[HN Gopher] Bombs vs. Bugs
___________________________________________________________________
Bombs vs. Bugs
Author : carlotasoto
Score : 130 points
Date : 2021-08-03 14:55 UTC (8 hours ago)
(HTM) web link (edwardsnowden.substack.com)
(TXT) w3m dump (edwardsnowden.substack.com)
| SavantIdiot wrote:
| > However, we also have to recognize that until your neighbors
| are lining up to storm the Bastille
|
| Too soon, man, too soon.
| flerovium wrote:
| > Another little-understood property that makes exploits more
| dangerous than bombs--and they definitely are--is that, as with
| the viral strain of a biological weapon, as soon as an adversary
| catches a sample of an exploit, they can perfectly reproduce
| it... and then use it themselves against anyone they want.
|
| On the other hand, once an exploit is used against a _good_
| actor, they can neutralize the use of that kind of "bomb" against
| anyone.
|
| I'm searching for a good comparison about mutating codes and
| inoculations against them...
| irq-1 wrote:
| > a prohibition on the _commercial trade_ -- that is to say,
| specifically the for-profit exploitation of society at large,
| which is the raison d'etre of the insecurity industry--rather
| than the mere development, production, or use of exploit code.
|
| If the "use of exploit code" is protected then why bother? The
| law would have to prove an unauthorized use or "for-profit
| exploitation" of code, and at that point it doesn't matter if
| it's exploit code; any code could be used for unauthorized use.
|
| Worse, this would put corporations at the center of what's an
| exploit. Every time a company makes software there could be
| someone arguing that it's an exploit or makes unauthorized use (of
| info or computing). Companies already avoid the GPL when they can
| because of legal FUD and this would extend those fears to all
| software they release. The Sony CD rootkit [0] was clearly over
| the line but what of iTunes encrypting local music files? Apple
| locked you out of _your files_ by encrypting them and then
| offered to sell you the key -- sound familiar?
|
| [0]
| https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...
|
| Commercial trade isn't the right definition. Exploit code is:
| using or bypassing an API in an unintended manner (for the
| benefit?, or to the detriment?, of the owner.)
| jokoon wrote:
| A little game theory:
|
| I really believe that it's not in the US government interest to
| increase computer security.
|
| I think the NSA is at least 5 or 6 steps ahead of the security
| game, so for now the NSA dominates cyber warfare, which is why
| they don't want more security in software, so they will
| constantly make everything possible so that software is insecure.
|
| But at some point, it is going to sting because China, Russia and
| others are catching up.
|
| I always found it weird that there are a lot of security
| standards for other industries, OSHA, etc, but for software,
| there is nothing, no companies are required to comply with software
| security standards. No software is being inspected at all. Isn't
| it weird?
| lstodd wrote:
| > I think the NSA is at least 5 or 6 steps ahead of the
| security game
|
| NSA isn't.
|
| There is no lead, and the barrier for entry is at a historical
| low.
|
| Many people just don't bother because it's boring, not because
| it's hard.
|
| Breaking into stuff became so simple that it just doesn't
| attract talent any more.
| TheCapn wrote:
| >I always found it weird that there are a lot of security
| standards for other industries, OSHA, etc
|
| Can't speak for all, but look into things like the CISA[1]. I
| don't think they have much legal authority over industries,
| perhaps in some deemed critical but not others, but to say
| there's no "standards" is a _bit_ wrong.
|
| [1]: https://www.cisa.gov/
| toomanyducks wrote:
| It might not be fair to assume that OSHA, etc, and the NSA,
| etc, operate under the same agenda. Some industries _do_ have
| standards for tech. HIPAA, for instance, sets some minimum
| expectations for cyber security with regard to private health
| information (PHI). And there are HIPAA inspections, right along
| with OSHA ones. Of course, it's a fairly clunky solution given
| that government is slow and tech is fast, but it's certainly
| there, and it's certainly helpful.
| m12k wrote:
| If the NSA is ahead on discovering exploits shouldn't they want
| a ban on selling exploits, so others have a harder time
| catching up, and it's less likely that any of the exploits that
| they've discovered in-house get "burned" by being used by
| someone else?
| xmprt wrote:
| Not if they're also a big purchaser of exploits.
| m12k wrote:
| It's quite possible for the government to outlaw selling
| things to anyone other than them. Cf. a lot of military
| hardware.
| legrande wrote:
| > I really believe that it's not in the US government interest
| to increase computer security
|
| Agreed. It's just doublespeak[0]. We all know it's the National
| Insecurity Agency, and that the NSA hoards & stockpiles 0day.
| They very rarely release tools and research papers designed to
| strengthen our IT infra, since they sit on so much 0day.
| There's no balance.
|
| I don't buy that they're 50% red team, and 50% blue team. More
| like 99% red team and 1% blue team.
|
| [0] https://en.wikipedia.org/wiki/Doublespeak
| HideousKojima wrote:
| Hell, the NIST does more to fulfill the NSA's mission of
| domestic IT security than the NSA does. Ghidra is the only
| good thing out of the NSA in a long time.
| AutumnCurtain wrote:
| Interesting that his most common feedback is to use simpler
| language and write shorter pieces; personally I've felt he does
| very well at using accessible language but is handcuffed by the
| intrinsic inaccessibility of the topic to people without
| knowledge in the cybersecurity/privacy domain. This article, I
| think, is a good illustration of his abilities there.
| hyper_reality wrote:
| Here's an example of purple prose that has nothing to do with
| the complexity of cybersecurity, from his first post on
| Substack (https://edwardsnowden.substack.com/p/lifting-the-
| mask):
|
| > Though my relationship to time fluctuates, the gravamen of my
| disclosures remains constant. In the past eight years, the
| depredations of surveillance have merely become more
| entrenched, with the capabilities that used to be the province
| of governments now in the hands of private companies, too,
| which employ them to track and tether us and attenuate our
| freedoms.
| anon_cow1111 wrote:
| I don't know, this is exactly how I would talk if I wanted to
| poison the data of anyone trying to run word-use analysis
| against my public posts. On anonymous channels I'd probably
| type like an 8-year-old.
| legrande wrote:
| As long as someone is coherent and concise, I don't care how
| they write / talk. Also if they cut out superfluous language
| and try not to use esoteric phrases & words, that's a bonus.
| flerovium wrote:
| It's difficult to find good resources to learn how to do this.
|
| Strunk and White sounds "old" to many modern ears.
|
| Williams' "Style" is hands-down the best modern guide.
| https://sites.duke.edu/niou/files/2014/07/WilliamsJosephM199...
| saalweachter wrote:
| Here's where the dearth of editors on the internet is felt.
|
| There's nothing wrong with an individual style to writing and
| speech, but editors can help push authors towards a more
| uniform standard.
| soared wrote:
| I wonder if that feedback was about technical knowledge, or
| just the style he writes in. I would 100% characterize his
| style as "someone who thinks he's smart". I don't mean that to
| be totally offensive, only a little bit.
|
| > One of the interesting things for me about this shared space
| of ours is to be able to see what it is that you most enjoy
|
| This is pretty clearly a backwards way of writing a normal
| American English sentence.
| xdennis wrote:
| I'm not blaming him, but he could use simpler words.
|
| > ... to witness indicia of that ...
|
| > ... the ultima ratio regum of a state that has exhausted ...
|
| > ... which is the raison d'etre of the insecurity industry ...
| AutumnCurtain wrote:
| That's fair, especially since in my opinion the first two
| examples are definitely unnecessarily flowery language for
| the topic.
| eplanit wrote:
| His gratuitous use of "25 cent words" is the most singular
| annoying and off-putting aspect of Snowden. It's extreme with
| him, which to me indicates a hugely inflated ego -- many more
| would listen to him if he would not try to sound so damn
| professorial.
| Joeri wrote:
| It may just be an attempt to use precise language in an
| (unsuccessful) attempt to not be misunderstood.
| sssilver wrote:
| Fascinating--part of the reason I thoroughly enjoy reading
| him is the language he employs.
| auslegung wrote:
| I've primarily listened to him interviewed and while he uses
| big words there, it doesn't seem as much as in his writing.
| And he seems to me, in these interviews, as surprisingly
| normal considering everything.
| pow_pp_-1_v wrote:
| Whatever you may think about Snowden, the stuff he does and
| writes is pretty thought provoking.
| alexfromapex wrote:
| What's to stop defense departments from buying and selling
| exploits behind closed doors? I think the point raised about lack
| of accountability in government compartments is a huge huge
| problem. The new way to skirt the law seems to be go from
| government-run to private contractors or vice versa.
| theptip wrote:
| Like many aspects of security, it's not about stopping every
| possible instance of a bad thing from happening, it's about
| making bad things less likely to occur.
|
| If Saudi Arabia has to develop their own 0-day spying toolkit
| instead of buying one off the shelf, then at the margin they
| will be able to do less spying.
|
| There's nothing stopping Saudi Arabia from setting up their own
| team to build such hacks, but it would cost them more. Further
| down the road, there's nothing stopping a bunch of smaller
| countries from teaming up to get the economies of scale that
| NSO brings by selling to multiple countries -- but these
| toolkits seem to be the sort of closely guarded secrets that
| even allies don't share (if the NSA is anything to go by they
| are more likely to use these techniques to spy on their
| allies), so I doubt that is very likely; could be wrong on that
| point though.
| hans1729 wrote:
| > _That's the crucial caveat that I think many missed regarding
| my call for a global moratorium: it is a prohibition on the
| commercial trade--that is to say, specifically the for-profit
| exploitation of society at large, which is the raison d'etre of
| the insecurity industry--rather than the mere development,
| production, or use of exploit code._
|
| I don't see how prohibition would solve the problem here, people
| would just sell it in [insert rogue market].
|
| Raison d'etre is not _trade_, it's _demand_, and demand doesn't
| care about the DOJ.
|
| Also, exploits aren't just an arbitrary good, but a tool of power
| themselves, so effective prohibition seems even more absurd.
|
| What am I missing?
| whimsicalism wrote:
| There's a difference between underground criminal gangs
| discovering exploits and selling them on black markets and
| being able to raise capital, have legal protection, etc. while
| you hire experienced developers to find exploits that you sell
| to despotic regimes like Saudi Arabia.
|
| I suspect that distinction is what you are missing.
| anthony_r wrote:
| Exactly, it wouldn't necessarily change the demand, but would
| hopefully reduce the supply (by raising costs). Being a legal
| entity has much lower cost of funding and much lower cost of
| operations than being an illegal entity. Otherwise most
| entities/corporations would not bother to be legal, which is
| clearly not the case.
| lstodd wrote:
| Look how magnificently such a strategy worked for drugs.
| upofadown wrote:
| Illegal recreational drugs are usually used by the buyer
| in a way that will only affect themselves. So they can't
| complain to the police if things go bad and they
| certainly won't if things go good. Enforcement is a huge
| problem.
|
| NSO style products are used by one entity against another
| entity. As a result enforcement is a fundamentally
| different sort of problem. There is a complainant.
| pvarangot wrote:
| It works for nuclear weapons.
| stickfigure wrote:
| It's a crude comparison, but software is a lot more like
| drugs than it is like nuclear weapons.
| oscardssmith wrote:
| Is it? The fundamental reason the war on drugs failed is
| that drugs have relatively inelastic demand. Someone
| addicted to meth will find a way to get meth if it costs
| $10 or $500. Software exploits aren't like that at all.
| They are a tool used by gangs and governments that are
| only useful if they cost less than they're worth.
| missedthecue wrote:
| Software takes no less than a crappy laptop and a brain
| to create.
|
| The Manhattan project consumed 10% of the total US energy
| output in the mid 1940s. And obviously uranium is hard to
| come across.
| TeMPOraL wrote:
| That's only because they're weapons of mass destruction.
| Nuclear capacity is essentially a step function - you
| either have it or you don't. Those who have it get to
| push around those who don't. There are some _very strong_
| incentives for the haves to prevent the list of nuclear
| powers from growing.
|
| Also, unlike software vulnerabilities, nuclear weapons
| don't have a half-life counted in weeks.
| praptak wrote:
| > people would just sell it in [insert]
|
| This is a specific form of a general argument against _any_ law
| - "people would just break the law by [insert a way to break
| the law]".
|
| These arguments are obviously generally true (any law can be
| broken) but you usually don't need an absolute victory, just a
| legal weapon against the bad guys, which hopefully is hard to
| use against the good guys.
| typon wrote:
| When /r/jailbait was the most popular subreddit on reddit, it
| was generating millions of pageviews in traffic. Sure, you can
| download Tor and see similar content on the deep web, but you
| have to know the .onion links and be tech savvy. The added
| friction goes a long way in removing access - and dissuades
| people who are on the fence.
| pvarangot wrote:
| That's not a good analogy. I don't agree with OP but the
| potential "customer" for /r/jailbait comes from a way bigger
| pool than the potential 0-day buyer. OP's point is that the
| people looking to buy these things will not mind jumping
| through hoops.
| pvarangot wrote:
| Snowden is specifically talking about how this prohibition will
| deter security researchers from working for these "companies".
| Having been in the field a while back, I agree with him. Most
| people won't jump the extra hoop you need to jump to work for
| an illegal industry if they can make bank without breaking bad.
| michael1999 wrote:
| You may underestimate how much government funding has widened
| and deepened the production side of the exploit world. Once
| TLAs outsourced and started buying exploits on the open market,
| the whole thing professionalized and became much more liquid.
| That kind of intellectual capital formation really changes
| things.
|
| Mind you, the genie is out of the bottle. A half-hearted
| moratorium is unlikely to undo what Poindexter wrought.
| paxys wrote:
| Why have any law if bad guys will just break them?
| varajelle wrote:
| There are different kinds of things a law can forbid:
|
| - things that are in itself bad. (E.g. killing, stealing,
| ...)
|
| - things that are neutral, but could be used to do other
| illegal things (encrypted message, selling weapons, ...)
|
| The second category of things doesn't need to be illegal
| since the perpetrators would only be doing something bad if
| they violate a law for the first category and therefore can
| be prosecuted for that. But making it illegal prevents the
| potentially good use of it.
| ramesh31 wrote:
| Count me as a Snowden skeptic. The guy is completely full of
| himself, and rarely if ever has anything truly insightful to say.
| I have a friend in the Navy who worked with him at the NSA
| facility on Oahu when he made the leaks, and we've talked about
| this extensively. It's not like he was some lone wolf who
| happened to get ahold of some unique information. They were all
| dealing with it, and they all took an oath to protect the United
| States and defend its secrets.
|
| He's a traitor, plain and simple. But he parlayed that treachery
| into a highly lucrative position, where he occasionally comments
| and gets paid to speak on some obvious points about whatever is
| in the news, and is now seen as some kind of guru when he never
| really did anything of note. He's not a computer scientist. He's
| not a security expert. He's a cause celebre for certain factions
| of people who would like to see the US knocked down a peg.
| SavantIdiot wrote:
| I wasn't going to downvote you because I strongly disagree with
| your dismissive smearing of someone who had the guts to call
| out his government for doing illegal things, but then you said
| this:
|
| > He's not a security expert.
|
| Which is such an incredibly vacuous statement that you deserve
| a downvote for saying provably incorrect things.
| HideousKojima wrote:
| Regardless of Snowden's personal character, the simple facts of
| the matter are:
|
| 1) The NSA was illegally and unconstitutionally spying on US
| citizens without warrants.
|
| 2) The NSA and other intelligence agencies explicitly lied
| about this to congress and other elected/appointed bodies
| responsible for overseeing the activities of these agencies.
| See, in particular, James Clapper perjuring himself before
| congress.
|
| 3) Without Snowden or someone similar leaking this information
| to the public, we never would have found out about these
| blatant illegal and unconstitutional acts, since everyone with
| the power to do anything about it was either complicit or
| ignorant (see point 2).
___________________________________________________________________
(page generated 2021-08-03 23:01 UTC)