
The Malware Industrial Complex

Soulskill posted about a year and a half ago | from the but-don't-worry-they're-just-1s-and-0s dept.

Security 32

holy_calamity writes "MIT Technology Review reports that efforts by U.S. government agencies and defense contractors to develop malware to attack enemies are driving a black market in zero-day vulnerabilities. Experts warn that could make the internet less secure for everyone, since malicious code is typically left behind on targeted systems and often shows up on untargeted ones, providing opportunities for reverse engineering. '"On the one hand the government is freaking out about cyber-security, and on the other the U.S. is participating in a global market in vulnerabilities and pushing up the prices," says Soghoian, who says he has spoken with people involved in the trade and that prices range from the thousands to the hundreds of thousands. Even civilian law-enforcement agencies pay for zero-days, Soghoian says, in order to sneak spy software onto suspects' computers or mobile phones.'"


What is particularly insane... (5, Insightful)

fuzzyfuzzyfungus (1223518) | about a year and a half ago | (#42888119)

What is especially crazy about promoting a less secure environment for everyone, just so that you can hack your enemies, is that the US is among the more dependent on hackable IT systems...

Sure, neither computers nor good hackers are free; but they are cheap and broadly available enough that more or less any country that isn't starving to death in its own filth (and some that are) can trivially afford some. Even relatively petty gangs can run a profit by fielding a few. Vulnerability, though, is something that you accrue as your society becomes increasingly dependent on electronic communications and finance, SCADA-controlled industrial base, etc.

So, if you reduce security overall, you increase your own vulnerability to every last hellholistani intelligence service, nationalist script kiddie, and slimy pin-skimmer gang, in order to infiltrate the systems of people who probably depend less on computers than you do.

Genius, really.

Re:What is particularly insane... (2)

stewsters (1406737) | about a year and a half ago | (#42888407)

Totally agree. This kind of behavior does not benefit a large country with a lot of technology and military presence. The small countries who would not dare launch a physical invasion now have an opportunity to strike back on a smaller scale with less repercussions. Do you think that you are the only country those hackers are selling those exploits to? If those are not patched, your own infrastructure will be in danger.

Re:What is particularly insane... (1)

Anonymous Coward | about a year and a half ago | (#42888551)

The government just doesn't understand how computers work besides checking their email and watching youtube...

Hey! (0)

Anonymous Coward | about a year and a half ago | (#42894293)

I resemble that remark!

It's like a high speed arms race (4, Interesting)

DickBreath (207180) | about a year and a half ago | (#42888569)

Unlike the old arms race which required time to manufacture physical weapons, this can go a lot faster. Like an arms race on steroids.

On one hand, your enemies can use those same vulnerabilities against you.

But on the other hand, since you know about them first, you can get your systems protected from those vulnerabilities. But if the fix is propagated too quickly, then you've just immunized your enemy.

A logical way to fix the vulnerability is to have more sophisticated detection at the border gateways into your private network. Like an intrusion detection and prevention system at the router. That way you don't actually release the fix, at least not too soon, to the whole world. The knowledge of the zero day exploit is only in the code to attack your enemy and in your border defenses. But not in the OSes, not in the browsers and whatever other general purpose software is being exploited.

If your friends, say the power grid people, need protection, you can provide it to them, without disclosing what the vulnerabilities are, by providing them with the same border defenses you use. Eventually, whenever you deem necessary, you can disclose the vulnerabilities to the vendors and let them fix it directly in the affected software.

A side effect of all this is to generally improve the security situation for everyone, eventually. Assuming there are not an infinite number of vulnerabilities, and that after the low hanging fruit is picked, the vulnerabilities get fewer and more difficult to exploit, then everyone's system, including your enemy's has become pretty secure.

If the security situation becomes bad enough, it might forcibly change the way we approach writing software. Just like when type safety was introduced into languages decades ago, our very programming languages may make it harder to have security flaws. Preventing programming errors must have some overlap with preventing security flaws. If your language doesn't allow direct access to pointers, has garbage collection (to prevent double delete, memory leaks, reference after delete), doesn't allow array index out of bounds (preventing lots of problems), you have excluded some types of vulnerabilities that had been common in the past. The language cannot fix all security problems, just some of the most basic ones.

Some work could be done in the language to help the libraries prevent certain classes of attacks. Introduce a new kind of type checking where you have, say, Html-Safe strings and must go through some function to convert an Unsafe String into an Html-Safe string. They are not assignment compatible. Similarly you could have another type of Sql-Safe strings. If the language mechanism were extensible, then you (or your library designer) could introduce other types like JavaScript-Safe strings, or XML-Safe strings, or Postscript-Safe strings, just to make up a few examples. In short you would have to go through well defined functions to convert from an unsafe string. You couldn't pass an Unsafe String to the format string parameter of, say, printf(), so you would eliminate accidental format string attacks, just as you would prevent rendering an Unsafe string on an ASP/JSP/PHP or whatever you call it page that has embedded scripts. Widgets in your active pages could not accept unsafe strings from the "controller" objects. The language, APIs and libraries would work together to prevent accidental "assignment" of the wrong kind of strings, just as decades ago they prevented assigning integers to strings.
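The typed-string scheme sketched in the comment above, as an added illustration that is not code from the original thread: Unsafe, HtmlSafe and SqlSafe (hypothetical names) are distinct types, the escaping functions are the only sanctioned conversions, and each sink refuses values of the wrong type at runtime; a static checker such as mypy would flag the same mismatch before the code runs.

```python
import html
from dataclasses import dataclass
# Hypothetical type names; each wrapper records the context its text is already safe for.
@dataclass(frozen=True)
class Unsafe:
    """A string of unknown provenance: user input, a network field, a file name."""
    value: str

@dataclass(frozen=True)
class HtmlSafe:
    """Text already escaped for splicing into HTML content."""
    value: str

@dataclass(frozen=True)
class SqlSafe:
    """A quoted SQL string literal, acceptable to the SQL sink only."""
    value: str

def html_escape(s: Unsafe) -> HtmlSafe:
    """The one sanctioned conversion from Unsafe to HtmlSafe."""
    if not isinstance(s, Unsafe):
        raise TypeError("html_escape accepts only Unsafe strings")
    return HtmlSafe(html.escape(s.value, quote=True))

def sql_quote(s: Unsafe) -> SqlSafe:
    """Conversion to a SQL literal; a parameterised query is still the better sink."""
    if not isinstance(s, Unsafe):
        raise TypeError("sql_quote accepts only Unsafe strings")
    return SqlSafe("'" + s.value.replace("'", "''") + "'")

def render_html(template: str, **parts: HtmlSafe) -> str:
    """HTML sink: every substituted part must carry the HtmlSafe type."""
    for name, part in parts.items():
        if not isinstance(part, HtmlSafe):
            raise TypeError(f"{name}: only HtmlSafe values may be rendered into HTML")
    return template.format(**{k: v.value for k, v in parts.items()})

def build_query(template: str, **parts: SqlSafe) -> str:
    """SQL sink: Unsafe or HtmlSafe values are rejected, never silently concatenated."""
    for name, part in parts.items():
        if not isinstance(part, SqlSafe):
            raise TypeError(f"{name}: only SqlSafe values may be placed in SQL")
    return template.format(**{k: v.value for k, v in parts.items()})

def demo() -> dict:
    """Runs one constructed user name through both sinks and records what is refused."""
    user = Unsafe("<b>Bob</b> O'Brien")  # constructed sample input
    results = {
        "html": render_html("<p>Hello {name}</p>", name=html_escape(user)),
        "sql": build_query("SELECT * FROM users WHERE name = {name}", name=sql_quote(user)),
    }
    # Wrong-context values: the raw input, and a SQL-safe value handed to the HTML sink.
    for label, bad in (("raw_to_html", user), ("sql_to_html", sql_quote(user))):
        try:
            render_html("<p>{name}</p>", name=bad)
            results[label] = "accepted"
        except TypeError:
            results[label] = "rejected"
    return results
```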

Re:It's like a high speed arms race (1)

Jah-Wren Ryel (80510) | about a year and a half ago | (#42889299)

A logical way to fix the vulnerability is to have more sophisticated detection at the border gateways into your private network.

That sort of functionality has seemed like a no-brainer to me for about a decade. I desperately want something that runs on my home router that monitors all connections, in and out, with both real-time in a user-friendly interface (not just an eyeball-destroying table of IP addresses and port numbers but some sort of graphical summary) and generates reports on an hourly/daily/weekly basis. It should also incorporate a nice high-level way to kill off some behaviours - don't make me manually write a bunch of iptables rules for each case.

So far everything I've seen that comes close in either native firmware or any of the DD-WRT variants is still terribly painful to use, if it is functional at all.

Re:It's like a high speed arms race (2)

DeSigna (522207) | about a year and a half ago | (#42889973)

Snort and associated tools aren't too bad, and should run on most Linux/BSD-based custom firmwares if the hardware has enough juice. A Cisco ASA with an IDS module is less good, but serviceable. You'd need to use ASDM for monitoring unless you want to buy a super expensive monitoring suite.

The main issue is the amount of processing power and RAM required, especially if you're pumping through a lot of traffic. I run pfSense in ESXi on a little HP Microserver as my router. Using default settings with Snort, pushing through ~20Mbit of WAN traffic makes the poor little box bulge at the seams. It can be tweaked and the rulesets rejigged or disabled, but for Snort it's a RAM vs CPU tradeoff, and disabling rules reduces the level of protection. There is no way a cheap consumer router could have the resources to do it properly.

You're looking at more the SonicWall (ugh)/WatchGuard/NetGear/etc SMB/UTM router space. None of them qualifies as anything other than "terribly painful to use" for IDS/IPS.

Re:It's like a high speed arms race (1)

DickBreath (207180) | about a year and a half ago | (#42895303)

> The main issue is the amount of processing power and RAM required

But that cost may not matter if the goal is to protect against vulnerabilities that YOU know about, but that you wish to keep secret -- and also possibly have a secret way to offer a box to your friends to protect them too, while maintaining the secrecy of the vulnerability.

Blowback (1)

tinkerton (199273) | about a year and a half ago | (#42895967)

I think the main effect will be that the free malware market gets hold of the malware products made by your national security organisations and uses them to upgrade all their projects, making your enemies the least of your worries.

Re:What is particularly insane... (1)

Anonymous Coward | about a year and a half ago | (#42888613)

Not sure having more zero day vulnerabilities *known* is a less secure environment.

It'll force everyone to do updates on software/OS/etc.

There will be no more blind 'I didn't know' excuses. Everything will have holes and everything will have to have those holes patched.

a proper superpower (3, Funny)

circletimessquare (444983) | about a year and a half ago | (#42888177)

would just mandate secret backdoors built into the OS/ browser/ plugin by the company that builds the OS/ browser/ plugin

Re:a proper superpower (2)

multiben (1916126) | about a year and a half ago | (#42888231)


Re:a proper superpower (2)

icebike (68054) | about a year and a half ago | (#42888779)

Either that, or they could put in a "Copyright, United States Government" in the malware. That would stop those reverse engineering freetards.

Seen first hand (4, Interesting)

Anonymous Coward | about a year and a half ago | (#42888249)

Posting A/C and being more vague than I would like... sigh... A certain company I used to work for based their whole product on the ability to install what was essentially a rootkit. My role was to pull data off the network. I didn't have too much problem with that, since if you're porn surfing on company or government networks, or leaking info, you sort of get what you deserve. Say what you will about Bradley Manning, but he had to know what he was getting into. OTOH, they wanted to push me around in various ways I didn't like, and the thought of pursuing a career there where my work would be less about legitimate protection of the network, and more about ubiquitous surveillance... it just left a bad taste in my mouth. I thought I might end up working on the rootkit, and the whole idea stuck in my craw, not only because of the increasing fascist tone of the US approach; but because of the inherently fucked up approach to security. I mean, if we can do this to their computers, they can do it to ours.... the whole thing, just more and more sour. My career has yet to recover, because I was pretty much groomed to be a military-industrial coder at that point, and wanted nothing to do with it. It's pretty much impossible to transfer over to the happy-bouncy-fun world of phone apps in your 40s, and all of that stuff is morphing into surveillance anyway. One of these days I might just unplug all the computers and chuck 'em.

Re:Seen first hand (2)

CanHasDIY (1672858) | about a year and a half ago | (#42888325)

Hey, man, good on you for having some fucking scruples.

Too rare among government employees these days, and the fact that your having decent morals caused you to lose your quite lucrative career is a sad sign of how royally fucked up the government 'Of the People, By the People, and For the People' has become.

he has neither scruples nor decent morals (1)

r00t (33219) | about a year and a half ago | (#42894005)

He is failing to serve his country. He'd rather let all the success go to lovely bastions of freedom and righteousness like China, Russia, North Korea, and Iran.

Re:he has neither scruples nor decent morals (0)

Anonymous Coward | about a year and a half ago | (#42895565)

I hope you're attempting humour.

Re:Seen first hand (1)

Anonymous Coward | about a year and a half ago | (#42888905)

Yeah... as we've pushed increasingly towards centralization of the whole communications infrastructure, we've also encouraged the "surveillance state" for computing. I'm more a sysadmin than a software coder, but also in my 40's now, and definitely feel the "souring" at every turn. Back when I poured most of my waking hours into running and building the best local bulletin board system I could come up with, I think most of us felt nothing but excitement for the future of connected computing. Computers (plus modems) seemed like a natural evolution of communications and the sky was the limit.

But that was so decentralized, with hundreds of bulletin board systems running in any major city at a time, and users dialing directly in to them to use them. The Internet's growth and ISP consolidation really took a huge toll on individual privacy, increased security risks a thousand-fold, and generally brought out everything negative about networked computing......

I've devoted my whole working life to working with computers and I.T. -- but I, too, might eventually be another one who winds up chucking all of them and getting off the Internet "grid".

This is how Oracle & Adobe make all their mone (0)

Anonymous Coward | about a year and a half ago | (#42888279)

I mean, Oracle & Adobe's programmers can't be that stupid.

Java, flash & acrobat are so full of holes so that one of their subsidiaries (shielded by many layers of corporate ownership) can turn around and sell exploit info to all sorts of people.

Blowback ... (-1)

Anonymous Coward | about a year and a half ago | (#42888307)

is a bitch.

Re:Blowback ... (1)

DickBreath (207180) | about a year and a half ago | (#42895313)

> Blowback . . . is a bitch.

Not necessarily true. Some people actually like it.

Sauce for the goose (0)

Anonymous Coward | about a year and a half ago | (#42888315)

They created their own problem, and they also use malware on other people, so turn about is fair play.

I fail to see any difference (0)

Cute and Cuddly (2646619) | about a year and a half ago | (#42888433)

The US government has been acting that way for as long as I know. The only difference is that they are using software now. You could well argue that the US government is on one hand complaining about terrorism and on the other hand, the CIA commits numerous acts of terrorism in multiple countries (kidnappings, renditions, torture, etc). They also support other countries that commit serious murderous attacks on civilians to steal their land (in case you have not noticed, I'm referring to Israel). Nothing has changed, they are just using a different tool and they are being as two-faced as they have always been.

conflict of interest: obDilbert (1)

GlobalEcho (26240) | about a year and a half ago | (#42888485)

One of my favorite Dilbert cartoons ever treated this situation (20 years ago): []

This will be a nice new revenue stream for software developers.

After the Gold Rush (1)

Anonymous Coward | about a year and a half ago | (#42888617)

This is a classic Gold Rush scenario. There's only a fixed number of zero days, and the gold rush to find them is in full swing.

More eyes find more bugs; this is going to eliminate them quicker. This is a good thing in the long run.

Re:After the Gold Rush (1)

GameboyRMH (1153867) | about a year and a half ago | (#42889091)

Fixed number!? Only if the software is never updated.

Re:After the Gold Rush (1)

DickBreath (207180) | about a year and a half ago | (#42895339)

The number of vulnerabilities may not be fixed. But the amount of low hanging fruit is. Once picked, the remaining fruit is higher and higher up the tree, getting more and more difficult to reach. The height of the tree may be unlimited, but at some point the cost of reaching more fruit becomes too great* for anyone -- and at that point, everyone's systems are pretty darn secure.

*example: like the cost of colonizing Mars today. It's not impossible, it's just too costly.

Re:After the Gold Rush (1)

GameboyRMH (1153867) | about a year and a half ago | (#42895427)

There seems to be a fresh supply of "low-hanging fruit" in the JRE with every update...IE, Flash and Adobe Reader have all been bountiful as well.

Re:After the Gold Rush (1)

DickBreath (207180) | about a year and a half ago | (#42895855)

Yep. See my comment about how we may need to evolve our programming languages to help solve some of the basic security problems. Just as languages evolved to solve the most basic programming mistakes. Then the tools and runtime systems could evolve to go after progressively higher hanging fruit.

Hypocrisy by USG? (0, Insightful)

Anonymous Coward | about a year and a half ago | (#42888729)

What a contrast. On one hand the US government is lobbying for more stringent gun control laws, but on the other encouraging a cottage industry of vulnerability development with their actions. I guess malware doesn't infect computers, hackers do!

Creating an economy (1)

gmuslera (3436) | about a year and a half ago | (#42889599)

Doing this they are promoting the creation of entire industries based on finding, and "renting", zero day vulnerabilities. Once you know one, until it gets fixed, you could eventually take more advantage of it, just maybe not in a public way. It's the way the corporate world works after all; in the end what matters is maximizing benefits. If somehow that finding gets leaked to people that use it against US companies and individuals, it would be an "uh, we got hacked", and shut up about the increase in your bank account or other benefits (like zero day vulnerability exchanges: you get more to sell, and give that information to the other kind of wrong people).

In the end, it will benefit the government's posture. There will be more attacks on both sides, from the government to other countries, and from hackers in any place to the US and the rest of the world, reason enough to claim that the other countries are the ones that are attacking and escalate to a more physical kind of war. There is no better emergency than the one that you created.

Just remember this every time government representatives claim that they didn't start the fire.

And this is why US gov buys M$ software (0)

Anonymous Coward | about a year and a half ago | (#42893393)

To fund it and to make it look legitimate.
