When China Hoards Its Hackers Everyone Loses (engadget.com)
An anonymous reader shares a report: For over a decade Pwn2Own -- happening this week -- has brought together security talent from across the globe in a friendly hacking competition that is a cornerstone of research and advancement on par with Black Hat and Def Con. China's hackers routinely win, sweeping the board -- notably, the Tencent and Keen teams. Pwn2Own is good-natured, and all in the name of researchers finding big bugs, nabbing great bounties and drawing attention to security holes and zero-days that need to be fixed. But this year, according to Pwn2Own manager Brian Gorenc, China is no longer allowing its researchers to compete. Prior to the start of Pwn2Own this week, Gorenc told press "There have been regulatory changes in some countries that no longer allow participation in global exploit contests, such as Pwn2Own and Capture the Flag competitions."
One thing's for certain: yearly champions Tencent's Keen Labs and Qihoo 360's 360Vulcan team are nowhere to be found and Trend Micro, the conference organizer, has confirmed to Engadget that there are no Chinese competitors in this year's competition. [...] It's a worrying development in the direction of isolationism and away from the benefits of competition in the spirit of improving security for all. It comes at a time when relations between the US and China strain under the weight of Huawei security concerns, which are not at all new, but are certainly coming to a head as American companies sever business ties with the firm.
Why would you want to reveal your capabilities to your enemy? They have confirmed now they have the best in the world. They don't need to prove anything any more. Now they can build their army behind the curtain. And they will. Better hope your firewalls are up to the challenge. And you might want to start teaching Chinese in elementary school (says Wernher von Braun).
that's all I read when I see these complaints and accusations. For decades their NSA and CIA engaged in cyber espionage and sabotage, literally acts of war, and now that they get beat in their own game, they are crying about it.
You should've chosen a more peaceful and diplomatic way. Now you have to suck it up instead.
There are many ways to lose a trade war. I'm not that thrilled about the Chinese government, but for anybody who's a true-blue (or red) free marketer, which is better (i.e., more profitable):
A. a market of 340 million Americans
B. a market of 1.4 billion Chinese, or
C. a market of 7 billion humans?
I don't like Trump either, but I doubt his trade war stupidity is the issue. More likely, China wants to keep any Chinese-discovered exploits in-house to aid in its Orwellian pursuit of 100% monitoring and control over its citizens (and, probably, others beyond its borders).
#DeleteChrome
A lot of this is the result of not turning off features that people don't use.
Every program and protocol is stuffed with bells and whistles that no one uses.
Unused features are frequently not disabled which means they're just sitting there in some default state waiting for someone to come in and blow gently in its ear to pervert that feature to take control over whatever.
We need to get better about disabling features we don't use.
First step on that road is getting a really good list of all the features that even exist for whatever we're setting up or managing.
Second step is actually understanding which of those we actually use...
Third step is turning all that shit off by whatever means is most reasonable.
That all by itself is going to preclude most of the problems we've been seeing lately.
The NEXT big problem is that most features are themselves too complicated and too comprehensive in their robust feature set. If you want to do X, that typically only means X in a specific context. But the feature allows that X to happen in a large number of contexts which you probably don't want to happen. Typically, you can't even turn off these other contexts. You have to make them hard to do by eliminating things that allow those other contexts. But what if we made the features more anal about how they worked. So you had to explicitly enable certain contexts and things you didn't... didn't work?
Just spitballing here.
What I'm getting at is that functionality and capability are literally the vectors used to hack our systems. If the system literally cannot do something no matter what level of access you have to it... then the hacker can't make it do that bad thing.
We need to be careful about what we let our systems do. We have to start seeing INABILITY as a feature in and of itself.
I refer to this as breaking the legs of certain programs and appliances. I literally go in and damage the programs so that they cannot do the bad thing with any level of access unless someone first goes in and fixes the program.
This isn't novel. I know a lot of people do this sort of thing. But it gets to a security philosophy that I think is underrepresented.
I want to make things impossible. Literally impossible. A bird with no wings cannot fly. An appliance that has hardware writelocked configurations cannot have its configurations changed.
I've been dealing on and off with a long list of technologies that are very prone to being compromised and this is the security philosophy that has worked. Our systems are not penetrated. We set things up so that everything only works "just so"... and if anything separates from the rules... it stops working. Not because permissions were not granted in most cases... even though they also were not... but because the programs and appliances can't even operate outside of that context. Like trying to connect to a bluetooth device with a ham radio... the idea is to make things either impossible or so absurdly difficult that it won't happen.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
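The "break the legs so it can't do the bad thing at any access level" idea above, as an added example that is not from the thread: a Linux seccomp-BPF filter (assumed: Linux on x86_64 or aarch64, with /bin/true present) that permanently removes a process's ability to start other programs. Unlike a permission check, the kernel enforces it no matter which user the process later becomes, and the process cannot undo it.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/* Pin the CPU architecture, or a foreign syscall table could slip past the
 * syscall-number checks below. Assumed: Linux on x86_64 or aarch64. */
#if defined(__x86_64__)
#  define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this CPU architecture"
#endif
/* Install a seccomp-BPF filter that makes execve()/execveat() fail with EPERM
 * for this process, its threads and children. The kernel never lets the process
 * remove it again, whatever uid it later acquires. Returns 0 on success. */
int break_exec_legs(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),          /* wrong arch */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),         /* everything else */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM), /* exec family */
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* required for unprivileged callers; also blocks setuid privilege gain */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Try to exec /bin/true and return the errno execv() failed with. Before the
 * filter this call never returns (the process is replaced); after it, EPERM. */
int try_exec(void)
{
    char *argv[] = { "/bin/true", NULL };
    execv(argv[0], argv);
    return errno;
}
```

Call break_exec_legs() early in a daemon's startup, before it touches untrusted input, and any later compromise of that process inherits the same inability to spawn a shell.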
FIFY
The USA wants to keep any US-discovered exploits in-house to aid in its Orwellian pursuit of 100% monitoring and control over its citizens (and, probably, others beyond its borders).
Are you off your meds again???
Yep, it was Trump that just abolished term limits. Oh Wait...
FIFY
The USA wants to keep any US-discovered exploits in-house to aid in its Orwellian pursuit of 100% monitoring and control over its citizens (and, probably, others beyond its borders).
The United States are not the ones banning their citizens from competition, dumbass.
I'm a capitalist myself, but shouldn't a free market be equal to all players? Aka, if you pollute and dump whatever into the atmosphere, should you be able to compete with someone who spends more on cleaning up after themselves? Same goes for other more subtle and indirect state interventions. It's human nature to want to gain every advantage possible over the competition; this is just objective fact.
Also not sure there is such a thing as a market of 7 billion humans, except if you're selling... air/water?
Whut
If the media would bother to post the numbers, you might note there is a serious imbalance in trade between the US and China which favors China pretty heavily. The "trade war", as the media is calling it, is simply the inevitable outcome of the fact that China doesn't do anything by asking them nicely. They're looking out for China, period, and fuck everyone else in the process. The past administrations have all played ball with China by their rules and it's done nothing but screw us over in the process.
Fast forward to today, where the current administration is pretty much giving China the middle finger. The tariffs will go into play, we're going to keep sailing by their "sovereign" bullshit man-made piles of sand in the South China Sea, and we're probably about to start talking to Taiwan like they're a real country instead of China's whipping boy. The point is, WE DON'T GIVE A SHIT WHAT CHINA THINKS ABOUT ANY OF IT.
Or maybe we do and all this is designed to show the world how full of shit they are on all fronts because you can only bluff for so long before you're forced to show your hand.
China is the ultimate paper fucking tiger. They're all talk and hype about how amazing they are and what their capabilities are, but absolutely none of it has ever been battlefield tested. Not. One. Bit.
They talk up a great game, but in the end, that's all it is.
All talk.
they don't get anything out of it that they don't already know and don't want to show everybody else how far out they are.
Windows 2000 - from the guys who brought us edlin
Orwellian pursuit of 100% monitoring and control over its citizens (and, probably, others beyond its borders).
Much like the NSA does. The WannaCry attacks were enabled by NSA-developed weapons which the NSA lost control of. The NSA knew about these exploits for years, weaponized them, and never told Microsoft because they wanted their weapon to be viable for as long as possible.
There are no cleanskins here.
Everyone loses, really?
I wonder what people would think if America's best and brightest security researchers/hackers were going to China to be involved in paid bug-hunts.
I am suspecting the reaction would border on claiming treason, there would certainly be calls for them to be cut out of any real security work, and their personal lives would probably be destroyed also...
but no, apparently EVERYONE loses if China doesn't send their best and brightest over to help out American corps..
Grow up.
If trump wants to win in 2020 (if he is still President), he needs a war.
I'm pretty sure this is part of the security mindset which Linus Torvalds claims makes all the security-above-all-else types incredible.
Those who do not learn from commit history are doomed to regress it.
if you have a link to him talking about that, it would be appreciated...
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Cleanskin brings to mind why China does not want its best hackers exposed: they might end up working in an awkwardly secure location that the government of China, or even a Chinese corporation, might desire to be temporarily less secure. Instead of making things more secure, the fuckwits at the CIA and NSA decided that playing Sir Hacksalot would be more sensible. We have yet to see the full ramifications of that stupidity in a growing corporate conflict: hack and expose your opposition and your market share will go up, as will your share price, and your opposition will crash. Literally billions of dollars at stake on a successful hack, and the fucking morons at the CIA and NSA led the way. This instead of a global shared practice of internet security with treaties to lock down investigation and prosecution. No, can't have that, else how could the fuckwit moronic security services play? Idiots.
Chaos - everything, everywhere, everywhen
This is part of Emperor Xi's crack down on foreign interactions generally. If you want to control a country and its IT in particular, then the last thing you want is your hackers interacting with foreigners.
Forget Putin and Russia. China will give us more grief. And Putin will go after one more term, whereas Xi is now in for life, and by all accounts his health is good.
I would hate to be living in China now, even if the economy is booming. For the time being at least.
China has tightened, or is tightening, restrictions across the board on sharing research. Agriculture research labs, for instance, in some cases at least can't get funding if they work together with groups in America. And I'm sure the same thing is true for other fields. China has no problem taking or stealing the research of others but keeps a very jealous grasp on their own.
Nope, but he definitely likes the idea!
Hmm.
His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
the idea is to make things either impossible or so absurdly difficult that it won't happen.
You underestimate how much time and determination some people have. It only takes one.
I tend to rant.
Mod up; only someone with non-existent reading comprehension skills would've modded this "flamebait."
You forgot to mention, they have to buy jet engines for their aircraft from elsewhere; I find that rather telling...
My standard of almost impossible is rather extreme. When I say "almost impossible"... I tend to mean some James Bond shit would have to happen.
And really nothing is going to stop that. The guy will tell everyone his name, kill/have sex with all your guards, and break into whatever using rocket packs and lasers...
As I said before, I'm a big fan of security through literally disabling or breaking features in programs that aren't used or can't be secured.
James Bond will get physical access to whatever we've stored our top secret whatever on... so we're screwed there. Can't keep things secure if you lose physical security... not without some really hilarious encryption. Like... 1:1 encryption... That stuff is funny.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Think of it like welding doors shut that you don't intend to ever open again.
Lock picks won't get through that. The lock in question might even just be slagged.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.