Slashdot Mirror


Hacking Team Breach Leaks Zero-Days, Renews Fight To Regulate Cyberweapons

Patrick O'Neill writes: In the days following a massive hack that confirmed Hacking Team's dealings with repressive regimes around the world, experts are wondering once again how to stop Western technology companies from equipping certain governments with weapons meant to attack journalists, human rights activists, and ordinary civilians. Regulation's backers say that "this is an industry that has failed to police itself," ACLU's Christopher Soghoian argued, but many including the EFF warn that overly broad legislation would harm more than help. In addition, wiredmikey points out that a number of exploits have been released in the wake of the hacking: Several exploits have been discovered, including ones for zero-day vulnerabilities, in the hundreds of gigabytes of data stolen by a hacker from the systems of surveillance software maker Hacking Team. Researchers at Trend Micro analyzed the leaked data and uncovered several exploits, including two zero-days for Adobe Flash Player. A readme document found alongside proof-of-concept (PoC) code for one of the Flash Player zero-days describes the vulnerability as "the most beautiful Flash bug for the last four years since CVE-2010-2161." In addition to the Flash Player exploits, researchers spotted an exploit for a Windows kernel vulnerability, a flaw that fortunately has already been patched. Adobe told SecurityWeek that it's aware of the reports and expects to release a patch on Wednesday.

77 of 123 comments

  1. You mean, like *all* governments? by NotDrWho · · Score: 4, Interesting

    experts are wondering once again how to stop Western technology companies from equipping certain governments with weapons meant to attack journalists, human rights activists, and ordinary civilians.

    Are there any governments left that DON'T do this as a matter of practice?

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
    1. Re:You mean, like *all* governments? by blueg3 · · Score: 1

      Do you think the US and UK treat journalists and human rights activists the same way they are treated in Egypt and Sudan?

    2. Re:You mean, like *all* governments? by GuB-42 · · Score: 1

      Are there any governments left that DON'T do this as a matter of practice?

      Greece, because they don't have the money.

    3. Re:You mean, like *all* governments? by penguinoid · · Score: 1

      Do you think the US and UK treat journalists and human rights activists the same way they are treated in Egypt and Sudan?

      Depends on whether the human rights activists are fighting oppressors the US likes, or doesn't like.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    4. Re:You mean, like *all* governments? by NotDrWho · · Score: 2

      Do you think the US and UK treat journalists and human rights activists the same way they are treated in Egypt and Sudan?

      Of course not. When it comes to using spyware and backdoors to spy on journalists, the US and UK are *MUCH* worse.

      --
      SJW's don't eliminate discrimination. They just expropriate it for themselves.
  2. Re:Statism vs. Libertarianism again by mlw4428 · · Score: 4, Insightful

    Wait, why? Why does that have to be so black and white? There's a world of difference between an Adobe Flash exploit and the availability of a gun that can mow down a large number of people in a matter of seconds.

  3. You cannot regulate cyberweapons. by JonathanP.Bennett · · Score: 5, Interesting

    First, the entire idea of cyberweapons is laughable. Exploits are only possible because of flaws in the code. That is no more a weapon than an unlocked door.

    Second, you cannot regulate them as they are immaterial. It would be possible to discover a previously unknown vulnerability, and then not record the finding anywhere. Congratulations, you have a cyberweapon in your brain. Good luck regulating that.

    1. Re:You cannot regulate cyberweapons. by thedavidcathey · · Score: 2

      The EFF is right, since if written poorly, 'ping -f' could be considered a cyber-weapon, and one that's widely distributed by many open source O/S platforms.

    2. Re:You cannot regulate cyberweapons. by Xylantiel · · Score: 1

      While the term "cyberweapon" is ludicrous, I think there is still a valid question concerning what the legal consequences are of selling zero-day vulnerabilities or tools that use them. Is it even illegal? Or is it only illegal if they are used for an illegal activity? And if that is the case, how is illegal activity defined in an international governmental context? This will likely all get worked out by case law, but maybe it would help to write or revise some laws as well.

    3. Re:You cannot regulate cyberweapons. by amicusNYCL · · Score: 1

      You're conflating the vulnerability with the weapon. The weapon is not the vulnerability, the weapon is the piece of code that exploits or attacks the vulnerability. Those pieces of code are most certainly material.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    4. Re:You cannot regulate cyberweapons. by phantomfive · · Score: 2

      You can use a firearm to....scratch your back

      Wow, some people really shouldn't be gun owners.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:You cannot regulate cyberweapons. by penguinoid · · Score: 1

      First, the entire idea of cyberweapons is laughable. Exploits are only possible because of flaws in the code. That is no more a weapon than an unlocked door.

      I also find the idea of lockpicks laughable. Lockpicking is only possible because of fundamental design flaws in locks. They are no more a weapon in a thief/spy's arsenal than an unlocked door.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    6. Re:You cannot regulate cyberweapons. by AmiMoJo · · Score: 1

      Exploits are not cyberweapons. That's not what the word means.

      Look at what this company offers. It's a suite of software, with on-going updates and support, designed to make attacks on people's computers. It's a number of exploits that have been turned into a useful and complex tool, supported and maintained. They will even sell you boxes with it pre-installed and set up for your needs, just plug in and start oppressing.

      Regulating such things is easy. They require significant amounts of work to develop, and on-going support to keep them working (because exploits eventually get patched, samples of the software eventually get into the hands of anti-virus companies, etc.) It's a sizeable commercial operation. Sure, maybe some guy could build an F16 in his garage, but normally it requires a large and easy to regulate operation to do it.

      Also, they helpfully advertise the fact that they manufacture and sell cyberweapons on the internet, so it's not even hard to find and jail people who violate UN sanctions or weapons export licences.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. Re:Statism vs. Libertarianism again by PraiseBob · · Score: 3, Insightful

    Why should an ideological stance on the regulation of guns and computers be the same? They clearly are different tools with much different uses.

    Am I allowed to oppose dumping raw mercury into rivers & streams, if I support freedom to travel by airplane? After all, both are forms of pollution in the same sense that computers and guns can both be used as weapons.

  5. Re:Statism vs. Libertarianism again by thedavidcathey · · Score: 2, Insightful

    This is nuts. The industry has been working hard on this (and the large quantity of security, firewall, anti-virus speaks to that), but it's a difficult problem. Do you really think the bad actors (individuals, groups, and governments) are going to be dissuaded by some regulation?

  6. Their customers are governments. by ErikTheRed · · Score: 1

    So, who, effectively, is going to regulate them? They'll just find a place where the regulatory regime will permit (if not actively encourage) their activities. The regulation argument is hilarious.

    --

    Help save the critically endangered Blue Iguana
    1. Re:Their customers are governments. by Fire_Wraith · · Score: 1

      Regulation isn't the answer, no - you can't get rid of them that way any more than you can get rid of weapons. The ones that we've been successful at banning are the ones nobody really saw as being effective or necessary anyway (Chemical weapons, and some countries have gotten rid of land mines - but not the ones with heavily fortified armed borders).

      That said, it's an imperfect analogy. I can't make myself and everyone else immune to a 5.56mm round from a rifle simply by knowing about its existence, what it does, and writing up some code to block it. "Cyberweapons" (pardon the use of such a ridiculous term) only work against two types of targets, those who don't know about the vulnerability being attacked, and those who haven't sufficiently patched it (for a variety of reasons).

      Part of the core problem is that the same governments who should be working to protect us from these attacks are instead hoarding the knowledge of those vulnerabilities to use them in an offensive manner. This leaves us more vulnerable than we ought to be, both against criminals, and government attackers (including our own).

  7. Re:Statism vs. Libertarianism again by mi · · Score: 2, Informative

    Am I allowed to oppose dumping raw mercury into rivers & streams, if I support freedom to travel by airplane?

    You are allowed to dislike anything you want. What you do about it, however, needs to be consistent. If you want government to fight pollution, for example, you should support governmental efforts to fight all of it. If, instead, you prefer the problem be solved by boycotts and lawsuits by the people actually suffering from the ill-effects, then that view, too, should apply to all kinds of pollution.

    That said, could you not have come up with a less contrived example? Raw mercury is too valuable for anybody to just dump it into a river...

    --
    In Soviet Washington the swamp drains you.
  8. Re:Statism vs. Libertarianism again by mlw4428 · · Score: 1

    Are you making a serious argument in comparing people getting shot and the NYSE shutdown? This is the hill that you're going to make your stand on?

  9. Re:Statism vs. Libertarianism again by netsavior · · Score: 4, Interesting

    Why should an ideological stance on the regulation of guns and computers be the same? They clearly are different tools with much different uses.

    I think you are wrong about that. The ideological stance on gun ownership in the bill of rights had a lot to do with empowering people to overthrow their corrupt government. Guns no longer have that power for the most part. Computers do. When was the last time a Deer Rifle toppled a world power? When was the last time twitter did? The answer is 2011. Or maybe even 2014.

    Computers aren't the same thing as guns, in fact they are a lot more powerful.

  10. What the hell? by cHiphead · · Score: 1

    What fight to regulate cyberweapons? What cyberweapons? Jesus are people really that nuts now?

    --

    This is my sig. There are many like it, but this one is mine.
  11. Of course it won't regulate itself by quantaman · · Score: 1

    Regulation's backers say that "this is an industry that has failed to police itself,"

    Would you expect liquor stores to self-regulate and decide the drinking age is too low?

    Self-regulation might work for some cheap and easy things, but no industry is going to refuse to sell to a massive portion of the market voluntarily. If you want to stop them you need legal enforcement.

    --
    I stole this Sig
  12. stop Western technology companies by Ryanrule · · Score: 1

    ahem, agenda much?

    1. Re:stop Western technology companies by Nutria · · Score: 1

      Of course not!! *Obviously* the Chinese and Russian governments have a long history of secular humanism and effective promotion of their citizens' welfare.

      (Oh, wait. That's Denmark & Sweden back when they didn't have many dark-skinned immigrants.)

      --
      "I don't know, therefore Aliens" Wafflebox1
  13. Re:Statism vs. Libertarianism again by 6ULDV8 · · Score: 5, Funny

    > You are more likely to be killed driving home tonight.

    That's why I tell my employer I have to get home before sunset.

    --
    Pull my finger for my public key.
  14. Re:Statism vs. Libertarianism again by benjfowler · · Score: 1

    Consistency is the hobgoblin of a small mind.

  15. Wasn't there a rule about selling exploits? by St.Creed · · Score: 1

    They were basically selling zero day exploits in pre-packaged kits to anyone with money. So... is that legal? Because it sounds like a winner.

    --
    Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
    1. Re:Wasn't there a rule about selling exploits? by horm · · Score: 2, Insightful

      Considering they're based out of Milan, I doubt they were that concerned about US regulations.

    2. Re:Wasn't there a rule about selling exploits? by St.Creed · · Score: 1

      The EU is not a lawless wasteland - although it may seem like it on some days :)

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
  16. Yet again Adobe by Virtucon · · Score: 5, Insightful

    Is it just me or does Adobe's software have the worst engineering practices in the industry? Every other fucking week there's an Adobe vulnerability. Scratch your ass, Adobe Vulnerability. Sneeze? Adobe Vulnerability. Walk your dog? Adobe Vulnerability.

    This company needs to just be banned from producing any software, period, unless they provide the source code as well.


    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:Yet again Adobe by amicusNYCL · · Score: 1

      This company needs to just be banned from producing any software, period, unless they provide the source code as well.

      And you should be banned from holding any public office.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Yet again Adobe by antdude · · Score: 1

      What about other companies? :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    3. Re:Yet again Adobe by coofercat · · Score: 1

      Their CQ (now AEM) website CMS product also has more holes than a sieve. When they produce 'security packs', they refuse to tell you what areas they touch with it "for your security". In other words, they just give you a binary blob that may, or may not, break random aspects of your application but don't tell you what areas to test. Funnily enough, this isn't something Gartner bothered to look into before they took the money to put CQ into the 'magic quadrant'.

      It's not so much that they can't write code, it's that they can't manage themselves in any meaningful way. Anyone buying Adobe products for anything important needs their head examining.

    4. Re:Yet again Adobe by AmiMoJo · · Score: 1

      Do we even need Adobe software any more? Okay, they do some good productivity stuff, but all the vulnerabilities are in Flash and Reader. Flash has been replaced by HTML 5, and is mostly used for adverts anyway. Chrome seems to have the right idea: build it in and heavily sandbox it if you have to run it at all. Reader is just crapware for the most part; it offers nothing that other more secure software does. In fact I'd recommend pdf.js instead of their browser plug-in, for improved browser security.

      Oh, and there is Java I suppose... No need to have that in the browser, which cuts the attack surface right down. Shame it's needed for some desktop apps.

      Seems like the best option is to simply uninstall Adobe software.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  17. Re:Statism vs. Libertarianism again by mlw4428 · · Score: 3, Informative

    > If you take out the liberal run towns with the highest gun violence, you'll find that gun deaths are indeed fairly rare.

    Ah, there it is, that's the real reason for your argument. See I was missing how you were equating identity theft (which while a headache is less of a headache than death) with getting shot, but then I realized that this was your opportunity to take a jab at liberals.

    You're twisting information to suit your narrative. You've also neglected to mention (based on whatever uncited source you're claiming to get your information about gun crimes from) that Republican-led states have much higher levels of crime than Democrat states. This information was based off of the analysis of the 2008 Uniform Crime Reports. You can find that analysis here: http://editions.lib.umn.edu/sm...

    Of course there's also more recent studies (seen here: https://www.americanprogress.o...) that show a link between lax gun laws and higher gun crime rates. More directly it shows that states with the highest gun crimes (which are typically conservative states) have the highest crime rates. In fact Alaska, Louisiana, Montana, and Alabama rank higher (per capita) in firearm deaths than Democratic states. For comparison while all of the above states were at least 4 points above the national average of 10.26 deaths/100,000 people Illinois was ~2 points LOWER than the national average.

    I suppose it's easier to just throw out random uncited sources and half-baked facts without researching the overall data. Especially when your entire goal is to slander a political view that you apparently disagree with. But the short of the long is that none of the above discussion is a valid answer on why everything should be black and white. I personally think you're just trolling -- even if it's not a conscious decision to troll.

  18. Re:Statism vs. Libertarianism again by Nutria · · Score: 4, Insightful

    You do your cause no good when you edit out crucial words.

    The actual quote: "A foolish consistency is the hobgoblin of little minds".

    --
    "I don't know, therefore Aliens" Wafflebox1
  19. Re:Statism vs. Libertarianism again by DarkOx · · Score: 2

    I think he is right to do so. Human life clearly has a dollar value. I would argue not an especially high one either. Consider there are 8 Billion of us. You can't get much more commodity than that. The world as a whole would arguably be better off with fewer people too.

    Value has a great deal to do with what has been invested in them in terms of education, care, feeding etc. Then you need to consider things like survival rates. Certainly a healthy teenager is more valuable than a newborn. Much of the risk of premature death has been removed, as has the possibility of many debilitating conditions being unknown. We can make a lot of assumptions about future productivity as well based on physique, intelligence, etc.

    While we can never say Bob over there is worth half a million, we can certainly say in the abstract sense the average 22 year old native born American is worth $X. To that end we can measure the cost of the NYSE being down in lives.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  20. Re: Statism vs. Libertarianism again by netsavior · · Score: 1

    Anyone can kill a person. It takes everyone to kill a government.

  21. Re:Statism vs. Libertarianism again by dj245 · · Score: 3, Interesting

    There's a world of difference between an adobe flash exploit and the availability of a gun that can mow down a large number of people in a matter of seconds.

    There is not. Shutting down NYSE [slashdot.org], for example, cost billions of dollars. At $10 mln per life [wikipedia.org], that's hundreds of lives right there...

    Are you making a serious argument in comparing people getting shot and the NYSE shutdown? This is the hill that you're going to make your stand on?

    It's a very poor example but a valid point. A much better example would be fraud [identity theft], ransomware, spam, etc. With computers you can easily steal time from people on an unimaginable scale.

    Suppose someone hacks me, and I get off relatively "easy". I may spend 1 hour of my time canceling a credit card, activating the new card when it comes, and changing all the passwords of all the accounts that the credit card number is associated with. That's probably on the very low end of what a hack can cost an individual.

    The hacker doesn't stop there. They repeat their act 1,000,000 times. That's a fairly successful and prolific hacker, but not unheard of, especially if the attack vector is a business. At just an hour apiece per victim, 1 million victims is 114 total man-years spent cleaning up. Nobody died, but an entire lifetime has been stolen.

    The Target hack(s) affected "up to 110 million people". If we take that figure at face value, and each victim spent only an hour dealing with it, that's 12,557 years or roughly 148 lifetimes. Even if I count injured people, I can't find a mass shooting that comes anywhere near 148 lifetimes.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  22. Re:Statism vs. Libertarianism again by Jiro · · Score: 2

    "High crime in Republican states" can mean high crime in Democratic-run areas within Republican states.

  23. Re:Statism vs. Libertarianism again by Archangel+Michael · · Score: 2, Informative

    For the people that think my post is a troll:

    http://dailycaller.com/2012/04...

    http://townhall.com/tipsheet/k...

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  24. Re:Statism vs. Libertarianism again by Electricity+Likes+Me · · Score: 1

    "High crime in Republican states" can mean high crime in Democratic-run areas within Republican states.

    Yeah it could. Of course he doesn't know that, because he didn't do even a cursory review of the data before he formed his opinions. Of course I don't either, but that's also because who runs a district is pretty irrelevant to a discussion of whether district, state and federal policy combinations are leading to a particular outcome.

    For comparison: mass shootings of the type the US has do not occur in the developed world at anything like the frequency they do in the US. And the US has had to redefine "mass" in the media to mean more than 3-4 people at the same time.

  25. Re:Statism vs. Libertarianism again by AmiMoJo · · Score: 1

    The key difference is that if you spend an hour sorting out your credit card you continue to live the rest of your life afterwards with few ill effects.

    So-called cyber weapons can kill people. Governments use them to target people they don't like, and sometimes it ends in murder. More often it ends up in lives ruined, people rotting in jail. We don't allow people to supply physical weapons to those governments, so perhaps we shouldn't allow them to supply cyber ones either.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  26. Re:Statism vs. Libertarianism again by mi · · Score: 2

    Fuck you. YOUR life ain't worth a penny.

    You forgot to include the usual Illiberal imploration to Please, don't hate.

    --
    In Soviet Washington the swamp drains you.
  27. Steve Jobs argument and time-damage... by tlambert · · Score: 2

    The key difference is that if you spend an hour sorting out your credit card you continue to live the rest of your life afterwards with few ill effects.

    Steve Jobs persuaded an engineer to reduce boot time lower than the engineer thought possible by making the equivalence argument. It goes something like this:

    Average human life expectancy is 71 years.

    Humans are on average conscious for 16 hours per day.

    Doing the math, this means you would only have to force 414,915 people to spend an hour "sorting out their credit card" before you've effectively done the equivalent time-damage of killing someone.

    1. Re:Steve Jobs argument and time-damage... by AmiMoJo · · Score: 1

      You are completely missing the point. An hour wasted for half a million people is not equivalent to the loss of one life, at least not for the person who died or their family and friends. The loss of premature death cannot be measured in monetary or man-hour terms. The courts only look at it that way because they can't bring the person back to life, so money is the only way to compensate.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  28. Re:Statism vs. Libertarianism again by Pinky's+Brain · · Score: 2

    Shutting down NYSE changes the distribution of some electronic assets, a cost for some and a gain for others ... I wouldn't even be 100% certain the attack decreased GDP.

  29. Re:Statism vs. Libertarianism again by Lunix+Nutcase · · Score: 1

    Why? Because you said so? That's hardly a compelling argument.

  30. Re:Statism vs. Libertarianism again by sjames · · Score: 1

    Only if you throw out the legal theory of making someone whole. The only reason a court assigns a value to a life is that it doesn't have the option of resurrection. But whatever that value is, you can't tell me honestly that the family of the deceased feels just fine about it if you pay $X for killing Dad.

  31. Re:Statism vs. Libertarianism again by khallow · · Score: 1

    Only if you throw out the legal theory of making someone whole.

    Which is a sensible thing to do here. After all, most decisions which harm people are made by people concerning their own health and safety.

  32. Re:Statism vs. Libertarianism again by sjames · · Score: 1

    Either I don't understand what you're trying to say or it simply doesn't follow.

  33. Re:Statism vs. Libertarianism again by penguinoid · · Score: 1

    I think a better example is that money can be used to save lives. There's a whole lot of different ways to save lives using money, a few examples are medical research, medical care, reducing pollution, safety equipment, reducing poverty, reducing stress. Clearly, at least some people value money more than lives -- or at the very least, choose money over lives. And by "some people" I mean "basically everyone, although they wouldn't admit it even to themselves".

    Don't worry though -- if our species spent every single moment of our lives doing everything humanly possible to avoid loss of life, we'd be totally worthless and accomplish nothing.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  34. Re:Statism vs. Libertarianism again by penguinoid · · Score: 1

    For example, if you aren't willing to spend $5000 on an airbag that would improve your chances of survival by 0.1%, then you value your own life at less than $5 mln.

    Nah, that proves that 0.1% doesn't exist and is really 0%.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  35. Re:Statism vs. Libertarianism again by mwvdlee · · Score: 1

    So according to you, if you must be consistent then...
    Statists must support regulating security research, gun-ownership, gay marriage, abortion and everything else.
    Libertarianists must oppose regulating security research, gun-ownership, gay marriage, abortion and everything else.
    Or can people support regulating some things and oppose regulating other things?

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  36. The Problem: code not seeing the light of day... by Lodragandraoidh · · Score: 1

    The real problem here is willingness to fund what is necessary - refactoring all code used in critical systems to ensure they are secure - and to maintain that approach over time in an iterative basis.

    We should touch code (at least to review it) - every year - which research indicates is the sweet spot for zero-day exploits. We get more benefits if we refactor the code - effectively resetting the clock for exploit writers to find a new zero day, and develop applications to exploit it.

    Working in IT today, I can tell you from experience no one is willing to spend money to constantly refactor code without delivering new functionality (read 'revenue generating functionality'). This approach also is counterintuitive to software engineers trained to value code reuse over rewriting or building new solutions.

    Instead, they focus on cosmetic bandaids - such as firewalls, antivirus, patch updates, and policy management. All of these things are important - but in the scheme of things will not stop a zero day exploit - particularly given that most patches for zero days are not available until the zero day is discovered - and then the time it takes the developer/company in question to put out a fix - on average 6 months to a year after the zero day is discovered and reported. Meanwhile the network is wide open to anyone who has figured it out (which is roughly 6 months to a year after a new piece of software is deployed on the network). The problem is related more to how humans learn systems than any particular coding practice. Your code refactor efforts just need to fall inside of that curve - leading rather than following.

    Finally - the proposed fixes, such as more regulations, will not fix the problem - and will only serve to drive people out of the business, at the precise time when we need more developers than ever to address the problem effectively.

    Steps:

    1. Pay for what is needed in IT instead of being cheap. If you get more specific regulation of this - you might not have a choice (e.g. Sarbanes-Oxley)

    2. Let your developers as a whole spend some time on evaluating code - the more eyeballs you have the better.

    3. Move away from expensive water-fall projects to more flexible agile methods, and adjust your funding protocols to match.

    --

    Lodragan Draoidh
    The more you explain it, the more I don't understand it. - Mark Twain
  37. Logical conclusion by ThatsNotPudding · · Score: 1

    Is it just me or does Adobe's software have the worst engineering practices in the industry? Every other fucking week there's an Adobe vulnerability. Scratch your ass, Adobe Vulnerability. Sneeze? Adobe Vulnerability. Walk your dog? Adobe Vulnerability.

    Follow the facts to the obvious conclusion: Adobe is being *paid* to add exploits to one of the most ubiquitous pieces of software on the net - tellingly even a requirement for some banking and bill paying sites. Given this seemingly endless fountain of suck, the only logical answer: Adobe is an NSA shop.

  38. Re:Legislation by Ash-Fox · · Score: 1

    .bit works really well.

    I haven't ever used a website using .bit, anecdotally, it doesn't seem to be working that well.

    --
    Change is certain; progress is not obligatory.
  39. Re:Statism vs. Libertarianism again by DarkOx · · Score: 1

    Where I was going was that, individually to the people who care about us we are all priceless. Most of us would spend every last cent we had to save our child or spouse etc. When it comes to civil judgments and the like making people whole is a good enough system. A court can look at the individual situation and do something that is 'fair'.

    At the macro social policy level it's a different story. We MUST make decisions about how much we are willing to spend on counter terrorism, or social safety net programs, or health care etc. To do that rationally we do need to put some gross value numbers on people.

    It really is the case, at least based on my reasoning, that society for example has an interest in effecting a stronger security posture at a high school than at an elementary school, because at least to society teenagers are actually more valuable than young children. Putting quantitative values on people in aggregate is useful and necessary if we want to rationally allocate public resources.

    However, while I believe government needs to act quantitatively and not look at the individual, I am still a libertarian. I believe simultaneously that we need to concentrate as much power and choice as possible with the individual rather than with society, because I know the intangibles are important, sometimes more important than anything else. Often the only people who can recognize the true value of something or even other people are those who are immediately around it.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  40. Re:Statism vs. Libertarianism again by sjames · · Score: 1

    It is a useful tool for finding relative risks and figuring out what we can afford to do, but it breaks down when we try to use it to valuate human death vs. economic losses. It is important to remember that there is a limit to how far the fiction of valuation of life can go.

    A prominent example of that error is the rather infamous Ford Pinto case.

    It becomes much more problematic when compounded with another thing (in this case liberty) that is hard to place a proper value on.

    Personally, while I don't find it hypocritical to support regulating one and not the other, I am a supporter of 2nd amendment rights and the right to own and produce hacking tools. It's the uses of them and knowingly providing them for unacceptable uses I support regulating.

  41. Re:Statism vs. Libertarianism again by khallow · · Score: 1

    For me, the reason I'm anti-dictatorship is the remote possibility that I might not get to be the dictator.

  42. Re:Statism vs. Libertarianism again by Archangel+Michael · · Score: 1

    Of course I don't either, but that's also because who runs a district is pretty irrelevant to a discussion of whether district, state and federal policy combinations are leading to a particular outcome.

    See Baltimore for demonstrable reproof of your simplistic belief. The results of poor leadership are happening every day. But the idiot mayor won't be held to account by the voters, and the Police Commissioner just got scapegoated.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  43. Re:Statism vs. Libertarianism again by Archangel+Michael · · Score: 1

    Hey, just an FYI, two minutes on this thing called "Google" found the exact page that was 404ed, probably due to a website reconfiguration by the FBI (like going to HTTPS)!

    https://www.fbi.gov/about-us/c...

    So, does this new information change your snarky attitude?

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  44. Re:Statism vs. Libertarianism again by khallow · · Score: 1

    Do you also reject the free market, because of the remote possibility you might lose in all that competition?

    Competition isn't the only game in free markets.

  45. Re:Statism vs. Libertarianism again by khallow · · Score: 1

    Do you decide to work more or less of your life, or to work riskier or less risky jobs because of the legal theory of making someone whole? And there are a host of risky activities done merely for the thrills, like sky diving or skiing.

  46. Re:Statism vs. Libertarianism again by khallow · · Score: 1

    I guess the bottom line is that there are a variety of harms you can't make whole just by paying money or other restitution, such as death. It's not possible to spend money to reverse someone's death and make them whole (that is, put them back in the position they were in before the harm occurred). So by that legal theory, human life has value that can't be quantified with money. But in practice, we don't act like our lives have infinite value.

  47. Prosecute first lest the crooks join the mafia by jnv11 · · Score: 1

    First, the members of the Hacking Team that knew about the sales to embargoed countries should be prosecuted. Then worry about how to regulate cyber weapons. Otherwise, the most evil of the members (i.e. the ones who knew about the selling to genocidal governments like Sudan) might just go into hiding and offer their services to other evil organizations like the mafia.

  48. Re:Statism vs. Libertarianism again by sjames · · Score: 1

    Yes, but only because you can't be ordered to pay infinite money. We are forced by reality to make the plaintiff whole in the financial sense only.

    However, that doesn't make the comparison of financial loss to loss of life correct or proper since the loss of life also carries an irreparable harm.

  49. Re:Statism vs. Libertarianism again by sjames · · Score: 1

    The law treats willingly accepted risks differently from imposed risks.

  50. Re:Statism vs. Libertarianism again by khallow · · Score: 1

    And my point is that the scenario does not.

  51. Re:Statism vs. Libertarianism again by khallow · · Score: 1

    Ok, so there are even more possibilities for you to not succeed on the free market.

    Of course not. I refer instead to the satisfying of wants. You won't fail to buy and eat a hamburger because khallow outcompeted you for your hunger or the money in your pocket.

  52. Re:Statism vs. Libertarianism again by khallow · · Score: 1

    However, that doesn't make the comparison of financial loss to loss of life correct or proper since the loss of life also carries an irreparable harm.

    Huge financial losses are also irreparable.

  53. Re:Statism vs. Libertarianism again by sjames · · Score: 1

    In practice, they sometimes can't be repaid, but loss of life cannot be properly compensated even in theory.

  54. Re:Statism vs. Libertarianism again by khallow · · Score: 1

    In practice, they sometimes can't be repaid, but loss of life cannot be properly compensated even in theory.

    Unless you're not following that legal theory. And "practice" is what you are actually doing.

  55. Re:Statism vs. Libertarianism again by sjames · · Score: 1

    It doesn't matter what legal theory you're following. The theory of making the plaintiff whole sets policy in a civil suit, it doesn't alter the facts.

  56. Re:Statism vs. Libertarianism again by khallow · · Score: 1

    The theory of making the plaintiff whole sets policy in a civil suit, it doesn't alter the facts.

    I agree. We aren't and can't fully follow the "making one whole" theory however. And I consider that particularly relevant to the discussion of what happens when one destroys actual wealth (if only by making society a bit less efficient).

  57. Re:The Problem: code not seeing the light of day.. by Lodragandraoidh · · Score: 1

    People are not perfect automatons - therefore you always run the risk, and probably will see new bugs and vulnerabilities. However, that is okay - in the sense that it will still reset the clock (assuming you caught the existing zero days in the process). Now the hackers will have to start over - and it will take them another 6 to 12 months to figure out an exploit to the bugs you introduced - assuming they are actually exploitable. Therefore it makes sense to review and refactor code on a recurring basis. The benefits outweigh the costs.

    --

    Lodragan Draoidh
    The more you explain it, the more I don't understand it. - Mark Twain
  58. Re:The Problem: code not seeing the light of day.. by Lodragandraoidh · · Score: 1

    Ensuring all developers in the industry are competent is a pipe dream. Take a look at the most exacting careers you can think of - and you'll find varying levels of competence.

    People are imperfect (in the sense that they can have a bad day, and let typos slip by from time to time - even the very best of us). Additionally the real software lifecycle is not like frozen water. It is more like all the different states of water - solid, liquid, and gas, changing as its environment changes on a continuum from birth to death.

    I agree we should do something. I think that 'something' should be more than just training and hoping they use what they've learned.

    --

    Lodragan Draoidh
    The more you explain it, the more I don't understand it. - Mark Twain