Business Is Booming In the 'Zero-Day' Game 97
HonorPoncaCityDotCom writes "Nicole Perlroth and David E. Sanger write in the NY Times that all over the world, from South Africa to South Korea, business is booming in zero days. The average attack persists for almost a year before it is detected, according to Symantec, the maker of antivirus software. Until then it can be exploited or 'weaponized' by both criminals and governments to spy on, steal from, or attack their targets. Ten years ago, hackers would hand knowledge of such flaws to Microsoft and Google free in exchange for a T-shirt, but increasingly the market for 0-day exploits has begun to migrate into the commercial space (PDF) as the market for information about computer vulnerabilities has turned into a gold rush. Companies like Vupen charge customers an annual $100,000 subscription fee to shop through its catalog, and then charges per sale to countries who want to use the flaws in pursuit of the kind of success that the United States and Israel achieved three summers ago when they attacked Iran's nuclear enrichment program with a computer worm that became known as 'Stuxnet.' Israel, Britain, Russia, India and Brazil are some of the biggest spenders but North Korea is also in the market, as are some Middle Eastern intelligence services."
Was the Internet a mistake? (Score:4, Insightful)
Sometimes I think that using the Internet for anything other than publicly available static HTML (e.g. Wikipedia) is a mistake. Nice idea, but not every good idea works out well.
Re:So if 'cyberWar' is actually a thing... (Score:4, Insightful)
you can't sell something for profit that will be used in hostile actions, if you've already disclosed the information in public, now can you? The issue is profiteering from things that will /not/ be fixed, and specifically used to the detriment of another.
In a way (Score:2, Insightful)
In a way this is proof that the existing approaches to computer security have gone completely bust. They're big business so there's money in keeping it that way, not so much in actually fixing anything. Besides, patching does not fundamentally improve the software. All it does is wipe away visible blemishes.
This fits well with the blind leading the blind approach to reporting about computer security, where everybody and his dog is a "hacker" even if he's really a rent-a-cop trying to defraud his employer by sticking a usb keylogger stick into some machines*.
There is nothing new going on here. Whether you're styling yourself a "white" or a "black" or even, superfluously, a "green" hat, you're no hacker. Green hats? Yes, they're in it for the money. Get it, green? Only both the white and the black hats are in it for the money too. Have been for a while. So that is a superfluous distinction.
Doesn't matter that there are laws against "hacking", as they are equally vague. I'd say needlessly, but that isn't quite the word for it. Laws need to be precise, and using vague terms like "hacking" in the popularly uninformed "anything potentially bad vaguely involving something computer-y somehow" meaning, implies that the law can be applied inconsistently, at the attorney general's whim. And random justice is not justice. The Aaron Schwarz case is a clear case of AG bullying by piling up the accusations. Now imagine that enshrined in law. It usually doesn't go too spectactularly wrong, but if the law was a car it'd be neither street legal nor safe to drive.
There's irony here. Originally "hacking" had strong connotations of doing new and interesting things. Things that had you go "I didn't know it could do that!?!" -- bonus points if the original creator of the thing made to do new things had that reaction. Thus the first buffer overflow, the first SQL injection, the first remote code injection and succesful execution were "hacks". But the nine thousanth? Not so much.
Yet what we're seeing here is a veritable industry with a thriving market on both sides of the legality fence. Plenty of people doing their often quite specialised thing and making money, somethimes quite a lot of money, out of it. That's not "hacking", and so nobody doing that is a "hacker". Worse, even the white hats are not meaningfully pushing the state of the art of computer security forward. It's all patching holes in the notional swiss cheese. No fundamental research, like research into model checking (which appears to be "strictly harder than NP", quite the intellectual challenge foregone), no nothing, Just churning, grinding, more of the same.
That this is a confused field is clear from the "ethical hacker" term. No, if you need a prefix you're no hacker. Hacking is not inherently unethical, or ethical. If you need a prefix (or a hat) to defend what you're doing, you're doing it wrong.
The black hats are doing us a disservice by exploiting us for their monetary gain. And the white hats? Likewise, plus they're not meaningfully contributing to research thwarting the black hats. Everyone is a green hat now. None are hackers.
Semantics are important, and the semantics of the IT security industry mean that it's a racket dressed up in fancy words it hasn't earned. It's a racket full of FUD, that you can see in most every press release and blog. And until we understand the semantics, until we stop using the wrong words, and start recognising what is really going on, we can't even begin fixing the problem because we can't see it, we can't talk about it, we can't identify just what is bugging us. Semantics are important, and so far we have been doing it wrong.
* Actual tech-rag reporting, indeed using the "hacker" moniker for describing exactly that.
Re:Expensive AV waste of money. (Score:5, Insightful)
Any AV is a waste of money and of CPU cycles, there are no viruses on GNU/Linux.
Then why does rkhunter [sourceforge.net] exist?
Re:0-day exploit = NSA coded backdoor (Score:5, Insightful)
If these developers are so good at consciously creating vulns, you'd think they'd be better at NOT creating them too, now wouldn't you? After all, software shouldn't require /hundreds/ of these backdoors, just a handful that were constructed carefully enough.. They certainly shouldn't be getting discovered by independent researchers without all these necessary criminal and Military Industrial connections you describe.
Reality does not support your hypothesis here I'm afraid, I think your tinfoil hat might have been backdoored...