Hacker News new | past | comments | ask | show | jobs | submit login

TFA says that Ernst and Young was the company to crack the laptop. Ernst and Young would not burn a zero-day exploit on an auditing job.



Then TFA was wrong.

E&Y’s own reports say that it was the Applicant’s own “expert” that tried to break in.

The applicant is the founder’s widow.

The expert doesn’t seem to have much of a specialization for breaking into computers. Who knows what kind of mess he caused.

S. 12

https://documentcentre.eycan.com/eycm_library/Quadriga%20Fin...


Applying a zero-day exploit without making it public doesn't burn anything. After all, no one knows how they did it.


But would they even risk raising suspicion?


Why would it? If no one else knows the password, just say it was a weak password (or even that you got lucky). There's $137m missing, so clearly something went wrong - one more mistake wouldn't be hard to believe. Even if it does, does it matter? "There's a vulnerability in <OS>" is not exactly news or useful.


I'm confused why anyone in this thread chain would think a firm like Ernst and Young would have access to zero-days?


0days are not magic. Stare enough at code and you will find them. E&Y and the other Professional Services companies have a big pentesting team, and they would have made discoveries on their own regarding system security. Any company with a large security / research team would have 0days. What they do with them, (report, sit, burn, etc) is up the organizational and individual ethics of the operator.


Because 0-days are accessible to anyone with money. And Ernst and Young would have a ton of money, and plenty of opportunities where clients would come to them and hire them privately about issues like this.

Coming up with 0-days is moderately hard with your own cracking team. Buying them is an easy thing to do.

Ultimately, that's what 0-days are for in the wider market. You find one and sell it.


Ernst and Young are huge and do a lot of very sophisticated forensic accounting work. If they don't have people in house, they almost certainly have the phone number to someone who does.


they probably do this every day. At this level, it would have needed to be packaged similar to the way the NSA tools were.

A package of tools that comes on a hardened usb key, just plug it in in the field and it runs through the 0days that it knows about.


If fees were x and the bought exploit cost a lot less, why not?




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: