CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk
msm1267 writes "A presenter at this week's CanSecWest security conference withdrew his scheduled talk for fear the information could be used to attack critical infrastructure worldwide. Eric Filiol, scientific director of the Operational Cryptology and Virology lab and CTO/CSO of the ESIEA in France, pulled his talk on Sunday, informing organizer Dragos Ruiu via email. Filiol, a 22-year military veteran with a background in intelligence and computer security, said he has been studying the reality of cyberwar for four months and came to the decision after discussions with his superiors in the French government. Filiol said he submitted the presentation, entitled 'Hacking 9/11: The next is likely to be even bigger with an ounce of cyber,' to CanSecWest three months ago before his research was complete. Since his lab is under supervision of the French government, he was required to review his findings with authorities.
'They told me that this presentation was unsuitable for being public,' Filiol said in an email. 'It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries)."
hack the planet (Score:5, Insightful)
knee-jerk reactions are the norm not the exception to security disclosure, and I doubt he has some leeto 0-day to destroy the world with.
Re: (Score:3)
Your mom is calling. Dinner is ready.
Re:hack the planet (Score:4, Insightful)
knee-jerk reactions are the norm not the exception to security disclosure, and I doubt he has some leeto 0-day to destroy the world with.
Agree. If it were a temporary "we want to close this hole first" thing then I wouldn't have an issue, but silencing disclosure seems to be seen as an alternative to securing systems, which is not only wrong but bad security.
Re:It's not bad security. (Score:4, Insightful)
The government officials have forwarded the information to the appropriate security people.
Information like that is obviously not for the general public.
No - security through obscurity does not work. You are better off fixing security holes and making it public, preferably with open source so that everyone can see that it's fixed and look for other weaknesses.
Re: (Score:3)
No - security through obscurity does not work. You are better off fixing security holes and making it public, preferably with open source so that everyone can see that it's fixed and look for other weaknesses.
That works for your chat program or web browser.
Doesn't quite work that way for your power grid infrastructure.
Have we become so pre-programmed? (Score:1)
Agree. If it were a temporary "we want to close this hole first" thing then I wouldn't have an issue, but silencing disclosure seems to be seen as an alternative to securing systems, which is not only wrong but bad security.
When I read what you wrote a feeling of sadness suddenly surged ...
Have we become so pre-programmed by TPTB that we start having second thoughts of our own liberties?
Look around us ... The American journalists are doing exactly the same.
Instead of reporting what needs to be reported, however bad/ugly the news be, they begin to modify the story in such a way that it can "easier be consumed" and/or "not rocking the boat" and/or "not jeopardizing the country", and so on, and so forth.
So much so that S
Re: (Score:3)
Why should he hold back from publishing? You doubted three specific claims:
A. The terrorists would have the technological know how to carry out the sabotage
People already have carried out technological sabotage on various infrastructure elements. These are generally not publicized because there is negative value in making this information public -- creating panic without a solution is the desire of the attacker. Some information about these attacks is shared in industry appropriate discussions, but these are not public forums, and participants are invited only on a need-to-know basis.
Re: (Score:3)
How's that old saying go? Security through obscurity is not security at all?
Re: (Score:2)
Yeah, but other saying goes: You don't have to help the terrorists by making it easy for them.
Re: (Score:2)
Bullshit. Why do people like you always assume that the fabled terrorist doesn't already know about these holes? Or are actively searching for them? If you've been following security for any length of time, you would know that in most cases the "bad guys" are many steps ahead of the researchers, if not on a whole other playing field. This renders the standard security by obscurity irrelevant, if not straight up dangerous.
But, suppose an imaginary terrorist group has decided that they wish to conduct some go
Re: (Score:2)
Re: (Score:3)
My use of the term "terrorist" was also meant as a jab against the mentality of thinking of Arab guys with gun belts and AK-47s. You don't need to blow up a train station to have an impact on people's daily lives, as witnessed time and time again when some BigCorp gets their entire customer catalog siphoned off.
The real threat is not some religious nut job in a cave somewhere, it's the ingenious people who spend months or years researching an attack vector, setting up the heist and making off with millions.
Re: (Score:2)
My use of the term "terrorist" was also meant as a jab against the mentality of thinking of Arab guys with gun belts and AK-47s. You don't need to blow up a train station to have an impact on people's daily lives, as witnessed time and time again when some BigCorp gets their entire customer catalog siphoned off.
That's not terrorism, it's larceny.
Terrorism is defined, at least by Google, as "the use of violence and intimidation in the pursuit of political aims."
Stealing credit card info isn't violent, nor intimidating. Let's stop conflating "terrorist" with "petty criminal," since doing so only makes it easier for governments around the globe to whittle away at our civil liberties.
Re: (Score:2)
Since when does Google define anything? It's a search engine.
Re: (Score:2)
Since when does Google define anything? It's a search engine.
Well, I would have said, "Terrorism is defined, at least by the website Google references," but for some reason they stopped putting the referenced site's name or URL with the definitions. I presume Dictionary.com is still the favored source.
Re: (Score:2)
By keeping your mouth shut about these holes, you are pretty much guaranteeing that they will remain open for exploitation. People in positions with the authority to make decisions about patching the holes will remain oblivious, because let's face it, very few of said people have a fucking clue.
Security by obscurity does not work. I believe that we can all agree on that. On the other hand, responsible disclosure means that talking to the people who can do something about a discovered issue should be the first step. Once the issue has been addressed, then a wider disclosure is reasonable.
Re: (Score:2)
Yeah, but other saying goes: You don't have to help the terrorists by making it easy for them.
By giving the information to a government, they are helping the terrorists. [google.com]
Re: (Score:2)
The corollary however is "loose lips sink ships".
I generally come down on the side of disclosure because when it comes to keeping secrets humans are not very good.
First some engineer has a few beers with his cousin, and starts a story out "the boss said don't tell anyone but..." and lets it slip that it would be possible to enable the thermal cleaning operation of some pressure probe on a gas line without first shutting off the gas, and things could get exciting, and you could totally do this without authentication
Re: (Score:2)
How's that old saying go? Security through obscurity is not security at all?
As usual, generalizations aren't worth a damn.
Should the Imperial Navy have told the US Navy they were coming in 1941? Should Ike have let Adolf know it was going to be Normandy? Maybe the Brits should have told the Germans about Bletchley Park?
Sometimes obscurity is all you have to begin with. Sometimes it's all you'll ever have.
Re: (Score:2)
Should the Imperial Navy have told the US Navy they were coming in 1941?
Well, kinda [wikipedia.org], yeah.
Re: (Score:2)
Should the Imperial Navy have told the US Navy they were coming in 1941?
Well, kinda [wikipedia.org], yeah.
Kinda, sorta... well, not really. The notification that the Japanese ambassador was supposed to deliver 30 minutes before the attack, but didn't deliver until after the attack had started, wasn't a declaration of war, or a warning that Hawaii was going to be attacked; it was a formal notification that negotiations were being broken off.
There is no denying that there were breakdowns in communication within US government and military that lessened the chances that we would figure out that an attack was immin
Re:hack the planet (Score:5, Insightful)
knee-jerk reactions are the norm not the exception to security disclosure, and I doubt he has some leeto 0-day to destroy the world with.
This. A discussion about viable "cyberwar" doesn't depend on knowing the latest and greatest weakness in Flash player. It depends on well-documented systemic weaknesses in commonly used PLCs, in protocols like Modbus; and where a practical attacker cares about "consumer" OSs, they care about exploiting the 30 year old unpatched packet drivers for NE2000-compatible cards running under MS-DOS 6.2 (it would amaze you how many "embedded" devices run DOS).
And the focus of such a serious discussion has nothing to do with glory or PII or money, but rather, "crippling infrastructure 101: Electric, water, and traffic control systems 101".
The only reason to censor this as a "threat" comes from the underlying mindset of looking for subtle systemic weaknesses rather than trying to find the digital version of "fly a plane into a building". Think how subtly Israel fucked Iran's nuclear program with Stuxnet, and you have the right idea.
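The "well-documented systemic weakness" in Modbus that the comment above points at is simply that the protocol has no authentication: a Modbus/TCP frame is a 7-byte MBAP header followed by a function code and data, and nothing in it says who is allowed to write. The example below is added here to illustrate that; it is not code from the post, from CanSecWest, or from any PLC vendor. It encodes and decodes raw Modbus/TCP frames and runs a small passive detector over constructed traffic, flagging write function codes sent from hosts outside an allowlist of engineering workstations. The IP addresses, the allowlist and the sample packets are all made up for the example; the detector generalises to every state-changing function code, not just the single write shown in the text.

```python
"""Modbus/TCP frames carry no credentials. This added example builds and parses
frames and flags unauthorised writes in a constructed packet list (offline).
"""
import struct

# Modbus function codes that change process state. None of them is
# authenticated in the protocol; the only control is who can reach TCP/502.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Constructed topology for the example: one allowed engineering host, one rogue.
ALLOWED_WRITERS = {"10.0.0.5"}
PLC = "10.0.1.20"


def build_frame(transaction_id, unit_id, function_code, payload):
    """Encode MBAP header + PDU. MBAP = tid(2) proto(2, always 0) length(2) unit(1).
    The length field counts the unit id plus the PDU bytes."""
    pdu = struct.pack(">B", function_code) + payload
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def write_single_register(transaction_id, unit_id, address, value):
    """FC 0x06: address(2) value(2). No credential field exists to fill in."""
    return build_frame(transaction_id, unit_id, 0x06, struct.pack(">HH", address, value))


def read_holding_registers(transaction_id, unit_id, address, quantity):
    """FC 0x03: start address(2) quantity(2)."""
    return build_frame(transaction_id, unit_id, 0x03, struct.pack(">HH", address, quantity))


def parse_frame(frame):
    """Decode the MBAP header and function code; raise ValueError on a malformed frame."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0 (not Modbus)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    data = frame[8:]
    parsed = {"tid": tid, "unit": unit, "function": fc, "data": data}
    # FC 3 and FC 6 both carry a 16-bit address followed by a 16-bit word.
    if fc in (0x03, 0x06) and len(data) == 4:
        parsed["address"], parsed["word"] = struct.unpack(">HH", data)
    return parsed


def detect_unauthorized_writes(packets, allowed_writers):
    """packets: iterable of (src_ip, dst_ip, raw_frame). Returns a list of alert strings.
    A write from any host not in allowed_writers is an alert; so is a frame that
    does not parse, since a PLC's parser is rarely the place to find that out."""
    alerts = []
    for src, dst, raw in packets:
        try:
            p = parse_frame(raw)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: malformed Modbus frame ({exc})")
            continue
        fc = p["function"]
        if fc in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(
                f"{src}->{dst}: {WRITE_FUNCTIONS[fc]} (fc 0x{fc:02x}) to unit {p['unit']} "
                f"addr {p.get('address', '?')} from non-allowlisted host"
            )
    return alerts


# Constructed sample traffic: a legitimate poll, a legitimate write, a rogue
# write that flips the same register back, and a truncated frame.
SAMPLE_PACKETS = [
    ("10.0.0.5", PLC, read_holding_registers(1, 1, 0x0000, 10)),
    ("10.0.0.5", PLC, write_single_register(2, 1, 0x0010, 0x0001)),
    ("10.0.0.99", PLC, write_single_register(3, 1, 0x0010, 0x0000)),
    ("10.0.0.99", PLC, b"\x00\x04\x00\x00\x00\x02\x01"),
]


def run_demo():
    return detect_unauthorized_writes(SAMPLE_PACKETS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The same write frame is accepted by the PLC whether it comes from the allowlisted host or the rogue one; the only thing that distinguishes them is the source address, which is exactly what a network monitor on a SPAN port can check and what the protocol itself cannot. Real deployments would also track unit ids and register ranges per writer, but the structure stays the same.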
Re: (Score:1)
Having spent some time in the industrial controls space recently, it's not that simple. There is no such thing as a "quick patch". The ICS vendors frequently have little security experience (even now), there are limited or no contractual clauses to enforce security updates, and refresh periods for ICS systems can be on >15-year timelines.
It's getting better. Buyers are getting smarter and mandating this stuff for new installations, but if a vendor won't certify a patch for the system that operates
oh dear (Score:3)
Re: (Score:2)
I think acting like a human and making course corrections is why "some" of my fellow Americans have issues with the French. They mistrust and fear that thing called empathy and reflection.
The world is safe. (Score:5, Insightful)
withdrew his scheduled talk
That was a close one. Fortunately he withdrew his scheduled talk. Now it's impossible that anyone will ever have that information ever.
Since his lab is under supervision of the French government, he was required to review his findings with authorities.
So... There are several people in possession of information that has a value and that has been publicly identified as valuable.
No problem. Governments only hire people immune to corruption.
Re: (Score:3)
Without knowing what the vulnerabilities are the users can't take steps to protect themselves other than researching to find the vulnerabilities. Attackers will be researching the vulnerabilities anyway. Censorship like this makes people less safe.
Re: (Score:2)
So... There are several people in possession of information that has a value and that has been publicly identified as valuable.
No problem. Governments only hire people immune to corruption.
There's an important difference. Yes, this information can be obtained by a determined adversary with considerable resources. Making it public, however, would mean every blabbering fool in a cave with an Internet connection has it.
That is quite a difference. We're all constantly going on about how we realize that there's no 100% security - this is just such a case. Making critical information hard to obtain is precisely what security is all about.
Still Don't Get It? (Score:2, Insightful)
All of this stuff about security, privacy, and accountability is just academic masturbation. It has been for years. It is not going to change, because those with the power to change it aren't about to.
The oligarchs who control our governments, security forces, and political parties, own us completely. It is too late to stop them. It is a waste of time to complain and dangerous to resist.
Seriously.
Can we just drop all the faux political drama and talk about, I don't know, programming or something?
Re: (Score:1)
Can we just drop all the faux political drama and talk about, I don't know, programming or something?
All of that stuff about programming is just academic masturbation. It has been for years. It is not going to change, because those with the power to change it aren't about to.
The oligarchs who control our CEOs, own us completely. It is too late to stop them. It is a waste of time to complain and dangerous to resist.
Jokingly.
Self-censored? (Score:5, Insightful)
I know he says that pulling out was the moral thing to do, but describing this as "self censorship" is a bit of a misrepresentation. He showed every sign of going ahead with it until the French government got involved, and if he had wanted to go ahead with it, the French government would have stopped him.
Re: (Score:3)
Well, do tell. How would it make you more secure to let everyone know about them?
If it were your web browser, you could upgrade it to the latest patched version.
But how do you upgrade your local power station?
Re: (Score:2)
Wanna guess how long it would take utility companies to get going about fixing these problems if they started losing billions due to attacks?
The private utility companies would likely be in the best position. They already have security teams, they have upgrade paths, and they have incentive.
The city run utilities would be in the worst position. They typically engage an engineering company for a project to oversee the installation of systems, and train a few city workers to do basic monitoring and maintenance. Twenty years later the city still "owns and operates" the system, but they do not have anyone who understands it. Even if they recogniz
Re: (Score:2)
But how do you upgrade your local power station?
Over the WAN. Or Sneakernet, for air-gapped systems.
You do realize that power stations are quite often manned, and the ones that aren't (including substations) receive regular visits from utility workers, right?
Re: (Score:2)
No, that was not the general "you". It was the specific you. What are you going to do with this knowledge? You can not act on it in any useful way.
Re: (Score:2)
No, that was not the general "you". It was the specific you. What are you going to do with this knowledge? You can not act on it in any useful way.
That's presuming that NO ONE in the public at large works for a power company. Which, as we all know, is nonsense.
However, that's not the point - putting a vulnerability out in the open forces the people who use those systems to fix them ASAP, rather than just ignoring the problem until after someone exploits it. Not to mention, we've got a bunch of pretty smart people in the public-at-large, so maybe it wouldn't be a terrible idea to let some of them pore over the code to make sure there aren't any other p
Re: (Score:2)
That's presuming that NO ONE in the public at large works for a power company. Which, as we all know, is nonsense.
You realise you can actually inform the power company without informing the public at large?
However, that's not the point - putting a vulnerability out in the open forces the people who use those systems to fix them ASAP, rather than just ignoring the problem until after someone exploits it.
The problem is, you can't just fix these things instantly. This isn't like your web browser, as I said. You don't just push out a quick bug fix and install it. These things run terrible ancient legacy code that you don't even know if anyone knows any more. Fixing them can be a very long process. During all that time, you'll be vulnerable, and can't do anything about it.
As if... (Score:1)
Should we really believe that the so called terrorists don't already know what he's talking about? And why should we believe that, just because it hasn't been exploited on a large, TERRORIST, scale?
I mean, be them terrorists, but very likely, they're not stupid. If he in 4 months "discovere
Ugh. (Score:2)
Can we stop using the term, "cyber" to mean "on or over the internet"?
We're no safer for this, but... (Score:2)
We're no safer for his withdrawing the paper, but at least any attacks can't be traced back to info provided by him (even if it's accessible elsewhere). I'm guessing this is a CYA move. Hopefully he shares any info on security flaws with people from the relevant organizations.