also that it's hit-or-miss when you try to contact a company about zero-day vulnerabilities whether or not they are going to pay you, ignore you or, worse, sue you. Knowing Mitnick doesn't sue people who submit bugs to him, and presumably he has lawyers vetting this operation carefully, is a significant benefit for bug-finders.

Worse than a reseller. If you read his website, it turns out he's just a broker. He doesn't actually buy them from the researcher and then try to sell them. He just brokers a deal between the researcher and the buyer (if he can find one); taking an exorbitant fee in the process.
That's exactly what thegrugq does too. Tomorrow if I find an iOS bug that's exploitable I don't have a rolodex of contacts to sell it to hence the need for this service. As a middle man he can confirm the bug hasn't already been discovered and is generally trusted not to keep a copy himself and hack the planet with it after sale. This arrangement protects the seller too from revealing their exploit code to the buyer before payment. Anybody could create a Tor market for auctioned exploits but somebody has to verify the goods first or you get swamped with junk offers.
Why does anyone need to legitimately buy a zero-day?
A "bug bounty" is kinda like a vendor buying a zero-day about its own product.
At below market rates.
So the same people who support Silk Road and black markets suddenly say, "Yeah, Fuck Kevin Mitnick!" because he's a capitalist and using essentially the same system to make some money??
> So the same people who support Silk Road and black markets suddenly say, "Yeah, Fuck Kevin Mitnick!" because he's a capitalist and using essentially the same system to make some money??

Who says it's the same people? Because it's people on the same site?

If you treat the commenters here as a single entity you'll really hurt your head trying to make sense of the HN consensus. There often isn't one because so much of this boils down to opinions about and attitudes towards governments, economics, personal responsibility, corporate responsibility, and laws.

Yes. You make it sound like people can't hold multiple opinions. A person can simultaneously believe the drug war is unethical while believing that selling (rather than openly revealing) 0day exploits is unethical.

The difference is that most of those people are not calling for any government interference. Otherwise that would be humorous given that governments and their no-trace-back shell companies are the largest clients. They simply disagree ethically through free speech.

Just because libertarians may hold the opinion that the government should not regulate things like this does not mean they cannot think that selling exploits to the highest bidder is a deplorable thing to do.
I was surprised by the ACLU response given that sharing source code is very clearly free speech.

Is the ACLU of all groups really interested in stopping/censoring people from sharing ideas?

In this case, there's no "sharing" of code. They're selling 0-day exploits, which is considered bad form by many in the security industry. If Kevin were sharing the exploit code publicly, so that the associated vulnerabilities could be properly fixed and defended against, there wouldn't be such backlash.
Chris, the ACLU staffer quoted in the article, is not an attorney. Chris has likened selling 0-days to being an arms merchant -- not a bad comparison -- but I'm not aware of an ACLU policy calling for a ban on selling 0-day exploits.

To respond to your point more broadly, the ACLU has done excellent work on many Internet issues, and has represented me in court on multiple occasions. But it is not a monolithic entity, its board members do not always make the decisions you and I might prefer, and it does not always come down on the free speech side of an issue: http://www.volokh.com/2011/04/27/harvey-silverglate-on-the-a...

People will decry this, but I'd argue a free and open market for vulnerabilities would be a great thing. Here's why:

1) It would result in more vulnerabilities found

This is fairly axiomatic. An open market increases the price of vulnerabilities which in turn increases the number of vulnerabilities found (unless you want to argue the ability to find vulnerabilities is inelastic for some reason).

2) It would result in more vulnerabilities being disclosed to the proper authorities rather than malicious parties

This is more debatable, but since there should always be significantly more incentive on good actors to prevent the exploit (i.e. the software creators and/or community) than bad actors, the good actors should always win the bid. Indeed, one could argue that it is only the prevention of free negotiation in the sale of vulnerabilities is the reason an exploit is ever sold to bad actors (e.g. if I found a Windows vulnerability and told Microsoft $10m or else, I'm a criminal).

3) It would ultimately increase the quality of software

Given more vulnerabilities are found and more vulnerabilities would be disclosed to good actors, the quality of software increases.

I believe that 2) is essentially the Coase theorem (http://en.wikipedia.org/wiki/Coase_theorem), but I am only an arm-chair economist. Also, I'm not sure that what Mitnick is doing actually is a free and open market for vulnerabilities.

I mostly disagree with arguments to rationalize the sale of exploits, they create a massive power balance towards bad actors, but we have to be honest with ourselves, and like drugs, 0days are not going away.

Our only proper response is secure software development practices, employment of security reseachers, and adoption of security-centric practices in critical systems... such as the Linux kernel. Which is embarassingly not the case at the moment. For ex: http://unix.stackexchange.com/questions/59020/why-are-the-gr...

I upvoted, not because I agree, but because I believe the people downvoting you are downvoting because they disagree and not because your comment shouldn't be heard.

Imagine he had said: I believe a free and open market for weapons would be a good thing, because it would reduce the number of defenseless people, would result in a power imbalance that puts generally-okay actors at an advantage (say what you will, but the mob doesn't have 1% of the resources the US government does), and would therefore reduce crime.

I do not personally find that argument compelling (and it is of identical structure to the above), but me disagreeing with it does not mean it isn't of sufficient quality for Hacker News.

Thanks. I was disappointed to see downvotes rather than engagement in the argument.

You prompt a fascinating hypothetical: suppose all the world's atomic weapons were put up in a free, transparent auction? (i.e. bidders and bids are disclosed)

I'd argue that most would end up in the hands of good actors (e.g. the world bands behind the Dalai Lama to buy and destroy them all), but who knows? Good debate topic for happy hour, though.

Unfortunately, the size of the world's nuclear arsenal being what it is, it doesn't much matter if "most" of the nuclear weapons end up in the hands of good actors.
I think this is also the case for vulnerabilities as well unfortunately.
> I do not personally find that argument compelling (and it is of identical structure to the above)

Replacing "vulnerabilities" with "firearms" while retaining the same argument structure does not mean that both arguments are logically identical (a false equivalency). The implications of a free market for information security and a free market for firearms are totally different.

Analogies rarely, if ever, imply a total equivalence between the things being compared. That's what makes them analogies, not formal deductive proofs.
I've noticed this becoming a trend. The votes are not for the quality of the comment but rather the agreeability. It's too bad...
With some round of the vote tweaks they did earlier this year it seemed like there was a huge amount of extra volatility injected in the early up/downvotes. Almost any comment on how a comment has been voted down seems to wind up wrong within a half hour or so. And this happens quite a lot.
I have a running hypothesis that those particular "wow, this is receiving a lot of downvotes" comments cause upvotes to the post they're attached to. (Unless they're by the original author of the downvoted post; then they just cause snotty arguments.)

If you cared a lot about Internet Points, I'm betting keeping a sockpuppet acccount just to post "why was [master]'s post downvoted?" comments would be one of the highest-ROI things you could do to get more of them.

Yeah, I had considered this, but I can't imagine the effect continuing beyond the un-greying of the parent post. I can see it rallying to that point, though.

I should also note that I've seen a lot of early-greyed posts come back from the dead after 30 minutes or so even without the "omgwtfisgoingon" posts underneath them as well. Sometimes even becoming clear winners on their strata of the post's comments.

I don't think the weapons analogy is a good one. For the developer of the software the purchase of the "weapon" is also essentially makes all other instances of that weapon useless forever (assuming customers patch promptly).

Perhaps restricting the analogy to nuclear weapons would make sense. Only nation states (software companies) and terrorists (malicious hackers... and perhaps intelligence agencies) would be interested in purchasing such weapons.

I think that is one of many salient differences between the scenarios.

My thought is: if one argument is good and another is bad, clearly the reason for the difference does not exist within the properties they share. It must exist where the arguments are different, or more likely in this case (as what the poster said and what I said are so similar), in the outside world of facts and understanding.

But if the shape of the argument allows for things that may successfully convince you, then clearly that information is not enough to dismiss it outright. It should be the start of a dialog with the parent comment.

Now, for something completely different:

If, for some reason, you want to actually engage _me_ on this particular policy issue, angle your thought at this: my understanding is that it's 2014, and if you want to regulate the information people share or sell over the internet you've accepted a challenge I do not envy.

I would be particularly skeptical you could do this without building a comprehensive computer spying system and perhaps outlawing crypto (it's been tried), as you're trying to read communications of highly security-conscious people.

As for if Mitnick is a good person (or similar things under discussion here), I have not met him.

If and when you do meet him, just take all he says with a grain of salt. Very full of himself :)
On your second point.... Governments should be assumed to be bad actors and they certainly have some of the deepest pockets. If an open market increases the price, it would seem to make it a better market for bad actors.

Especially if we think of small software companies or open-source projects (like OpenSSL) who cant afford to pay hundreds of thousands of dollars to secure their own exploit.

On your overall point... I think this issue of selling 0days is more a debate of ethics, and I don't think economics can solve a problem of ethics.

>An open market increases the price of vulnerabilities

That's impossible to tell. You could just as easily say that the price will crash when you take away all the costs and risk of running a black market and give buyers a place to compare multiple "products." The demand side could just as easily be inelastic (or at least saturated) as the supply.

> the good actors should always win the bid

This works if you're talking about Microsoft, but not if you're talking about smaller companies or open source products. Maybe a Google or a Facebook would step up and pay off the market for things that they use, but "the rich people will take care of us" is not a setup that I'm comfortable with.

But you aren't choosing between a perfect world, where bugs get reported only to the vendors and the vendors promptly fix them, and an open market. Right now, governments and shady corporations are already buying. If it costs some company $250k or $1M to buy their vulnerability, maybe they'll work harder in the future. Or hire their own pen testers. And they'll have the money, because almost by definition attractive vulnerabilities are those in widely used software.

In the complaints about auctioning off vulnerabilities it's hard to avoid hearing companies bitching that they may have to pay security researchers, and it will be harder to intimidate them with law enforcement.

I don't agree with you (on all points) but none the less applaud your ideas and the way you formulate your arguments.
> This is fairly axiomatic. An open market increases the price of vulnerabilities which in turn increases the number of vulnerabilities found (unless you want to argue the ability to find vulnerabilities is inelastic for some reason)

Wait a second...won't increasing the number of vulnerabilities found push prices down? If I'm looking to penetrate a system I only need to buy one vulnerability, so in effect different vulnerabilities are somewhat fungible and so should compete on price. Hence, if more vulnerabilities are being found and coming to market, prices should be going down.

On the other hand, with a free and open market for vulnerabilities there would likely be people who would NOT have bought vulnerabilities on the black market buying vulnerabilities on the safer, easier to use free and open market, so demand could go up, raising prices.

I'm not sure you can, in practice, have a completely free and open market for vulnerabilities, since any information about the vulnerability released broadly is likely to shorten the path to others discovering the same vulnerability [1], devaluing it implicitly through partial disclosure. So there's an interest in the market being small and secret. For the seller to keep the price high and for the buyer to maintain exclusivity on the exploit.

[1] As a case in point, I showed the headline of the email for the bash vulnerability to a coworker today on the commute and he instantly described in accurate detail how it probably works. Not that this was a particularly difficult case, but I think the principle holds.

The market concept is nice for the reasons you listed, but doesn't it add an incentive to introduce obfuscated exploits into code then sell an exploit to them later?
An open market increases the price of vulnerabilities

What's your logic behind this? I believe this to be false. To my knowledge the black market commands artificially high prices on illicit goods as a rule, except when the good is available on the open market. See:

1) The goods are stolen and need to be unloaded quickly.

2) Open market prices are artificially high thanks to things like taxes (example: alcohol, cigarettes)

Isn't this blackmail?

"Pay us for all your secret vulnerabilities or we'll sell them to the highest bidder".

It's all very nice hoping that a free market for this kind of thing will improve security, but I don't see how that's going to happen. Government agencies are probably going to be his top customers... let's face it, they obviously have more funding for this kind of thing than they know what to do with, and it saves them having to do any hard work.

It's going to bring way way way more detriment than it is benefit, especially if his clients start looking at using semi-legal tactics to protect their investments.

t'would appear he cares about nothing and no-one, and has opted to use his powers for evil.

We shall have wait and see how that works out for him.

At least this way large corporations will start paying more for their bounties.
Well, this is what happens when researchers are snubbed by software vendors.

I don't agree with the attitude and sale of vulnerabilities, but if someone approaches the vendor and get the responses "this is not a vulnerability" or "why are you hacking our software, we're calling the authorities" this is where it ends up...

...but then you end up with the question of "what's a fair price?"

I don't know what to do about it, either.

About the best I can come up with is to support software that I feel makes the best effort they can to defend against exploits.

I'm not sure you do. White hat the price is free, the only request here is that you don't sue me for pointing out a hole in your system.
This again, reminds me that money can buy you anything... apart from a free CONSCIENCE.
No, but the money is a great catalyst for dreaming up a rationalization that lets you sleep at night.

There are plenty of things in business that can be seen as unconscionable from the outside. I find more business practices disgusting than the general consensus of Hacker News threads, I'm kind of amused that selling exploits is one of the places where a line seems to be forming.

I'm pretty sure the line is drawn here because it is pretty clear why this is wrong.

The relaxed ethics of the general consensus of the Hacker News threads is probably due to the lack of information rather than people here having questionable morals, or so I'd like to believe :).

It's disappointing to see that Kevin would sell exploits to a government body, but I don't otherwise see a problem with an exchange for exploits. I mean, they're going to get developed and sold eitherway, whether it's here, on some darknet forum, or whatever.
Not another story about this overrated dude.

Don't get me wrong, im sure hes a nice guy. But he hasn't demonstrated anything useful for 20+ years and it seems he is mainly making a living writing vague non-technical h4ax0r books and giving interviews. Hell, i think he cant even code.

I wouldn't say nice, just full of himself. You're below him in a sense.
"My clients may use them to monitor your activities? How do you like them apples, Chris?" -- Mitnick to ACLU technologist, last line of article

Wow what a first class dick. He's implying that he will be glad to sell zero days to the government to illegally monitor ACLU activities (e.g. free speech, etc.)?

Look at Mitnick's twitter feed. He clarified that the comment was just a "fuck you" in response to Chris you are a felon comment. Mitnick said he wasn't serious.
(comment deleted)
(comment deleted)
I'm old enough to remember this guy's moment in the sun by getting himself arrested. It was easy to fall into the "Free Kevin" mindset but now he's just trading on the name to make money. It's hard to keep that same "fuck the man" vibe when you become the man.

EDIT: I realize he's been trading on his name for a while now but I was cool with it when he was a "white hat".