Winnona 💾
@DistrictCon Founder. Harvard-Georgetown MPP/JD, @CyberStatecraft / @BelferCenter researcher, ex-Google RE / threat research. https://t.co/MJHKl7Myic 👩🏻‍💻
Jun 25 12 tweets 3 min read
🚨 NEW PAPER on the 0day Supply Chain 🚨:
I gathered open source data & interviewed Gov employees, VR and China researchers to figure out what the zero day marketplace looks like in the U.S. and how it compares to China.

Key findings below ⬇️ 0/🧵
atlanticcouncil.org/in-depth-resea…

1/ Takeaways from interviews w/ 0day firms:
⚙️ Dev takes 6–18 mo (higher than 5-10 yrs ago)

💸 Middlemen inflate prices (10 - 100x markups) and obscure original sellers
🐛 Bug collisions are more common
🎭 Researchers are more frequently targeted by foreign intel
Feb 29, 2024 14 tweets 4 min read
🚨NEW - iSoon & the Chinese cyber mercenary ecosystem 🚨
Going back to my roots with some good old fashioned China cyber analysis @Margin_Research. How is iSoon related to cyber mercenaries, and the Chinese offensive ecosystem? 🧵/ 5 findings:
margin.re/2024/02/same-s…

1️⃣ Tianfu Cup confirmed to be exploit feeder system for the Chinese Ministry of Public Security (MPS). If the stuff isn’t fullchain ⛓️ (ready to use), the MPS disseminates the proof-of-concept code to private firms to further exploit.
Oct 4, 2022 10 tweets 4 min read
@TheOnion just submitted a brief to the Supreme Court on a First Amendment Case about parody on social media, and it is the best thing I have ever read. Buckle up: 🧵

1: Why is this case so important?
Novak made a parody Facebook page of his local Ohio police department. The page was up for 12 hours: the police investigated the page, arrested him, and seized his computer. 😡
acluohio.org/en/cases/novak…
Apr 6, 2022 13 tweets 7 min read
🚨Linux Kernel Security Blog🚨
Corporate, automated bug-finders in the #linux kernel: how much do we know about them?

@daveaitel @ian_roos and I look @ closed source, corporate interests in the world’s biggest open source project. THREAD 🧵
margin.re/media/watching…

@lwnnet’s 5.12 development statistics caught our attention at @Margin_Research: 5 of the top 10 bug reporters (presumably for bugs that got fixed) were automated systems!