Slashdot Mirror


Hacks Raise Fear Over NSA's Hold on Cyberweapons (nytimes.com)

Nicole Perlroth and David Sanger, writing for The New York Times: Twice in the past month, National Security Agency cyberweapons stolen from its arsenal have been turned against two very different partners of the United States -- Britain and Ukraine. The N.S.A. has kept quiet, not acknowledging its role in developing the weapons. White House officials have deflected many questions, and responded to others by arguing that the focus should be on the attackers themselves, not the manufacturer of their weapons. But the silence is wearing thin for victims of the assaults, as a series of escalating attacks using N.S.A. cyberweapons have hit hospitals, a nuclear site and American businesses. Now there is growing concern that United States intelligence agencies have rushed to create digital weapons that they cannot keep safe from adversaries or disable once they fall into the wrong hands. On Wednesday, the calls for the agency to address its role in the latest attacks grew louder, as victims and technology companies cried foul. Representative Ted Lieu, a California Democrat and a former Air Force officer who serves on the House Judiciary and Foreign Affairs Committees, urged the N.S.A. to help stop the attacks and to stop hoarding knowledge of the computer vulnerabilities upon which these weapons rely.


  1. Cyber... by Frosty+Piss · · Score: 3, Funny

    Only my opinion, but I really dislike this term, "cyberweapon". Actually, anything with "cyber" other than "cybersex" sets me off a bit...

    --
    If you want news from today, you have to come back tomorrow.
  2. And they want master decryption keys, too. by Desler · · Score: 5, Insightful

    Even worse than that is they expect us to believe that they can securely escrow master keys to break all encryption. What a bunch of jokers.

  3. Re:just like gun control by Opportunist · · Score: 4, Insightful

    Unlike real weapons, these weapons can be multiplied easily. Try that with a tank.

    That alone should mean that these "virtual guns" are under a tighter control. Even a nuke can only detonate once, but one such "weapon" can be used all over the globe billions of times.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. A word to the wise: by Gravis+Zero · · Score: 4, Insightful

    Never create a weapon that you wouldn't want to fall into the hands of your worst enemy.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:A word to the wise: by Gravis+Zero · · Score: 3, Insightful

      Things that can only be used to defend and help their common man.

      --
      Anons need not reply. Questions end with a question mark.
  5. Re:A weapon? by Desler · · Score: 3, Insightful

    Your statement doesn't even make sense. So if I shoot a rocket at the cracked part of a wall the rocket ceases to be a weapon?

  6. Re:just like gun control by Shotgun · · Score: 4, Insightful

    The analogy is that these are very much like biological weapons. If you're going to use those, you have to be damn sure that the "good guys" all have vaccines, and that the weapon can't mutate.

    There is a very good reason that biological weapons are NOT used.

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  7. So here it is by sjames · · Score: 4, Funny

    The NSA. It pooped its pants right there in the public square. And rather than trying to clean up, it just stands there yelling "MY SHIT DON'T STINK!" while continuing to make squeaky farts.

    This is probably go to a new school next year level public humiliation, but they apparently have no shame.

    If you should see someone who works for the NSA, hand them a roll of toilet paper.

    1. Re:So here it is by BlueStrat · · Score: 2

      The NSA. It pooped its pants right there in the public square. And rather than trying to clean up, it just stands there yelling "MY SHIT DON'T STINK!" while continuing to make squeaky farts.

      This is probably go to a new school next year level public humiliation, but they apparently have no shame.

      If you should see someone who works for the NSA, hand them a roll of toilet paper.

      OMG I wish this would become a thing!

      Order toilet paper sent to NSA HQ! Bury them in literally tons and tons of shit-paper every single day! Photos of piles of rolls at their doors and trucks lined up to unload more making the rounds on social media, the news cycle, etc!

      Let's make it possible for drivers to see a new sign along the highways in Virginia; "See The World's Largest Mountain Of Toilet Paper! Visit NSA HQ Alexandria Next Exit!"

      Destroy them with laughter! Make them such a worldwide joke (I know, they already do such a good job) that nobody takes them seriously and nobody wants to work for nor be associated with them.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  8. Re:just like gun control by XXongo · · Score: 2, Insightful

    Exactly. The problem here is that people are trying to apply pre-information age thinking to post-information age constructs. This idea that you can build a cyber "weapon" that can only attack "bad" people and cannot be trivially altered to ignore whatever protections you put into place to keep it from being used against "good" people, is ludicrous.

    Yes, exactly like guns. It's ludicrous to think you can proliferate millions of guns to "good" people, and they won't be also used by "bad" people.

  9. This rollercoaster ride is just getting started. by Ungrounded+Lightning · · Score: 2

    But the silence is wearing thin for victims of the assaults, as a series of escalating attacks using N.S.A. cyberweapons have hit hospitals, a nuclear site and American businesses.

    IMHO it's just getting started. The source code to a whole BUNCH of their tools has gotten out - a treasure trove for the bad guys. Now they don't have to design this stuff themselves - it's all there, ready to be customized. We're just seeing the leading edge from the early adopters.

    Now there is growing concern that United States intelligence agencies have rushed to create digital weapons that they cannot keep safe from adversaries or disable once they fall into the wrong hands.

    Well, DUH! If you've got the source it's anywhere from reasonably easy to trivial to disable or change any kill switch. Changing vulnerable mechanisms key to the operation is more difficult, but still doable. So even if they did spend extra engineer time to build in the equivalent of "gun smart chips" - and they worked - it would, at best, be initially mitigating but ultimately futile.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  10. The other thing to remember by PraiseBob · · Score: 3, Informative

    One other aspect to keep in mind- For YEARS now, the intelligence services of the USA have been pouring millions of dollars a year into the Black Hat Black Markets, where these vulnerabilities are traded and sold. They aren't some bit player, occasionally picking up a new trick, they are the primary source of funding to many of these marketplaces.

    The bugs would still exist either way, but the government has been intentionally funding organized crime into developing these vulnerabilities, and making the situation much worse. Since they are the primary entity putting money into this marketplace, they are playing the key role to allow black hats to quit their day job and focus on writing exploits.

    1. Re:The other thing to remember by Anonymous Coward · · Score: 3, Insightful

      [citation needed]

  11. It's a game theory problem by modzer0 · · Score: 2

    The thing about vulnerabilities is one single entity can't find everything. If you're then disclosing those to get everything patched you are harming your offensive capabilities. It may impact another party's offensive capabilities as well, but it's very likely they have vulnerabilities that you don't know about. So then you have a double-edged sword. Do you keep the exploit to use offensively and risk the undisclosed exploit being used against you, or disclose it and still risk another undisclosed exploit you don't know about still being used against you?

    Exploits are a limited resource and they expire. Once used they have an even shorter shelf life before discovery. You don't know when things will get discovered by another party as well. They need a constant influx of new vulnerabilities because the ones they have may not be useful against an assigned target tomorrow. Your warhead, information collection, and mission ability are all determined by the offensive software you have at your disposal. Everyone else will call it malware.

    A reachable known target can be implanted with a non-replicating tool. These are the most covert, but also the most difficult as you may not have a direct path to the target machine. That goes into getting access to a well defended network. That requires something that spreads on its own so it can possibly reach the machines you need coverage on. This is also a double-edged sword as putting in limitations to spreading also gives away the fact it's not a random infection. Those types of tools always end up spreading to unintended places and getting examined by security researchers. If a worm component is added then you cross into the realms of epidemiology and outbreaks though without geographic isolation as a barrier. It only takes one user in a network to get infected and then it'll spread until AV and OS patches catch up.

    So disclosing vulnerabilities isn't always an option if you want to remain effective offensively. It becomes a lot like a classic game theory problem. The strategic choice would be to hang onto as many vulnerabilities as long as they can, and that's what everyone does.

  12. Re:just like gun control by Anonymous Coward · · Score: 2, Interesting

    Do you allow people the ability to defend themselves, seeing as police rarely ever arrive in time to do anything other than write reports and gather evidence, or do you leave them defenseless?

    Note that there are far more good people than bad people. That means that by allowing people to arm themselves there will be far more good people with guns vs bad people with guns, and the only thing that stops a bad guy with a gun is a good guy with a gun.

    And this is why, every day, so many shootings are interrupted or prevented by good guys with guns. Obviously the media don't report these incidents. If we could only further increase gun ownership we might be able to stop mass-shootings entirely.