CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk

Posted by Unknown Lamer
from the security-through-obscurity dept.
msm1267 writes "A presenter at this week's CanSecWest security conference withdrew his scheduled talk for fear the information could be used to attack critical infrastructure worldwide. Eric Filiol, scientific director of the Operational Cryptology and Virology lab and CTO/CSO of the ESIEA in France, pulled his talk on Sunday, informing organizer Dragos Ruiu via email. Filiol, a 22-year military veteran with a background in intelligence and computer security, said he has been studying the reality of cyberwar for four months and came to the decision after discussions with his superiors in the French government. Filiol said he submitted the presentation, entitled 'Hacking 9/11: The next is likely to be even bigger with an ounce of cyber,' to CanSecWest three months ago before his research was complete. Since his lab is under supervision of the French government, he was required to review his findings with authorities.

'They told me that this presentation was unsuitable for being public,' Filiol said in an email. 'It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries).'"

  • hack the planet (Score:5, Insightful)

    by trdtaylor (2664195) on Tuesday March 11, 2014 @04:09AM (#46453001)

    knee-jerk reactions are the norm not the exception to security disclosure, and I doubt he has some leeto 0-day to destroy the world with.

    • Re:hack the planet (Score:4, Insightful)

      by Chrisq (894406) on Tuesday March 11, 2014 @04:30AM (#46453039)

      knee-jerk reactions are the norm not the exception to security disclosure, and I doubt he has some leeto 0-day to destroy the world with.

      Agree. If it were a temporary "we want to close this hole first" thing then I wouldn't have an issue, but silencing disclosure seems to be seen as an alternative to securing systems, which is not only wrong but bad security.

      • Agree. If it were a temporary "we want to close this hole first" thing then I wouldn't have an issue, but silencing disclosure seems to be seen as an alternative to securing systems, which is not only wrong but bad security.

        When I read what you wrote a feeling of sadness suddenly surged ...

        Have we become so pre-programmed by TPTB that we start having second thoughts of our own liberties ?

        Look around us ... The American journalists are doing exactly the same.

        Instead of reporting what needs to be reported, however bad/ugly the news be, they begin to modify the story in such a way that it can "easier be consumed" and/or "not rocking the boat" and/or "not jeopardizing the country", and so on, and so forth.

        So much so that S

        • by plover (150551)

          Why should he hold back from publishing? You doubted three specific claims:

          A. The terrorists would have the technological know how to carry out the sabotage

          People already have carried out technological sabotage on various infrastructure elements. These are generally not publicized because there is negative value in making this information public -- creating panic without a solution is the desire of the attacker. Some information about these attacks is shared in industry appropriate discussions, but these are not public forums, and participants are invited only on a need-to-know basis.

    • by Quixadhal (45024)

      How's that old saying go? Security through obscurity is not security at all?

• Yeah, but another saying goes: You don't have to help the terrorists by making it easy for them.

        • by Cenan (1892902)

          Bullshit. Why do people like you always assume that the fabled terrorist doesn't already know about these holes? Or are actively searching for them? If you've been following security for any length of time, you would know that in most cases the "bad guys" are many steps ahead of the researchers, if not on a whole other playing field. This renders the standard security by obscurity irrelevant, if not straight up dangerous.

          But, suppose an imaginary terrorist group has decided that they wish to conduct some go

• The fabled terrorist has had decades to exploit these weaknesses. And judging from the suppression of this research, he will have decades more after this. Where is he? So-called 'terrorist' attacks are very rare despite the huge number of airports, malls, sporting events, weddings, schools, subway trains, busy shipping ports, train stations, popular landmarks, etc etc etc. Yes there is a threat, just like any other sort of crime. But you are right, let's not imagine there are 'terrorists' sitting out there

            • by Cenan (1892902)

              My use of the term "terrorist" was also meant as a jab against the mentality of thinking of Arab guys with gun belts and AK-47s. You don't need to blow up a train station to have an impact on people's daily lives, as witnessed time and time again when some BigCorp gets their entire customer catalog siphoned off.

              The real threat is not some religious nut job in a cave somewhere, it's the ingenious people who spend months or years researching an attack vector, setting up the heist and making off with millions.

              • My use of the term "terrorist" was also meant as a jab against the mentality of thinking of Arab guys with gun belts and AK-47s. You don't need to blow up a train station to have an impact on people's daily lives, as witnessed time and time again when some BigCorp gets their entire customer catalog siphoned off.

                That's not terrorism, it's larceny.

                Terrorism is defined, at least by Google, as "the use of violence and intimidation in the pursuit of political aims."

                Stealing credit card info isn't violent, nor intimidating. Let's stop conflating "terrorist" with "petty criminal," since doing so only makes it easier for governments around the globe to whittle away at our civil liberties.

                • by Pope (17780)

                  Since when does Google define anything? It's a search engine.

                  • Since when does Google define anything? It's a search engine.

                    Well, I would have said, "Terrorism is defined, at least by the website Google references," but for some reason they stopped putting the referenced site's name or URL with the definitions. I presume Dictionary.com is still the favored source.

          • by Fnord666 (889225)

            By keeping your mouth shut about these holes, you are pretty much guaranteeing that they will remain open for exploitation. People in positions with the authority to make decisions about patching the holes will remain oblivious, because let's face it, very few of said people have a fucking clue.

            Security by obscurity does not work. I believe that we can all agree on that. On the other hand, responsible disclosure means talking to the people who can do something about a discovered issue should be the first step. Once the issue has been addressed, then a wider disclosure is reasonable.

• Yeah, but another saying goes: You don't have to help the terrorists by making it easy for them.

          By giving the information to a government, they are helping the terrorists. [google.com]

      • by DarkOx (621550)

        The corollary however is "loose lips sink ships".

        I generally come down on the side of disclosure because when it comes to keeping secrets humans are not very good.

        First some engineer has a few beers with his cousin, and starts a story out "the boss said don't tell anyone but..." and lets it slip that it would be possible to enable the thermal cleaning operation of some pressure probe on a gas line without first shutting off the gas, and things could get exciting, and you could totally do this without authentication

      • by tsqr (808554)

        How's that old saying go? Security through obscurity is not security at all?

        As usual, generalizations aren't worth a damn.

        Should the Imperial Navy have told the US Navy they were coming in 1941? Should Ike have let Adolf know it was going to be Normandy? Maybe the Brits should have told the Germans about Bletchley Park?

        Sometimes obscurity is all you have to begin with. Sometimes it's all you'll ever have.

• Should the Imperial Navy have told the US Navy they were coming in 1941?

          Well, kinda [wikipedia.org], yeah.

          • by tsqr (808554)

            Should the Imperial Navy have told the US Navy they were coming in 1941?

            Well, kinda [wikipedia.org], yeah.

            Kinda, sorta... well, not really. The notification that the Japanese ambassador was supposed to deliver 30 minutes before the attack, but didn't deliver until after the attack had started, wasn't a declaration of war, or a warning that Hawaii was going to be attacked; it was a formal notification that negotiations were being broken off.

            There is no denying that there were breakdowns in communication within US government and military that lessened the chances that we would figure out that an attack was immin

    • Re:hack the planet (Score:5, Insightful)

      by pla (258480) on Tuesday March 11, 2014 @05:54AM (#46453291) Journal

      knee-jerk reactions are the norm not the exception to security disclosure, and I doubt he has some leeto 0-day to destroy the world with.

      This. A discussion about viable "cyberwar" doesn't depend on knowing the latest and greatest weakness in Flash player. It depends on well-documented systemic weaknesses in commonly used PLCs, in protocols like ModBus; and where a practical attacker cares about "consumer" OSs, they care about exploiting the 30 year old unpatched packet drivers for NE2000 compatible cards running under MS-DOS 6.2 (it would amaze you how many "embedded" devices run DOS).

      And the focus of such a serious discussion has nothing to do with glory or PII or money, but rather, "crippling infrastructure 101: Electric, water, and traffic control systems 101".

      The only reason to censor this as a "threat" comes from the underlying mindset of looking for subtle systemic weaknesses rather than trying to find the digital version of "fly a plane into a building". Think how subtly Israel fucked Iran's nuclear program with Stuxnet, and you have the right idea.

    • by Anonymous Coward

      Having spent some time in the industrial controls space recently, it's not that simple. There is no such thing as a "quick patch". The ICS vendors frequently have little security experience (even now), there are limited or no contractual clauses to enforce security updates, and refresh periods for ICS systems can be in the >15 year timelines.

      It's getting better. Buyers are getting smarter and mandating this stuff for new installations, but if a vendor won't certify a patch for the system that operates

• by cascadingstylesheet (140919) on Tuesday March 11, 2014 @04:39AM (#46453069)

    He acted like a human? We can't have that.

    • I think acting like a human and making course corrections is why "some" of my fellow Americans have issues with the French. They mistrust and fear that thing called empathy and reflection.

  • The world is safe. (Score:5, Insightful)

    by Thanshin (1188877) on Tuesday March 11, 2014 @04:49AM (#46453103)

    withdrew his scheduled talk

    That was a close one. Fortunately he withdrew his scheduled talk. Now it's impossible that anyone will ever have that information ever.

    Since his lab is under supervision of the French government, he was required to review his findings with authorities.

    So... There are several people in possession of information that has a value and that has been publicly identified as valuable.

    No problem. Governments only hire people immune to corruption.

    • And, you know, no terrorist organization/malicious foreign government/etc has ever built a lab and done research once they know something can be done...

      Without knowing what the vulnerabilities are the users can't take steps to protect themselves other than researching to find the vulnerabilities. Attackers will be researching the vulnerabilities anyway. Censorship like this makes people less safe.

    • by Tom (822)

      So... There are several people in possession of information that has a value and that has been publicly identified as valuable.

      No problem. Governments only hire people immune to corruption.

      There's an important difference. Yes, this information can be obtained by a determined adversary with considerable resources. Making it public, however, would mean every blabbering fool in a cave with an Internet connection has it.

      That is quite a difference. We're all constantly going on about how we realize that there's no 100% security - this is just such a case. Making critical information hard to obtain is precisely what security is all about.

  • All of this stuff about security, privacy, and accountability is just academic masturbation. It has been for years. It is not going to change, because those with the power to change it aren't about to.

    The oligarchs who control our governments, security forces, and political parties, own us completely. It is too late to stop them. It is a waste of time to complain and dangerous to resist.

    Seriously.

    Can we just drop all the faux political drama and talk about, I don't know, programming or something?

    • by Thanshin (1188877)

      Can we just drop all the faux political drama and talk about, I don't know, programming or something?

      All of that stuff about programming is just academic masturbation. It has been for years. It is not going to change, because those with the power to change it aren't about to.

      The oligarchs who control our CEOs, own us completely. It is too late to stop them. It is a waste of time to complain and dangerous to resist.

      Jokingly.

  • Self-censored? (Score:5, Insightful)

    by Bogtha (906264) on Tuesday March 11, 2014 @06:25AM (#46453385)

    Since his lab is under supervision of the French government, he was required to review his findings with authorities. [...] They told me that this presentation was unsuitable for being public [...] Filiol said his research is now classified.

    I know he says that pulling out was the moral thing to do, but describing this as "self censorship" is a bit of a misrepresentation. He showed every sign of going ahead with it until the French government got involved, and if he had wanted to go ahead with it, the French government would have stopped him.

  • 'It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries).

    Should we really believe that the so called terrorists don't already know what he's talking about? And why should we believe that, just because it hasn't been exploited on a large, TERRORIST, scale?

    I mean, be them terrorists, but very likely, they're not stupid. If he in 4 months "discovere

  • by azav (469988)

    Can we stop using the term, "cyber" to mean "on or over the internet"?

  • We're no safer for his withdrawing the paper, but at least any attacks can't be traced back to info provided by him (even if it's accessible elsewhere). I'm guessing this is a CYA move. Hopefully he shares any info on security flaws with people from the relevant organizations.

