CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk

msm1267 writes "A presenter at this week's CanSecWest security conference withdrew his scheduled talk for fear the information could be used to attack critical infrastructure worldwide. Eric Filiol, scientific director of the Operational Cryptology and Virology lab. CTO/CSO of the ESIEA in France, pulled his talk on Sunday, informing organizer Dragos Ruiu via email. Filiol, a 22-year military veteran with a background in intelligence and computer security, said he has been studying the reality of cyberwar for four months and came to the decision after discussions with his superiors in the French government. Filiol said he submitted the presentation, entitled 'Hacking 9/11: The next is likely to be even bigger with an ounce of cyber,' to CanSecWest three months ago before his research was complete. Since his lab is under supervision of the French government, he was required to review his findings with authorities.

'They told me that this presentation was unsuitable for being public,' Filiol said in an email. 'It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries).'"
This discussion has been archived. No new comments can be posted.

  • hack the planet (Score:5, Insightful)

    by trdtaylor ( 2664195 ) on Tuesday March 11, 2014 @05:09AM (#46453001)

    knee-jerk reactions are the norm not the exception to security disclosure, and I doubt he has some leeto 0-day to destroy the world with.

  • Re:hack the planet (Score:4, Insightful)

    by Chrisq ( 894406 ) on Tuesday March 11, 2014 @05:30AM (#46453039)

    knee-jerk reactions are the norm not the exception to security disclosure, and I doubt he has some leeto 0-day to destroy the world with.

    Agree. If it were a temporary "we want to close this hole first" thing then I wouldn't have an issue, but silencing disclosure seems to be seen as an alternative to securing systems, which is not only wrong but bad security.

  • The world is safe. (Score:5, Insightful)

    by Thanshin ( 1188877 ) on Tuesday March 11, 2014 @05:49AM (#46453103)

    withdrew his scheduled talk

    That was a close one. Fortunately he withdrew his scheduled talk. Now it's impossible that anyone will ever have that information ever.

    Since his lab is under supervision of the French government, he was required to review his findings with authorities.

    So... There are several people in possession of information that has a value and that has been publicly identified as valuable.

    No problem. Governments only hire people immune to corruption.

  • by some old guy ( 674482 ) on Tuesday March 11, 2014 @06:42AM (#46453263)

    All of this stuff about security, privacy, and accountability is just academic masturbation. It has been for years. It is not going to change, because those with the power to change it aren't about to.

    The oligarchs who control our governments, security forces, and political parties, own us completely. It is too late to stop them. It is a waste of time to complain and dangerous to resist.

    Seriously.

    Can we just drop all the faux political drama and talk about, I don't know, programming or something?

  • by Chrisq ( 894406 ) on Tuesday March 11, 2014 @06:51AM (#46453283)

    The government officials have forwarded the information to the appropriate security people.

    Information like that is obviously not for the general public.

    No - security through obscurity does not work. You are better off fixing security holes and making it public, preferably with open source so that everyone can see that it's fixed and look for other weaknesses.

  • Re:hack the planet (Score:5, Insightful)

    by pla ( 258480 ) on Tuesday March 11, 2014 @06:54AM (#46453291) Journal

    knee-jerk reactions are the norm not the exception to security disclosure, and I doubt he has some leeto 0-day to destroy the world with.

    This. A discussion about viable "cyberwar" doesn't depend on knowing the latest and greatest weakness in Flash player. It depends on well-documented systemic weaknesses in commonly used PLCs, in protocols like ModBus; and where a practical attacker cares about "consumer" OSs, they care about exploiting the 30 year old unpatched packet drivers for NE2000 compatible cards running under MS-DOS 6.2 (it would amaze you how many "embedded" devices run DOS).

    And the focus of such a serious discussion has nothing to do with glory or PII or money, but rather, "crippling infrastructure 101: Electric, water, and traffic control systems 101".

    The only reason to censor this as a "threat" comes from the underlying mindset of looking for subtle systemic weaknesses rather than trying to find the digital version of "fly a plane into a building". Think how subtly Israel fucked Iran's nuclear program with Stuxnet, and you have the right idea.

  • Self-censored? (Score:5, Insightful)

    by Bogtha ( 906264 ) on Tuesday March 11, 2014 @07:25AM (#46453385)

    Since his lab is under supervision of the French government, he was required to review his findings with authorities. [...] They told me that this presentation was unsuitable for being public [...] Filiol said his research is now classified.

    I know he says that pulling out was the moral thing to do, but describing this as "self censorship" is a bit of a misrepresentation. He showed every intention of going ahead with it until the French government got involved, and if he had wanted to go ahead with it, the French government would have stopped him.
