Security quotes of the week
Those customers, after all, don’t aim to fix Google’s security bugs or those of any other commercial software vendor. They’re government agencies who purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the explicit intention of invading or disrupting the computers and phones of crime suspects and intelligence targets.
In the rest of this post I'm going to talk about this, and give a few potential mitigations. I want to stress that this post is mostly a thought-exercise. Please do not re-engineer OpenSSL around any of the 'advice' I give herein (I'm looking at you, Dan Kaminsky), and if you do follow any of my advice, understand the following:
When it all goes terribly wrong, I'll quietly take down this post and pretend I never wrote it.
At a closed-door briefing, the senators were shown how a power company employee could derail the New York City electrical grid by clicking on an e-mail attachment sent by a hacker, and how an attack during a heat wave could have a cascading impact that would lead to deaths and cost the nation billions of dollars.

Posted Mar 23, 2012 1:49 UTC (Fri)
by mgedmin (subscriber, #34497)
Why isn't the obvious solution to this to take those critical electrical grid computers off the public Internet?

Security quotes of the week
Posted Mar 24, 2012 9:18 UTC (Sat)
by man_ls (guest, #15091)
Selling exploits in the open: it had to come sooner or later. (Shivers.) Are "government agencies" now opposed to computer security? Is this limited to US agencies, or will these vulnerabilities be available to (even) more sinister governments? Is this even legal? What happens to responsible disclosure now? (This last question is purely rhetorical; I see this development as somehow opposed to full disclosure.)

Talk about black markets
Posted Mar 28, 2012 15:30 UTC (Wed)
by njwhite (guest, #51848)
According to the article they sell "only to NATO governments and “NATO partners.”" So then, nothing to worry about, right? Oh wait...

Talk about black markets
Posted Mar 28, 2012 19:58 UTC (Wed)
by man_ls (guest, #15091)
Yes, that is reassuring. NATO members include such human rights champions as Turkey, Albania or the US. As NATO partners we find right about everyone: Afghanistan, Russia, Egypt, Israel or Pakistan. Reassuring indeed!

Talk about black markets
Posted Mar 29, 2012 9:11 UTC (Thu)
by njwhite (guest, #51848)

Talk about black markets
Posted Mar 29, 2012 10:51 UTC (Thu)
by man_ls (guest, #15091)
Well, your government has a right to break into your house and confiscate your computers. That is not negotiable at this point in History (and pretty much at any point). But supposedly we as citizens have certain guarantees, or at least we can be aware of the risks. But having 0-day exploits for browsers means that other governments can break into computers remotely and without any due process.

Talk about black markets
Posted Apr 11, 2012 12:45 UTC (Wed)
by massimiliano (subscriber, #3048)
Well, your government has a right to break into your house and confiscate your computers. That is not negotiable at this point in History (and pretty much at any point).
This is in some way fair: sometimes breaking into somebody's house is necessary to provide security for everybody else.
What's creepy about "legally" exploiting zero-day exploits is that if the police break into my house at least I know it, I can require the police to show me why they did it, and I can arrange some kind of legal defense if I think I deserve it.
If the authorities "legally" break into my computer I have no notification at all... this is what makes me feel it's "plain wrong".

Talk about black markets
Posted Apr 11, 2012 20:53 UTC (Wed)
by mathstuf (subscriber, #69389)
That's a power, not a right.