

U.S. firm helped the spyware industry build a digital weapon for sale overseas - rpupkin
http://www.washingtonpost.com/world/national-security/spyware-tools-allow-buyers-to-slip-malicious-code-into-youtube-videos-microsoft-pages/2014/08/15/31c5696c-249c-11e4-8593-da634b334390_story.html

======
tshile
Well this certainly sheds some light on Google's decision to try to force SSL
encryption by factoring that into their page ranking algorithm(s). Among the
speculation was the idea that it was a way of flipping off the NSA, and like-
agencies, by making their job harder by encouraging others to encrypt their
traffic. In my opinion, this speculation now has more sturdy ground to stand
on.

It's a shame that we're reduced to posting our outrage on the internet and
left with no real actionable moves on the issue. We can fight it by working
towards encrypting our data/traffic, but we can't force a public conversation
on the issue that would result in stopping the all-out effort to collect an
analyze the actual data. We'll forever be in a cat-and-mouse game over the
issue. With the people involved in this having a significant leg up over the
global community and always being one step ahead.

I get that this sort of thing can, and likely is, used to protect the general
public from nefarious actors. What's a shame is that at this point we assume
it's also used against the general public, an assumption that comes with good
reason.

------
mike_hearn
_Until then CloudShield had sold its CS-2000 device, a multipurpose network
and content processing product, primarily to the Air Force and other Pentagon
customers, who used it to manage and defend their networks, not to attack
others_

Given that the NSA must get the hardware for QUANTUM somewhere, this statement
seems remarkably strong/naive.

------
e12e
So, does anyone have any inside knowledge (or good references) to what Google
ended up doing when they recently started switching their networks to use
encrypted transports? Do they run over ip4 or ip6, and are they using
traditional vpn or ipsec? I've previously been rather sceptical to the "new
improved support for encryption and authentication" ipv6 brings -- I mean
we're already late rolling out ipv6 -- is complicating it with key management
really what we need? But given the late revelations that even the paranoid
have been naively optimistic -- and given that it appears ipv6 is still in
need of planning and new projects for a decent percentage roll-out -- perhaps
advocating ipv6 with ipsec is a good idea after all?

Thoughts?

~~~
Intermernet
I think advocating ipv6 is a good idea in general. IPSec was originally
developed as part of the ipv6 stack. It's theoretically built in, and should
be used whenever possible.

[http://en.wikipedia.org/wiki/IPv6#Network-
layer_security](http://en.wikipedia.org/wiki/IPv6#Network-layer_security)

------
samcrawford
This may be part of the reason that Google started testing forced SSL
redirects on youtube.com in the past couple of weeks. Run a few curl requests
to youtube.com; about 50% of the time I'm redirect to the SSL site.

------
metaobject
Naming your company "Hacking Team" when your job is to hack other machines is
slightly refreshing. If only all companies would do this, we'd know what these
folks were up to behind the scenes.

------
snarfy
There was a time when exporting strong encryption was a crime. Now anybody can
export network intrusion malware.

~~~
tedunangst
"Coding is not a crime." \-- ye olde eff of yore

------
aptwebapps
76 points and no comments?

What I came here to ask is, what is the Youtube vulnerability?

~~~
scoot
_What I came here to ask is, what is the Youtube vulnerability?_

"The user sees the “cute animal videos” he expects, according to Citizen Lab,
but the malicious code exploits a flaw in Adobe’s Flash video player to take
control of the computer."

~~~
aptwebapps
Man, I skimmed that way too fast. Basically just MITM for non-SSL connections.

