When China Hoards Its Hackers Everyone Loses (engadget.com)
An anonymous reader shares a report: For over a decade Pwn2Own -- happening this week -- has brought together security talent from across the globe in a friendly hacking competition that is a cornerstone of research and advancement on par with Black Hat and Def Con. China's hackers routinely win, sweeping the board -- notably, the Tencent and Keen teams. Pwn2Own is good-natured, and all in the name of researchers finding big bugs, nabbing great bounties and drawing attention to security holes and zero-days that need to be fixed. But this year, according to Pwn2Own manager Brian Gorenc, China is no longer allowing its researchers to compete. Prior to the start of Pwn2Own this week, Gorenc told press "There have been regulatory changes in some countries that no longer allow participation in global exploit contests, such as Pwn2Own and Capture the Flag competitions."
One thing's for certain: yearly champions Tencent's Keen Labs and Qihoo 360's 360Vulcan team are nowhere to be found and Trend Micro, the conference organizer, has confirmed to Engadget that there are no Chinese competitors in this year's competition. [...] It's a worrying development in the direction of isolationism and away from the benefits of competition in the spirit of improving security for all. It comes at a time when relations between the US and China strain under the weight of Huawei security concerns, which are not at all new, but are certainly coming to a head as American companies sever business ties with the firm.
Why would you want to reveal your capabilities to your enemy? They have confirmed now they have the best in the world. They don't need to prove anything any more. Now they can build their army behind the curtain. And they will. Better hope your firewalls are up to the challenge. And you might want to start teaching Chinese in elementary school (says Wernher von Braun).
Worthless comment.
.... China gears up for a cyber war.
These are the wages of empowering stupidity.
It won't be long now before they attack after they remotely shut down the entire power grid and disable the military network.
That's all I read when I see these complaints and accusations. For decades their NSA and CIA engaged in cyber espionage and sabotage, literally acts of war, and now that they get beaten at their own game, they are crying about it.
You should've chosen a more peaceful and diplomatic way. Now you have to suck it up instead.
Trump is certainly all of those, but he is hardly the first President of the US to fit that description. Not even the first in my lifetime.
There are many ways to lose a trade war. I'm not that thrilled about the Chinese government, but for anybody who's a true-blue (or red) free marketer, which is better (i.e., more profitable):
A. a market of 340 million Americans
B. a market of 1.4 billion Chinese, or
C. a market of 7 billion humans?
Well it sure seemed worthy of your reply.
A lot of this is the result of not turning off features that people don't use.
Every program and protocol is stuffed with bells and whistles that no one uses.
Unused features are frequently not disabled which means they're just sitting there in some default state waiting for someone to come in and blow gently in its ear to pervert that feature to take control over whatever.
We need to get better about disabling features we don't use.
First step on that road is getting a really good list of all the features that even exist for whatever we're setting up or managing.
Second step is actually understanding which of those we actually use...
Third step is turning all that shit off by whatever means is most reasonable.
That all by itself is going to preclude most of the problems we've been seeing lately.
The NEXT big problem is that most features are themselves too complicated and too comprehensive in their robust feature set. If you want to do X, that typically only means X in a specific context. But the feature allows that X to happen in a large number of contexts which you probably don't want to happen. Typically, you can't even turn off these other contexts. You have to make them hard to do by eliminating things that allow those other contexts. But what if we made the features more anal about how they worked. So you had to explicitly enable certain contexts and things you didn't... didn't work?
Just spitballing here.
What I'm getting at is that functionality and capability are literally the vectors used to hack our systems. If the system literally cannot do something no matter what level of access you have to it... then the hacker can't make it do that bad thing.
We need to be careful about what we let our systems do. We have to start seeing INABILITY as a feature in and of itself.
I refer to this as breaking the legs of certain programs and appliances. I literally go in and damage the programs so that they cannot do the bad thing with any level of access unless someone first goes in and fixes the program.
This isn't novel. I know a lot of people do this sort of thing. But it gets to a security philosophy that I think is underrepresented.
I want to make things impossible. Literally impossible. A bird with no wings cannot fly. An appliance that has hardware writelocked configurations cannot have its configurations changed.
I've been dealing on and off with a long list of technologies that are very prone to being compromised and this is the security philosophy that has worked. Our systems are not penetrated. We set things up so that everything only works "just so"... and if anything separates from the rules... it stops working. Not because permissions were not granted in most cases... even though they also were not... but because the programs and appliances can't even operate outside of that context. Like trying to connect to a bluetooth device with a ham radio... the idea is to make things either impossible or so absurdly difficult that it won't happen.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
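The three-step approach in the comment above (inventory every feature, find which are actually used, turn the rest off) together with the "inability as a feature" gate, as an added example that is not part of the original post. The feature inventory, the usage log lines and the feature names are constructed sample data.

```python
"""Feature inventory -> usage evidence -> disable list, with a fail-closed gate.

Added example, not from the original post; inventory, log and names are
constructed sample data, not taken from any real product."""

# Step 1: the full list of features that exist (constructed sample inventory).
INVENTORY = {"http", "https", "ssh", "telnet", "snmp_v2c", "upnp", "wps", "remote_admin"}

# Step 2: evidence of what is actually used (constructed log lines).
USAGE_LOG = """\
2024-01-05 feature=https client=10.0.0.7
2024-01-05 feature=ssh client=10.0.0.9
2024-01-06 feature=https client=10.0.0.8
"""


def used_features(log: str) -> set:
    """Collect every 'feature=<name>' token seen in the usage log."""
    used = set()
    for line in log.splitlines():
        for tok in line.split():
            if tok.startswith("feature="):
                used.add(tok.split("=", 1)[1])
    return used


def disable_list(inventory: set, used: set) -> set:
    """Step 3: everything in the inventory with no usage evidence gets turned off."""
    return inventory - used


class CapabilityGate:
    """Fail-closed dispatcher: a feature outside the allowlist cannot run at all.

    The caller's privilege level is accepted but deliberately ignored, so the
    only way to re-enable a feature is to change the allowlist itself (the
    'someone has to go in and fix the program first' step from the comment)."""

    def __init__(self, allowlist):
        self._allow = frozenset(allowlist)

    def invoke(self, feature: str, privileged: bool = False) -> str:
        if feature not in self._allow:
            # Not a permission denial: the capability simply does not exist here.
            raise PermissionError(f"{feature}: not enabled on this system")
        return f"{feature}: ok"


if __name__ == "__main__":
    keep = used_features(USAGE_LOG)
    print("disable:", sorted(disable_list(INVENTORY, keep)))
    print(CapabilityGate(keep).invoke("https"))
```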
Hackers stay home...and crash the rest of the world remotely. While if they're at conferences they're too busy to do any damage. So yes hoarding is bad.
Yep, it was Trump that just abolished term limits. Oh Wait...
Most high-end buildings have bomb shelters, Xi has extended his presidency, China has improved the great firewall to control the message, China has economically reinforced its rare earth metals and increased its asymmetric warfare capabilities. I am not saying which country the war will be with but America is so divided now, the infrastructure is crumbling, wealth inequality is destroying support for the government and there is an idiot for president that cares more about his wealth than the people of America.
If I wanted to knock the US off its high and mighty, late 2019, early 2020 would be the optimal time frame.
I'm a capitalist myself but shouldn't a free market be equal to all players? Aka like if you pollute and dump whatever into the atmosphere should you be able to compete with someone who spends more on cleaning after themselves? Same goes for other more subtle and indirect state interventions. It's human nature to want to gain every advantage possible over the competition, this is just objective fact.
Also not sure there is such a thing as a market of 7 billion humans except if you're selling... air/water?
Apparently the Chinese think they win if they don't tell the US about its crappy buggy software.... Title of the post is off just a bit.
They don't get anything out of it that they don't already know and don't want to show everybody else how far out they are.
Windows 2000 - from the guys who brought us edlin
Love child of Richard M. and William J.? Though the con man I feel needs some more genes. How about Bernie L.? Yeah. That's it. Or, okay, Donald J. He and Bernie can bunk together.
At least half a dozen times I've started to write documentation for a fairly popular open source program. At about a chapter in, I realize that I'm either using features that are completely undocumented, or else either so poorly documented or implemented that they do the opposite of what the design spec claims it does.
Oh boy, crippled software that can't do anything. What a great idea. Inability as a feature. Don't give Google more ideas. As if things weren't bad enough already.
Everyone loses, really?
I wonder what people would think if Americas best and brightest security researchers/hackers were going to China to be involved in paid bug-hunts.
I am suspecting the reaction would border on claiming treason, there would certainly be calls for them to be cut out of any real security work, and their personal lives would probably be destroyed also...
but no, apparently EVERYONE loses if China doesn't send their best and brightest over to help out American corps..
Grow up.
If anything, China wins. They still get to see all of the exploits used in the competition while hoarding their own exploits.
If China is the smartest person in the room, they aren't losing anything by leaving. It is all of the people dumber than them that lose out.
The eastern Europeans and Asians have already proven that their universities have better programmers than the Americans since they dominate the ICPC every year.
I don't blame China for using the leverage that it has. Maybe the US needs to step its game up.
If Trump wants to win in 2020 (if he is still President), he needs a war.
I'm pretty sure this is part of the security mindset which Linus Torvalds claims makes all the security-above-all-else types incredible.
Those who do not learn from commit history are doomed to regress it.
Nope, but he definitely likes the idea!
If you have a link to him talking about that, it would be appreciated...
This is part of Emperor Xi's crack down on foreign interactions generally. If you want to control a country and its IT in particular, then the last thing you want is your hackers interacting with foreigners.
Forget Putin and Russia. China will give us more grief. And Putin will go after one more term, whereas Xi is now in for life, and by all accounts his health is good.
I would hate to be living in China now, even if the economy is booming. For the time being at least.
China has or is tightening restrictions across the board on sharing research. Agriculture research labs for instance in some cases at least can't get funding if they work together with groups in America. And I'm sure the same thing is true for other fields. China has no problem taking or stealing the research of others but keeps a very jealous grasp on their own.
Hmm.
His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
the idea is to make things either impossible or so absurdly difficult that it won't happen.
You underestimate how much time and determination some people have. It only takes one.
I tend to rant.
Very poor quality post, Xi. Two social demerit points.
Sure sure Chink. Its alllllll Amerikkka's fault and you just innocent small penises.
KYS
Trump benefits from a communist country interfering in our election.
Trump says something a communist leader is doing is a good idea.
American communists who want the same thing: LOSING THEIR SHIT.
My standard of almost impossible is rather extreme. When I say "almost impossible"... I tend to mean some James Bond shit would have to happen.
And really nothing is going to stop that. The guy will tell everyone his name, kill/have sex with all your guards, and break into whatever using rocket packs and lasers...
As I said before, I'm a big fan of security through literally disabling or breaking features in programs that aren't used or can't be secured.
James Bond will get physical access to whatever we've stored our top secret whatever on... so we're screwed there. Can't keep things secure if you lose physical security... not without some really hilarious encryption. Like... 1:1 encryption... That stuff is funny.
Think of it like welding doors shut that you don't intend to ever open again.
Lock picks won't get through that. The lock in question might even just be slagged.