Business Is Booming In the 'Zero-Day' Game
HonorPoncaCityDotCom writes "Nicole Perlroth and David E. Sanger write in the NY Times that all over the world, from South Africa to South Korea, business is booming in zero days. The average attack persists for almost a year before it is detected, according to Symantec, the maker of antivirus software. Until then it can be exploited or 'weaponized' by both criminals and governments to spy on, steal from, or attack their targets. Ten years ago, hackers would hand knowledge of such flaws to Microsoft and Google free in exchange for a T-shirt, but increasingly the market for 0-day exploits has begun to migrate into the commercial space (PDF) as the market for information about computer vulnerabilities has turned into a gold rush. Companies like Vupen charge customers an annual $100,000 subscription fee to shop through their catalog, and then charge per sale to countries who want to use the flaws in pursuit of the kind of success that the United States and Israel achieved three summers ago when they attacked Iran's nuclear enrichment program with a computer worm that became known as 'Stuxnet.' Israel, Britain, Russia, India and Brazil are some of the biggest spenders, but North Korea is also in the market, as are some Middle Eastern intelligence services."
....when do we start treating these folks like arms dealers? It's not a stretch, ITAR classified cryptography as munitions....
(* cyber 'war' is a ridiculous term for something we already have words for - espionage and sabotage, both of which have been achieved using only information, for centuries now).
So all I have to do is register a corp called "Highly Trusted Security Vendor", subscribe, and profit?!
We should have some kind of discussion about what the protocols for vulnerability disclosures should be, and what kind of legislation, if any, should be in place to back it up. Because if there is no discussion from the tech community, Congress will eventually do it themselves.
Of course, there will always be a black hat marketplace for vulnerabilities, but there could be laws with criminal and/or civil penalties.
This "if a government does it, it is not a crime" notion needs to stop!
The big AV providers are as bad. The quality of their software is not even any good. It just gives people a false sense of security. (And costs an obscene amount of money.) Just because something is UPX packed doesn't make it a virus. None of the 0-days are ever stopped by AV.
Putin had the best idea: just use typewriters and have good physical security and a very real, well-known threat of death.
you're 4th looZer BITCH :D
They would trade mutated virus strains (especially the successful ones) without worrying about an incoming pandemic.
Best strategy is not to play. Unplug from the realm of machines... where does that leave us? Get out the old phone modem and use it directly connected to your peer.
There is no way to secure ANYTHING plugged into any network owned by telcos and third parties. None.
So
There is good use for modems for those who need secure communications and must do it with their computers.
Do not throw away those old computers. They may be your key to the security you seek.
are all those links mentioned safe?
try these out for size X-treme Slide-rulering circa 1976
It would seem like a trivial cost of doing business for the big software firms to subscribe to these lists themselves through some sort of proxy. In fact, it would seem insane not to have an entire team/division dedicated to crawling around on the underbelly of this stuff rooting out the worst exploits and feeding them back to be corrected.
"Been there/done that" http://it.slashdot.org/comments.pl?sid=3958509&cid=44241949 & also saw "rules" in "heuristics" like: if an app uses a WinRar SFX as a distro carrier/installer, then "it is a virus" (WTF?). Worse ones too, like: if an app has networking code in it, and uses the "lowest common denominator" like Netscape 3.0 as its user-agent string, it too will be marked falsely as a "virus" - again, WTF!
The hilarious part? The app's been vetted as "virus/spyware" etc. free by folks in the security community itself, & they host it for me in fact (Malwarebytes is 1 of them):
APK Hosts File Engine 9.0++ 32/64-bit:
http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74
If you see the list of enumerated points it has there yielding better online speed, security, reliability & even anonymity to an extent? It'll truly make you wonder where the hell they were coming from classifying it as "malware"... in the end? They all ended up removing it from their lists of malware. Bottom line: When the people creating these programs can't even do their job correctly? "Houston, we have a problem!" & especially regarding my program, which works on a very simple principle: "What you can't touch, can't harm you"
APK
P.S.=> I got "the last laugh" & they "ate their words" (heuristics rules) vs. myself! No, & that's not a 1st either! I went through the same with Computer Associates, who hid that they did the same to another app of mine years ago, not even letting me know about it (had to find it out myself). I took their removal test, passed all 21 questions, & on the advice of an attorney I did so! So I did - what'd they do? Lowered it to "zero threat levels". I passed all removal questions. So why was it not removed then? They don't follow their own rules! CA was caught in accounting scandals afterwards ... apk
South Korea is the best South.
Yeah, that sounds dumb even to me.
Sometimes I think that using the Internet for anything other than publicly available static HTML (e.g. Wikipedia) is a mistake. Nice idea, but not every good idea works out well.
Now that we know that Microsoft and other American companies will arm the NSA with vulnerabilities that are reported to them, anyone finding a vulnerability might as well realize the commercial value themselves. Why would anyone not publish or sell?
In a way this is proof that the existing approaches to computer security have gone completely bust. They're big business so there's money in keeping it that way, not so much in actually fixing anything. Besides, patching does not fundamentally improve the software. All it does is wipe away visible blemishes.
This fits well with the blind-leading-the-blind approach to reporting about computer security, where everybody and his dog is a "hacker" even if he's really a rent-a-cop trying to defraud his employer by sticking a USB keylogger stick into some machines*.
There is nothing new going on here. Whether you're styling yourself a "white" or a "black" or even, superfluously, a "green" hat, you're no hacker. Green hats? Yes, they're in it for the money. Get it, green? Only both the white and the black hats are in it for the money too. Have been for a while. So that is a superfluous distinction.
Doesn't matter that there are laws against "hacking", as they are equally vague. I'd say needlessly, but that isn't quite the word for it. Laws need to be precise, and using vague terms like "hacking" in the popularly uninformed "anything potentially bad vaguely involving something computer-y somehow" meaning implies that the law can be applied inconsistently, at the attorney general's whim. And random justice is not justice. The Aaron Swartz case is a clear case of AG bullying by piling up the accusations. Now imagine that enshrined in law. It usually doesn't go too spectacularly wrong, but if the law was a car it'd be neither street legal nor safe to drive.
There's irony here. Originally "hacking" had strong connotations of doing new and interesting things. Things that had you go "I didn't know it could do that!?!" -- bonus points if the original creator of the thing made to do new things had that reaction. Thus the first buffer overflow, the first SQL injection, the first remote code injection and successful execution were "hacks". But the nine thousandth? Not so much.
Yet what we're seeing here is a veritable industry with a thriving market on both sides of the legality fence. Plenty of people doing their often quite specialised thing and making money, sometimes quite a lot of money, out of it. That's not "hacking", and so nobody doing that is a "hacker". Worse, even the white hats are not meaningfully pushing the state of the art of computer security forward. It's all patching holes in the notional Swiss cheese. No fundamental research, like research into model checking (which appears to be "strictly harder than NP", quite the intellectual challenge foregone), no nothing. Just churning, grinding, more of the same.
That this is a confused field is clear from the "ethical hacker" term. No, if you need a prefix you're no hacker. Hacking is not inherently unethical, or ethical. If you need a prefix (or a hat) to defend what you're doing, you're doing it wrong.
The black hats are doing us a disservice by exploiting us for their monetary gain. And the white hats? Likewise, plus they're not meaningfully contributing to research thwarting the black hats. Everyone is a green hat now. None are hackers.
Semantics are important, and the semantics of the IT security industry mean that it's a racket dressed up in fancy words it hasn't earned. It's a racket full of FUD, that you can see in most every press release and blog. And until we understand the semantics, until we stop using the wrong words, and start recognising what is really going on, we can't even begin fixing the problem because we can't see it, we can't talk about it, we can't identify just what is bugging us. Semantics are important, and so far we have been doing it wrong.
* Actual tech-rag reporting, indeed using the "hacker" moniker for describing exactly that.
I was a teenage pinheaded computer hacker, back in the day. ("Pinheaded" in the sense that I never stole anything, or caused any damage...I would break into a system and then do the computer equivalent of bouncing around like Daffy Duck — "Woo hoo! Woo hoo! Woo hoo!" The owners of the system would quickly realize that someone had broken in, and then work to close the hole.)
But my 18th birthday rolled around, and I decided to clean up my ethics, and only program for legitimate purposes.
WHAT AN IDIOT I WAS!
If I had kept up with it, upgraded my hacking skills to the Internet era, and worked to find security flaws created by lazy/stupid programmers, I would not only be working for the government, but I'd be hella rich.
Instead, I have to work with those lazy/stupid programmers on a daily basis, and have to deal with their sullen vitriol when I happen to point out that the code they squeezed out of their ass isn't the crown of creation.
I am so dumb. For this reason alone, I deserve my lousy career.
"Once we've identified and embraced our sickness, we'll have strength...and that's when we get dangerous." - John Waters
If these developers are so good at consciously creating vulns, you'd think they'd be better at NOT creating them too, now wouldn't you? After all, software shouldn't require /hundreds/ of these backdoors, just a handful that were constructed carefully enough.. They certainly shouldn't be getting discovered by independent researchers without all these necessary criminal and Military Industrial connections you describe.
Reality does not support your hypothesis here I'm afraid, I think your tinfoil hat might have been backdoored...
You're now adopting your "masters'" viewpoint of the ends justify the means (as long as we the 1%'ers who sold our soul come out on top. Yea, great. On top of a heap of shit is no major accomplishment). Only WE the 1%'ers are 'smart enough' (despite our shitty results economically, being caught spying on you, being caught abusing the powers of the IRS to target opponents, making wars you pay for and we 1%'er controllers profit by, etc.) to run things. Run 'em right into the ground, who the hell cares, we got ours! You must not be part of the masonic order secret handshake billionaire boys club or a "religious cult" doing the same on the other side of the fence (starts with j) then. If you were, you'd have long ago adopted the principles (or lack of them, along with a conscience and consideration for others, and no long-term thinking for the good either) you speak of.
You jest, but he is not the only one...
You ALL need to see this scene http://www.youtube.com/watch?v=UrOZllbNarw and that film character had it right as far back as 1997.
"Linux is the least secure modern kernel out there. It offers no heap, stack, ASLR, or even DEP (It may offer this as of 3.0?)"
..
That's because only the Windows kernel really needs heap, stack, ASLR and DEP. Putting user-mode application in the kernel (to speed up graphical rendering) was the dumbest thing Microsoft ever did
AccountKiller
MS has not done this since Windows 98/ME. Even IE is in userspace and has been for a long time. The graphics drivers are in kernel space because you cannot talk to a high-speed video device without it and expect good performance. Linux too has nvidia and framebuffer drivers in the kernel as well. No different.
All modern kernels need the above if they are expected to be on the internet. I think the Android kernels include some of these in patches.
http://saveie6.com/
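An added example, not written by anyone in this thread: the reply above says every kernel on the internet needs NX/DEP and ASLR, but the binary also has to be linked to cooperate with them (a PT_GNU_STACK entry without the execute bit, and a position-independent ET_DYN image so the main executable can be randomized). This standard-library Python reads those two facts straight out of an ELF64 header; `make_elf64` is a constructed helper that builds minimal test images and is not any real toolchain's API.

```python
import struct

# ELF64 constants (values from the ELF specification / elf.h)
PT_GNU_STACK = 0x6474E551   # program header recording the stack's permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3      # a PIE executable is linked as ET_DYN


def elf64_mitigations(data: bytes) -> dict:
    """Report whether an ELF64 image was built to cooperate with the kernel's
    DEP/NX and ASLR: non-executable stack flag, and position-independent type."""
    if data[:4] != b"\x7fELF" or data[4] != 2:    # EI_CLASS == 2 means 64-bit
        raise ValueError("not an ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    stack_flags = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
    return {
        "pie": e_type == ET_DYN,
        # No PT_GNU_STACK at all: the stack may end up executable, so an audit
        # should not credit the binary with NX.
        "nx_stack": stack_flags is not None and not (stack_flags & PF_X),
    }


def make_elf64(e_type: int, stack_flags) -> bytes:
    """Constructed test helper: a 64-byte ELF64 header plus at most one
    PT_GNU_STACK program header (not a loadable program)."""
    phnum = 0 if stack_flags is None else 1
    header = struct.pack("<4s3B9xHHIQQQIHHHHHH",
                         b"\x7fELF", 2, 1, 1,      # ELF64, little-endian, version 1
                         e_type, 62, 1, 0,         # e_machine 62 = x86-64, e_version, e_entry
                         64, 0, 0,                 # e_phoff right after header, no sections
                         64, 56, phnum, 0, 0, 0)   # e_ehsize, e_phentsize, e_phnum, sh*
    if phnum == 0:
        return header
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return header + phdr


if __name__ == "__main__":
    print(elf64_mitigations(make_elf64(ET_DYN, PF_R | PF_W)))          # hardened link
    print(elf64_mitigations(make_elf64(ET_EXEC, PF_R | PF_W | PF_X)))  # executable stack, no PIE
```

Pointed at a real file (`elf64_mitigations(open("/bin/ls", "rb").read())`) it gives the same two answers `readelf -l` would, without needing the toolchain installed.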
I'm disappointed this ain't about the warez scene. :P
All the more reason to consider using new programming languages like Rust which are built with memory safety in mind. Better programming languages are by no means a silver bullet for security problems, but they help.
Or at least the sort of computer design that deliberately walked away from having security built into all levels.
With that said, the Web acquired some customs that are hostile to security: Routine execution of automatically retrieved code, coding pages as composites from many third party sites, and the ad industry's negligent attitude toward malware are a few.
Also, neither PC nor Web architecture attempted to make certificates and keys into palpable first-class entities that users could more easily understand and manipulate, so the potential for verification and privacy were not realized.
Right now, some of the best stopgaps against this miserable history are projects like Qubes, Tor and I2P. Qubes lets me handle each thing I do in separate hardware-and-GUI enforced domains. Tor enables privacy for web and is familiar to many people. I2P gives me more than web connectivity, and the expectation that sites I connect to won't need Javascript (hardly ever) and is more future-proof than Tor.
Windows shill. You may stop talking now.
When legal hackers get prosecuted it's no wonder they flock to the black markets.
Infested faster than Win3.x-9x were - Most used = most attacked on any given computing platform: proven-over-time fact. As far as a rootkit not being the same as a virus? Please: quit the bullshit word games. Does "malware in general" suit you better?? You fail, and so does your nitpicking bullshit vs. that argument. Made me laugh for many years here while the Penguins spouted their bullshit of "Viruses can't touch Linux". Funny how ANDROID changed ALL that crap, eh? Not.