Slashdot Mirror


Researchers Catch Microsoft Zero-Day Used To Install Government Spyware (vice.com)

An anonymous reader quotes a report from Motherboard: Government hackers were using a previously unknown vulnerability in Microsoft's .NET Framework, a development platform for building apps, to hack targets and infect them with spyware, according to security firm FireEye. The firm revealed the espionage campaign on Tuesday, on the same day Microsoft patched the vulnerability. According to FireEye, the bug, which until today was a zero-day, was being used by a customer of FinFisher, a company that sells surveillance and hacking technologies to governments around the world. The hackers sent a malicious Word RTF document to a "Russian speaker," according to Ben Read, FireEye's manager of cyber espionage research. The document was programmed to take advantage of the recently patched vulnerability to install FinSpy, spyware designed by FinFisher. The spyware masqueraded as an image file called "left.jpg," according to FireEye.
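The summary says the lure was a Word RTF document carrying the payload. RTF stores embedded objects as hex text after the \objdata control word, and the decoded bytes are an OLE1.0 object stream, so a triage script can pull those objects out and look at them without opening the file in Word. The scanner below is an added example and is not code from the article, FireEye or Microsoft; the sample RTF is constructed here (a Packager object whose payload starts with a PE signature) and does not reproduce the real FinSpy document, and the signature list and the "suspicious" heuristic are the author's own choices.

```python
import re
import struct

# Hex data follows \objdata; writers wrap it across lines and attackers pad it
# with whitespace, so the character class admits whitespace and we strip it later.
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9a-fA-F\s]+)")

# Signatures that should not appear at the start of an embedded object's payload
# in a document someone e-mailed you (assumed list, extend as needed).
EXECUTABLE_MAGIC = {
    b"MZ": "PE executable",
    b"\xd0\xcf\x11\xe0": "OLE compound file",
    b"#!": "script with shebang",
}


def lp_ansi(s: bytes) -> bytes:
    """LengthPrefixedAnsiString: 4-byte LE length including the NUL, then the bytes."""
    return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)


def build_ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Construct an OLE1.0 embedded object (FormatID 2) for the constructed sample."""
    return (struct.pack("<I", 0x00000501)      # OLEVersion
            + struct.pack("<I", 2)             # FormatID: 2 = embedded object
            + lp_ansi(class_name)              # ClassName, e.g. "Package"
            + lp_ansi(b"") + lp_ansi(b"")      # TopicName, ItemName (empty)
            + struct.pack("<I", len(native))   # NativeDataSize
            + native)


def extract_objdata(rtf: bytes) -> list:
    """Decode every \\objdata blob in the RTF into bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:          # odd nibble count means a truncated blob
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE1.0 header; for embedded objects also locate the native payload."""
    off = 0

    def read_u32():
        nonlocal off
        (v,) = struct.unpack_from("<I", blob, off)
        off += 4
        return v

    def read_lp():
        nonlocal off
        n = read_u32()
        s = blob[off:off + n]
        off += n
        return s.rstrip(b"\x00").decode("latin-1")

    info = {"ole_version": read_u32(), "format_id": read_u32()}
    info["class_name"] = read_lp()
    info["topic_name"] = read_lp()
    info["item_name"] = read_lp()
    if info["format_id"] == 2:
        size = read_u32()
        native = blob[off:off + size]
        info["native_size"] = size
        info["native_magic"] = native[:4]
        info["truncated"] = len(native) < size
    return info


def scan_rtf(rtf: bytes) -> list:
    """Flag Packager objects (Word writes them to disk on activation) and any
    embedded payload that starts with an executable signature."""
    findings = []
    for blob in extract_objdata(rtf):
        try:
            info = parse_ole1(blob)
        except struct.error:
            findings.append({"class_name": None, "suspicious": True,
                             "reasons": ["malformed OLE1 header"]})
            continue
        reasons = []
        if info["class_name"].lower() == "package":
            reasons.append("Packager object (dropped to disk on activation)")
        magic = info.get("native_magic", b"")
        for sig, desc in EXECUTABLE_MAGIC.items():
            if magic.startswith(sig):
                reasons.append(f"payload starts with {desc} signature")
        info["suspicious"] = bool(reasons)
        info["reasons"] = reasons
        findings.append(info)
    return findings


# Constructed sample, not the real document: a Packager object whose native
# data looks like a PE file, hex-encoded and line-wrapped like real RTF output.
_SAMPLE_NATIVE = b"MZ\x90\x00" + b"\x00" * 12
_SAMPLE_HEX = build_ole1_embedded(b"Package", _SAMPLE_NATIVE).hex()
SAMPLE_RTF = (
    "{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
    + "\n".join(_SAMPLE_HEX[i:i + 40] for i in range(0, len(_SAMPLE_HEX), 40))
    + "}}\\par Quarterly figures attached.}"
).encode("ascii")

if __name__ == "__main__":
    for f in scan_rtf(SAMPLE_RTF):
        print(f["class_name"], f["suspicious"], f["reasons"])
```

The parser stops at the first malformed header rather than guessing, and a truncated payload is reported as such; both are common in samples that have been mangled by mail gateways, and a silent "looks clean" on a truncated blob is the failure mode to avoid.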

14 of 83 comments

  1. NORTH KOREA or THE NSA by Anonymous Coward · · Score: 5, Insightful

    Who has caused the most damage for American citizens?

    NORTH KOREA or THE NSA?

  2. Not much of an exploit by fustakrakich · · Score: 2

    The guy still had to download and open the Word doc.

    And I hope FireEye isn't trying to claim to be some kind of hero in this. The timing of their "revelation" is highly suspicious.

    --
    “He’s not deformed, he’s just drunk!”
  3. Re:NORTH KOREA or THE NSA by Opportunist · · Score: 4, Insightful

    This is pretty much why I can't help but snicker every time someone says "But the Russians...". The harm "the Russians" can do to you is minimal compared to what your very own government can.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Re:Purpose of using Zero Day moniker? by ls671 · · Score: 3, Insightful

    Interesting, is it a zero-day or a backdoor?

    --
    Everything I write is lies, read between the lines.
  5. Re: Purpose of using Zero Day moniker? by Anonymous Coward · · Score: 4, Informative

    Also, if MS put out a patch today then it wasn't a zero day until today.

    Zero day = the manufacturer doesn't know about it at all. Not how many days has a patch been available.

    If it's a backdoor then it was never a zero day as the manufacturer always knew it was there.

  6. The dark covenant by lucm · · Score: 2

    Those guys are playing with evil forces.

    FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.

    RTF -> VBScript -> PowerShell -> Cthulhu awakens

    --
    lucm, indeed.
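The chain in the comment above (document opens a script host, script host launches PowerShell) is what a detection engineer would key on, because it is the parent-child relationship rather than any one binary that is abnormal. The detector below is an added example, not FireEye's or the commenter's code; the events are constructed in a Sysmon process-creation shape with assumed field names (pid, ppid, image, cmd), and the office/script-host/shell lists and the severity rules are the author's assumptions.

```python
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# PowerShell switches that raise the score when seen under an Office ancestor.
PS_SUSPECT_FLAGS = ("-enc", "-encodedcommand", "-w hidden",
                    "-windowstyle hidden", "-nop", "-noprofile")

# Constructed sample events (not real telemetry). One malicious chain from an
# RTF, plus a benign admin PowerShell launch from Explorer as a control.
SAMPLE_EVENTS = [
    {"pid": 4000, "ppid": 800, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 4100, "ppid": 4000,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": 'WINWORD.EXE /n "C:\\Users\\ivan\\Downloads\\report.rtf"'},
    {"pid": 4200, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\ivan\AppData\Local\Temp\update.vbs"},
    {"pid": 4300, "ppid": 4200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"pid": 4400, "ppid": 4000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Scripts\backup.ps1"},
]


def basename(image: str) -> str:
    """Lower-cased file name so path casing and install location do not matter."""
    return ntpath.basename(image).lower()


def ancestry(pid: int, by_pid: dict, max_depth: int = 8) -> list:
    """[process, parent, grandparent, ...] up to max_depth; stops at an unknown
    parent or a pid cycle (pids get reused, so cycles do occur in real data)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(ev)
        pid = ev["ppid"]
    return chain


def detect_office_script_chains(events: list) -> list:
    """Alert on any script host or shell that has an Office application among
    its ancestors. Severity is 'high' when a script host sits between the Office
    app and a shell, or when the shell's command line carries suspect switches."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        name = basename(ev["image"])
        if name not in SCRIPT_HOSTS and name not in SHELLS:
            continue
        chain = ancestry(ev["pid"], by_pid)
        names = [basename(e["image"]) for e in chain]
        office_idx = next((i for i, n in enumerate(names) if n in OFFICE_APPS), None)
        if office_idx is None:
            continue
        path = list(reversed(names[:office_idx + 1]))   # office app ... this process
        severity = "medium"
        if name in SHELLS and any(n in SCRIPT_HOSTS for n in names[1:office_idx]):
            severity = "high"
        cmd = ev["cmd"].lower()
        flags = [f for f in PS_SUSPECT_FLAGS if f in cmd]
        if flags:
            severity = "high"
        alerts.append({"pid": ev["pid"], "chain": path,
                       "severity": severity, "flags": flags})
    return alerts


if __name__ == "__main__":
    for a in detect_office_script_chains(SAMPLE_EVENTS):
        print(a["severity"], " -> ".join(a["chain"]), a["flags"])
```

Walking ancestry rather than checking only the immediate parent is what catches the intermediate hop: WINWORD.EXE never spawns powershell.exe directly in this chain, so a parent-only rule sees a wscript.exe launch from Word (worth a medium alert on its own) and a PowerShell launch from wscript.exe, and never connects the two.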
    1. Re:The dark covenant by Mal-2 · · Score: 3, Interesting

      Why is it that Windows & Linux are always getting hacked but you never hear about exploits for the Mac huh? What gives!?

      Because you're not paying attention.
      https://www.exploit-db.com/exploits/36692/

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
  7. Re: NORTH KOREA or THE NSA by Anonymous Coward · · Score: 2, Insightful

    The NSA doesn't care about elections. They will get funded no matter who is elected.

    There was, however, a concerted effort by the media to skew election polling results so they could keep saying the other guys are losing. They were wrong BTW. The media is always full of shit. Especially how badly they're covering EquiFUCKED, trying to do everything they can to not blame Equifuckers...

  8. Re:NORTH KOREA or THE NSA by Ol+Olsoc · · Score: 3, Insightful

    This is pretty much why I can't help but snicker every time someone says "But the Russians...". The harm "the Russians" can do to you is minimal compared to what your very own government can.

    I wonder if we might be able to concentrate on more than one issue at a time.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  9. What Brian LaMacchia said about .NET security by Anonymous Coward · · Score: 5, Interesting

    Brian LaMacchia was one of the authors of .NET. I had the pleasant experience of hearing him speak at MIT about the upcoming "Trusted Computing" software. What made it fun was that Richard Stallman was in the room, which Brian was *not* expecting, and proceeded to call into question the entire "Microsoft holds the private keys and revocation keys for all your hardware and software" security model. Brian pointed out that if Microsoft ever did the pernicious tricks Richard Stallman was worried about, he and ethical engineers like him would resign.

    I managed to rivet the room by pointing out "just like you resigned from the .NET project for their violations of basic security"? The fact that he hopped from security for .NET to Trusted Computing, and .NET *had government backdoors built in*, is precisely why we should trust neither project. He *knew* it was flawed, and instead of resigning he just went to the next security project that has nothing to do with actual user security. It's about digital rights management, at every single level, and about giving Microsoft access to users' private keys in its own private and uncontrolled escrow storage.

  10. Re: Purpose of using Zero Day moniker? by Monster_user · · Score: 3, Informative

    Microsoft knew about it much further back than today. To patch an exploit, it first has to be reported. Then it has to be reported by a reputable source, with information on how to recreate it, in order to prove there is a flaw that can be exploited. Then the developers have to come up with a solution to the exploit, and then spend man-hours coding the remedy into a patch. The patch must then be tested to make sure it doesn't break existing functionality. If it breaks anything then a judgement call regarding the patchability of the flaw, or a rewrite of the patch, will be required. Once the patch passes internal QA testing, it must then be rolled into the patch distribution system, and vendors notified of the patch's release and availability. The time it takes depends on the severity of the exploit, the complexity of the code affected, and the experience and creativity of the programmers resolving the issue. I'd expect the time Microsoft knew about this flaw to be "days" at minimum, especially given a standard release schedule of once a month.

  11. Re: Purpose of using Zero Day moniker? by courteaudotbiz · · Score: 2

    It's not a backdoor nor a vulnerability. It's a government feature that was discovered and MS locked the feature. Now the three-letter agencies will have to revert to their other features to get into people's computers.

  12. Re:NORTH KOREA or THE NSA by Plus1Entropy · · Score: 3, Informative

    I think that's a bit disingenuous. Both things are threats to our liberty, in different ways and to different degrees. Just because I am concerned about Russia interfering in our elections doesn't mean that I am not concerned about the rise of the surveillance state.

    --
    Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
  13. Re:NORTH KOREA or THE NSA by Anonymous Coward · · Score: 2, Insightful

    How do we begin to fix it? Vote in the Democratic primary (The Rethuglicans are lost) and vote for the candidate most likely to actually work toward cutting down the surveillance state. And NEVER vote for a Rethuglican. Vote a straight Democratic ticket in EVERY general election, not just the Presidential ones.

    A better way to fix it is to break the chains binding you to a particular party. The "us versus them" mentality is a distraction. It has been carefully cultivated by both parties in varying degrees, blinding people to the fact that neither the Democrat nor Republican parties represent the average person, regardless whether you believe they did at some point in the past.

    We are mice voting for white versus black cats.