Hacking Team Breach Leaks Zero-Days, Renews Fight To Regulate Cyberweapons
Patrick O'Neill writes: In the days following a massive hack that confirmed Hacking Team's dealings with repressive regimes around the world, experts are wondering once again how to stop Western technology companies from equipping certain governments with weapons meant to attack journalists, human rights activists, and ordinary civilians. Regulation's backers say that "this is an industry that has failed to police itself," as the ACLU's Christopher Soghoian argued, but many, including the EFF, warn that overly broad legislation would harm more than help. In addition, wiredmikey points out that a number of exploits have been released in the wake of the hacking: Several exploits have been discovered, including ones for zero-day vulnerabilities, in the hundreds of gigabytes of data stolen by a hacker from the systems of surveillance software maker Hacking Team. Researchers at Trend Micro analyzed the leaked data and uncovered several exploits, including two zero-days for Adobe Flash Player. A readme document found alongside proof-of-concept (PoC) code for one of the Flash Player zero-days describes the vulnerability as "the most beautiful Flash bug for the last four years since CVE-2010-2161." In addition to the Flash Player exploits, researchers spotted an exploit for a Windows kernel vulnerability, a flaw that fortunately has already been patched. Adobe told SecurityWeek that it's aware of the reports and expects to release a patch on Wednesday.
You mean, like *all* governments? (Score:5, Interesting)
experts are wondering once again how to stop Western technology companies from equipping certain governments with weapons meant to attack journalists, human rights activists, and ordinary civilians.
Are there any governments left that DON'T do this as a matter of practice?
Re: (Score:2)
Do you think the US and UK treat journalists and human rights activists the same way they are treated in Egypt and Sudan?
Re: (Score:2)
Do you think the US and UK treat journalists and human rights activists the same way they are treated in Egypt and Sudan?
Depends on whether the human rights activists are fighting oppressors the US likes, or doesn't like.
Re: (Score:3)
Do you think the US and UK treat journalists and human rights activists the same way they are treated in Egypt and Sudan?
Of course not. When it comes to using spyware and backdoors to spy on journalists, the US and UK are *MUCH* worse.
Re: (Score:2)
Are there any governments left that DON'T do this as a matter of practice?
Greece, because they don't have the money.
You cannot regulate cyberweapons. (Score:5, Interesting)
First, the entire idea of cyberweapons is laughable. Exploits are only possible because of flaws in the code. That is no more a weapon than an unlocked door.
Second, you cannot regulate them as they are immaterial. It would be possible to discover a previously unknown vulnerability, and then not record the finding anywhere. Congratulations, you have a cyberweapon in your brain. Good luck regulating that.
Re: (Score:3)
You can use a firearm to....scratch your back
Wow, some people really shouldn't be gun owners.
Re: (Score:2)
You're conflating the vulnerability with the weapon. The weapon is not the vulnerability, the weapon is the piece of code that exploits or attacks the vulnerability. Those pieces of code are most certainly material.
Re: (Score:2)
First, the entire idea of cyberweapons is laughable. Exploits are only possible because of flaws in the code. That is no more a weapon than an unlocked door.
I also find the idea of lockpicks laughable. Lockpicking is only possible because of fundamental design flaws in locks. They are no more a weapon in a thief/spy's arsenal than an unlocked door.
Re: (Score:2)
Exploits are not cyberweapons. That's not what the word means.
Look at what this company offers. It's a suite of software, with on-going updates and support, designed to make attacks on people's computers. It's a number of exploits that have been turned into a useful and complex tool, supported and maintained. They will even sell you boxes with it pre-installed and set up for your needs, just plug in and start oppressing.
Regulating such things is easy. They require significant amounts of work to develop, and
Their customers are governments. (Score:2)
So, who, effectively, is going to regulate them? They'll just find a place where the regulatory regime will permit (if not actively encourage) their activities. The regulation argument is hilarious.
Re: (Score:2)
That said, it's an imperfect analogy. I can't make myself and everyone else immune to a 5.56mm round from a rifle simply by knowing about its existence, wha
What the hell? (Score:2)
What fight to regulate cyberweapons? What cyberweapons? Jesus are people really that nuts now?
Of course it won't regulate itself (Score:2)
Regulation's backers say that "this is an industry that has failed to police itself,"
Would you expect liquor stores to self-regulate and decide the drinking age is too low?
Self-regulation might work for some cheap and easy things, but no industry is going to refuse to sell to a massive portion of the market voluntarily. If you want to stop them you need legal enforcement.
stop Western technology companies (Score:2)
Re: (Score:2)
Of course not!! *Obviously* the Chinese and Russian governments have a long history of secular humanism and effective promotion of their citizens' welfare.
(Oh, wait. That's Denmark & Sweden back when they didn't have many dark-skinned immigrants.)
Wasn't there a rule about selling exploits? (Score:2)
They were basically selling zero day exploits in pre-packaged kits to anyone with money. So... is that legal? Because it sounds like a winner.
Re: (Score:2)
The EU is not a lawless wasteland - although it may seem like it on some days :)
Yet again Adobe (Score:5, Insightful)
Is it just me or does Adobe's software have the worst engineering practices in the industry? Every other fucking week there's an Adobe vulnerability. Scratch your ass, Adobe Vulnerability. Sneeze? Adobe Vulnerability. Walk your dog? Adobe Vulnerability.
This company needs to just be banned from producing any software, period, unless they provide the source code as well.
Re: (Score:2)
This company needs to just be banned from producing any software, period, unless they provide the source code as well.
And you should be banned from holding any public office.
Re: (Score:2)
What about other companies? :(
Logical conclusion (Score:2)
Follow the facts to the obvious conclusion: Adobe is being *paid* to add exploits to one of the most ubiquitous pieces of software on the net - tellingly even a requirement for some banking and bill paying sites. Given this seemingly endless fount
Re: (Score:2)
Their CQ (now AEM) website CMS product also has more holes than a sieve. When they produce 'security packs', they refuse to tell you what areas they touch with it "for your security". In other words, they just give you a binary blob that may, or may not, break random aspects of your application but don't tell you what areas to test. Funnily enough, this isn't something Gartner bothered to look into before they took the money to put CQ into the 'magic quadrant'.
It's not so much they can't write code, it's tha
Re: (Score:2)
Do we even need Adobe software any more? Okay, they do some good productivity stuff, but all the vulnerabilities are in Flash and Reader. Flash has been replaced by HTML 5, and is mostly used for adverts anyway. Chrome seems to have the right idea, built it in and heavily sandbox it if you have to run it at all. Reader is just crapware for the most part, it offers nothing that other more secure software does. In fact I'd recommend pdf.js instead of their browser plug-in, for improved browser security.
Oh, an
The Problem: code not seeing the light of day... (Score:2)
The real problem here is willingness to fund what is necessary - refactoring all code used in critical systems to ensure they are secure - and to maintain that approach over time on an iterative basis.
We should touch code (at least to review it) - every year - which research indicates is the sweet spot for zero-day exploits. We get more benefits if we refactor the code - effectively resetting the clock for exploit writers to find a new zero day, and develop applications to exploit it.
Working in IT tod
Re: (Score:2)
Ensuring all developers in the industry are competent is a pipe dream. Take a look at the most exacting careers you can think of - and you'll find varying levels of competence.
People are imperfect (in the sense that they can have a bad day, and let typos slip by from time to time - even the very best of us). Additionally the real software lifecycle is not like frozen water. It is more like all the different states of water - solid, liquid, and gas, changing as its environment changes on a continuum fr
Prosecute first lest the crooks join the mafia (Score:1)
Re:Statism vs. Libertarianism again (Score:5, Insightful)
Re: (Score:3)
I think he is right to do. Human life clearly has a dollar value. I would argue not an especially high one either. Consider there are 8 Billion of us. You can't get much more commodity than that. The world as a whole would arguably be better off with fewer people too.
Value has a great deal to do with what has been invested in them in terms of education, care, feeding etc. Then you need to consider things like survival rates. Certainly a healthy teenager is more valuable than a newborn. Much of the r
Re: (Score:2)
Only if you throw out the legal theory of making someone whole. The only reason a court assigns a value to a life is that it doesn't have the option of resurrection. But whatever that value is, you can't tell me honestly that the family of the deceased feels just fine about it if you pay $X for killing Dad.
Re: (Score:2)
Only if you throw out the legal theory of making someone whole.
Which is a sensible thing to do here. After all, most decisions which harm people are made by people concerning their own health and safety.
Re: (Score:2)
Either I don't understand what you're trying to say or it simply doesn't follow.
Re: (Score:2)
The law treats willingly accepted risks differently from imposed risks.
Re: (Score:2)
Yes, but only because you can't be ordered to pay infinite money. We are forced by reality to make the plaintiff whole in the financial sense only.
However, that doesn't make the comparison of financial loss to loss of life correct or proper since the loss of life also carries an irreparable harm.
Re: (Score:2)
However, that doesn't make the comparison of financial loss to loss of life correct or proper since the loss of life also carries an irreparable harm.
Huge financial losses are also irreparable.
Re: (Score:2)
In practice, they sometimes can't be repaid, but loss of life cannot be properly compensated even in theory.
Re: (Score:2)
In practice, they sometimes can't be repaid, but loss of life cannot be properly compensated even in theory.
Unless you're not following that legal theory. And "practice" is what you are actually doing.
Re: (Score:2)
It doesn't matter what legal theory you're following. The theory of making the plaintiff whole sets policy in a civil suit, it doesn't alter the facts.
Re: (Score:2)
The theory of making the plaintiff whole sets policy in a civil suit, it doesn't alter the facts.
I agree. We aren't and can't fully follow the "making one whole" theory however. And I consider that particularly relevant to the discussion of what happens when one destroys actual wealth (if only by making society a bit less efficient).
Re: (Score:2)
Do you also reject the free market, because of the remote possibility you might lose in all that competition?
Competition isn't the only game in free markets.
Re: (Score:2)
Ok, so there are even more possibilities for you to not succeed on the free market.
Of course not. I refer instead to the satisfying of wants. You won't fail to buy and eat a hamburger because khallow outcompeted you for your hunger or the money in your pocket.
Re: (Score:2)
Where I was going was that, individually to the people who care about us we are all priceless. Most of us would spend every last cent we had to save our child or spouse etc. When it comes to civil judgments and the like making people whole is a good enough system. A court can look at the individual situation and do something that is 'fair'.
At the macro social policy level it's a different story. We MUST make decisions about how much we are willing to spend on counter terrorism, or social safety net progr
Re: (Score:2)
It is a useful tool for finding relative risks and figuring out what we can afford to do, but it breaks down when we try to use it to valuate human death vs. economic losses. It is important to remember that there is a limit to how far the fiction of valuation of life can go.
A prominent example of that error is the rather infamous Ford Pinto case.
It becomes much more problematic when compounded with another thing (in this case liberty) that is hard to place a proper value on.
Personally, while I don't find i
Re:Statism vs. Libertarianism again (Score:4, Interesting)
There's a world of difference between an adobe flash exploit and the availability of a gun that can mow down a large number of people in a matter of seconds.
There is not. Shutting down NYSE [slashdot.org], for example, cost billions of dollars. At $10 mln per life [wikipedia.org], that's hundreds of lives right there...
Are you making a serious argument in comparing people getting shot and the NYSE shutdown? This is the hill that you're going to make your stand on?
It's a very poor example but a valid point. A much better example would be fraud [identity theft], ransomware, spam, etc. With computers you can easily steal time from people on an unimaginable scale.
Suppose someone hacks me, and I get off relatively "easy". I may spend 1 hour of my time canceling a credit card, activating the new card when it comes, and changing all the passwords of all the accounts that the credit card number is associated with. That's probably on the very low end of what a hack can cost an individual.
The hacker doesn't stop there. They repeat their act 1,000,000 times. That's a fairly successful and prolific hacker, but not unheard of, especially if the attack vector is a business. At just an hour apiece per victim, 1 million victims is 114 total man-years spent cleaning up. Nobody died, but an entire lifetime has been stolen.
The Target hack(s) affected "up to 110 million people". [cnn.com] If we take that figure at face value, and each victim spent only an hour dealing with it, that's 12,557 years or roughly 148 lifetimes. Even if I count injured people, I can't find a mass shooting [wikipedia.org] that comes anywhere near 148 lifetimes.
Re: (Score:2)
The key difference is that if you spend an hour sorting out your credit card you continue to live the rest of your life afterwards with few ill effects.
So-called cyber weapons can kill people. Governments use them to target people they don't like, and sometimes it ends in murder. More often it ends up in lives ruined, people rotting in jail. We don't allow people to supply physical weapons to those governments, so perhaps we shouldn't allow them to supply cyber ones either,
Steve Jobs argument and time-damage... (Score:3)
The key difference is that if you spend an hour sorting out your credit card you continue to live the rest of your life afterwards with few ill effects.
Steve Jobs persuaded an engineer to reduce boot time lower than the engineer thought possible by making the equivalence argument. It goes something like this:
Average human life expectancy is 71 years.
Humans are on average conscious for 16 hours per day.
Doing the math, this means you would only have to force 414,915 people to spend an hour "sorting out their credit card" before you've effectively done the equivalent time-damage of killing someone.
Re: (Score:2)
You are completely missing the point. An hour wasted for half a million people is not equivalent to the loss of one life, at least not for the person who died or their family and friends. The loss of premature death cannot be measured in monetary or man-hour terms. The courts only look at it that way because they can't bring the person back to life, so money is the only way to compensate.
Re: (Score:2)
I think a better example is that money can be used to save lives. There's a whole lot of different ways to save lives using money, a few examples are medical research, medical care, reducing pollution, safety equipment, reducing poverty, reducing stress. Clearly, at least some people value money more than lives -- or at the very least, choose money over lives. And by "some people" I mean "basically everyone, although they wouldn't admit it even to themselves".
Don't worry though -- if our species spent every
Re: (Score:2)
For example, if you aren't willing to spend $5000 on an airbag, that would improve your chances of survival by 0.1%, then you value your own life at less than $5 mln.
Nah, that proves that 0.1% doesn't exist and is really 0%.
Re: (Score:2)
You forgot to include the usual Illiberal imploration to Please, don't hate.
Re: (Score:3)
Shutting down NYSE changes the distribution of some electronic assets, a cost for some and a gain for others ... I wouldn't even be 100% certain the attack decreased GDP.
Re:Statism vs. Libertarianism again (Score:5, Funny)
> You are more likely to be killed driving home tonight.
That's why I tell my employer I have to get home before sunset.
Re: (Score:3, Informative)
Ah, there it is, that's the real reason for your argument. See I was missing how you were equating identity theft (which while a headache is less of a headache than death) with getting shot, but then I realized that this was your opportunity to take a jab at liberals.
You're twisting information to suit your narrative. You've also neglected to mention that (based on whatever un
Re: (Score:3)
"High crime in Republican states" can mean high crime in Democratic-run areas within Republican states.
Re: (Score:2)
"High crime in Republican states" can mean high crime in Democratic-run areas within Republican states.
Yeah it could. Of course he doesn't know that, because he didn't do even a cursory review of the data before he formed his opinions. Of course I don't either, but that's also because who runs a district is pretty irrelevant to a discussion of whether district, state and federal policy combinations are leading to a particular outcome.
For comparison: mass shootings of the type the US have do not occur in the developed world at anything like the frequency they do in the US. And the US has had to redefine "mass
Re: (Score:2)
Of course I don't either, but that's also because who runs a district is pretty irrelevant to a discussion of whether district, state and federal policy combinations are leading to a particular outcome.
See Baltimore for demonstrable reproof of your simplistic belief. The results of poor leadership are happening every day. But the idiot mayor won't be held to account by the voters, and the Police Commissioner just got scapegoated.
Re: (Score:3, Informative)
For the people that think my post is a troll:
http://dailycaller.com/2012/04... [dailycaller.com]
http://townhall.com/tipsheet/k... [townhall.com]
Re: (Score:2)
Hey, just an FYI, two minutes on this thing called "Google" found the exact page that was 404ed, probably due to a website reconfiguration by the FBI (like going to HTTPS)!
https://www.fbi.gov/about-us/c... [fbi.gov]
So, does this new information change your snarky attitude?
Re:Statism vs. Libertarianism again (Score:4, Insightful)
Am I allowed to oppose dumping raw mercury into rivers & streams, if I support freedom to travel by airplane? After all, both are forms of pollution in the same sense that computers and guns can both be used as weapons.
Re: (Score:2, Informative)
You are allowed to dislike anything you want. What you do about it, however, needs to be consistent. If you want government to fight pollution, for example, you should support governmental efforts to fight all of it. If, instead, you prefer the problem be solved by boycotts and lawsuits by the people actually suffering from the ill-effects, then that view, too, should also apply to all kinds of po
Re:Statism vs. Libertarianism again (Score:5, Interesting)
Why should an ideological stance on the regulation of guns and computers be the same? They clearly are different tools with much different uses.
I think you are wrong about that. The ideological stance on gun ownership in the bill of rights had a lot to do with empowering people to overthrow their corrupt government. Guns no longer have that power for the most part. Computers do. When was the last time a Deer Rifle toppled a world power? When was the last time twitter did? The answer is 2011 [wikipedia.org] Or maybe even 2014 [wikipedia.org]
Computers aren't the same thing as guns, in fact they are a lot more powerful.
Re:Statism vs. Libertarianism again (Score:5, Insightful)
You do your cause no good when you edit out crucial words.
The actual quote: "A foolish consistency is the hobgoblin of little minds".
Re: (Score:2)
Why? Because you said so? That's hardly a compelling argument.
Re: (Score:2)
So according to you, if you must be consistent then...
Statists must support regulating security research, gun-ownership, gay marriage, abortion and everything else.
Libertarianists must oppose regulating security research, gun-ownership, gay marriage, abortion and everything else.
Or can people support regulating some things and oppose regulating other things?