Hi to all
Recently I replied to a journalist from the Economist about the Vupen case, to explain to him the different aspects of the vulnerabilities/0-day market (history, prices, strategic and tactical issues, what to think about vulnerabilities…). I have just discovered this article today and I would like to react to some of his claims, which are totally wrong. I explained to him that, contrary to Vupen and companies working in this area, we are neither working on nor using vulnerabilities at all, except for teaching purposes (in our Master's course, for example) and very seldom to validate part of our results regarding defense techniques.
All of our research deals with algorithmic and design-concept weaknesses. So we are absolutely not interested in this kind of research, since we mostly focus on mathematical aspects. For implementation vulnerabilities, there are companies that do the job very nicely.
I am heading an R&D lab, not a business, and whenever we find some security issue we publish it for free at hacking conferences or on the present blog after having contacted the vendor. Implementation flaws are not interesting from my point of view, since they can be patched and therefore their lifetime is very limited, contrary to mathematical flaws or conceptual backdoors. Anyone who knows about our research can confirm that we do not work on implementation flaws and that we have never taken part in any reversing challenge.
I am a bit disappointed by the Economist (an excellent newspaper) and by journalists whose only interest is to make a buzz, while we simply try to educate people.