Anti-security company VUPEN claims to have broken Windows 8 & Explorer 10, will sell exploits to cops, governments & wiretapping vendors

VUPEN is an anti-security company that roots out vulnerabilities in common operating systems and programs and sells these vulnerabilities to governments, police forces and others who want to use them to build malicious software to let them spy on people (we've written about them before). Now they claim to have found vulnerabilities in Windows 8 and Internet Explorer 10, and have put these up for sale to customers who want to use them to hijack other peoples' computers.

Our first 0day for Win8+IE10 with HiASLR/AntiROP/DEP & Prot Mode sandbox bypass (Flash not needed) is ready for customers. Welcome #Windows8
— VUPEN Security (@VUPEN) October 30, 2012

Security firm VUPEN claims to have hacked Windows 8 and IE10 (via /.)

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE: corporatism • corruption • lawful intercept • msft • security • surveillance

More at Boing Boing

Ants and Stars: Bruce Sterling and Jasmina Tesanovic visit the Sardinia Radio Telescope in Italy

The Snowden Principle

http://www.kmoser.com kmoser

They have done Microsoft’s debugging work for them. Redmond just needs to cut them a check, fix the bugs, and move on. Free market at its finest!
- foobar
  
  It’s going to be worth more to miscreants than it is to Microsoft to fix.
  - wysinwyg
    
    But what about the costs imposed by tarnishing the brand…
    
    …sorry, couldn’t finish that with a straight face.
- http://anti-virus-rants.blogspot.com imaguid
  
  unfortunately that’s not how VUPEN works. they aren’t a security company, they’re not interested in improving anyone’s security, they’re an anti-security company as mentioned in the post. they make it their policy to not sell the information to the affected vendors. they’ve realized that that hurts their bottom line. they can make more money by:
  
  1) selling to governments
  
  2) selling the same thing to multiple parties
  
  3) not invalidating the value of the exploit by helping the vendor fix the problem (an exploit with a long life has more value to people who want to use it to attack others than one that gets fixed in a few hours/days/weeks/months).
blissfulight

Where’s Anonymous when you need them?
http://profile.yahoo.com/GEHCGQK7W4Q2I3QP6TE5MEVGHA Crap

Fucking terrorists.
soylent_plaid

Christ what a (group of) asshole(s).
nosehat

Assuming that this information they are selling could reasonably be used to break into computers with some copyrighted content (oooooh!), they are breaking the law, specifically that part of the DMCA that deals with “Distribution of Circumvention Tools”. See here.

(2)No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that—
(A)is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;

Granted the DMCA sucks, but as long as it’s still on the books, why not apply it here and actually make it do some good for society?
- foobar
  
  Looks like they’re French, and thus above American law.
  - IronEdithKidd
    
    That’s what the RIAA and MPAA got Hadopi for, no?