From: lexfridman
Zeroday vulnerabilities and exploits are critical elements in the realm of [[computer_security_vulnerabilities | computer security]]. These vulnerabilities refer to the software flaws that are unknown to the vendor and thus unpatched, giving potential attackers a window of opportunity to exploit these weaknesses.
> [!info] Definition
>
> A zeroday vulnerability is a flaw in software that is unknown to the software vendor. When a hacker discovers such a vulnerability, it is dubbed "zeroday" because the engineers have had zero days to fix the problem <a class="yt-timestamp" data-t="01:01:34">[01:01:34]</a>.
## Exploiting Zeroday Vulnerabilities
The minute a zeroday is identified, engineers are immediately on the clock to develop a patch. Until a patch is available, attackers can create programs known as zeroday exploits to take advantage of these vulnerabilities. These exploits can be incredibly valuable, particularly to governments and spy agencies looking to monitor individuals without their knowledge <a class="yt-timestamp" data-t="01:01:59">[01:01:59]</a>.
### Types of Exploits
A zeroday exploit can be a local or remote exploit. Remote zeroday exploits are particularly coveted, especially those that require no user interaction, such as remote, zero-click exploits on devices like iPhones or Androids. Such exploits can allow attackers to access everything from location data and contacts to photos and even activate cameras and microphones without the victim's knowledge <a class="yt-timestamp" data-t="01:02:05">[01:02:05]</a>.
## Market for Zeroday Exploits
There is a significant [[market_for_cyber_weapons_and_surveillance | market for cyber weapons and surveillance]], which includes a substantial trade in zeroday exploits. These can sell for millions of dollars, especially if they are potent enough to remotely exploit popular operating systems like iOS or Android. The trading of these exploits often operates in secrecy, with buyers and sellers entering agreements that ensure exploits remain undisclosed, thus maintaining their value <a class="yt-timestamp" data-t="01:04:11">[01:04:11]</a>.
## Ethical and Security Implications
The sale and use of zeroday exploits raise significant [[role_of_ethics_and_motivations_in_hacking | ethical considerations]]. Some argue that creators of these exploits are merely providing a service to meet demand, capitalizing on security flaws present in widely used software. Others contend that these activities leave software vulnerable to [[social_engineering_attacks]], espionage, and even [[nationstate_cyber_attacks_and_espionage | nation-state cyber attacks]] <a class="yt-timestamp" data-t="01:06:47">[01:06:47]</a>.
> [!quote] "Are most of these attacks targeted to cover a large population or specific individuals?"
>
> The nature of zeroday exploitation can vary widely. While some attacks are designed to target specific individuals, such as in potential terrorist investigations, others can impact large swaths of populations, as seen with the targeting of Uyghurs through a watering hole attack <a class="yt-timestamp" data-t="01:08:39">[01:08:39]</a>.
## Defense and Future Directions
To combat the threat posed by zeroday vulnerabilities, companies and governments have established bug bounty programs to incentivize the disclosure of vulnerabilities prior to their exploit by malicious actors. Despite these efforts, the market remains lucrative and lives in the shadows due to the potential windfall for sellers <a class="yt-timestamp" data-t="01:13:03">[01:13:03]</a>.
Ultimately, ensuring cybersecurity rests on a robust combination of ethical hacking, proactive defense, and global consensus on the limitations of [[the_influence_and_operations_of_anonymous_and_lulzsec | cyber warfare]] techniques. As new technologies develop, the challenge will be maintaining security without infringing on personal freedoms.