|
|
Log in / Subscribe / Register

Security quotes of the week

[Posted March 21, 2012 by jake]

“We wouldn’t share this with Google for even $1 million,” says [Vupen's Chaouki] Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”

Those customers, after all, don’t aim to fix Google’s security bugs or those of any other commercial software vendor. They’re government agencies who ­purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the ­explicit ­intention of invading or disrupting the computers and phones of crime suspects and intelligence targets.

-- Forbes on security research firms selling exploits to governments

The more complicated answer is that many bad things can happen if your RNG breaks down, and some are harder to deal with than others.

In the rest of this post I'm going to talk about this, and give a few potential mitigations. I want to stress that this post is mostly a thought-exercise. Please do not re-engineer OpenSSL around any of the 'advice' I give herein (I'm looking at you, Dan Kaminsky), and if you do follow any of my advice, understand the following:

When it all goes terribly wrong, I'll quietly take down this post and pretend I never wrote it.
-- Matthew Green

[An] otherwise uninteresting article on Internet threats to public infrastructure contains this paragraph:
At a closed-door briefing, the senators were shown how a power company employee could derail the New York City electrical grid by clicking on an e-mail attachment sent by a hacker, and how an attack during a heat wave could have a cascading impact that would lead to deaths and cost the nation billions of dollars.
Why isn't the obvious solution to this to take those critical electrical grid computers off the public Internet?
-- Bruce Schneier
to post comments

Security quotes of the week

Posted Mar 23, 2012 1:49 UTC (Fri) by mgedmin (guest, #34497) [Link]

What is the background behind that shout out to Dan Kaminsky?

Talk about black markets

Posted Mar 24, 2012 9:18 UTC (Sat) by man_ls (guest, #15091) [Link] (6 responses)

Selling exploits in the open, had to come sooner or later. (Shivers.) Are now "government agencies" opposed to computer security? Is this limited to US agencies, or will these vulnerabilities be available to (even) more sinister governments? Is this even legal? Whatever happens to responsible disclosure now? (This last question is purely rhetoric; I see this development as somehow opposed to full disclosure.)

Talk about black markets

Posted Mar 28, 2012 15:30 UTC (Wed) by njwhite (guest, #51848) [Link] (5 responses)

> Is this limited to US agencies, or will these vulnerabilities be available to (even) more sinister governments?

According to the article they sell "only to NATO governments and “NATO partners.”" So then, nothing to worry about, right? Oh wait...

Talk about black markets

Posted Mar 28, 2012 19:58 UTC (Wed) by man_ls (guest, #15091) [Link] (4 responses)

Yes, that is reassuring. NATO members include human rights champions as Turkey, Albania or the US. As NATO partners we find right about everyone: Afghanistan, Russia, Egypt, Israel or Pakistan. Reassuring indeed!

Talk about black markets

Posted Mar 29, 2012 9:11 UTC (Thu) by njwhite (guest, #51848) [Link] (3 responses)

But then it's mistaken to assume that *anybody* should have the right to break into your computer. Some governments have better publicised human rights violations than others (depending significantly on your source of news, naturally,) but ultimately none should be granted the tools to do it more efficiently.

Talk about black markets

Posted Mar 29, 2012 10:51 UTC (Thu) by man_ls (guest, #15091) [Link] (2 responses)

Well, your government has a right to break into your house and confiscate your computers. That is not negotiable at this point in History (and pretty much at any point). But supposedly we as citizens have certain guarantees, or least we can be aware of the risks. But having 0-day exploits for browsers means that other governments can break into computers remotely and without any due process.

Talk about black markets

Posted Apr 11, 2012 12:45 UTC (Wed) by massimiliano (subscriber, #3048) [Link]

Well, your government has a right to break into your house and confiscate your computers. That is not negotiable at this point in History (and pretty much at any point).

This is in some way fair: sometimes breaking into somebody's house is necessary to provide security for everybody else.

What's creepy about "legally" exploiting zero days exploits is that if the police breaks into my house at least I know it, I can require the police to show me why they did it, and I can arrange some kind of legal defense if I think I deserve it.

If the authorities "legally" break into my computer I have no notification at all... this is what makes me feel it's "plain wrong".

Talk about black markets

Posted Apr 11, 2012 20:53 UTC (Wed) by mathstuf (subscriber, #69389) [Link]

> Well, your government has a right to break into your house and confiscate your computers.

That's a power, not a right.


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds