
Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Technology Review covers the controversy that has resulted from Google's disclosure and fixing of a number of security vulnerabilities being exploited by Western intelligence agencies. "Instead of focusing on who was behind and targeted by a specific operation, Google decided to take broader action for everyone. The justification was that even if a Western government was the one exploiting those vulnerabilities today, it will eventually be used by others, and so the right choice is always to fix the flaw today."


Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 26, 2021 13:58 UTC (Fri) by vadim (subscriber, #35271) (29 responses)

I'm going to side with Google here.

A security bug is a security bug; it should be fixed. Ideally it shouldn't have existed at all, anyway. Any vulnerability out there might be being used for some good end (however that is defined), so that shouldn't be a justification for leaving it unpatched; otherwise nothing would ever be fixed.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 26, 2021 14:01 UTC (Fri) by vbabka (subscriber, #91706)

Yes, that should not be controversial.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 26, 2021 14:56 UTC (Fri) by dskoll (subscriber, #1630) (18 responses)

I mostly side with Google. However, just as there's responsible disclosure to give companies time to fix flaws, I think Google should have worked with security agencies so they could have had a heads-up. (Maybe they already did this, in which case I think they behaved perfectly well.)

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 26, 2021 19:17 UTC (Fri) by josh (subscriber, #17465) (6 responses)

"responsible disclosure" is designed to make sure vendors can prepare and coordinate patching efforts, to make it more likely people will have patched their systems in time to avoid an exploit.

"responsible disclosure" does not include notifying *attackers* that their vulnerabilities will stop working.

On the contrary, one goal of responsible disclosure is to maximize the amount of time that defenders know and attackers don't.

These issues were already being exploited in the wild, so the right thing to do was patch the issues as fast as possible.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 26, 2021 19:25 UTC (Fri) by dskoll (subscriber, #1630) (5 responses)

Yes, sure. But when there's the potential for people's lives to be at stake, I don't think it's unreasonable to give some kind of heads-up (and it may well be that Google did that).

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 26, 2021 22:36 UTC (Fri) by josh (subscriber, #17465)

It's absolutely unreasonable to expect any security researcher to notify an attacker that their exploit will stop working.

Lives may be at stake either way. Any vulnerability can be used by any attacker. Security researchers should not be in the business of leaving vulnerabilities unfixed, or evaluating how much they agree with the attackers exploiting them. Fix them all, and let attackers find out via the public announcements along with everyone else.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 27, 2021 1:20 UTC (Sat) by mjg59 (subscriber, #23239)

When exploitable vulnerabilities exist in Google's products, lives are already at stake. Removing those vulnerabilities is absolutely the right thing to do regardless of who's exploiting them at a specific point in time - there's no way to know whether someone else will be exploiting them 5 minutes from now.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 29, 2021 6:21 UTC (Mon) by Seegras (guest, #20463)

An intelligence agency which keeps vulnerabilities secret is putting the security of its own infrastructure, police, army, government, power plants, hospitals and the lives of its people at stake.

It's wholly irresponsible to do that in the first place, because of course, not just criminals (#wannacry?), but terrorists could use these vulnerabilities as well.

The "counterterrorism"-argument is a straw man, this isn't about that, it's about surveillance and control on the side of intelligence agencies, directly harming the security of the people they're supposed to protect.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 30, 2021 2:31 UTC (Tue) by gdt (subscriber, #6284)

The "agent's life at risk" scenario raises other questions; particularly intelligence officers being honest with agents about the risks involved.

0-days have a tenuous existence. Sure, there are 0-day projects, but 0-days can also close due to software source code analysis, or even by adding a new feature to the software leading to an alteration of the code. The motivation for the change doesn't matter; whether the action is deliberate or incidental doesn't matter -- in the "agents at risk" scenario, when the change happens, the agent is killed.

Intelligence agencies which claim "agents' lives at risk" when discussing 0-day exploits need to explain how they intend to continue to recruit agents when they so clearly value the lives of their agents so little as to risk an agent's life with each software update.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Apr 5, 2021 6:52 UTC (Mon) by riking (subscriber, #95706)

I modestly submit that if the attackers wanted a notification that the bug was about to be fixed, they should have included their contact details in the exploit.

:)

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 26, 2021 21:04 UTC (Fri) by amarao (guest, #87073) (7 responses)

> I think Google should have worked with security agencies so they could have had a heads-up.

It's really funny to read this without clarifying what country agencies you are talking about.

... There was a heated discussion between Google and the Russian General Intelligence Directorate on the topic of delaying the fix for the vulnerability used to penetrate the protected networks of the adversary's Senate.

Oh, sorry, it was FBI and Duma. I always mess them up.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 27, 2021 0:25 UTC (Sat) by dskoll (subscriber, #1630) (6 responses)

The story mentioned Western intelligence agencies. I assumed we were all on the same page there.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 27, 2021 10:45 UTC (Sat) by zdzichu (subscriber, #17118)

How do we draw the line? I see Russia as quite a Western society, therefore Russian intelligence agencies should be "Western".
The opposition would be Eastern agencies. Countries like China, Korea, India, maybe Israel, Pakistan, Vietnam…

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 27, 2021 11:33 UTC (Sat) by gray_-_wolf (subscriber, #131074) (4 responses)

> The story mentioned Western intelligence agencies. I assumed we were all on
> the same page there.

Well yes, but as someone who is not a US citizen, I basically do not have *any* legal protection from US spying. So for me personally, it does not really matter. All of Russia, the USA and China are and should be considered enemies for a regular person who wants to keep his privacy.

So either Google is an independent company that should protect its users, or a partner to US security agencies, and in that case should be treated as a possible attack vector.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 27, 2021 16:11 UTC (Sat) by Wol (subscriber, #4433) (3 responses)

> or a partner to US security agencies and in that case should be treated as possible attack vector.

EXACTLY.

And as a non-American, even though the Americans are our "friends", I very much consider them a loose cannon ...

Cheers,
Wol

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 28, 2021 18:13 UTC (Sun) by ermo (subscriber, #86690) (2 responses)

Any state-sponsored actor with licence to act indiscriminately and unilaterally in covert operations is to be considered a "loose cannon" as you put it.

In terms of behaviour, the only difference between criminal operations and state-sponsored actors seems to be the thin veneer of government control of the latter.

And even then, recent history shows that government only really cares when it involves its own citizens (and if the stakes are high enough, maybe not even then). Non-citizens are always fair game insofar as the ends appear to justify the means.

In any case, history clearly shows that "Friends" and "Allies" are both nebulous concepts when it comes to nation states and their intelligence agencies.

All of the above is my roundabout way of suggesting that security flaws should be fixed, no matter who exploits them. As a corollary, encryption/security should obviously not be weakened to support intelligence operations, since they're just as likely to be exploited by enterprising criminal operations.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 28, 2021 19:29 UTC (Sun) by zlynx (guest, #2285)

> All of the above is my roundabout way of suggesting that security flaws should be fixed, no matter who exploits them. As a corollary, encryption/security should obviously not be weakened to support intelligence operations, since they're just as likely to be exploited by enterprising criminal operations.

And intelligence operations and criminals are often tightly tied together. Need some off the books money? Criminals. Fake ID? Criminals. A little quid-pro-quo and your "warrants only intelligence loophole" becomes an organized crime loophole.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 29, 2021 19:40 UTC (Mon) by rmayr (subscriber, #16880)

Yup, Austria is well known to be an active target of US intelligence agencies, not only because Vienna hosts one UNO site. We have exactly zero legal protection against such actions, and I am pretty sure the agents have no ethical or moral qualms about attacking any other EU citizen either. Yes, sometimes their actions may mean a net good for the global society, but many other times they may not. So please forgive me for not seeing the point of giving such agencies a break by not fixing open security vulnerabilities they are actively abusing. Everybody has a right to security.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 27, 2021 7:21 UTC (Sat) by rodgerd (guest, #58896) (2 responses)

I dunno. Were these Western intelligence agencies driving Jean Seaberg to her death? Helping Suharto murder dissidents? Aiding Pinochet?

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 28, 2021 17:18 UTC (Sun) by NightMonkey (subscriber, #23051) (1 response)

Just a typo correction: It's Jean Seberg: https://en.wikipedia.org/wiki/Jean_Seberg

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 28, 2021 21:04 UTC (Sun) by rodgerd (guest, #58896)

Thanks - hopefully no-one was too confused by that.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 26, 2021 15:14 UTC (Fri) by jmfrancois (guest, #86068) (7 responses)

Intelligence agencies will always claim they are acting for good; one would be foolish to trust them. In the former CIA director's own words, "we lied, we cheated, we stole... we had entire training courses".

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 26, 2021 19:27 UTC (Fri) by dskoll (subscriber, #1630) (6 responses)

Intelligence agencies always use underhanded methods (lying, cheating, stealing, to quote you). It is not the case, however, that their end goals are always bad. Sometimes they are; sometimes not. That has to be decided on a case-by-case basis.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 26, 2021 22:27 UTC (Fri) by josh (subscriber, #17465) (4 responses)

> That has to be decided on a case-by-case basis.

No, that has to be completely ignored because security researchers should not be determining which vulnerabilities "should" be fixed. Fix them all.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 27, 2021 0:24 UTC (Sat) by dskoll (subscriber, #1630) (3 responses)

I am not saying vulnerabilities should not be fixed; you are mischaracterizing my position.

I'm saying when lives are at stake, there is a case to be made for coordination with intelligence agencies.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 27, 2021 1:53 UTC (Sat) by josh (subscriber, #17465)

Such coordination could lead to fixing the vulnerability slower or not at all, incurring legal risk (suppose the response to your communication is an injunction), or otherwise not protecting users of the software as effectively.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 27, 2021 4:48 UTC (Sat) by felixfix (subscriber, #242)

When the only people who say lives are at stake are the ones who have admitted to lying under oath, who have lied for decades, who have lied to their civilian bosses, to courts, and to the public -- why should anyone trust anything they say?

Further, why should anyone assume these self-proclaimed smart guys are actually smarter than everybody else; so smart, in fact, that they alone of all the intelligence agencies around the world have discovered the exploit?

Combine those two, and ask again, why should anyone trust these people to tell the truth about themselves, about their opponents, or about anything?

Shut down every security hole, as soon as possible. Anything else is specious.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 27, 2021 9:49 UTC (Sat) by kunitz (subscriber, #3965)

If Google can detect the security bugs independent of "friendly" security agencies there is a chance that "non-friendly" intelligence agencies can find it as well. We all are better off if the security bugs are fixed.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 27, 2021 1:28 UTC (Sat) by Nahor (subscriber, #51583)

That assumes that a security bug is exploited only for one and only one case, or only for good and only good cases. More likely than not, a bug is exploited for both good and bad at the same time.

And then there will always be an active case that could make use of the bug, so there wouldn't be any good time to fix it.

And by the way, it would also be nice if we could introduce new bugs to make those investigations even easier... Oh wait, that's the backdoors that the triple-letter agencies keep wanting to introduce.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 26, 2021 20:51 UTC (Fri) by nix (subscriber, #2304)

Quite. Further, if a vulnerability is bad enough that friendly intelligence agencies are using it to entrap enemies of (say) the US, that means it's almost certainly possible that unfriendly intelligence agencies can exploit it to entrap *their* enemies, i.e. the very people the friendly intelligence agencies are meant to be protecting! In fact, given that intelligence agencies have as a significant part of their actual job spying on each other, and they're very good at it, it's probably more likely than not that these friendly-use vulns are already in use by hostile powers as well.

Fix them all. It's the only way to be safe. I wouldn't even risk notifying the "friendly attackers" in advance: there's too much danger that this will leak straight to hostile powers, and we've just seen the sort of frantic exploit-everything rush job they can do when that happens with MS Exchange. Notifying friendly intelligence agencies in advance could well mean that *every single vulnerable system on the Internet* promptly gets owned by hostile powers, and that's an outcome I don't think we want to see happen again.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 26, 2021 15:27 UTC (Fri) by tytso (subscriber, #9993)

Given how well the NSA's "vulnerability equities process" worked in the case of "EternalBlue", the vulnerability which the NSA kept closely held and which was eventually used in ransomware and malware such as WannaCry, NotPetya, TeslaCrypt, and others, sure, we should trust the US Government and turn a blind eye when we could make the internet more secure by closing their zero-days. Not!

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 26, 2021 22:31 UTC (Fri) by flussence (guest, #85566)

With the amount of terror western rulers (corporatocracy notwithstanding) have been causing consequence-free lately, I'm more inclined to believe Project Zero is the real CT operation here.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 27, 2021 9:11 UTC (Sat) by zauguin (subscriber, #138185)

Why is there even a "controversy"? We know that US intelligence agencies spy on their allied governments and engage in industrial espionage with no relevance to terrorism. According to their own statements US officials don't know what their intelligence agencies are doing, but according to the article they still have significantly better oversight than "other western democracies". And we can expect that it only gets worse when we don't believe such official comments. So even if one believes that security disclosures should be held back for counterterrorism reasons, there is no reason to trust western intelligence agencies enough to believe that they actually restrict themselves to such usage.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 27, 2021 16:15 UTC (Sat) by kleptog (subscriber, #1183)

So the US Government has a system to weigh up the costs and benefits of disclosing an issue so it can be fixed. Ok. But because it's 'more formal, transparent, and expansive than anyone else' it's perfectly fine and we should trust it. Say what?!

One thing I can be sure about is that the US Government isn't taking me into account in their calculations. If you're going to hoard 0-days at least be honest about it and admit you're doing it for selfish reasons.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Mar 31, 2021 8:59 UTC (Wed) by simlo (guest, #10866)

If we go along with the spies, security updates are weaponized, and we need ITAR restrictions to access them.

Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Posted Apr 1, 2021 12:58 UTC (Thu) by mvdwege (guest, #113583)

Why do any intelligence operations going on have any relevance? That's not the responsibility of the vendor. If they find a vulnerability, they close it. Intelligence agencies should know that this is the regular cost of operations. But instead of simply doing their work, they run to friendly media and politicians with scare stories about how Google is letting the scary terrorists off the hook.

This is not a controversy. This is a bunch of lazy spooks who'd rather engage in propaganda, at the same time undermining security for the larger public, than do their bloody job.

Government-sponsored cybercrime is still cybercrime

Posted Apr 1, 2021 18:00 UTC (Thu) by ecree (guest, #95790)

> How one treats intelligence activity or law enforcement activity driven under democratic oversight within a lawfully elected representative government is very different from that of an authoritarian regime.

That argument assumes a lot of its conclusion, especially given how many "lawfully elected representative governments" have been acting in authoritarian ways lately.

And CT units whining that their favourite vuln just got taken away are acting *awfully* entitled. Rather like how police forces the world over constantly whine that encryption shouldn't be allowed unless it has LE backdoors, because "we've always been able to wiretap people in the past, therefore it's our God-given right to do so".

Kudos to Google; however much we might gripe about other things the company do or don't do, Project Zero continues to Do The Right Thing with admirable regularity and consistency.


Copyright © 2021, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds