
Business Is Booming In the 'Zero-Day' Game

timothy posted about a year ago | from the pat-I'd-like-to-buy-an-exploit dept.


HonorPoncaCityDotCom writes "Nicole Perlroth and David E. Sanger write in the NY Times that all over the world, from South Africa to South Korea, business is booming in zero days. The average attack persists for almost a year before it is detected, according to Symantec, the maker of antivirus software. Until then it can be exploited or 'weaponized' by both criminals and governments to spy on, steal from, or attack their targets. Ten years ago, hackers would hand knowledge of such flaws to Microsoft and Google free in exchange for a T-shirt, but increasingly the market for 0-day exploits has begun to migrate into the commercial space (PDF) as the market for information about computer vulnerabilities has turned into a gold rush. Companies like Vupen charge customers an annual $100,000 subscription fee to shop through their catalog, and then charge per sale to countries who want to use the flaws in pursuit of the kind of success that the United States and Israel achieved three summers ago when they attacked Iran's nuclear enrichment program with a computer worm that became known as 'Stuxnet.' Israel, Britain, Russia, India and Brazil are some of the biggest spenders, but North Korea is also in the market, as are some Middle Eastern intelligence services."


97 comments


Is there a app for that? (-1)

Anonymous Coward | about a year ago | (#44278005)

Apple developers leave in droves for the next get rich quick scheme.
News agencies report only the top 25 vulnerabilities actually profit while the other million are used by 4 year olds.

So if 'cyberWar' is actually a thing... (5, Interesting)

databeast (19718) | about a year ago | (#44278021)

....when do we start treating these folks like arms dealers? It's not a stretch, ITAR classified cryptography as munitions....

(* cyber 'war' is a ridiculous term for something we already have words for - espionage and sabotage, both of which have been achieved using only information, for centuries now).

Re:So if 'cyberWar' is actually a thing... (-1)

Jmc23 (2353706) | about a year ago | (#44278113)

So, you're in the habit of using words you deem ridiculous and unnecessary when nobody else is using them and then complain about their use? Tighten those screws!!

Re:So if 'cyberWar' is actually a thing... (1, Informative)

databeast (19718) | about a year ago | (#44278295)

Nobody else is using them? Peered out from under that rock recently? Unless you're saying within this article in particular... in which case you're also blind if you don't realize it's part of the larger context. Either way, I don't care, you probably don't work in infosec and have to get bombarded with cyberwar hype every 6 hours, and your comment makes very little sense no matter how much I strain to understand your perception of the matter.

Re:So if 'cyberWar' is actually a thing... (-1, Offtopic)

Jmc23 (2353706) | about a year ago | (#44278397)

If it is a ridiculous and unnecessary term then why did you use it? Why did you bring up the term first?

There's got to be a screw loose somewhere! I'd check your logic circuit.

Re:So if 'cyberWar' is actually a thing... (0)

databeast (19718) | about a year ago | (#44278499)

Because it is the common term used to paint the broader picture here (and the source of much debate in my circles). I used it so people would know what I'm talking about - it's this thing called a framing device. I brought it up first because that is the larger context of the topic discussed in this article. Is the written word a second language for you or something? If you don't understand this, you're not the demographic I'm speaking to anyway and are still probably happily ignorant of the whole issue; for your own sanity, I'd probably keep it that way.

Re:So if 'cyberWar' is actually a thing... (-1, Offtopic)

Jmc23 (2353706) | about a year ago | (#44278765)

So you're saying it was necessary to use it and that instead of being ridiculous it actually sets the context precisely? You sure you haven't got a screw loose for criticizing a word for not being useful for exactly the use you put it to?

As an aside, I know exactly the greater context this falls under and didn't need some quirky guy with a screw loose spouting inanities about cyber-whatever to get the bigger picture. Just trying to give you a hand with your logic analyzers.

Re:So if 'cyberWar' is actually a thing... (0)

databeast (19718) | about a year ago | (#44278841)

yet you remain blissfully unaware of my using it as a mechanism of irony to illustrate that if people are going to insist upon the term cyber -*war*, that perhaps some of the same perceptions and controls should apply to it equally? At least my brand of pedantry doesn't cause me to lose sight of the entire discussion as I crawl up my own asshole in sophistry.

Tl:Dr - "Whoosh!"

Re:So if 'cyberWar' is actually a thing... (-1, Offtopic)

Jmc23 (2353706) | about a year ago | (#44278909)

Yes irony. That's what it was, irony.

Re:So if 'cyberWar' is actually a thing... (0)

databeast (19718) | about a year ago | (#44278955)

no, it was referencing the irony of something. You really aren't very good at this comprehension thing are you, so I think I'll take my leave of this thread now and give you some space for you and your bugbears to spend some time alone.

Re:So if 'cyberWar' is actually a thing... (-1, Offtopic)

Jmc23 (2353706) | about a year ago | (#44279009)

You sure? I've got a spare shovel if yours broke.

Re:So if 'cyberWar' is actually a thing... (-1)

Anonymous Coward | about a year ago | (#44279413)

Have you ever had the impression that you've been made a real ignoramus?

Re:So if 'cyberWar' is actually a thing... (3, Interesting)

khasim (1285) | about a year ago | (#44278183)

We need rules for these articles in the future.

Cyber-war/Cyber-warfare - take a drink
Cyber-weapon - take a drink
Cyber-warrior/Cyber-soldier - chug
Cyber-command - chug
Others?

Anyway, if this is such a big risk (aside from alcohol poisoning) then why aren't other countries switching to Linux and training their own programmers so that they can "harden" it?

If they have to use something that they did not write/audit themselves then that should be completely isolated.

Wouldn't the intelligent thing to do (if this is really a threat) be to develop a 5 year goal of moving off of software written by your potential cyber-enemies (take a shot)?

Re:So if 'cyberWar' is actually a thing... (2)

databeast (19718) | about a year ago | (#44278309)

...yes, that would absolutely solve the matter, because never in the history of the world have people managed to obtain software and source code that did not belong to us! "Sorry, you can't analyze our software for vulns, because we're not going to give you a license for it!". Brilliant :-P

Re:So if 'cyberWar' is actually a thing... (0)

Anonymous Coward | about a year ago | (#44278377)

Cyber attack - drink

Re:So if 'cyberWar' is actually a thing... (2)

DarkOx (621550) | about a year ago | (#44278463)

I suspect the ones that don't fit the first world template largely are switching. The rest don't because cozy international relationships are a nice way to do an end run around their own laws. They can share exploits more easily if everyone is using the same software. Then they don't have to worry about pesky Constitutional problems like our fourth amendment. NSA not allowed to gather that intel? No problem, call a buddy at MI6, and vice versa.

If there is one thing the Snowden experience has proven once and for all, it is that the tinfoil hat folks were right, and the one world government folks were right.

When you have the vice president dismissing reasonable questions like "don't universal background checks effectively create an ersatz national gun registry?" as black helicopters conspiracy crap, we can now conclusively know that is exactly what is intended no matter what the ostensible claims are.

You can't trust anything these people are telling you. Don't you think it's odd that the "potential cyber enemies" we are warned about by popular media so often are some of our biggest trade partners? Isn't it strange that no matter how "strained" our relations supposedly are, the trade deals somehow always go through? These guys are all in bed with each other; it's the only explanation that makes sense where China and most of the Middle East, excluding Iran, are concerned.

The USSR was considered a real threat, and despite the size of their economy and the massive natural resources they controlled we never had trade relations with them. Now look at China and the Middle East; it's evident the PTBs want us to think of them as this threat to be feared, but they don't actually take any steps to keep us at a safe distance, quite the opposite. When they do make a show of sanctions or export controls, the implementation always has more holes than a kitchen colander.

Re:So if 'cyberWar' is actually a thing... (0)

Anonymous Coward | about a year ago | (#44279153)

It isn't really a threat, but treating it as one gives them yet more excuses to lock down the internet.

Re:So if 'cyberWar' is actually a thing... (0, Troll)

Billly Gates (198444) | about a year ago | (#44279171)

Because Linux is not more secure than Windows or MacOSX regardless of what the fanboys here say. Just because it is not from Microsoft doesn't mean it is secure by default. In fact (I may be modded down for this), Linux is the least secure modern kernel out there. It offers no heap, stack, ASLR, or even DEP (It may offer this as of 3.0?)

Insecure operating systems exist because they are written in C. Not because they are from unpopular corporations. C has no buffer checks so once a data type gets all used it simply exists the next address in memory. OpenBSD is trying to change as is Microsoft as of XP Service Pack 2. Windows 7 and 8 scramble the memory addresses and offer sandboxing support for browsers so you have no clue where each .dll is loaded in ram when you try to do a heap spray after you exploit a system. I believe MacOSX now has this too as of Snow Leopard. It is also how Java applets compromise systems too.

I have seen clients' servers turn into Russian phishing sites in major banks running it.

Sure, as a consumer you are more protected as no one bothers with .5% of the market. As a government or major bank it is well worth it to be hacked. The problem with Linux users is the dangerous "I am secure by default" attitude, which means another vulnerability, whereas Windows users kind of know better for the most part and are skeptical of just clicking on shit and know to keep things updated.

Linux offers no heap, stack, ASLR, or even DEP .. (1)

dgharmon (2564621) | about a year ago | (#44279791)

"Linux is the least secure modern kernel out there. It offers no heap, stack, ASLR, or even DEP (It may offer this as of 3.0?)"

That's because only the Windows kernel really needs heap, stack, ASLR and DEP. Putting user-mode applications in the kernel (to speed up graphical rendering) was the dumbest thing Microsoft ever did ..

Re:Linux offers no heap, stack, ASLR, or even DEP (1)

Billly Gates (198444) | about a year ago | (#44279887)

MS has not done this since Windows 98/ME. Even IE is in userspace and has been for a long time. The graphical drivers are in kernel space because you cannot talk to a high-speed video device without it and expect good performance. Linux too has nvidia and framebuffer drivers in the kernel as well. No different.

All modern kernels need the above if they are expected to be on the internet. I think the Android kernels include some of these in patches.

Re:Linux offers no heap, stack, ASLR, or even DEP (1)

The Cat (19816) | about a year ago | (#44282729)

Windows shill. You may stop talking now.

Re:So if 'cyberWar' is actually a thing... (1)

The Cat (19816) | about a year ago | (#44282717)

Because Linux is not more secure than Windows or MacOSX

BULLshit.

Insecure operating systems exist because they are written in C.

Horseshit.

Windows 7 and 8 scramble the memory addresses and offer sandboxing support for browsers so you have no clue where each .dll is loaded in ram when you try to do a heap spray after you exploit a system.

Hereisabigpileoftechnobabblebullshittotryanddazzleyou.

Windows 7 is an unwiped ass.

Re:So if 'cyberWar' is actually a thing... (0)

Anonymous Coward | about a year ago | (#44287501)

Windows 7 and 8 scramble the memory addresses and offer sandboxing support for browsers so you have no clue where each .dll is loaded in ram when you try to do a heap spray after you exploit a system.

Windows 7 is an unwiped ass.

To clarify this angry person's post: Windows 7 is an ass that has been unwiped post-movement, compared to a Windows XP ass that has soiled the bed. It is better, but still undesirable.

Linux eschews the 'ass' design in favor of a colostomy bag, which is more reliable than an ass, but fails more spectacularly.

Re:So if 'cyberWar' is actually a thing... (1)

The Cat (19816) | about a year ago | (#44290513)

That was pretty limp. Get a new writer.

Re:So if 'cyberWar' is actually a thing... (0)

Anonymous Coward | about a year ago | (#44282925)

I agree with your larger point that "I am secure by default" is an unsafe assumption; however, I think you're out of date regarding Linux kernel security features. ASLR, for instance, has been in mainline Linux since 2.6.12, released in 2005, and in RHEL since 2004.
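The disagreement above is checkable on any Linux host. The following script is an added example written for this thread, not code from any poster: it reads the kernel's randomize_va_space knob and then compares where the stack, heap and libc land in several freshly started child processes, since a fresh process is what gets a new layout. The region names and the use of `cat` as the probe process are my own choices.

```python
"""Check whether a Linux host actually randomizes process address space.

Reads /proc/sys/kernel/randomize_va_space and then samples /proc/self/maps
from several new child processes to see whether mappings move between runs.
"""
import re
import subprocess
import sys
from typing import Optional

# Documented meaning of the sysctl values.
RANDOMIZE_MODES = {
    0: "off: no randomization",
    1: "partial: stack, mmap base, VDSO and shared libraries randomized",
    2: "full: also randomizes the heap (brk) base",
}

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\d+\s*(.*)$"
)


def parse_randomize_va_space(text: str) -> Optional[int]:
    """Turn the sysctl file contents into an int, or None if unrecognized."""
    text = text.strip()
    if text not in ("0", "1", "2"):
        return None
    return int(text)


def region_start(maps_text: str, name: str) -> Optional[int]:
    """Start address of the first mapping whose path or label contains name."""
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if m and name in m.group(4):
            return int(m.group(1), 16)
    return None


def child_region_start(name: str) -> Optional[int]:
    """Start a fresh process (cat, reading its own maps) and locate `name` in it."""
    # Reading our own maps twice would show identical addresses; only a new
    # exec gets a new layout, so the probe is a child process.
    out = subprocess.run(
        ["cat", "/proc/self/maps"], capture_output=True, text=True, check=True
    ).stdout
    return region_start(out, name)


def randomization_observed(name: str = "[stack]", samples: int = 4) -> bool:
    """True if the named region lands at different addresses across children."""
    starts = {child_region_start(name) for _ in range(samples)}
    starts.discard(None)
    return len(starts) > 1


def main() -> int:
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            mode = parse_randomize_va_space(f.read())
    except OSError:
        print("not a Linux host with procfs; cannot check")
        return 2
    print("randomize_va_space =", mode, "->", RANDOMIZE_MODES.get(mode, "unknown"))
    for region in ("[stack]", "[heap]", "libc"):
        print(f"{region:8s} moves between runs: {randomization_observed(region)}")
    # Non-zero exit when not fully randomized, so a hardening check can gate on it.
    return 0 if mode == 2 else 1


if __name__ == "__main__":
    sys.exit(main())
```

A host with mode 2 should report all three regions moving; mode 1 typically leaves the heap fixed, which is the partial state the thread is arguing about.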

Re:So if 'cyberWar' is actually a thing... (2)

cavreader (1903280) | about a year ago | (#44279583)

You really need to appreciate the scale when advocating a company or government to migrate to another OS. Replacing all internal and customer targeted applications is a big job. The time and costs for even a small to medium sized company is a guaranteed budget buster. Re-training the users, re-training the existing IT staff, and hiring the new IT staff needed to support and develop on the new platform is also a huge undertaking. If you do spend the money and time you will soon realize that you are no safer than you were on your old OS. 99% of all malware and similar attack vectors are the result of poor system administration and social engineering to trick users into opening the door for an attack.

Re:So if 'cyberWar' is actually a thing... (1)

gl4ss (559668) | about a year ago | (#44278251)

yeah so bitching about zero day bugs on forums would then be a felony?

Re:So if 'cyberWar' is actually a thing... (3, Insightful)

databeast (19718) | about a year ago | (#44278325)

you can't sell something for profit that will be used in hostile actions, if you've already disclosed the information in public, now can you? The issue is profiteering from things that will /not/ be fixed, and specifically used to the detriment of another.

Re:So if 'cyberWar' is actually a thing... (1)

gl4ss (559668) | about a year ago | (#44278405)

it's exporting/distribution even if you don't charge for it...

Re:So if 'cyberWar' is actually a thing... (1)

databeast (19718) | about a year ago | (#44278449)

good point, I concur that laws are full of gotchas, and I was using ITAR as an example that a precedent has already been set once, not that ITAR is the hammer that should be used this time around...

Re:So if 'cyberWar' is actually a thing... (1)

phantomfive (622387) | about a year ago | (#44279397)

The issue is profiteering from things that will /not/ be fixed, and specifically used to the detriment of another.

At least some of these companies get around that problem (from a legal perspective) by doing checks on customers, like making sure the subscriber is a member of NATO (really, one of them does that). Essentially what it means is, if you want to buy these as a criminal, you're going to need to at least set up a shell company that makes you look legit. Given the high price of the exploits, that shouldn't be a problem for anyone who can afford it.

Re:So if 'cyberWar' is actually a thing... (4, Informative)

v1 (525388) | about a year ago | (#44279279)

....when do we start treating these folks like arms dealers? It's not a stretch, ITAR classified cryptography as munitions....

Zero-day exploits are a bit farther down the road than even munitions. At least I can claim I need a gun for self-defense. There's really no "legal use" for a zero-day. Its only immediate purpose is to bypass computer security, which is illegal in almost every corner of the globe. (the biggest three applications being theft, corporate espionage, and spying)

The interesting twist here I think though is that entire governments are doing business with these guys, because they want it just as bad as the more traditional criminals. Normally when you're a government, you simply spend money to get your way. Things you want to have but not let your people have you just make illegal for civilian use.

But this is different. Money doesn't directly GET you a zero day, any more than money can get you nuclear weapons. They require specialized knowledge and skills. So you either spend a huge amount of money to R&D it, or you just go out and buy it. Buying nuclear isn't easy because currently only big governments have it, and they don't want to water down their exclusivity, so they won't sell it at any price. But right now the black market has better R&D on zero-days than any government, and they're completely fine with selling it to anyone, for a high price of course. Also unlike nukes, it's not a matter of needing specialized materials and resources, anyone can R&D it, all they need is a lot of bored skilled nerds ;)

So it just makes sense that the black market is playing both sides. Everyone wants it, and they are by far the cheapest source. It's a supplier's dream come true.

Re:So if 'cyberWar' is actually a thing... (1)

pantaril (1624521) | about a year ago | (#44282241)

There's really no "legal use" for a zero-day.

There are certainly a few legit uses of 0-day exploits. Anti-virus creators, to name one.

....when do we start treating these folks like arms dealers? It's not a stretch, ITAR classified cryptography as munitions....

Maybe part of the responsibility for the current situation lies on the corporations and government agencies which often treat white-hat hackers, who try to inform them about their vulnerabilities, like criminals and throw legal actions at them. It's no wonder that some of the hackers turn their exploits over to the black market for money.

Re:So if 'cyberWar' is actually a thing... (0)

Anonymous Coward | about a year ago | (#44281555)

Didn't slashdotters always claim (in the face of hacking or trespass charges) that if I send you some bits, and then you send me some bits back, or you decide to self-destruct, then that's your problem?

Then why should person A be in any way responsible for telling person B some information, and then person B sends some bits to person C and person C decides to self-destruct, or sends all his secrets to person B, or whatever happens?

FRIZOSTY (-1)

Anonymous Coward | about a year ago | (#44278031)

FIRST
POST
BITCHES


Re:FRIZOSTY (0)

Anonymous Coward | about a year ago | (#44278159)

you're 4th looZer BITCH :D

VUPEN says they have standards. (1)

Anonymous Coward | about a year ago | (#44278037)

Only Available for trusted organizations

Because of the sensitive nature of the information provided through this service, VUPEN Security has defined strict eligibility criteria for participants. VUPEN Security solely reserves the right to determine whether an organization or corporation meets the criteria.

Eligible organizations are:

- Trusted Security Vendors Providing Defensive Software or Hardware (Antivirus, IPS, IDS)
- Governments, Law Enforcement, and CERTs (countries members of NATO, ANZUS, ASEAN)
- Worldwide Corporations and MSSPs (Fortune 1000, Finance, Technology, Research)

Source [vupen.com]

So all I have to do is register a corp called "Highly Trusted Security Vendor", subscribe, and profit?!

Maybe the technical community (0)

Anonymous Coward | about a year ago | (#44278045)

should have some kind of discussion about what the protocols for vulnerability disclosures should be, and what kind of legislation, if any, should be in place to back it up. Because if there is no discussion from the tech community, Congress will eventually do it themselves.

Of course, there will always be a black hat marketplace for vulnerabilities, but there could be laws with criminal and/or civil penalties.

Re:Maybe the technical community (2)

databeast (19718) | about a year ago | (#44278343)

There is no disclosure to these vulns, disclosing them would remove the value in them. These orgs aren't paying big money for vulns to have them /fixed/ people...the exact opposite.

WTF? (1)

mike555 (2843511) | about a year ago | (#44278071)

This "if a government does it, it is not a crime" notion needs to stop!

Re:WTF? (1)

databeast (19718) | about a year ago | (#44278995)

Certainly, if a government does it, it's not unlawful... and there's the rub. If interference and espionage with another nation's information systems are acts of aggression, will we ever see some updating of Geneva/Hague convention notions towards this? They both mention spies, but largely in the protection and treatment of them in habeas corpus situations... Do we even need such an updating? There is plenty of material on the legality of peacetime espionage, yet the sabotage issue remains as murky as ever.

Re:WTF? (1)

tibman (623933) | about a year ago | (#44286113)

Also, when can there be a physical response to a non-physical attack?

Expensive AV waste of money. (0)

Anonymous Coward | about a year ago | (#44278081)

The big AV providers are as bad. The quality of their software is not even any good. It just gives people a false sense of security. (And costs an obscene amount of money.) Just because something is upx packed doesn't make it a virus. None of the 0 days are ever stopped by AV.
Putin had the best idea: just use typewriters and have good physical security and a very real, well known threat of death.

Re:Expensive AV waste of money. (0)

Anonymous Coward | about a year ago | (#44278117)

Any AV is a waste of money and of CPU cycles, there are no viruses on GNU/Linux.

Re:Expensive AV waste of money. (1)

kcmastrpc (2818817) | about a year ago | (#44278219)

Snakso-A
42
Arches
Alaeda - Virus.Linux.Alaeda
Bad Bunny - Perl.Badbunny
Binom - Linux/Binom
Brundle
Bukowski
... shall I go on?

Re:Expensive AV waste of money. (1)

Anonymous Coward | about a year ago | (#44278797)

Oh yes, please do continue cherry-picking from a Wikipedia article you clearly don't understand. Did you see the disclaimer immediately before that list?

"The following is a partial list of known Linux malware. However, few if any are in the wild, and most have been rendered obsolete by Linux updates or were never a threat."

Yeah, the definition and implications of the term "virus" has evolved over the last couple of decades, but nothing you listed is actually an initial attack vector. At best, they're trojans. They all require a previously compromised system, generally by an admin installing shady packages to begin with. You might have looked a little smarter if you had listed some of the worms further down, but even those were patched over a DECADE ago.

Seriously, fuck off. There's no comparison.

Re:Expensive AV waste of money. (0)

Anonymous Coward | about a year ago | (#44278277)

Any AV is a waste of money and of CPU cycles, there are no viruses on GNU/Linux.

There could be, though.

Lots of things help prevent this. Distributions like Debian having just about anything anybody could possibly want to run as packaged software available from a single trusted source. Auditing tools like debsums that can tell you if any files installed from those trusted sources have been modified, etc. These things make virus type malware less likely to ever end up on a Debian host. But, it is not impossible. And, many distributions are far less complete in selection of software than Debian (e.g., Redhat was about 7% of the number of packages in Debian official repos last time I checked), so users do install software from random sources, and many of these distributions do not include built-in auditing tools, so are even more vulnerable.

Some distributions like Redhat, run SELinux out of the box, and do kernel module signing to help protect against attacks.

Lots of technical and infrastructure features to help prevent malware on Linux-- but, I think the number one reason, is that even with the influx of noobs to Linux over the last 10 years, the level of technical competence of the average linux user is still orders of magnitude greater than the level of competence of the average windows user. If those demographics change, I think you will see a commensurate rise in malware incidents with linux.

Re:Expensive AV waste of money. (1)

edman007 (1097925) | about a year ago | (#44280569)

Android: it is Linux by many standards, loads of incompetent users, loads of malware.

Re:Expensive AV waste of money. (4, Insightful)

ulatekh (775985) | about a year ago | (#44278435)

Any AV is a waste of money and of CPU cycles, there are no viruses on GNU/Linux.

Then why does rkhunter [sourceforge.net] exist?

Re:Expensive AV waste of money. (1)

Billly Gates (198444) | about a year ago | (#44279183)

Such ignorant posts like the grandparents truly scare me.

I would mod you higher if I had points.

I have seen Linux servers compromised and admins throwing a fit saying it is impossible because they run Linux! No such thing as a rootkit could possibly exist. This was a major bank too.

Re:Expensive AV waste of money. (1)

tibman (623933) | about a year ago | (#44286881)

geez, i updated this thing last year! how much maintenance does this thing need?!

Re:Expensive AV waste of money. (0)

Anonymous Coward | about a year ago | (#44279839)

Then why does rkhunter [sourceforge.net] exist?

A rootkit is not the same as a virus, so that doesn't prove anything.

I'm not saying GNU/Linux doesn't have any viruses, but you need to find a better argument.

ANDROID = Linux based (0)

Anonymous Coward | about a year ago | (#44289829)

Infested faster than Win3.x-9x were - Most used = most attacked on any given computing platform: Proven over time fact. As far as rootkit not being same as a virus? Please: Quit the bullshit word games. Malware in general suit you better?? You fail, and so does your nitpicking bullshit vs. that argument. Made me laugh for many years here while the Penguins spouted their bullshit of "Viruses can't touch Linux". Funny how ANDROID changed ALL that crap, eh? Not.

Re:Expensive AV waste of money. (0)

Anonymous Coward | about a year ago | (#44278155)

Putin had the best idea: just use typewriters and have good physical security

Now, that's a practical idea for today's global businesses.

Agreed (especially on .exe compression) (0)

Anonymous Coward | about a year ago | (#44278271)

"Been there/done that" http://it.slashdot.org/comments.pl?sid=3958509&cid=44241949 [slashdot.org] & also saw "rules" in "heuristics" like if an app uses a WinRar SFX as a distro carrier/installer, then "it is a virus" (WTF?). Worse ones too, like if an app has networking code in it, and uses the "lowest common denominator" like NetScape 3.0 as its user-agent string, it too will be marked falsely as a "virus" - again, WTF!

The hilarious part? The app's been vetted as not a "virus/spyware" etc. free by folks in the security community itself, & they host it for me in fact (malwarebytes is 1 of them):

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 [start64.com]

If you see the list of enumerated points it has there yielding better online speed, security, reliability & even anonymity to an extent? It'll truly make you wonder where the hell they were coming from classifying it as "malware"... in the end? They all ended up removing it from their lists of malware. Bottom-line: When the people creating these programs can't even do their job correctly? "Houston, we have a problem!" & especially regarding my program, which works on a very simple principle: "What you can't touch, can't harm you"

APK

P.S.=> I got "the last laugh" & they "ate their words" (heuristics rules) vs. myself! No, & that's not a 1st either! I went thru the same with Computer Associates who hid they did the same to another app of mine years ago, not even letting me know about it (had to find it out myself). I took their removal test passed all 21 questions & on the advice of an attorney I do so! So I did - what'd they do? Lowered it to "zero threat levels". I passed all removal questions. So why was it not removed then? They don't follow their own rules! CA was caught in accounting scandals afterwards ... apk

Business as usual (1)

gmuslera (3436) | about a year ago | (#44278165)

They would trade mutated virus strains (especially the successful ones) without worrying about an incoming pandemic.

Best strategy : (0)

Anonymous Coward | about a year ago | (#44278203)

Best strategy is not to play. Unplug from the realm of machines.
There is no way to secure ANYTHING plugged into any network owned by telcos and third parties. None.
So... where does that leave us? Get out the old phone modem and use it directly connected to your peer.
There is good use for modems for those who need secure communications and must do it with their computers.
Do not throw away those old computers. They may be your key to the security you seek.

Re:Best strategy : (0)

Anonymous Coward | about a year ago | (#44278939)

Uhm, and then what's to stop them from tapping your phone line and logging all your modem activity? It's not like normal modems from back in the day did encryption or anything.

Re:Best strategy : (1)

ultrasawblade (2105922) | about a year ago | (#44279841)

SSH over PPP.

Because I like transmitting and receiving at .56kbits/sec.

Re:Best strategy : (1)

Soporific (595477) | about a year ago | (#44290625)

I only use one time pads, flown by camouflaged carrier pigeons. Might be slow, but it's secure dammit!

~S

sEp?! (-1)

Anonymous Coward | about a year ago | (#44278213)

legitimise doIng [goat.cx]

i have a question (0)

Anonymous Coward | about a year ago | (#44278229)

are all those links mentioned safe?

Why not subscribe yourself? (0)

Anonymous Coward | about a year ago | (#44278241)

It would seem like a trivial cost of doing business for the big software firms to subscribe to these lists themselves through some sort of proxy. In fact, it would seem insane not to have an entire team/division dedicated to crawling around on the underbelly of this stuff rooting out the worst exploits and feeding them back to be corrected.

The best! (0)

Anonymous Coward | about a year ago | (#44278311)

South Korea is the best South.

Yeah, that sounds dumb even to me.

Was the Internet a mistake? (3, Insightful)

ebno-10db (1459097) | about a year ago | (#44278315)

Sometimes I think that using the Internet for anything other than publicly available static HTML (e.g. Wikipedia) is a mistake. Nice idea, but not every good idea works out well.

Re:Was the Internet a mistake? (0)

Anonymous Coward | about a year ago | (#44279293)

Except Wikipedia isn't static HTML. If it were, it would barely be usable, never mind convenience features like MathML rendering and things of that nature, but also pretty fundamental things like URL dispatching and searches. The mistake was not designing it to be dynamic in the first place, which leads us to the stupid hacks and feature creep we are seeing in HTML5.

Re:Was the Internet a mistake? (1)

Spykk (823586) | about a year ago | (#44279485)

Wikipedia is one of the interactive internet's biggest success stories. You do realize how content gets into Wikipedia?

I think PC architecture was a mistake (2)

Burz (138833) | about a year ago | (#44281153)

Or at least the sort of computer design that deliberately walked away from having security built into all levels.

With that said, the Web acquired some customs that are hostile to security: Routine execution of automatically retrieved code, coding pages as composites from many third party sites, and the ad industry's negligent attitude toward malware are a few.

Also, neither PC nor Web architecture attempted to make certificates and keys into palpable first-class entities that users could more easily understand and manipulate, so the potential for verification and privacy were not realized.

Right now, some of the best stopgaps against this miserable history are projects like Qubes, Tor and I2P. Qubes lets me handle each thing I do in separate hardware-and-GUI enforced domains. Tor enables privacy for web and is familiar to many people. I2P gives me more than web connectivity, and the expectation that sites I connect to won't need Javascript (hardly ever) and is more future-proof than Tor.

Re:I think PC architecture was a mistake (1)

Eccentric-Dude (2910375) | about a year ago | (#44282117)

> Or at least the sort of computer design that deliberately walked away from having security built into all levels.

That was exactly what happened when people moved away from central mainframes to local PCs.

> Also, neither PC nor Web architecture attempted to make certificates and keys into palpable first-class entities that users could more easily understand and manipulate, so the potential for verification and privacy were not realized.

There is a link missing in the chain. It is the list of which web sites are signed by which CA. Without that list, checking certificates is Russian Roulette. You get lucky most of the time.

> Right now, some of the best stopgaps against this miserable history are projects like Qubes, Tor and I2P. Qubes lets me handle each thing I do in separate hardware-and-GUI enforced domains. Tor enables privacy for web and is familiar to many people. I2P gives me more than web connectivity, and the expectation that sites I connect to won't need Javascript (hardly ever) and is more future-proof than Tor.

I've come up with a way to get out this mess. It uses all the standard cryptography components but in a different way; and it is very easy to integrate into the current Internet structure.

I call it Eccentric-Authentication. See http://eccentric-authentication.org/ [eccentric-...cation.org]

Re:I think PC architecture was a mistake (1)

Burz (138833) | about a year ago | (#44284403)

Thanks, that looks interesting. And you're absolutely right about CA Roulette, though using I2P addresses that issue because every I2P address is a verifiable identity.

Re:Was the Internet a mistake? (1)

Hentes (2461350) | about a year ago | (#44287533)

No, it wasn't. Whether you get hacked or not is entirely up to you. Why would I care if other people using insecure systems get hacked?

Responsible Disclosure is Dead (0)

Anonymous Coward | about a year ago | (#44278369)

Now that we know that Microsoft and other American companies will arm the NSA with vulnerabilities that are reported to them, anyone finding a vulnerability might as well realize the commercial value themselves. Why would anyone not publish or sell?

Re:Responsible Disclosure is Dead (1)

databeast (19718) | about a year ago | (#44279037)

Welcome to the self-hatred that is working in the infosec business - any illusions we held about trying to improve the state of things for the greater good fell away many years ago when people started realizing that there was no profit in working towards making ourselves obsolete - casualties be damned. When it comes to computers, you're either responsible for your own OPSEC 24/7, or you accept that your systems will be interfered with in perpetuity. Nobody is looking out for you, least of all the infosec business.

Re:Responsible Disclosure is Dead (0)

Anonymous Coward | about a year ago | (#44279407)

What I tried to point out to a former employer, lo, these many years ago. All it earned me was suspicion. Youngsters be wise, do not let the company's outside IT vendor know that you know one end of a compiler or a shell script from another. And do not antagonize the president's bonehead outside accountant. Or you could throw love aside and marry the boss's daughter, for a little job security. She was cute enough.

Re:Responsible Disclosure is Dead (0)

Anonymous Coward | about a year ago | (#44279991)

Almost forgot. Do not piss off or unwittingly threaten your cow-orkers with your awesomeness. You know, the ones with all the cop buddies with GCIC and NCIC terminal access. You never know what they might be hiding, or for who. And from who.

Put it this way, they may seem to be all "pro patria et dei", but boy scouts ain't really what they're looking for. That's just flag-waving, to baffle 'em with bullshit. You know, for when you can't dazzle them with brilliance..?

Re:Responsible Disclosure is Dead (0)

Anonymous Coward | about a year ago | (#44283351)

If this goes on long enough, can we call ourselves "Doctors" then?
Dr. Sec.
Dr. Ingsoc.
Etc.

Damn the world. Only electronic money profits matter!
And if we fail, we can always print more!!

In a way (2, Insightful)

Anonymous Coward | about a year ago | (#44278413)

In a way this is proof that the existing approaches to computer security have gone completely bust. They're big business so there's money in keeping it that way, not so much in actually fixing anything. Besides, patching does not fundamentally improve the software. All it does is wipe away visible blemishes.

This fits well with the blind leading the blind approach to reporting about computer security, where everybody and his dog is a "hacker" even if he's really a rent-a-cop trying to defraud his employer by sticking a USB keylogger stick into some machines*.

There is nothing new going on here. Whether you're styling yourself a "white" or a "black" or even, superfluously, a "green" hat, you're no hacker. Green hats? Yes, they're in it for the money. Get it, green? Only both the white and the black hats are in it for the money too. Have been for a while. So that is a superfluous distinction.

Doesn't matter that there are laws against "hacking", as they are equally vague. I'd say needlessly, but that isn't quite the word for it. Laws need to be precise, and using vague terms like "hacking" in the popularly uninformed "anything potentially bad vaguely involving something computer-y somehow" meaning implies that the law can be applied inconsistently, at the attorney general's whim. And random justice is not justice. The Aaron Swartz case is a clear case of AG bullying by piling up the accusations. Now imagine that enshrined in law. It usually doesn't go too spectacularly wrong, but if the law were a car it'd be neither street legal nor safe to drive.

There's irony here. Originally "hacking" had strong connotations of doing new and interesting things. Things that had you go "I didn't know it could do that!?!" -- bonus points if the original creator of the thing made to do new things had that reaction. Thus the first buffer overflow, the first SQL injection, the first remote code injection and successful execution were "hacks". But the nine thousandth? Not so much.

Yet what we're seeing here is a veritable industry with a thriving market on both sides of the legality fence. Plenty of people doing their often quite specialised thing and making money, sometimes quite a lot of money, out of it. That's not "hacking", and so nobody doing that is a "hacker". Worse, even the white hats are not meaningfully pushing the state of the art of computer security forward. It's all patching holes in the notional swiss cheese. No fundamental research, like research into model checking (which appears to be "strictly harder than NP", quite the intellectual challenge foregone), no nothing. Just churning, grinding, more of the same.

That this is a confused field is clear from the "ethical hacker" term. No, if you need a prefix you're no hacker. Hacking is not inherently unethical, or ethical. If you need a prefix (or a hat) to defend what you're doing, you're doing it wrong.

The black hats are doing us a disservice by exploiting us for their monetary gain. And the white hats? Likewise, plus they're not meaningfully contributing to research thwarting the black hats. Everyone is a green hat now. None are hackers.

Semantics are important, and the semantics of the IT security industry mean that it's a racket dressed up in fancy words it hasn't earned. It's a racket full of FUD, that you can see in most every press release and blog. And until we understand the semantics, until we stop using the wrong words, and start recognising what is really going on, we can't even begin fixing the problem because we can't see it, we can't talk about it, we can't identify just what is bugging us. Semantics are important, and so far we have been doing it wrong.

* Actual tech-rag reporting, indeed using the "hacker" moniker for describing exactly that.

Re:In a way (1)

databeast (19718) | about a year ago | (#44278537)

Sad I blew mod points to comment on this article, but this reply deserves modding up. Your point about the redundancy of the term 'ethical hacker' is something I wrote about on Bloomberg last year (and was promptly libeled by Richard Stiennon in his column a day later).

Re:In a way (0)

Anonymous Coward | about a year ago | (#44279645)

"Cybersecurity", i.e. the war on some cracking, is becoming synonymous with, as well as entwined with, the war on some drugs, and the war on some terror.

Semantics, hmm. Ok. Vocabulary lesson for the day; see if it applies:
From www.thefreedictionary.com/meretricious

> meretricious (mĕr′ĭ-trĭsh′əs)
> adj.
> 1.
> a. Attracting attention in a vulgar manner: meretricious ornamentation. See Synonyms at gaudy.
> b. Plausible but false or insincere; specious: a meretricious argument.
> 2. Of or relating to prostitutes or prostitution: meretricious relationships.
> [Latin meretrīcius, of prostitutes, from meretrīx, meretrīc-, prostitute, from merēre, to earn money; see (s)mer-2 in Indo-European roots.]
> meretriciously adv.
> meretriciousness n.

Example usage:
1a. "Ebno-10db found anything but publicly-available static HTML meretricious."
1b. "Ed thought a press conference at the Moscow airport would show 'em, but Bradley considered that just a bit of a meretricious venue."
2. "To call the snake oil and FUD peddled by the cybersecurity industry meretricious is to insult good honest whores."

Re:In a way (0)

Anonymous Coward | about a year ago | (#44283453)

Good post. Why is it like that?
Two obvious points:
1) The markets are "maturing", thus inefficiencies start to creep in.
2) Most important, the money system dictates it to be so. If you need to eat and sleep, you need a job, which means you need to support the system, which is a soulless parasite feeding on our privacy, security, health and nature itself.

We have judged our doom "our best system yet". It's not too late to review and change course though.

I am SUCH an idiot. (0)

ulatekh (775985) | about a year ago | (#44278479)

I was a teenage pinheaded computer hacker, back in the day. ("Pinheaded" in the sense that I never stole anything, or caused any damage...I would break into a system and then do the computer equivalent of bouncing around like Daffy Duck — "Woo hoo! Woo hoo! Woo hoo!" The owners of the system would quickly realize that someone had broken in, and then work to close the hole.)

But my 18th birthday rolled around, and I decided to clean up my ethics, and only program for legitimate purposes.

WHAT AN IDIOT I WAS!

If I had kept up with it, upgraded my hacking skills to the Internet era, and worked to find security flaws created by lazy/stupid programmers, I would not only be working for the government, but I'd be hella rich.

Instead, I have to work with those lazy/stupid programmers on a daily basis, and have to deal with their sullen vitriol when I happen to point out that the code they squeezed out of their ass isn't the crown of creation.

I am so dumb. For this reason alone, I deserve my lousy career.

Re:I am SUCH an idiot. (2)

ebno-10db (1459097) | about a year ago | (#44278501)

> But my 18th birthday rolled around, and I decided to clean up my ethics, and only program for legitimate purposes.

You turned down the job offer from the NSA?

I shall definitely remain AC on this one: (0)

Anonymous Coward | about a year ago | (#44279243)

You jest, but he is not the only one...

Good Will Hunting 1997 (0)

Anonymous Coward | about a year ago | (#44279585)

You ALL need to see this scene http://www.youtube.com/watch?v=UrOZllbNarw [youtube.com] and that film character had it right as far back as 1997.

Attitude reflecting leadership (0)

Anonymous Coward | about a year ago | (#44278977)

You're now adopting your "masters" viewpoint of the ends justify the means (as long as we the 1%'ers who sold our soul come out on top. Yea, great. On top of a heap of shit is no major accomplishment). Only WE the 1%'ers are 'smart enough' (despite our shitty results economically, being caught spying on you, being caught abusing the powers of the IRS to target opponents, making wars you pay for and we 1%'er controllers profit by, etc.) to run things. Run 'em right into the ground, who the hell cares, we got ours! You must not be part of the masonic order secret handshake billionaire boys club or a "religious cult" doing the same on the other side of the fence (starts with j) then. If you were, you'd have long ago adopted the principles (or lack of them, along with a conscience and consideration for others, and no long term thinking for the good either) you speak of.

Re:I am SUCH an idiot. (0)

Anonymous Coward | about a year ago | (#44279421)

To be fair, working as a pentester would probably entail spending half your workday reversing software and the other half writing reports?

0-day exploit = NSA coded backdoor (-1)

Anonymous Coward | about a year ago | (#44278533)

Every major software firm inserts NSA back-doors into their applications. These are not mistakes, programming errors or poor understanding of safe coding methods. These are carefully crafted holes that are designed to stay obscure to all but the NSA for as long as possible.

Sooner or later, the NSA back-door is discovered by third parties, often initially by soft intelligence companies with associations to other government departments. These exploits tend to then be first used by law enforcement and the like, and then after a short period by very well organised gangs of criminals with links to Israel and/or East Europe (especially the pseudo nations created from ex-Ukraine territory).

A little later again, and the given exploit is considered to be in the 'wild', prompting Microsoft or Google or whoever to publicly accept its existence, and offer up a patch to fix the hole (the patch, of course, has brand-new NSA back-doors).

Now shills and idiots will say "but doesn't Google pay actual awards to people finding exploits in its software?" Yes they do, but the explanation is far from innocent. Whereas Microsoft works intimately side-by-side with the NSA, Google is actually an official R+D department of the NSA. Google hardware and software designs are used in so-called shadow-Google installations where the majority of data captured by the intelligence agencies of the West is stored and data-mined.

Google is simply in the business of much higher quality NSA back-doors, and uses its reward scheme as a mechanism of quality control. Google wants the NSA and the like to be relying on Google software in the future, not that from Microsoft. There is commercial competition even in the world of illegal surveillance on the general population.

Windows 8.1 has now been revealed to be a major step by Microsoft for simplifying the surveillance of everything a user might do on a Windows PC, down to bugging the message queue mechanism itself, to circumvent any user installed encryption software. This game is not going to end any time soon.

Re:0-day exploit = NSA coded backdoor (4, Insightful)

databeast (19718) | about a year ago | (#44278651)

If these developers are so good at consciously creating vulns, you'd think they'd be better at NOT creating them too, now wouldn't you? After all, software shouldn't require /hundreds/ of these backdoors, just a handful that were constructed carefully enough. They certainly shouldn't be getting discovered by independent researchers without all these necessary criminal and Military Industrial connections you describe.

Reality does not support your hypothesis here I'm afraid, I think your tinfoil hat might have been backdoored...

pronounced juarez (0)

Anonymous Coward | about a year ago | (#44279935)

I'm disappointed this ain't about the warez scene. :P

New Programming Languages (2, Informative)

theweatherelectric (2007596) | about a year ago | (#44280367)

All the more reason to consider using new programming languages like Rust [rust-lang.org] which are built with memory safety in mind. Better programming languages are by no means a silver bullet for security problems, but they help.

Re:New Programming Languages (0)

Anonymous Coward | about a year ago | (#44281327)

Good point.

These zero days are going to force IT administrators to work more overtime than ever, so all the more reason to stock up on semi-perishable food [walmart.com] that does not require refrigeration.

Re:New Programming Languages (0)

The Cat (19816) | about a year ago | (#44282743)

Or you could just write good C code with memory safety in mind.

But that would require thinking, so most "programmers" will flock to the hype.

And end up writing more pretentious, trendy shit that does fuck-all that's useful.

Re:New Programming Languages (0)

Anonymous Coward | about a year ago | (#44283483)

C is utter crap concerning security. If security puts food on your table, then go ahead, use C to your heart's content.
If security takes away food from your platter, then you should maybe focus on your core business strategy, and not something that doesn't help you get food?

Re:New Programming Languages (0)

The Cat (19816) | about a year ago | (#44290499)

Anything is utter crap if you're a bad programmer.

Stop being bad. Then C is fine.

Because there is no legal way (1)

Hentes (2461350) | about a year ago | (#44287565)

When legal hackers get prosecuted it's no wonder they flock to the black markets.
