
The FBI is working hard to keep you unsafe - colincarter41
http://techcrunch.com/2016/04/23/the-fbi-is-working-hard-to-keep-you-unsafe/
======
tptacek
We don't accept this argument when it's turned on independent researchers.
Researching vulnerabilities doesn't create vulnerabilities --- bad software
engineering does.

~~~
kabdib
Independent researchers usually disclose, yes? Hopefully responsibly.

There are no silver bullets. We're always going to have bugs, and bad ones
that affect security.

Stockpiling of zero-days blurs the line between law enforcement and adversary.
The greater good is probably served by disclosure, rather than surveillance,
break-ins or advancement of the careers of prosecutors.

~~~
tptacek
No, many researchers do not disclose. Every time Hacker News (incorrectly)
takes the line that Facebook or Google isn't paying enough for a bug bounty,
they're acknowledging that.

~~~
diafygi
Then they're not researchers, right? I feel like "researchers" should be
synonymous with white hats, and disclose to the company when they find
something. People who find something and don't disclose are black hats, or at
least grey hats, but definitely shouldn't be considered researchers.

~~~
kenperkins
People who find vulnerabilities purely for the bounty seem to fit the
classical definition of Bounty Hunters or Mercenaries. Certainly not
researchers. They're not in it for the academic benefit or advancing the state
of the art. They're in it for the cash.

~~~
2trill2spill
So you're saying someone who does security research but does not get paid is a
researcher, but if someone else does the same research but they get paid they're
not a researcher?

So what if a security researcher is paid for their work? We don't say Lawyers
are not Lawyers because they're being paid and not doing work pro bono.

Remember security research takes lots of time, skill and hardware; they should
be paid to do their work.

~~~
sqeaky
A person can do research on a salary. Demanding money because you found a
0-day in their software is scarily similar to blackmail.

There is plenty of room between blackmail and research. A professional
researcher can draw a paycheck and release exploits as found.

~~~
tptacek
Doing work on your own time, with your own materials, and expecting to be paid
for your work product is "scarily similar to blackmail"? Could you go into
that a little bit more?

Exactly how are these "professional researchers" generating their paychecks?

(NB: I was one of those "professional researchers".)

~~~
sqeaky
Once a researcher has found an issue, demanding money afterwards is similar to
blackmail.

Agreeing on money up front seems like a reasonable way. I also see no problem
with bounty programs or even asking for more from bounty programs. Withholding
a bug until a bounty is raised is where I would draw the line at blackmail.

~~~
tptacek
You haven't explained how it's anything at all like blackmail. Say I'm the
researcher and you're the vendor. I'm offering to sell the product of my own
work. You're free not to buy it from me. But you are in no way _entitled_ to
my work product!

~~~
statictype
The sole value of your "product" is to actively harm the vendor's product. It
doesn't provide any other value (unless you want to claim that it can be sold
for educational purpose).

~~~
zpharer
Couldn't that be compared to, say, selling protective sportswear. That is also
selling protection from harm. Now if the researcher threatens to auction off
the exploit...

~~~
sqeaky
This is like the exact opposite. It would be more like selling "not punches":
as long as you buy, I will show you all the places I could have punched you.
You can guess what I do if you don't pay the known hacker/puncher.

~~~
tptacek
Guess away! What then, if you don't buy? Enough innuendo.

------
chatmasta
As long as software exists, by definition, zero-days will exist. A zero-day is
simply a bug in its most nascent state; one person has found it, and nobody
else knows about it. Whether the finder is a "security researcher," a
"blackhat," or a "nation-state" has no impact on whether the bug exists or
not. In fact, the bug exists even if nobody finds it! The distinction of who
found it, and what they do with it, is purely political. Anyone can still
exploit the bug.

Sure, maybe the "friendlier" bug finders will responsibly disclose any bugs
they find. But there will _never_ be a way to guarantee that all bugs found
will be responsibly disclosed. Even if we convince the FBI/NSA to "responsibly
disclose" every bug they find (will never happen), what about every other
country? The hundreds of security firms? The thousands of independent hackers
and "researchers?"

Zero-days will ALWAYS exist. Software will ALWAYS be exploitable. Worrying
about how people react when they find those exploits is similar to arguing
about gun control. Sure, maybe we can convince _some_ actors to responsibly
disclose, but the bad actors will always keep the exploits for themselves and
use them "irresponsibly." And there will always be bad actors.

So instead of fretting about what happens when someone finds a bug, why don't
we prepare for the eventuality that all bugs will be found and exploited,
often times without anyone's knowledge? Why don't we build security systems to
be _tolerant_ of exploits, instead of resistant to them? There is no security
panacea, just as there is no reliability panacea.

We build distributed systems with the assumption that nodes will fail, and we
call that "fault tolerance." We don't say a system is broken because a node
fails. We say it's broken if it cannot handle a node failing.

Why can't we do the same for our security systems? Exploits are as inevitable
as any type of system failure. We need to design for _exploit tolerance_ with
the same enthusiasm we design for _fault tolerance._

~~~
sqeaky
Exploits being inevitable does not exonerate our elected and appointed
officials from their responsibilities and obligation of running the government
the people who put them in power want.

Do we want a government that collects threats that are more likely to be used
against its own people than anyone else? The USA produces and uses more
software than any other country; not sharing exploit information fundamentally
hurts the USA and the Economy of the USA more than other countries.

~~~
tptacek
It's a pretty big leap you've taken here, between your disagreement with the
USG's policy regarding vulnerabilities and their "obligation to run the
government people want". Clearly, they're not running the government that
_message boards_ want. But that's not the same thing!

~~~
sqeaky
I remember some old document or president saying something about a
"government for the people, by the people".

I suspect Google, Microsoft and most businesses involving the Internet and
Money at the same time care. They probably want to know about flaws so they
don't wind up losing their pants like the Bangladesh bank did recently.

There is huge money and real lives on the line here; this is not about
appeasing message board hackers. Imagine if some big hack was learned to have
used a 0-day the FBI withheld? I am fairly certain it was Target's
mismanagement, but imagine if a document was leaked and it showed the
government knew about a 0-day that allowed the Target hack. That is small
compared to what might actually happen when talking about browser or OS
attack surface.

~~~
tptacek
Just because you personally disagree with something the government is doing
doesn't mean they aren't doing it "for the people". You have to compose a real
argument.

------
busterarm
Let's not forget that Sabu, while an informant for the FBI, supplied Jeremy
Hammond with the 0day that he used to hack Stratfor et al.

No 0day, no Stratfor hack. No FBI, no Stratfor hack.

Sometimes I wonder if penetrating other agencies and corporations was part of
their gameplan. The FBI were entirely behind the formation of antisec.

Aside: Other interesting observation... The FBI and Apple seem to have an odd
antagonistic relationship with one another. One of the Antisec hacks was
against an FBI laptop that caused the release of millions of Apple users'
data. The FBI was recording and debriefing Sabu every day. How did they allow
that to happen?

~~~
ryanlol
AFAIK that's not true, Hammond received the "0day" (mysql server with auth
turned off) directly from hyrriiya on crytonet.

~~~
busterarm
And there's a chatlog where Sabu asked hyrrilya to give him (and I'm assuming
by extension then Hammond, which he claimed in his defense) access to
Stratfor.

Good correction though. I care a lot less about the technical details with
this case than the social/sociopolitical ones.

------
rm_-rf_slash
Let's all accept a depressing fact: effective cyber-security places all of us
in a state of perpetual war. You cannot learn from your enemy without invasive
action, and you cannot test your capabilities without constantly attacking
your adversaries, whether they know it or not. We cannot simply fork their
nation's Github repo and try out zero-days in a safe and isolated environment.

We shouldn't be so quick to rail against government zero-day stockpiling. It
is likely that other branches of government are using these flaws for their
own means to monitor foreign states and other entities. If we give up that
power we risk crippling our offensive capabilities more than we might stand to
gain by having a stronger defense.

I cannot vouch for one side or the other. I am not a senior intelligence
official and I do not have all the facts.

~~~
busterarm
[http://www.alternet.org/news-amp-politics/why-idea-big-cyber-attack-could-create-huge-tech-armageddon-pure-bs](http://www.alternet.org/news-amp-politics/why-idea-big-cyber-attack-could-create-huge-tech-armageddon-pure-bs)

[http://dickdestiny.com/blog1/?p=913](http://dickdestiny.com/blog1/?p=913)

~~~
rm_-rf_slash
If you re-read my comment you will find nothing that suggests catastrophic
cyber warfare is a major threat.

The real threat is a death of a thousand cuts. Trade secrets, troop movements,
active spies, little snippets of information that can cause a lot of trouble
if put in the wrong hands.

~~~
busterarm
And our government shares a ton of information with contractors who are not
'in the know' about these vulnerabilities.

If they truly cared about this, they would push vendors to plug the leaks that
they know about.

------
guard-of-terra
"Terrorists hurt you, so we have to hurt you to compensate".

------
lasermike026
"Power tends to corrupt, and absolute power corrupts absolutely." - John
Emerich Edward Dalberg-Acton

