The most interesting aspect of this was the exploitation of trust in the security research community. We often take for granted the unique relationship we have with our 'adversaries'. Thread..
If you have worked in this industry long enough you likely have friends who are both blackhats and whitehats. We all play 'spot the fed' at Defcon and at times we share ideas with each other. I've shared drinks with exploit brokers, government employees and of course my peers in industry. It's something I love about this work.
These guys approached my team back in October suggesting they wanted help with research and also to report security bugs. Fortunately we are cautious and nobody got owned.
While this was under investigation I saw these guys leverage one of my bugs to draw people to their blog and potentially attack the community I deeply value. It was a strange experience and felt very personal.