You brilliant guys need to find a way to extract more than $7500 for solutions to problems that less than what, 2%?, of the world's population can solve.
If I were your tech agent I'd demand Facebook pay out $75,000 minimum for this specific problem.
You can demand whatever you want. You have no leverage.
You can't sell the bug to anyone else (there's no semi-anonymous liquid market for random serverside bugs in line-of-business software, so you're going to end up culpable for whatever the rando who buys it --- for much less than $7000 --- does with it†).
You can disclose to Twitter, but you can do that anyways; all you're doing is foregoing the bounty.
You can tell them "I found a vulnerability in sOmEtHiNg! But I'm not telling you what it is!" but Facebook is beset constantly by bogus bounty claims and they will blow you off.
You can give them a hint as to what it is, to vouch for the legitimacy of your finding, but Facebook has one of the better-resourced security teams in the industry, and they're just going to find it themselves and shut it down without paying you anything.
Part of being a good "agent" is understanding the market you're working in.
† Especially because to even try to put a valuation on the bug --- which, again, ~nobody wants to buy --- you'd have to actively exploit it to see what's on the target system, which is straightforwardly a felony.
Source: got sued by Sony for disclosing that they screwed up their ECDSA implementation so badly that you could compute their private keys (and then putting Linux back on the PS3 using that flaw).
Microsoft not doing that with Xbox (orig/360) hackers is why the Xbox One has really good security. They hired them instead.
They settled with Geohot (who had nothing to do with the rest of us, but kind of triggered the whole thing by just implementing our exploit and posting the keys on his site), and dropped it against everyone else. I never got served personally, so for me it was mostly a big scare and having the EFF help us with lawyers to be prepared for whatever happens. One of my friends wasn't so lucky, they got ahold of lawyers at his job and caused him a bunch of trouble.
It seems like the problem is that disclosing as a zero day isn't seen as a credible threat, since it's generally seen as bad practice. If security researchers wanted to try and collect more they could in theory form some kind of union to keep up the price of bounties, with like a middle agent pricing the bounty and disclosing the vulnerability if the price isn't met. Maybe combine with some kind of insurance, such that if a company doesn't pay out the bounty the researcher can still collect. I don't know if this would count as extortion though, so it might not even be legal.
Really this seems like a shady security company when I describe it like that.
> some kind of union to keep up the price of bounties, with like a middle agent pricing the bounty and disclosing the vulnerability if the price isn't met
So a hacker group that will blackmail companies?
$7500 for spending anywhere less than a month on something is a pretty decent compensation.
You also seem to forget that despite the fairness of the compensation, disclosing the vulnerability could damage real users, in this case Facebook’s.
If you think $7500 for finding something like this is not enough, you shouldn’t do it. You wouldn’t clean toilets for $1 a month either right?
It could be a decent compensation if you were assured that you will get the money, but you don't know, and it is probable that you can't find anything in months.
If cleaning toilets paid $1 a month, but required enough skill that you could realistically get everyone who can do that on board, you now have a leverage of having all the toilets in some region dirty. That pays more than $1.
Literally the point of unions (and a big part of companies).
I understand the concept of unions and I am all for them.
Forcing companies to pay a lot for found exploits is something completely different though.
An important distinction is that the hackers are not employees of the company who are underpaid or mistreated somehow. Nobody is forcing these people to look for bugs.
The people who are after bug bounties get a kick out of finding cool security issues. I am sure a part of them would still be doing it even if there were no reward.
The rewards for these kinds of things are pretty public, so you can guess how much you will get paid for finding certain security bugs. If the amounts are too low, again, just don't do it.
> An important distinction is that the hackers are not employees of the company who are underpaid or mistreated somehow. Nobody is forcing these people to look for bugs.
> The people who are after bug bounties get a kick out of finding cool security issues. I am sure a part of them would still be doing it even if there were no reward.
"Nobody's forcing them to" and "they'd probably do it for free anyway" aren't what I'd consider valid reasons to keep something on a freelance basis. Perhaps "it's an infrequent odd-job" is a more sensible rationale, if there was one.
To be clear, I wasn't trying to make a moral statement on whether they should do this, I just think it's interesting.
I think that forcing companies to recognize and deal with vulnerabilities is a good thing, so to the degree this kind of setup would do that it wouldn't be all bad, but trying to extract additional gains beyond that exposure isn't good (e.g., companies would pay more to prevent bad PR from a threat to expose something than just to fix a vulnerability due to the risk it presents them, and the former is 'artificial' in this case so it wouldn't be efficient for a group to try to extract that from someone).
That is, today companies have some existential risk that a cyber security incident causes great harm to them (think: Sony hacks, Cambridge Analytica); the existence of white hats researching these vulnerabilities and disclosing them responsibly gives companies an avenue to address this risk, likely at a lower cost premium relative to hiring security teams to try and find them. I think that it's easier for companies to recognize and deal with these risks now than it used to be, and easier for security researchers to get paid for it. These are both good things, but it is quite possible that the risk posed by cyber security threats to companies is generally worth more than they're paying in aggregate (2 million in vuln fees quoted in their latest report, not much at all given the impact), so I think that some structure that would allow researchers to force companies to up the ante would be a good thing, but this is hard since it's a completely one sided market and companies can just accept the risk of an incident occurring rather than pay, even if it's inefficient.
> Forcing companies to pay a lot for found exploits is something completely different though.
Oh, no, the horror! An almost trillion dollar company would need to pay a couple of extra grand to a security researcher who discovered an enormous vulnerability.
I hate to break it to you but the people saying things like "eat the rich" lump Bezos/Zuckerberg and the programmers/IT folks working for them into roughly the same bucket.
It "isn't seen as a credible threat" because it's immoral.
Sequencing plays a major role here. And while that may seem somewhat arbitrary, it is significant.
(Similar case, that, for some reason tech people have entirely too much trouble understanding: Announce "I'm going to shoot this gun at that target". Person, having heard you, walks and stands in front of the target. Are you still allowed/morally right to shoot?)
What's immoral is allowing the company to leave the vulnerability unfixed. It's their system, their vulnerability is their responsibility. They should be glad they were contacted by a relatively harmless person and pay them a fair value for doing work they didn't even know they needed. If they refuse to fix it, the moral thing to do is to disclose it so that the company has no choice but to fix it.
Disclosing the vulnerability isn't a credible threat because Facebook essentially lets you disclose the vulnerability anyways. We are commenting on a thread about a dude who disclosed a vulnerability after getting a $7000 bounty.
I’d suggest anybody planning on making demands during a bug disclosure get some advice from a lawyer first. If you use the wrong phrasing, it’s very easy to end up committing extortion or blackmail.
I had some young college students report a very clever bug to me a few years ago, and they chose to take a rather aggressive approach when it came to discussing the bounty. We paid them a sum they were very happy with, but also gave them warning that if they took that same approach with the wrong company they could easily find themselves charged with a crime.
I macro agree with your point about leverage although I'd like a bit more insight here...
"You can give them a hint as to what it is, to vouch for the legitimacy of your finding, but Facebook has one of the better-resourced security teams in the industry, and they're just going to find it themselves and shut it down without paying you anything."
Wouldn't that cost Facebook much more than $7,000?
I don't think so. Those people get paid whether or not you focus their attention on a perimeter-exposed RCE bug. By tipping them off, all you've done is make them more effective for a time.
The bug is there whether a bounty hunter finds it or not. The other "leverage" you have, if you don't like $7K bounties for auth bypass on random backend thingies, is just to not hunt for bounties at all. Facebook knows that; their desire to attract bounty hunters is priced in to the bounties they pay.
It's for this reason that people who want to make serious money and who start in bounty hunting break basically two ways:
* Either they get really good at mopping up lots of 4-figure bounties (hitting the occasional blackjack on something that pays into low-mid 5 figures), often with a fair bit of automation, or
* They graduate into consulting, where the weekly rate for this kind of work is substantially higher, you're given a briefing by the target about where to look, and where you get paid whether or not you find a marquee bug.
(A good person to ask about this stuff is 'daeken).
As a company, why would I want to pay the hourly rate at all? Why not contract with a reputable bounty hunter, give them the level of access I'd give the hourly consultant, and pay the hunter bounties for what they find?
Seems like that captures the "higher bugs per hour" advantage of the consultant while retaining the "you only get paid for directly producing value" advantage of bounties.
It seems like what you're describing here is simply a bug bounty program.
The reason companies pay for app pentests and also run bug bounties is that the two modalities find different kinds of bugs. App pentesters generally get a lot of intel about their targets (source is not unusual). You're also getting a team with bios and a final deliverable that records the diligence work done, which is not an outcome you get with a bounty program.
But you can do things in between. It's not crazy to offer a gig to someone who has delivered a good finding on a bounty project. But you have to do something to incentivize them beyond what the bounty already does, and the most normal way to do that is to not make payment contingent.
Sure. But if they drop it for this, it was less value than this - and you’ve saved them the time of testing less important things before narrowing in on this bug.
Why don't state actors that are explicitly aligned against the USA have public bug buying programs? Like a Russian website where you can go and submit your bug and get $250K.
Because a vulnerability in FB's legal admin panel (and most other vulnerabilities) doesn't interest said state actors?
Anything mildly "interesting" being sold through such a program would be high treason. How do you know this "Russian website" isn't actually a CIA honeypot? Or maybe it's not a honeypot, but instead of paying you 250K you just die of a heart attack in a couple of months? Or they sell your identity back to your govt. as part of some unrelated game.
Honeypots, I guess? At least that's what I'd set up if I were CIA/NSA. Ask Facebook to create a bunch of vulns that leave the intruder in a sandbox, sell the vulns, and watch where the attacks come from.
Many do. On Darknet Diaries Podcast they mentioned even the NSA buys zero days, and selling to them (if you're a US citizen) won't be (as?) illegal as selling to a foreign nation is.
Is it legal to do this? Post on Twitter that you've asked Company X for this bounty and if they don't pay it by Date X you'll post it on Twitter. If they don't pay it, post the bug on Twitter.
Is that as legal as posting the bug on Twitter straightaway, which as I understand is legal?
Although as a non-legal expert, I'm not clear on how this is different from demanding that the company fix the bug or else you'll reveal it after ninety days a la Google Project Zero? Maybe what makes that non-blackmail is the promise of revealing it no matter what, but offering to delay up to ninety days?
The classic situation of blackmail is demanding money from someone, or else you'll reveal some embarrassing fact about them, report that they committed some crime, etc.
Saying "Give me money or I will publicly disclose a bug in your computer systems" – that fits the classic situation of blackmail straight on.
Saying "Fix this bug in 90 days or I'll publicly reveal it" – doesn't fit the classic situation of blackmail, no demand for money involved.
Now, not all cases of blackmail fit the classic situation. It is possible for a person to commit blackmail without demanding money, if instead they demand something else of direct value to them – for example, saying to a university president "Offer my child a place or else I'll tell the media that you are cheating on your wife".
But, in the case of Google Project Zero style "Fix this bug in 90 days or I'll publicly reveal it", it isn't clear that the demander is actually demanding anything of any direct personal benefit to themselves. Generally speaking, the direct personal benefit to the security researcher of the bug being fixed is going to be negligible. If I demand you do something which doesn't directly benefit me (or my family or friends) in any tangible way, I don't see how such a demand could legally count as blackmail.
I doubt the delay itself has any direct legal relevance. Going to someone and saying "I'm going to report your crimes to the authorities no matter what, but if you don't pay me I'll do it tomorrow, if you pay me I'll wait until next week instead" is probably still blackmail. (Getting one week's notice is invaluable if you plan to flee the country, for example.)
A classic case of blackmail – I know you have committed a crime. I threaten to report your crime to the police unless you pay me.
The act being threatened – reporting your crime to the police – is totally legal, even socially encouraged. It is only the demanding of money (or other benefits) not to do it part which is the crime of blackmail.
If I just went ahead and reported your crime to the police – no crime of blackmail.
If I just didn't – no blackmail (but could be some other crime, such as misprision)
It's only when I tell you that whether I'm going to do it depends on whether you do something for me that blackmail has been committed.
Negotiating is above-board in its own right, which means you've got the right to say, "No, that price is too low," and walk away from the exchange. But, in a broad sense, I'd argue it becomes an issue when you say, "If you don't pay me, I'm going to facilitate crime with this data (or at least make it easy for others to do so)!" Because it's contemptuous of the law—not to mention it's a power dynamic that can really jeopardize a person's agency and certainly leads us to a more corrupt society if it's not acknowledged formally for being untoward.
But I also think a lot of these companies are happy to frame negotiations as extortionate if someone has the audacity to counter their offer, and that's bullshit. But it would also be bullshit to try to drive up the price on a real bounty after the fact by threatening to let the bountied person run free with a map to your house, so it's complicated and I can see the precedent in thought there.
Maybe what you need to do is post consulting fees on your Twitter, and then post something that just says, "Facebook, I've found a bug, I'm posting it in 90 days." Then it's up to Facebook to find it and fix it, or make you an offer you can't refuse.
I think if you intersect the set of people willing to take this risk and the set of people with the capability to find bugs like this, then remove all the black hats, you'd end up with the empty set.
I doubt it's illegal, because posting a vulnerability that you found legitimately on Twitter isn't illegal. You might be dancing close to the edge by using Facebook's authorization to test their websites in an unauthorized way, which brings you back under the aegis of CFAA, but that seems a little far-fetched.
But whether it's legal or not, it won't work. Facebook will likely never do business with you again, but they'll watch your Twitter account for the free bugs you're promising to give them.
The market for random serverside bugs doesn't have to be liquid, it just has to exist
I think you could flip this on White House Market pretty quick and pretty well. Either partner up with someone willing to risk their rep, or just sell 99 cent tutorials for a week and get your rep up. Or resell fullz lol
And then come in with the much larger payload and a few forum posts about it
They only use Monero for payments and PGP signed messaging on White House
People on this subthread are talking about how you'll get caught, and maybe there's something to that, but the real reason this won't work is that nobody wants to buy your stupid auth bypass bug in a random line of business application.
If your bug generates OG Instagram accounts, you'll probably find a buyer --- they will be loons who are likely to land you a prison sentence, because that's the general caliber of person who commits felonies to briefly lock up short account names on Instagram, and you'll have absolutely no way of arguing in court that you didn't know exactly what they were going to do. But you'll probably sell it, because there is an existing business process that acquires OG Instagram accounts your bug can slot into.
Nobody has a business process for exploiting access to a stupid internal legal dashboard application. Nobody is going to shell out more than $7000, speculatively, for access to this website.
I disagree. I can imagine tons of parties that would pay good money for access to Facebook's legal admin panel. Without knowing exactly what's in there, one could imagine lawsuit filings, documents and data that have been put aside during a legal hold, C&Ds sent to people doing things Facebook doesn't like, etc. What can you do with this data? Well, probably embarrass Facebook badly by exposing all sorts of confidential discussions. You might be able to pull an invoice scam by harvesting vendor information and sending a bunch of fake invoices to be paid. You might find other unsecured information that allows you to escalate your access. One can only imagine.
Sure, the economic value of the root password to the NAS for Joe's Carwash is quite low but I suspect even the low level systems at high profile companies is worth tons (I'd guess millions) of dollars to the right (wrong people).
You can disagree, but you're wrong. The kinds of people who watch dark marketplaces for exploits are not dreaming of the super interesting information they can get off a random backoffice system.
One time, about 15 "bug bounties are a ripoff" threads ago, someone actually made a non-ironic case for a high valuation for logout CSRF bugs. A competing image service could employ it to ruthlessly log users out, degrading service and jacking up their own signups. A logout CSRF. That's the kind of logic we're talking about here.
1. You can create throwaway PGP keys, it's not like they can definitively identify you
2. You can encrypt messages for target PGP public key(s) without actually signing them
It's a good way to prevent people from snooping on your messages. Why do you think it's a bad idea?
The newer protocols for encrypted messaging like Signal are intentionally less weak than PGP in order to give plausible deniability. Specifically, the other person in the conversation can forge messages from you inside it.
If you want to stay whitehat and avoid jail, committing crimes is a bad idea. For criminals, blackmailing is part of their M.O.
There's an international market of brokers for zero days, but this specific vulnerability is less in demand.
I doubt that the information found at Facebook legal team could be used by nation-states (but perhaps I am not thinking creatively enough). I can imagine it being used as leverage by a nefarious nation-state, or informational by anti-trust dept. but it would be thrown out of court (therefore only viable for parallel construction). In the case of leverage the nefarious nation-state would feel the wrath of Facebook and/or US government. A country where Facebook has near zero adoption and already on bad terms with USA while within power vacuum, perhaps. Russia has Vkontakte, North Korea and China don't use Facebook either.
Regarding PGP, you don't have to use your real name. You can use an alias. You can sign each other's keys at a crypto party.
I had to chuckle at your comment (at first glance it does seem foolish), thinking about it a little more however, I realize that there is a good reason to why they do it, and if you are careful enough you can probably evade the negative consequences. I guess you have to know what you are doing.
I mean you would be using a live OS and set up a key on that instance so it’s always a new identity, if you choose not to persist it, that service just doesn’t let you message any other way.
It would be much harder to mix identity with your clearnet PGP, if that's what you were thinking, as the machines would be airgapped or the other ones simply off if you are using the same computer to boot the live OS.
It's like most "open source" knowledge work on the internet. You can't really convert it into money directly, except via reputation. reputation leading to better SEO, better job offers, better ads on your blog, better speaker invites, better consulting gigs.
I think if the guy that came to the internal Google documents a few years back would offer the content on a donation-based web site and prove they are genuine, he might get more out of donations from various privacy groups / people than he got from Google for the vulnerability.
Same goes here.
It is not about the vulnerability, it is about the content.
If you take documents from the website, you aren't looking for vulnerabilities, you're straightforwardly committing felonies. Private groups might donate to your legal defense fund, but they aren't going to pay you for documents they know it's a crime for you to have.
That’s why you would need an agent. Yes, Facebook will brush it off if a random hacker anonymously contacts them, but if they’re approached by a serious man in a suit with experience in the field, they’ll take it seriously, and, if not, you hire a social media expert to kick up a big fuss.
No, they won't. They won't even talk to the weirdo in the suit. The magical powers of suits are much overstated and, in the last 20 years, greatly diminished.
This comes up on every thread about vulnerabilities. Zerodium doesn't buy random one-off serverside bugs. It's not that they simply don't have a price listing for them; it's that they don't make a market for them at all.
It's not even cut-and-dried for the RCEs that firms like this do buy. Bounty programs at giant tech companies are generally aware of the market prices for RCEs and are not overtly trying to screw you over. The flip side is that the price you get from a broker is (1) negotiated and (2) tranched, so the "number" you get is a best-case, not guaranteed, and can collapse if the bug is burned before the IC agencies the broker sells it to finish using it to hurt people. The bounty number, on the other hand, is a sure thing.
But ~nobody is buying auth bypass vulnerabilities. Maybe if you can mint OG Twitter accounts and aren't worried about going to prison.
This isn't anything equivalent to a zero-day in a web browser, for instance. It's trivial for Facebook to patch and it can't fit in a "slot" filled by a previous bug. Note that vulnerabilities in a specific web app like this one are not listed on Zerodium's website.
A story from one of my startups: A student reached out to us regarding a security vulnerability on the website, demanding money for it. He refused to say what it was or provide evidence at first, so we couldn't assess it. He said he'd disclose it to others if we didn't.
I definitely felt blackmailed. I am not a lawyer but it felt illegal. Maybe someone can chime in to say if it is?
Rather than the exploiter setting an arbitrary price (which would be closer to blackmail), I think parent comment was saying that the fair market value of disclosing such a bug was worth closer to $75k given the unique skill set required.
Skilled engineers turn to cybercrime when white-hat bounties are insufficiently rewarding, so it is in everyone's interest to pay competitive rates for finding security vulnerabilities.
The fair market price of an entire app pentest of that legal dashboard application, one which would almost certainly find that bug† if run by a competent, reputable firm, along with many other bugs, run by consultants with bios and concluded with a deliverable that Facebook can file away, is probably somewhere between $20,000 and $35,000, so the idea that the fair market value of a single finding of that engagement is $75,000 is pretty hard to take seriously.
From my perspective, people have weird ideas (in both directions!) about how much this stuff costs.
† It's a little tricky to say because the blog post is cagey about what the vulnerability actually is, but I'm thinking about all of the password-reset-flow bugs I've ever seen that fit the rest of the pattern of the post and I'm pretty sure this is low-hanging fruit for a serious app pentest.
Fair enough. I could imagine that if the work were billed by the hour or said research firm hired multiple people it would be easy for costs of the work to run up to $75k - it's within O(20k). I'm not qualified to price these though - I certainly would abhor having to pay that cost if I were a small company.
Which is essentially market driven blackmail as far as I can see. Once I meet my new neighbours (one of whom is a moral philosopher by trade) I might ask about how to assess if that's ok. Personally it feels somewhat ok to me, speaking as someone who's built industrial espionage for money.
>> Which is essentially market driven blackmail as far as I can see.
Modern medicine can also be like blackmail. Nobody has to actually threaten you, but nature will kill you unless you pay whatever the price of treatment. That's why we need competition, and why pharma companies like monopolies.
It differs from blackmail because you the sick person are the one requiring others to perform a service for your benefit. With blackmail (and generally extortion) you are threatening to take an action unless someone pays you not to.
Oh I completely agree, that's why I said "can also be like blackmail". Key word "like" because it does differ in the exact way you describe.
So in this threads context, "hey I found a vulnerability in your infrastructure, you could pay me for it" does not actually constitute blackmail unless they actually follow it with "I'm selling to the highest bidder which may not be you".
And we (Australia) blackmail drug makers: sell your drugs to us at a certain price and the Government will heavily subsidise it and you’ll get big sales. Refuse and it will get zero subsidy and nobody will buy it.
> And we (Australia) blackmail drug makers: sell your drugs to us at a certain price and the Government will heavily subsidise it and you’ll get big sales. Refuse and it will get zero subsidy and nobody will buy it.
The blackmail version is actually "Refuse, and we'll produce a generic version locally and perhaps even export it to any country that wants it."
I don't think state funded healthcare works the way you think it does. The American system is the most economically inefficient system out there, to the extent that people without experience of other systems likely end up with a highly distorted perception.
Note that a mixed economy (combined public/private funding, like the French and Australian systems) is probably for the most part the most economically efficient. A big problem in Australia is over-provision of services, especially ending up getting more pathology tests than strictly necessary.
The thing to remember is that the universe does not care, and nobody owes us anything. That's what's really terrifying until you come to terms with it.
So, what is your proposed solution for people who find security vulnerabilities in systems?
Keep in mind these vulns are worth money in the black market.
If the gov't stops prosecuting the security experts for selling the vulnerability on the black market (but instead, only prosecute those who use it for illegal purposes), then the security expert can find out the true value of a vulnerability.
This makes the company with said vulnerability pay the true price for it - may be even just purchase it on the black market and outbid the "bad guys". Or pay someone to fix it asap before it's sold.
I suspect that decent bug bounties, and therefore engendering more competition between white hat and black hat activities is probably the best way to go.
Employed (by a university) as a moral philosopher. Interestingly the institute they work for is ethically dubious (because of how it's funded, not the teaching content).
It's a rather small field, but IIRC, I had a philosophy professor in college whose specialty was the Ethics, and he had a sideline consulting with hospitals as a medical ethicist. He was also brilliant-- In the course I took with him we covered scientific ethics, one of the more memorable of my academic experiences.
I suppose the illegal part would be the student threatening to disclose the vulnerability to others if you didn't pay. That seems like crossing the line into blackmail and being an accomplice of whoever he discloses to. But the student wouldn't be legally obligated to inform you of a vulnerability, and it wouldn't make sense to if you weren't willing to pay. I can see the difficulty though, I guess you'd need to have his identity so you could legally pursue him if there was no vulnerability and he ran away with the money. Or maybe you could write up some sort of contract requiring an in-person demonstration...
>> student wouldn't be legally obligated to inform you of a vulnerability, and it wouldn't make sense to if you weren't willing to pay.
Which leads to a very interesting situation in negotiating. It's not the first time someone tried to sell information or an idea without getting ripped off. But how can one agree on the value of information without knowing it? Is there a standard word or phrase to describe that situation?
Those things already exist, but ultimately bugs and exploits are too niche. A trusted third party cannot rule by themselves but is always required to ask both sides about the bug's impact. Since both sides try to frame it as both high and low impact at the same time, you make both parties unhappy in most cases and become untrusted.
Not quite. Let's say I know you're cheating on your partner: I can tell the partner, and that's legally fine. But if I say "I'm going to tell the partner if you don't pay me $7500" then that is not fine, even though the first action is legitimate. Coercion really is quite a bit about the second part as well.
I'm not sure if this rule would cover all coercion/blackmail, but a rule like the following is probably a good guideline: If the first part negatively impacts the "victim" while the second part positively impacts the other person, it might be getting close to coercion territory.
Let's take your cake example: The person with the cake isn't really negatively impacted. If they don't like the cake, they aren't materially harmed by someone else eating it. Although even there, context matters: Let's say you're a baker, and you sell cakes, even ones that you don't like yourself (maybe you hate buttercream icing). Taking your cake and eating it when you might otherwise have sold the cake and made money would be a problem.
Unless litigating students is something your startup is interested in, I’d recommend ignoring that line of thinking and just hiring a good pen tester for a few months.
It’s really hard to say what something is worth if you are only allowed to sell it to one buyer. No competition between buyers. The only leverage is releasing the info and screwing a lot of people.
(Also sucks that you can release it anyway. But you do want to source these vulnerabilities from the world at large.)
Yet another reason why open source and collaboration may be better than capitalism and competition. Many hands make light work, with enough eyes all bugs are shallow, and all that.
(To be fair, open source lacks security by obscurity so a project becomes secure after many years and developers join it.)
2%? You have an interesting idea of the world's population.
Just think about what that means. It means 2 out of 100 people can hack into Facebook's Legal Department Admin Panel.
I mean if we are talking "mentally capable to achieve that within a decade if the person does nothing else but strive to that goal"... Perhaps.
If we are talking "sit down right now and do it", then it's more like what... 10,000-100,000 people on earth? Which makes for more like 0.0014%?
Not quite. The US alone graduates 2 million Computer Science students of various stripes every year. It's been graduating (smaller numbers of) them for over 40-50 years now. There are now second and third generation comp sci. workers and graduates.
So let's say 1% of 1 million/year are up to this, I suspect it's rather more, but I can't be bothered to do the curve on past graduation rates, and figure out what the world wide figure is... you've easily got a couple of million people world wide.
When I think it's going to get really interesting is in another 10 years or so when there start to be significant numbers of bored retired former developers. At any rate the market rate probably isn't that bad.
I think you might have looked at the wrong statistic when googling this. According to this site[0] (which is one of the first hits for "computer science graduates per year"), there are 2 million computer science people in the workforce _in total_, which seems far more realistic. Actual number of graduates per year seems to be 65000.
With your numbers (assuming linear growth) after those 40 years, about one third of the total US workforce would now be CS graduates.
They're brilliant at finding this stuff, sure, but incompetent when it comes to business acumen and valuing their work. Usually. Those that have some semblance of the latter, have received in the six figures from singular bounties. I haven't yet read this, and to be fair, most bug reports identify low severity issues which obviously don't deserve a six figure payout.
There isn't a super lucrative market for this type of thing that doesn't involve either the buyer or seller violating US law.
The real money is probably something more boring than setting up exploits--such as setting up a security consulting practice that charges a ton of money. It's a lot easier because then you would have less pressure to discover completely novel exploits.
I mean if you're demanding you're kind of committing a crime. It's actually pretty nice of FB to reward this stuff, and along with the clout come career opportunities worth much more than $7.5k.
The majority of the accounts following him have 0 posts, very low amount of followers and follow thousands of other people. They are most likely bought or collected via an online bot tool. Further quantitative evidence: His posts have a very low amount of likes and comments.
> The majority of the accounts following him have 0 posts, very low amount of followers and follow thousands of other people.
There's also the issue of "follower farmers". Basically, some spam accounts start following tens of thousands of people hoping at least some will check their profiles, maybe follow them back or click on their spam.
I noticed this mostly on Twitter, and after some digging, it turns out to be a common tactic used by spammer bots (or umm, "marketing teams"). I don't know how common that issue is on Instagram though but it could be the same.
I see this often on Twitter. Some account with tens of thousands of followers, if not more, and very little reaction to their tweets (less than 10 per tweet). It's obvious to the trained eye that they just bought followers. I can't be mad honestly, it's pretty cheap to signal that you're a big deal by doing this.
That's often the case, but on Twitter it's sometimes also just inactive followers. Not uncommon to have 10+ year old accounts now which might've been big some time, but with 95% of those followers being inactive now.
Too bad Twitter didn't do the purge of inactive accounts, would've been interesting.
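The heuristic the thread describes (followers with no posts, few followers of their own, and thousands of accounts followed, plus low engagement on the account's own posts) as an added example that is not from any comment above. The follower records and post statistics are constructed for the example, and the thresholds are assumptions, not anything a platform publishes:

```python
# Constructed sample follower records; not real accounts.
SAMPLE_FOLLOWERS = [
    {"posts": 0,   "followers": 3,   "following": 4800},
    {"posts": 0,   "followers": 1,   "following": 5200},
    {"posts": 142, "followers": 890, "following": 410},
    {"posts": 0,   "followers": 12,  "following": 7300},
    {"posts": 25,  "followers": 210, "following": 380},
    {"posts": 0,   "followers": 0,   "following": 9900},
]

# Constructed engagement figures for the audited account's recent posts.
SAMPLE_POSTS = [
    {"likes": 4, "comments": 0},
    {"likes": 7, "comments": 1},
    {"likes": 3, "comments": 0},
]


def looks_farmed(acct, max_posts=0, max_followers=20, min_following=1000):
    """True when an account matches the 'follower farmer' shape from the
    thread: never posts, nobody follows it, it follows thousands.
    Thresholds are assumptions chosen for the example."""
    return (acct["posts"] <= max_posts
            and acct["followers"] <= max_followers
            and acct["following"] >= min_following)


def audit_account(followers, posts, follower_count):
    """Return (farmed_share, engagement_rate, verdict) for one account.

    farmed_share     fraction of sampled followers that look farmed
    engagement_rate  mean (likes + comments) per post divided by follower count
    verdict          'suspicious' when most followers look farmed AND the
                     audience barely reacts; 'inactive audience' when only
                     engagement is low (the 'old account, dead followers'
                     case raised in the thread); otherwise 'plausible'
    """
    if not followers or not posts or follower_count <= 0:
        raise ValueError("need followers, posts and a positive follower count")
    farmed = sum(1 for f in followers if looks_farmed(f))
    farmed_share = farmed / len(followers)
    mean_reactions = sum(p["likes"] + p["comments"] for p in posts) / len(posts)
    engagement_rate = mean_reactions / follower_count
    low_engagement = engagement_rate < 0.001   # assumption: <0.1% per post
    if farmed_share > 0.5 and low_engagement:
        verdict = "suspicious"
    elif low_engagement:
        verdict = "inactive audience"
    else:
        verdict = "plausible"
    return farmed_share, engagement_rate, verdict


if __name__ == "__main__":
    # The audited account claims 40,000 followers in this constructed case.
    print(audit_account(SAMPLE_FOLLOWERS, SAMPLE_POSTS, follower_count=40_000))
```

The two signals are kept separate on purpose: low engagement alone is consistent with the "95% inactive followers" explanation given further down the thread, so the function only calls an account suspicious when the follower sample itself has the farmed shape.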
Not sure about that account, but penetration testing is actually fairly popular in the Middle East. Cost of living is typically quite low, so decent researchers can make a living from bug bounties.
Fun fact: Tunisia, a relatively small North African country, was awarded the second highest number of Facebook bounties this year[1].
I've always wondered, aren't these types of bug investigations illegal? Aren't the investigators concerned about criminal prosecution? Not being snarky; I'm asking sincerely.
However, some companies (including Facebook) have a bug bounty program that provides a prescribed safe harbor that you can operate within to discover vulnerabilities within their products or infrastructure in exchange for some kind of recognition or award.
Based on a cursory glance and the fact that this individual was awarded in their program, it appears they operated by the book.
Prosecuting activity that happens outside of these parameters has definitely happened in the past and will continue. It's not always a cut and dried decision. It can be difficult/expensive to effectively prosecute and you may find a lot of social backlash depending on the nature and impact of the activity.
Yes. Most competent tech companies permissibly allow “security research” like this.
If you are genuinely trying to find exploits in good faith, and are acting within the parameters spelled out in their bug bounty program, it’s all good. You also may get paid.
This blog entry sort of dramatized what happened for clicks. I actually think it’s unwise to characterize any exploit like this, because it adds a PR dimension consumer companies just don’t want or need.
It sort of creates a sense of adversarial relationship which isn’t really what FB is after.
But it sounds like a risky endeavor put this way and probably helps get retweets and attention in the short term.
Totally agree with your perspective here. There's security research and there's bug prospecting. Both have streaks of narcissists and showboaters but the latter seems to be thick with them.
(edit: to clarify b/c this can easily be interpreted otherwise, I'm not calling the writer of this article either of those. The headline is a bit of cheap clickbait but the article is a good walkthrough of their mindset)
Respectfully, I feel like you all are making up a taxonomy that feels right to you, but that is definitely not accepted by the vuln research field.
Further: this idea that "research" is something we have to valorize, and that you have to meet a public interest threshold to be worthy of it, is itself a standard to which the real world does not adhere. There are lots of different kinds of "research" out there; there are researchers who look for cures for cancer, and there are "researchers" who maintain stacks of index cards full of competitive market intelligence gleaned from press releases. The term "researcher" is about the kind of work you do, not the use to which it's put.
Maybe I'm just old and not keeping up with what the kids these days are saying, but I don't think "bug prospector" is a thing.
The academic difference is quite distinct and is well understood in the research community there. Impressive vulnerabilities that could take down all of Google wouldn’t be accepted into any security research conferences/journals if the bug didn’t involve a new class of vulnerability or discovery method.
The term “bug prospector” might not be widely accepted, but people just looking for well understood bugs in production systems aren’t doing “research” in the academic sense anymore than a person at McDonald’s “researching” the menu to decide what to eat.
But there are people who generally research vulnerabilities in academia and your “term of art” doesn’t really apply there. Point being - “vulnerability researcher” means one thing talking to a PhD student at CMU vs talking to someone in the industry.
No, Ph.D students doing vuln research understand that they are researchers in two different senses. Talk to some of them. They're not confused about this.
I’ve worked in sec academia and, if they don’t know they are interacting with someone from industry, using the term “vulnerability research” absolutely does not mean what you’re talking about.
The fact that you are saying “they are researchers in two different senses” means you already know the overlap of terminology and it requires context to disambiguate, which is my entire fucking point. The “vulnerability research” that people hunting for bug bounties are doing is not “vulnerability research” in the academic sense.
Research in the academic sense is computer science research. "Vulnerability research" is a term of art that means "discovering and qualifying vulnerabilities". Most vuln researchers aren't academic. The term itself goes back decades and predates widespread academic offensive security research; nobody at COAST would have thought to call themselves "vulnerability researchers" because vulnerabilities weren't their focus.
I'm honestly a little lost about what the dispute even is here. Obviously, the term "vulnerability research" is old, and means pretty much what I said it meant in the previous paragraph. What's the confusion? It sounds almost as if you're trying to say "vulnerability research" means "academic security research". Obviously, it does not. Are you just trying to say it should mean that?
No you're right, bug prospector was made up on the spot. I'm old too and I confused the conversation by hauling out my rusty trusty grinding axe about some miscreants I encountered along the way.
In general though I do think we diffuse the term 'research' a bit in this case by applying it to a very broad spectrum of actions and motivations. As a result I think we lose some of the nuances of incentive that emerge at opposite ends of that spectrum. I mean we do call them 'bug bounties' after all and we don't call Duane Chapman 'Dog the Fugitive Researcher'. :)
>Thank god for that. Blog posts like the one this thread is about are really valuable to those of us interested in the work of others.
I can see how what I said could be interpreted as 'folks that blog about their work are narcissists'. That wasn't my intent. The headline is a bit clickbaity but the explanation is a good walkthrough. This isn't the far end of the spectrum that I had in mind. Watching twitter or working for a bug bounty program is a better way to get exposed to that set.
Maybe things have gotten better. I worked for one a while back and came away with a notion of the two distinct communities I described. I try to focus mostly on the positive side, which was the majority and had some amazing and inspiring folks, but the other side had some really irritating people with wholly unprofessional conduct.
Generally companies prefer if you find bugs and disclose them before malicious parties find and exploit them.
Most websites have a “responsible disclosure” policy. If you can’t find this linked on their main page, you can often find it at /security.txt or /.well-known/security.txt
I'd suggest "most" is liberal. A few is more likely.... most corporates take it as an offense (someone may be fired, only the most enlightened of CISO's in progressive orgs treat it as anything but heresy). In SilVal - sure, a higher number because they can get it. Everyone else treats these types of issues as "guilty before proven innocent"
Places with a bug bounty program typically publicly state rules for what they think is ok for a researcher to do, specifically to avoid that problem. Without permission like that, yes, such an investigation can quickly move into legally dangerous areas, and not all companies have gotten the idea that if someone is willing to tell you about a problem you want them on your side, threatening or suing them just means the next time someone finds something you're not told. (of course that's not a free-for-all for researchers, if you start actually poking in private data or hack actual peoples accounts that's a problem)
Check out HackerOne or BugCrowd. Companies have programs with details on what’s allowed vs not, responsibly report and optionally share findings after they’re fixed.
In the US, yes. Unauthorized access and computer trespass is often felonious. People have gone to prison for logging into an email account by guessing the password.
See sibling comments for the actual reason: Facebook and other companies typically allow this kind of security research, as long as the intent is not malicious and the researcher operates within some boundaries.
> I sent random requests using intruder with a CSRF token and random emails with a new password to this endpoint /savepassword
So this endpoint simply allowed setting up a new password with a POST request for the specified email address and he was able to guess the email .. ¯\_(ツ)_/¯
I think they assumed it was already hardened by requiring authentication, but didn't do any testing (or were unaware of this endpoint being a thing in the software they use).
I mean evidently enough people go to Facebook for them not seeing the need to raise the price on bug reports, or else they'd probably do just that.
The barrier for most people to sell data to criminals is high, both because it's illegal and because most people have at least enough of an ethical compass to not sell their services to scammers.
I’m not a security researcher but I disagree with this rationale on a number of levels.
First, just intuitively it feels wrong. It’s like saying that if you need a $20 permit for camping, but if you get caught camping illegally the fine should only be as much as the permit. Clearly it should be more.
More specific issues:
- Who determines how long the hack took?
- A security researcher is guaranteed the $350/hour whether or not they find the exploit. The bug hunter only gets paid if they find an exploit. Thus, if you follow this out logically every bug hunter should really just be a contracted security researcher and the only bugs being uncovered would be the ones companies were paying upfront to find. In other words, freelance bug hunting is deincentivized.
Maybe you're thinking false equivalence? What I'm pointing out that just because you can make a lot of money by doing something illegally doesn't mean you should expect to similar amounts of money using those skills in a legal way. Walter White would back me up on this.
I think it depends on team dynamics. On a team I was on (Fortune 100 company), a techlead would just buddy up with a very junior one, and have them rubber stamp their code review. The techlead almost committed a bug similar to one in this post; I had to step in and leave a review comment to prevent this vulnerability. I almost wanted to have it shipped to get back at these code review buddies, but decided against it as I valued not having a vulnerability more.
You would be surprised how little effort sometimes goes into code reviews or security scans.
Up until recently the team I was dropped into didn’t have any authentication for all their endpoints, I pointed this out and secured them all, except for one. This one endpoint was only used internally, but was still exposed.
During multiple security scans and a penetration test, this didn’t even come up.
I even had a hard time convincing our product manager this should be secured, and could be done in an hour or two, if I could get some time.
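The failure mode in the comment above (every endpoint authenticated except one that was "only used internally" and was missed by scans) is what a fail-closed router avoids. The following is an added example, not the commenter's code or any real framework: a minimal dispatcher in which every handler requires an authenticated session unless it explicitly opts out, plus an audit helper that lists the opted-out routes so a reviewer can see them in one place. Route names and the session shape are assumptions for the example:

```python
class Forbidden(Exception):
    """Raised when an unauthenticated request reaches a non-public route."""


class Router:
    """Fail-closed router: a handler is private unless registered with
    public=True, so forgetting to protect a route denies access rather
    than exposing it."""

    def __init__(self):
        self._routes = {}  # path -> (handler, public)

    def route(self, path, public=False):
        def decorate(handler):
            self._routes[path] = (handler, public)
            return handler
        return decorate

    def public_routes(self):
        """Every route reachable without a session; review this list."""
        return sorted(p for p, (_, public) in self._routes.items() if public)

    def dispatch(self, path, session):
        if path not in self._routes:
            raise KeyError(path)
        handler, public = self._routes[path]
        if not public and not session.get("authenticated", False):
            raise Forbidden(path)
        return handler(session)


app = Router()


@app.route("/login", public=True)          # the only deliberately open route
def login_form(session):
    return "login form"


@app.route("/admin/users")                 # private by default
def admin_users(session):
    return ["alice", "bob"]


@app.route("/internal/rebuild-index")      # "only used internally", still reachable
def rebuild_index(session):
    return "index rebuilt"


def probe(path, authenticated):
    """Return 'allowed' or 'denied' for a request with/without a session."""
    try:
        app.dispatch(path, {"authenticated": authenticated})
        return "allowed"
    except Forbidden:
        return "denied"


if __name__ == "__main__":
    print("public routes:", app.public_routes())
    for p in ("/login", "/admin/users", "/internal/rebuild-index"):
        print(p, probe(p, authenticated=False), probe(p, authenticated=True))
```

With this shape, the internal endpoint the commenter describes would have been denied the moment it was registered, and `public_routes()` is the one-line check a reviewer or a scan can run instead of trying to enumerate every handler.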
Judging by the response letter it seems they think he only managed to reset a password... not set the password. Will be interesting to read the follow up.
> Judging my the response letter it seems they think he only managed to reset a password
That wouldn't really make sense, would it? As it allowed him to log in.
> So let’s get back to see what I’ve done here, I sent random requests using intruder with a CSRF token and random emails with a new password to this endpoint /savepassword
> Now I went to the login page and I put the login email and the new password and BOOM I logged in Successfully into the application and I can enter the admin panel
He's using Burp Suite for things, but writes about "fuzzing" for directories as if he's not using Burp for that (the plural on "tools" sort of suggests he's using something like dirbuster).
Exploiting a vulnerability to learn and then reveal trade secrets is probably a crime. You have Facebook's tacit permission to look for vulnerabilities, but not to use them or pivot from them.
It is not trade secret.
It would be in the public interest. Just let me remind you that we are speaking about Facebook and users' privacy...
As we have discovered through recent scandals, a lot of people are not aware of the level of abuse on their privacy they expose themselves by using Facebook.
But just reusing the devil's argument, if they have nothing bad to hide, there is no issue to be transparent...
> That's not how that works at all. You absolutely do not have a right to hack into private companies "in the public interest".
Well, not as a private individual, certainly. You have to work for a nation-state's Advanced Persistent Threat group like the NSA's Tailored Access Operations.
It's kinda cool that because this webapp is evidently so little used in public, if you just do a Web search for "facebook tapprd" you're pretty much just gonna find bug bounty writeups ( e.g. https://medium.com/@amineaboud/story-of-a-weird-vulnerabilit... ).
Interesting post, but I have troubles understanding the "SSL vulnerability with the exposed IP address" part. SSL does not prevent knowing IP addresses...
So in this case he actually changed someone's password - don't they have a policy saying that you have to only do this kind of stuff with your own account or in a sandbox? Or is this exempt because such a thing is not possible since it's internal?
How much would an exploit like this be worth on the black market? What's the potential loss / liability on Facebook's side? Hundreds of thousands? Millions?
There is no easily accessible "black market" for a hack like this. As an average person what is your alternative really? Pick up the phone and call the government of Iran?
It is far more convenient (and safer) to just take the guaranteed ~$10K and move on with your life.
Even if it did, you wouldn’t want to do it. Someone like that can dispatch goons after the deal, to make sure they’ll be the only ones to know the hole.
It doesn't have to be "easily accessible" to be valuable.
Corporate espionage exists, insider trading exists (and is more common than you might think), there's any number of parties who might pay for insider info (once properly laundered) about Facebook activities.
Why would "the government of Iran" care about what Facebook is up to? Isn't FB banned in Iran?
You forget that intelligence and espionage goes both ways. Iran could use FB in some way to attack the US, just like Russia did, just as it could shield itself from FB.
A "market" needs a bit more than "is worth something".
What multiplier of the $7500 bounty would you want for the trouble of committing a crime? Who's the buyer (FB afaik doesn't buy a whole lot of publicly traded companies, so it probably needs to be someone who can get into the deals, and quickly)? How do you find them? How do you convince that buyer that your deal is worth the money and the hassle of committing a crime? How do you trust the buyer? How do you handle it if the hole gets closed before the buyer can profit? How do you value the risk it gets closed before you got your deal? Does all that work out in a way that you really don't want to take the bounty?
People buying backdoor access into companies probably happens occasionally, but it's probably not the easy high-profit thing compared to bounties many people think, but rather on the level of selling account information by the dozen for a few bucks - and for something like that you'll burn them quickly.
I believe a good way to think about the market for vulnerabilities is this:
There are markets for vulnerabilities that slot seamlessly into existing business processes. In other words, you can tend to find a buyer for a vulnerability that would replace another vulnerability already being used, that accomplishes pretty much exactly the same thing as that vulnerability. The more people run that business process, the more likely it is that there's a liquid market.
Lots of organizations have business processes that rely on browser RCEs. Generally, there aren't many organizations that have business process that rely on serverside vulnerabilities in line-of-business applications that have instantaneous half-lives, because once the patch is developed they're gone.
Interesting. I guess a real-world analogy is theft of valuables. If you steal random money, that's easy to turn into value. There's a harder to access criminal industry smelting down gold, which will equally reduce jewelry and priceless museum artifacts to material value. And a unique well-known painting is pretty much impossible to sell if you aren't already connected to a buyer with a specific interest.
Didn’t say it was easy to monetize.
I do recall a bust, some time ago, of a ring that used prerelease (?) announcement pdfs already placed on publicly accessible servers (?) as a source of insider alpha.
(‘?’ because I’m on my third whiskey and about to turn in :)
Yeah, the response is purely in context of the mentions of "black market" value higher up the thread. Being able to turn potential gain for someone into actual money for you is the key issue.
> Months earlier, when Pepsi received the trio’s initial letter, they’d promptly forwarded it to Coca-Cola, and informed them they had a leaker. In turn, Coca-Cola had brought in the FBI to conduct an undercover investigation.
> On July 5, 2006, Williams, Dimson, and Duhaney were arrested on charges of wire fraud and unlawfully stealing and selling trade secrets.
I can’t speak for Thomas- but generally you’d want to invest your money in a vuln that is rather static. Web applications with attack surfaces that are constantly changing are not a good fit for a sophisticated attack with potentially huge blowback.
Where are you going to go to sell it? are you going to go find some tor hidden service with a forum that you can post your exploit on and hope that somebody will give you some bitcoins for it? You think that those are not under heavy surveillance already? The "black market" for this kind of thing is way overblown. And if you think you can just go sell it to some nation state, think again. That's an easy way to end up in a federal supermax.
With that kind of skill you should just be working websites and buying PlayStations, shoes and other high demand goods in bulk. You can make more than 7k per week
Even in my 1 weekend web apps I ensure password reset tokens are secured against their user and token type, but Facebook, a $720,000,000,000 company, can't do it for their ADMIN site?
There’s fundamentally no difference between a large corp with thousands of employees (who can either use best practice and the secure rails given to them or go wild in their implementations) and a one person company.
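Both the `/savepassword` discussion earlier in the thread (an endpoint that set a new password for whatever email address was in the POST body) and the comment above about binding reset tokens to their user and token type describe the same defect. The following is an added example, not code from the writeup, from Facebook, or from the commenters: a vulnerable `save_password` of the shape described, next to a hardened version in which the token, not the request body, decides whose password changes, and in which the token is also bound to a purpose and an expiry and is single use. The user store, endpoint names and TTL are assumptions for the example, and the password hashing is a placeholder (a real service would use a slow KDF such as argon2 or bcrypt):

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory user store; not the application from the writeup.
USERS = {
    "admin@example.com": {"password_hash": None},
    "alice@example.com": {"password_hash": None},
}


def _hash_password(password):
    # Placeholder for the example only; use argon2/bcrypt/scrypt in practice.
    return hashlib.sha256(password.encode()).hexdigest()


# --- Vulnerable shape from the thread: the endpoint trusts the email in the
# --- request body and demands no proof that the caller owns that account.
def save_password_vulnerable(email, new_password):
    user = USERS.get(email)
    if user is None:
        return False
    user["password_hash"] = _hash_password(new_password)
    return True


# --- Hardened shape: a random, single-use token bound to (user, purpose,
# --- expiry). Only its hash is stored, so a leaked table is not enough.
TOKENS = {}              # sha256(token) -> record
TOKEN_TTL_SECONDS = 15 * 60


def _token_key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(email, purpose, now=None):
    """Issue a token for `purpose` ('password_reset', 'email_verify', ...).
    Unknown emails get a decoy token that is never stored, so the response
    does not reveal whether the account exists."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    if email in USERS:
        TOKENS[_token_key(token)] = {
            "email": email,
            "purpose": purpose,
            "expires_at": now + TOKEN_TTL_SECONDS,
            "used": False,
        }
    return token


def save_password_hardened(email, token, new_password, now=None):
    now = time.time() if now is None else now
    rec = TOKENS.get(_token_key(token))
    if rec is None or rec["used"]:
        return False
    if rec["expires_at"] < now:
        return False
    if rec["purpose"] != "password_reset":      # wrong token type
        return False
    # The token decides the account; the email in the request must match it.
    if not hmac.compare_digest(rec["email"], email):
        return False
    rec["used"] = True                           # single use
    USERS[rec["email"]]["password_hash"] = _hash_password(new_password)
    return True


def login(email, password):
    user = USERS.get(email)
    return user is not None and user["password_hash"] == _hash_password(password)


if __name__ == "__main__":
    print("vulnerable:", save_password_vulnerable("admin@example.com", "attacker1"),
          login("admin@example.com", "attacker1"))
    t = issue_token("alice@example.com", "password_reset")
    print("hardened, wrong user:", save_password_hardened("admin@example.com", t, "x"))
    print("hardened, right user:", save_password_hardened("alice@example.com", t, "newpass"))
```

The four checks in the hardened handler correspond to the four ways the thread's scenario can go wrong: no token at all (the original bug), a token replayed after use, a token used after its window, and a token minted for some other flow (email verification, say) being accepted for a password change.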
well, I wasn't gonna to comment about this subject, but here we go: I find this value ($7,500.00) kind of low for a discovery like this.
The other day, someone shared a link to an app [1] that estimates how much an OnlyFans user makes. I've got to tell you, it got to me. I was never money orientated and I don't plan to become so; but seeing how much someone makes by being naked in front of a web cam vs a software engineer salary is kinda sad.
Some of the OnlyFans users make in a month what a plain SE would make in a year. Besides the fact that there are some seriously wrong things with the world, I thought this kind of skill would be more rewarded. Given the fact that you could exploit this vulnerability to make a lot more money (or am I mistaken?).
Describing that work as "being naked in front of a webcam" is like calling software development "typing at a computer". You can make any job sound trivial and downplay its value by describing it in a way that removes the skill and effort involved.
I'm not sure why you feel the need to imply someone else's work isn't valuable to make the point that this work should be more valuable.
Besides the obvious falsehood that being attractive is being 'born attractive', onlyfans and such sites are full of very attractive people who suck at marketing, customer engagement, etc, who essentially make beer money being naked (with the hope that things will spike up 'real soon now').
The people at the top have a lot of hard-work, skill, and "being born attractive". Sex work is work.
I personally find that super attractive if they lack all skills and intelligence and their only redeemable feature is being hot. If I was the type to pay for OnlyFans, I would certainly shell out for a girl like that.
Like a lot of businesses in the addiction space, cam workers make a lot of their money off whales. So the profit comes from high effort relationship maintenance / customer service.
And software engineers make way more money than most healthcare workers... "There's something seriously wrong with the world"...
Main reason this is so is because of scale. One healthcare worker can look after a ward at most, one software engineer can write software that affects millions in a very small way, and some onlyfans accounts hit a smaller scale but with more revenue per user on average.
The same argument I made for SE could be easily done for health workers. They are very important.
but I'll say this: I saw everywhere how underrated health workers are, and I agree. They should be paid a lot more; even more than athletes, in my book.
but how about SE and CS, have you heard anything? The whole economy would crumble if it weren't for online business: internet, apps, video chats, smart phones... I'm yet to see an ad saying thank you for what those brilliant CS and SE people have done for the world.
>but seeing how much someone makes by being naked in front of a web cam vs a software engineer salary is kinda sad.
>some of the only fans users makes in a month what a plain SE would make in a year
I'm sure if you could think of a way to make software engineers as appealing as naked women, you'd probably find yourself a pretty great job paying well over the people on onlyfans.
well, I might. I finished college back in 2019 and my teacher who was my counselor runs several projects trying to make SE and CS more attractive to girls. I guess she'll have a harder job to do now, knowing that a girl could rely on her beauty to make thousands of dollars exposing herself to strangers.
Damn it, I have a two year old niece, I guess me and my brother better think of something fast, so when she's a teenager she'll be interested in STEM.
So... that's just not how any of that works. Do you really think most of the women you know are choosing to be on OnlyFans and are making huge money off it? Hint, no. Not a choice most would make, and most accounts there are not making any kind of money like that.
But you seem really upset about all this. To be clear, what you are mad about is how there are lots of men willing to pay to see naked and sexual content online, right? That really upsets you?
not at all. Sex workers will exist forever. I guess my beef is how easy it is for young girls to become one now. Are you struggling with calculus? Is physics giving you a hard time? Well, let me tell you about OnlyFans...
Joking apart, the appeal was already there: making money from the comfort of your bed. Seeing how much money you can make though, that's what really broke my back.
That money is coming from men (mostly men) willing to pay it, I think that's what you ought to be upset about if the situation upsets you, although I don't really understand what about it "broke your back".
I think you are hugely overestimating the number of women making any kind of significant money on OnlyFans, let alone the kind of "in a month what a software engineer earns in a year" money you're talking about. That's very few people. If that makes you feel better for whatever reason.
Like every other internet hustle (say instagram "influencers"), so many people are hustling and maybe being taken advantage of and making very little. Who does make serious money is some combination of luck, business sense, aptitude, and lots of work. Some women get rich being models too (and this is of course a kind of modeling, or at least that's part of it), but it's not like any woman can just decide to become rich by modeling.
I'm not sure what you're alarmed about, but if you are foreseeing a future where all women choose to pursue no career but onlyfans, which seems to be literally what you are describing being alarmed about, I don't think you have to worry about that, so perhaps you can sleep better.
Also not sure why we're talking about this on a post about Facebook security vulnerability and their bounty program, but ok.
>who was my counselor, runs several projects trying to make SE and CS more attractive to girls.
This is a good thing. Sorry if my above comment was dismissive and callous. Honestly, it is kind of sad as a society, that's what ends up being valued more highly.
>knowing that a girl could rely on her beauty to make thousands of dollars exposing herself to strangers.
That's not really anything new. Such things have always existed.
To be honest, my comment was mainly in reference to the business model itself. It's hard to compare a salary or wage with lots of money from donations or subscriptions.
I'm sure there's people on onlyfans that make barely anything and there's lots of software engineers with high paying jobs.
>Damn it, I have a two year old niece, I guess me and my brother better think of something fast, so when she's a teenager she'll be interested in STEM.
I dunno, teach her self respect and explain the value in success using one's talents and abilities as opposed to exploiting their appearance or bodies.
There's always been the option for girls to do the second one. I'm glad your teacher and people like her are trying hard to give girls more options like the first.
It was always thus. In fact, until the ‘60s, a girl had to rely on her beauty and personality to eat and survive, i.e. by marrying.
I have a daughter and, while obviously I’d prefer she didn’t end up on onlyfans, I really don’t want to limit what she should do or what talent she should leverage to reach happiness and/or prosperity.
> It was always thus. In fact, until the ‘60s, a girl had to rely on her beauty and personality to eat and survive, i.e. by marrying.
The way this is framed today by people is soo disgusting.
1) Women did work before 1960.
2) Two incomes are better than one. Married couples are better off financially. Many women worked part time while the children were at school or in the evenings when the husband was back at home. I know this because my grandmother did and many of her friends.
3) A married couple typically provides the best environment for raising children. Most people want children.
4) Most people were dirt poor in the past in the western world by today's standards.
The disgust is very much in the eye of the beholder, I guess. The reality is that priority n.1 for a woman pre-1960s was to get married and priority n.2 was to bear kids; otherwise, men-dominated society would see her as “useless” and ostracise or abuse her, consider her inferior and unworthy, and effectively condemn her to a life of poverty (unless she had an inheritance to manage). That was the case for centuries, or rather millennia; the further back you go, the more violence was so widespread that a single woman (outside the elites) could not practically defend herself in everyday situations, hence making it basically impossible to have an independent life. Being disgusted by the strategies devised to survive this situation is like being disgusted at animals evolving to escape their predators.
We now see the vestigial remains of this “natural state” in western countries, thanks to the changes brought by mass-industrialization and consumerism (both forces being constantly hungry for bodies, and hence working as Great Levellers between sex, race, age, culture, etc) but it’s still very much present all over the world - the problems in Afghanistan or Pakistan are well-reported, for example, but hardly unique.
> The way this is framed today by people is soo disgusting.
> Most people were dirt poor in the past in the western world by today's standards.
You have just adjusted one simplification to end up over-exaggerating another one. A boomer's family could live off one salary. Since then women have joined the workforce and kind of the whole world by moving (migrating) or remote. While it is definitely true that those "non-westerners were dead poor in the past compared to today" there is a 20+ year long wage stagnation in the west and increase in prices on some of the very fundamental needs like housing, which results in memes about gen XYZ not being able to afford them, create stable conditions, have a spouse and then a family (kids).
Anyway, we are in this together, always on(line), connected, one global world and it depends how you view it: Appreciate the advancements the non-western world has made or focus on the gap they still have to the west. Though this all comes at the expense of the western world, which is kind of required to close the global gap.