The Malware Industrial Complex
holy_calamity writes "MIT Technology Review reports that efforts by U.S. government agencies and defense contractors to develop malware to attack enemies are driving a black market in zero-day vulnerabilities. Experts warn that could make the internet less secure for everyone, since malicious code is typically left behind on targeted systems and often shows up on untargeted ones, providing opportunities for reverse engineering. '"On the one hand the government is freaking out about cyber-security, and on the other the U.S. is participating in a global market in vulnerabilities and pushing up the prices," says Soghoian, who says he has spoken with people involved in the trade and that prices range from the thousands to the hundreds of thousands. Even civilian law-enforcement agencies pay for zero-days, Soghoian says, in order to sneak spy software onto suspects’ computers or mobile phones.'"
What is especially crazy about promoting a less secure environment for everyone, just so that you can hack your enemies, is that the US is among the more dependent on hackable IT systems...
Sure, neither computers nor good hackers are free; but they are cheap and broadly available enough that more or less any country that isn't starving to death in its own filth (and some that are) can trivially afford some. Even relatively petty gangs can run a profit by fielding a few. Vulnerability, though, is something that you accrue as your society becomes increasingly dependent on electronic communications and finance, SCADA-controlled industrial base, etc.
So, if you reduce security overall, you increase your own vulnerability to every last hellholistani intelligence service, nationalist script kiddie, and slimy pin-skimmer gang, in order to infiltrate the systems of people who probably depend less on computers than you do.
Genius, really.
would just mandate secret backdoors built into the OS/ browser/ plugin by the company that builds the OS/ browser/ plugin
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Posting A/C and being more vague than I would like... sigh... A certain company I used to work for based their whole product on the ability to install what was essentially a rootkit. My role was to pull data off the network. I didn't have too much problem with that, since if you're porn surfing on company or government networks, or leaking info, you sort of get what you deserve. Say what you will about Bradley Manning, but he had to know what he was getting into. OTOH, they wanted to push me around in various ways I didn't like, and the thought of pursuing a career there where my work would be less about legitimate protection of the network, and more about ubiquitous surveillance... it just left a bad taste in my mouth. I thought I might end up working on the rootkit, and the whole idea stuck in my craw, not only because of the increasing fascist tone of the US approach; but because of the inherently fucked up approach to security. I mean, if we can do this to their computers, they can do it to ours.... the whole thing, just more and more sour. My career has yet to recover, because I was pretty much groomed to be a military-industrial coder at that point, and wanted nothing to do with it. It's pretty much impossible to transfer over to the happy-bouncy-fun world of phone apps in your 40s, and all of that stuff is morphing into surveillance anyway. One of these days I might just unplug all the computers and chuck 'em.
I mean, Oracle & Adobe's programmers can't be that stupid.
Java, flash & acrobat are so full of holes so that one of their subsidiaries (shielded by many layers of corporate ownership) can turn around and sell exploit info to all sorts of people.
They created their own problem, and they also use malware on other people, so turn about is fair play.
One of my favorite Dilbert cartoons ever treated this situation (20 years ago):
http://dilbert.com/strips/comic/1995-11-13/
This will be a nice new revenue stream for software developers.
Unlike the old arms race which required time to manufacture physical weapons, this can go a lot faster. Like an arms race on steroids.
On one hand, your enemies can use those same vulnerabilities against you.
But on the other hand, since you know about them first, you can get your systems protected from those vulnerabilities. But if the fix is propagated too quickly, then you've just immunized your enemy.
A logical way to fix the vulnerability is to have more sophisticated detection at the border gateways into your private network. Like an intrusion detection and prevention system at the router. That way you don't actually release the fix, at least not too soon, to the whole world. The knowledge of the zero day exploit is only in the code to attack your enemy and in your border defenses. But not in the OSes, not in the browsers and whatever other general purpose software is being exploited.
If your friends, say the power grid people, need protection, you can provide it to them, without disclosing what the vulnerabilities are, by providing them with the same border defenses you use. Eventually, whenever you deem necessary, you can disclose the vulnerabilities to the vendors and let them fix it directly in the affected software.
A side effect of all this is to generally improve the security situation for everyone, eventually. Assuming there are not an infinite number of vulnerabilities, and that after the low hanging fruit is picked, the vulnerabilities get fewer and more difficult to exploit, then everyone's system, including your enemy's has become pretty secure.
If the security situation becomes bad enough, it might forcibly change the way we approach writing software. Just like when type safety was introduced into languages decades ago, our very programming languages may make it harder to have security flaws. Preventing programming errors must have some overlap with preventing security flaws. If your language doesn't allow direct access to pointers, has garbage collection (to prevent double delete, memory leaks, reference after delete), doesn't allow array index out of bounds (preventing lots of problems), you have excluded some types of vulnerabilities that had been common in the past. The language cannot fix all security problems, just some of the most basic ones.
Some work could be done in the language to help the libraries prevent certain classes of attacks. Introduce a new kind of type checking where you have, say, Html-Safe strings and must go through some function to convert Unsafe String into an Html-Safe strings. They are not assignment compatible. Similarly you could have another type of Sql-Safe strings. If the language mechanism were extensible, then you (or your library designer) could introduce other types like JavaScript-Safe strings, or XML-Safe strings, or Postscript-Safe strings, just to make up a few examples. In short you would have to go through well defined functions to convert from an unsafe string. You couldn't pass an Unsafe String to the format string parameter of, say, printf() so you would eliminate accidental format string attacks, just as you would prevent rendering an Unsafe string on an ASP/JSP/PHP or whatever you call it page that has embedded scripts. Widgets in your active pages could not accept unsafe strings from the "controller" objects. The language, api's and libraries would work together to prevent accidental "assignment" of the wrong kind of strings, just as decades ago they prevented assigning integers to strings.
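The sink-specific string types described in the two paragraphs above, worked through as an added example (this is not code from the post or from any real library). It assumes a small runtime model of the idea: `UnsafeString` is the raw input, each safe type (`HtmlSafe`, `SqlSafe`, `FormatSafe`) can only be minted by its own converter, the converters are the "well defined functions" the post mentions, and a `sink` decorator plays the role of the compiler's assignment check at `render_html`, `sql_literal` and `log_line`. The `make_safe_type` factory is the extensibility hook the post asks for; the SQL quote-doubling is a toy escape for illustration only.

```python
import html
from typing import Callable

_MINTED = object()  # private token: the only way a SafeString may be constructed


class UnsafeString:
    """Raw text of unknown origin (form field, header, file). Carries no guarantees."""
    __slots__ = ("value",)

    def __init__(self, value: str) -> None:
        self.value = value


class SafeString:
    """Base for sink-specific string types. Subclasses are distinct and not interchangeable."""
    __slots__ = ("value",)

    def __init__(self, value: str, token: object = None) -> None:
        if token is not _MINTED:
            raise TypeError(f"{type(self).__name__} can only be produced by its converter")
        self.value = value


def make_safe_type(name: str, escape: Callable[[str], str]):
    """Extensible mechanism: mint a new safe type plus the one converter that produces it."""
    cls = type(name, (SafeString,), {"__slots__": ()})

    def convert(s: UnsafeString):
        # Only raw input is accepted; HtmlSafe is not assignment compatible with SqlSafe.
        if not isinstance(s, UnsafeString):
            raise TypeError(f"{name} converter takes UnsafeString, got {type(s).__name__}")
        return cls(escape(s.value), _MINTED)

    return cls, convert


HtmlSafe, to_html_safe = make_safe_type("HtmlSafe", html.escape)
# Toy SQL literal escaping (quote doubling) for illustration; real code uses parameters.
SqlSafe, to_sql_safe = make_safe_type("SqlSafe", lambda s: s.replace("'", "''"))
# Neutralise %-directives so the value can never act as a format string.
FormatSafe, to_format_safe = make_safe_type("FormatSafe", lambda s: s.replace("%", "%%"))


def sink(expected: type):
    """Decorator: the first argument of the sink must be of the expected safe type."""
    def deco(fn):
        def wrapper(first, *rest):
            if not isinstance(first, expected):
                raise TypeError(
                    f"{fn.__name__} accepts {expected.__name__}, got {type(first).__name__}")
            return fn(first, *rest)
        wrapper.__name__ = fn.__name__
        return wrapper
    return deco


@sink(HtmlSafe)
def render_html(fragment: HtmlSafe) -> str:
    """Page widget: only HtmlSafe text may be placed into markup."""
    return f"<p>{fragment.value}</p>"


@sink(SqlSafe)
def sql_literal(s: SqlSafe) -> str:
    """Query builder: only SqlSafe text may become a literal."""
    return f"'{s.value}'"


@sink(FormatSafe)
def log_line(fmt: FormatSafe, *args) -> str:
    """printf-style sink: an UnsafeString can never reach the format parameter."""
    return fmt.value % args


def rejects(thunk: Callable[[], object]) -> bool:
    """True if the call is refused by the type discipline (this model's 'compile error')."""
    try:
        thunk()
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input: attacker-influenced text mixing markup, a quote and a %-directive.
    user = UnsafeString("<script>alert(1)</script> O'Brien 100%")
    print(render_html(to_html_safe(user)))
    print(sql_literal(to_sql_safe(user)))
    print(log_line(to_format_safe(user)))
    print(rejects(lambda: render_html(user)))                # raw string refused
    print(rejects(lambda: render_html(to_sql_safe(user))))   # wrong safe type refused
    print(rejects(lambda: HtmlSafe("trust me")))             # converter cannot be bypassed
```

In a statically typed language the `sink` checks would be compile errors rather than `TypeError`s at run time; the point the example makes is the same: a string is only accepted where its type says it has already passed through the right escaping function, so forgetting to escape becomes a type error instead of an injection bug.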
I'll see your senator, and I'll raise you two judges.
This is a classic Gold Rush scenario. There's only a fixed number of zero days, and the gold rush to find them is in full swing.
More eyes find more bugs; this is going to eliminate them quicker. This is a good thing in the long run.
What a contrast. On one hand the US government is lobbying for more stringent gun control laws, but on the other encouraging a cottage industry of vulnerability development with their actions. I guess malware doesn't infect computers, hackers do!
Doing this, they are promoting the creation of entire industries based on finding and "renting" zero-day vulnerabilities. Once you know one, until it gets fixed, you can eventually take more advantage of it, just maybe not in a public way. It's the way the corporate world works, after all; in the end what matters is maximizing benefits. If somehow that finding gets filtered to people who use it against US companies and individuals, it would be an "uh, we got hacked", and shut up about the increase in your bank account or other benefits (like zero-day vulnerability exchanges: you get more to sell, and give that information to the other kind of wrong people).
In the end, it will benefit the government's posture. There will be more attacks on both sides, from the government to other countries, and from hackers anywhere to the US and the rest of the world, reason enough to claim that the other countries are the ones attacking and escalate to a more physical kind of war. There is no better emergency than the one that you created.
Just remember this every time government representatives claim that they didn't start the fire.
To fund it and to make it look legitimate.
He is failing to serve his country. He'd rather let all the success go to lovely bastions of freedom and righteousness like China, Russia, North Korea, and Iran.
I resemble that remark!
> Blowback . . . is a bitch.
Not necessarily true. Some people actually like it.
I think the main effect will be that the free malware market gets hold of the malware products made by your national security organisations and uses them to upgrade all their projects, making your enemies the least of your worries.