Business Is Booming In the 'Zero-Day' Game 97
HonorPoncaCityDotCom writes "Nicole Perlroth and David E. Sanger write in the NY Times that all over the world, from South Africa to South Korea, business is booming in zero days. The average attack persists for almost a year before it is detected, according to Symantec, the maker of antivirus software. Until then it can be exploited or 'weaponized' by both criminals and governments to spy on, steal from, or attack their targets. Ten years ago, hackers would hand knowledge of such flaws to Microsoft and Google free in exchange for a T-shirt, but increasingly the market for 0-day exploits has begun to migrate into the commercial space (PDF) as the market for information about computer vulnerabilities has turned into a gold rush. Companies like Vupen charge customers an annual $100,000 subscription fee to shop through its catalog, and then charges per sale to countries who want to use the flaws in pursuit of the kind of success that the United States and Israel achieved three summers ago when they attacked Iran's nuclear enrichment program with a computer worm that became known as 'Stuxnet.' Israel, Britain, Russia, India and Brazil are some of the biggest spenders but North Korea is also in the market, as are some Middle Eastern intelligence services."
So if 'cyberWar' is actually a thing... (Score:5, Interesting)
....when do we start treating these folks like arms dealers? It's not a stretch, ITAR classified cryptography as munitions....
(* cyber 'war' is a ridiculous term for something we already have words for - espionage and sabotage, both of which have been achieved using only information, for centuries now).
Re:So if 'cyberWar' is actually a thing... (Score:4, Interesting)
We need rules for these articles in the future.
Cyber-war/Cyber-warfare - take a drink
Cyber-weapon - take a drink
Cyber-warrior/Cyber-soldier - chug
Cyber-command - chug
Others?
Anyway, if this is such a big risk (aside from alcohol poisoning) then why aren't other countries switching to Linux and training their own programmers so that they can "harden" it?
If they have to use something that they did not write/audit themselves then that should be completely isolated.
Wouldn't the intelligent thing to do (if this is really a threat) be to develop a 5 year goal of moving off of software written by your potential cyber-emenies (take a shot).