It's clear to most politicians that it's a problem if criminals use guns acquired from the military or police, and that it's partially the fault of those agencies when it happens. We are not there yet with malware.
The primary thing that needs to happen is an accepting of responsibility by those who administer critical systems. Mathematically, what we call a developed "exploit" is really just an existence proof that something is already insecure (hence "PoC or GTFO"). The blame needs to be properly assigned to the developers/integrators of these systems for negligence (currently gross negligence - eg relying on Turing-complete languages) instead of scapegoating those who discover the emperor has no clothes, even despite their underlying motivations and lack of full disclosure.
Nasty exploits have always existed - the worrisome development is the scale of execution brought on by entities with such resources, and the trend of governments becoming overtly adversarial against the people, both their own citizens and foreign individuals.
Even if it were practical (see: China's attitude to imaginary property), having these entities form treaties (i.e. collude) with one another is not going to resolve this. If anything, treaties will form gentleman's agreements between allies, while enshrining the attacking of individuals "of interest" as standard procedure.
We need to get to a point where people in power positions are held responsible for the damages caused by government-developed malware that is used in malware like WannaCry. That is hard to do without the issue rising on the political agenda.
> We need to get to a point where people in power positions are held responsible
You're contradicting yourself. If it's possible to hold people in power responsible for what a single agency under them does (not even requiring their knowledge!), then it's certainly possible to hold them responsible for approving public use of insecure voting machines! (especially at a more local political level)
And if it's not possible to hold people in power responsible (which is a reasonable assumption), then the philosophy of distributed defense becomes even more important!
> the damages caused by government developed malware
Attempts to silence messengers never end well. And I don't think that changes, even and especially when the messenger is a well funded government. But normalizing that philosophy certainly sets the stage to silence and demonize smaller messengers!
1) Shoddy programming creates exploit that is obvious to manufacturer (let's say Chinese Android TV stick makers)
2) Exploit exists despite manufacturer's efforts otherwise (let's say Microsoft)
Putting exploit risk on software companies solves #1. But, especially in critical industries, balloons the cost of their systems due to #2, because they must now cover a risk they can't even model (unknown unknown). Can you imagine what accountants and actuaries would do with "You may have a nation state targeting the firmware controller in an HDD to compromise your system"?
I think a more optimal situation would be the government mandating liability for known-problematic code standard lapses, but then providing a liability shield provision if the manufacturer can deliver a fix to a critical vulnerability in X days.
Ideally, we'd want any legislation to do two things that solve both of the above problems. Increase adherence to generally accepted secure coding standards (helps #1) and increase ability to deliver a timely fix to customers (aka codebase maintenance and agility; helps #2 and especially important in mass-use IoT devices).
Either you hold someone liable or the effect will just be hiding the risk.
How about just requiring that the use of critical software systems be insured against malware/failure in general? Seems like we want that anyway, and if we can't find anyone to insure a piece of software, it probably shouldn't be used in a critical system in the first place.
Importantly, it's the users of software in critical systems alone that need to be insured. Neither software vendors nor regular users need insurance. The insurance company, alone, should handle the job of shielding a critical system from the mistakes of software vendors. We need to allow software vendors to be able to make mistakes, or nothing would get made, ever (source: I'm a programmer).
And the insurer would be wise to spend some of the premium on bug bounties for the software they're insuring (to minimize the cost of failure). In the end, all white hats would end up being employed by an insurance company, helping assess software security.
They act as a party to amortize known risk, in exchange for a monetary premium set based on that known risk.
Without the government stepping in and limiting catastrophic liability to some degree (ideally in exchange for signaling the market to produce a social good), the premiums charged would be so large as to just suck money out of tech. There's no creativity shield if you're paying an onerous amount of your profits in exchange.
Which is why I said any solution has to be two part: (1) require risk liability on a better-defined subset of risk & (2) provide a liability shield on the remaining less-defined risk iff a company demonstrates an ability to handle it (aka prompt patching). This creates a modelable insurance risk market, therefore reasonable premiums, and still does something about nation-state level attacks.
In fact, the current regime seems pretty close to economically optimal - 1. cheap/quick to develop because required diligence is not done 2. incremental cost to keep the zombie going via "patches", lobbying, and legal threats 3. planned obsolescence when the defects can no longer be ignored.
The downsides only show themselves as mortal risk accumulating outside the system, hence the spectre of "nation-state" attackers. But the economic puppeteers will easily move to another country if this one collapses!
This is where "best current practices" and "standards of care" enter the picture.
Yes, those tasked with network and infrastructure security should be held to rigorous and constantly increasing standards. But there has to be some accountability from the state purveyors of this malware when it gets intercepted and weaponized. Publication of these tools is one way to help in lieu of that, but it becomes a toss-up as to whether the world will harden against published malware before bad actors, state-sponsored or otherwise, weaponize it for their own gain.
First, it is possible to perfectly defend (and conversely, a vulnerability means one is entirely vulnerable. Don't confuse mitigations that affect the probability of being vulnerable with actually being vulnerable. There is no middle ground as to whether something is secure or not, it is a binary proposition!)
Second, attacks are practically free and untraceable. And all the status-quo anonymity-destroying attempts cannot actually change this, as making "network identity" trusted would mean changing every system's attack surface into every other system - e.g. break a single person's credit card and use Starbucks wifi.
There's no intrinsic reason for why these machines need to be connected to even an internal network other than laziness prioritizing convenience over security.
> Your diagnosis is at odds with the basis of open security.
> The primary thing that needs to happen is an accepting of responsibility by those who administer critical systems. Mathematically, what we call a developed "exploit" is really just an existence proof that something is already insecure (hence "PoC or GTFO"). The blame needs to be properly assigned to the developers/integrators of these systems for negligence (currently gross negligence - eg relying on Turing-complete languages) instead of scapegoating those who discover the emperor has no clothes, even despite their underlying motivations and lack of full disclosure.
"I assert that I am intelligent by using the word 'diagnosis' and demonstrating that I also know of another word for 'exploit'. Therefore, if I sound arrogant it's because I'm actually just intelligent. Moving on:
When malicious hackers take advantage of an exploit to hurt people, it's not fair to blame the CIA, NSA, or any other agency who knew the exploit existed but chose not to disclose it to the people who wrote the software. They wanted the option of using the exploit themselves--which of course is perfectly fine--so you see, it wouldn't make sense for them to disclose it.
It would be silly to blame these agencies for keeping these secrets from the public and from the people who wrote the software, and equally silly to blame them for being unable to keep these secrets from falling into the hands of malicious hackers. Do not scapegoat these people, for they have done nothing wrong.
No, it's the fault of software developers who write buggy code! We need to properly blame the people who try to write secure code but make mistakes. After all, malicious hackers have to maliciously hack innocent people, since that's what they do. The CIA has to keep secrets because that's what they do. The CIA also has to keep the secrets in the pocket of their coat which they lost at the bar. After all, the CIA is just a bunch of people, and people make mistakes.
People make mistakes, but software developers are not allowed to. Any good developer knows how to write code that has no mistakes in it. One of the easiest ways to write mistake-free code is to program in a language that isn't Turing-complete. I've been writing code my entire life and have never introduced a single security flaw into a system, because the only two programming languages I use are English and occasionally arithmetic. Any software developer who makes a mistake or uses a Turing-complete language is guilty of gross negligence and should be punished and blamed severely. I see no need to provide any sort of rationale for the things I have stated."
...Imagine a certain model of commercial airliner that's been in widespread use for well over a decade. The planes have their quirks and some parts wear out and have to be replaced, but they are frequently inspected and repaired. One day, the wings completely fall off of every single plane. Anyone unlucky enough to be on one of these planes while they were in the sky dies. The people are shocked and the government pledges to find out what happened.
Some of the best aeronautical engineers in the world had worked for years to design these planes, and the plans had been scrutinized and approved by many people. The manufacturing plants were known for their high standards. Nevertheless, it was discovered that a flaw in the design had indeed been the cause for the wings falling off. The enormous bolts used to attach the wings to the fuselage were incredibly sturdy, but if you blasted them with a specific ultrasonic frequency, they would resonate in a wildly unexpected fashion and quickly explode.
A terrorist group claims responsibility for the attacks, and upon closer inspection of the planes it is discovered that the seat-back TV screens near the wings of every plane had been replaced with ones that contained devices capable of emitting the exact frequency needed to cause the bolts to explode. They were designed with a clock-based system that had been set two years in advance to trigger simultaneously on every single plane on that day. The terrorists had spent years patiently buying flight tickets and performing the replacements en route. Since the devices looked like ordinary tablets, they had no problem getting through security even though it took ages to get everything in place.
The inspection also uncovers a second set of devices, very similar in nature to the screens. These are far more elaborate-- the entire seat base contains a powerful ultrasonic emitter and an antenna tuned to the same communication frequencies used by the plane itself. It's designed in such a way that a special signal from air traffic control could cause the wings to fall off a specifically-chosen plane.
Due to the advanced nature of the second device, it's clear that it had to have been installed by people with far more resources and access to the planes and an intricate understanding of the plane's communication systems. Before the speculation goes any further, the director of the CIA comes forward and admits that they are responsible for the second devices. Having known about the faulty bolts even as the planes were passing final approval for use in commercial flight well over a decade ago, the agency had sent teams to install the systems under the pretense of doing security sweeps. The grim purpose of installing these systems was to give the agency a last-resort method of stopping a hijacked plane from flying into a building or crowded area.
Finally, the director admits that there had been a data breach three years ago, and though they couldn't be sure, it appeared that documents relating to the purpose and design of these devices were among the stolen data.
And now you come along to share your expert opinion.
You say that we shouldn't blame the CIA for knowing about the faulty bolts and installing systems to take advantage of them, instead of reporting the flaw to the company that designed the plane so that the problem could be fixed. After all, they put those systems in place to reduce casualties in a catastrophe.
You agree that terrorists are bad, but hey-- that's what they do, right? They aren't the real cause, just an inevitable outcome. No, there's another party who's really to blame...
Blame the people who designed and built the plane! Simple as that! If they hadn't built a plane with bad bolts, the CIA wouldn't have been forced to take advantage of the mistake and design their secret remote kill system. Those documents wouldn't have existed when the data breach happened, so the terrorists wouldn't have been able to devise their own plan to take advantage of the bad bolts. No bad bolts means no horrific catastrophe, it's as plain as day.
Since you are a world-renowned expert in everything, you are interviewed and asked about how to prevent things like this from happening in the future. Should we put some laws in place to prevent the CIA from keeping such dangerous secrets to themselves? Do they have the right to make their own internal risk analysis of whether it's in the public's interest for them to be able to build a secret system to remotely drop the wings off a plane, even though it means that people have been flying around for a decade in planes where the wings can fall off? Is it worth talking about the bitter irony that the CIA kept the bolt flaw a secret from the public and the plane company, but couldn't keep it secret from the terrorists? Are there legislative steps that might be taken?
You reply, "Nope! Of course not, how silly and stupid of you to say that. Laws don't do anything. The plane company built a bad plane, and they are to blame. Specifically the stupid engineer who picked that dumb bolt. We'll prevent this in the future by building planes where it's impossible for the wings to fall off. Anyone who knows the first thing about plane building knows that it's actually very simple to build planes where the wings don't fall off. In fact, I've been doing it for years, and anyone who doesn't use my method is grossly negligent. You see, I build my planes without any wings! Now just take a moment to look at this excellent proof I've written. You can see that it's impossible for the wings to fall off of a plane that doesn't have any."
By the way, I'm curious: Where do you point your majestic finger of blame in what happened with OpenSSL and Heartbleed?
Your comment seems primarily motivated by anger/frustration at the NSA/CIA/etc - an anger which I greatly share. Politically, I think the entirety of the NSA deserves the firing squad as the bunch of traitors that they are, but alas until the public comes out of the spell of their disinfo games then no action will happen on that front.
Speaking of disinfo games, which do you see as the more likely outcome from this current scare story of the week - these citizen-hostile government agencies are reformed and actually become responsive to the people, OR they court this fear about how bad exploit-finders are to acquire more power, especially the power to go after competing hackers?
That's the crux of the matter - when one chooses the wrong philosophical analysis, one can only go down a path where any "solution" compounds the problem. Responsible disclosure is not the law or even the full extent of ethics - it's a gentleman's agreement as to what is prudent and polite. Regardless of how bugs are fixed, who finds them, or their motivations, the fundamental open-society truth is that responsibility actually rests on buggy software itself, as opposed to the people who point out the bugs. Never mix that up, unless you'd like to get back to the dark ages where even good-faith full disclosure results in draconian legal thuggery!
In the context of your plane example, the company who designed the plane and marketed it for passenger use didn't even bother using a CAE program. When previously informed that the tail easily falls off, they added duct tape and a redundant tail. I've said nothing absolving the CIA/foreign fighters - all bad actors are to blame for their parts. But where that blame is focused matters, and blaming the whole situation on one bad actor (the CIA) will guarantee that the company keeps right on selling the known-defective planes.
This leaves private industry, e.g. Microsoft et al, solely responsible for defending citizens.
As there is no disclosure by the spies, Microsoft cannot patch without knowledge of the vulnerabilities - at least until there is a leak or potential leak that prompts a reluctant disclosure.
This leaves one wondering: is tax money being spent solely to make us less safe?
Could WannaCry's NHS (UK) devastation have been averted if academic security researchers had responsibly disclosed the potential for this vulnerability? Surely the UK Health Minister should have been more properly briefed on the dangers to patients that his decision not to patch Windows could have?
If these agencies come crying for more tax dollars we should seriously enquire if they have any plans to make us safer rather than continuing to backdoor their own citizens.
Surely with laws being passed in the UK and USA to curtail security research, the danger to the public can only increase.
Without whistleblowers and journalists such as Wikileaks we would be far more at risk from cyber-attacks!
I say Wikileaks as we know journalists are being targeted by nation-state actors to hack the identities of their sources, and Wikileaks is a fine exemplar of decent op-sec.
In any other sane country, the outrage against such leakers would be far greater than the outrage against the government for doing its job. If a person was as big a traitor as Snowden in my country, you'd see his whole family and friends deny him; he would think twice before doing it not only because of the chance of getting caught and going to jail, but from the actual embarrassment and shame from all the people close to him.
Yet look at Snowden, acting like he's some hero. Look at all the other leakers. They are barely ashamed. Your society hates the government so much you're turning traitors into heroes. Your security screening process is probably failing hard with so many leaks. How can the US allies trust it when everything leaks one way or the other? Leaking should be considered such a horrible treason that only the most psychopathic person would do it, and the screening should screen those out. But when society views leakers as heroes, and even the president freely leaks other countries' intelligence to Russia, followed by even more leaks than what he actually said, when it's justified as long as 1 in the 1000 documents they leaked shows some government wrongdoing (and statistically this will ALWAYS happen), they aren't traitors, they are heroes. Then you don't need to be a huge psychopath to betray your country. You just need some nudge in the 'right' direction.
If any of you think the right approach is to have no secrets (a.k.a. no vulnerabilities. Today it's vulnerabilities, tomorrow it's CIA agents' identities), you're naive. If you think your enemies will be as righteous as you, you are naive. If you think that if you disclose all vulnerabilities, nobody will have them, you are naive because Russia and China will find their own different vulnerabilities.
Some leaks are beneficial and others are detrimental. Some leakers are heroes, some are traitors, and others are somewhere in between. It's not black and white.
I am someone who is clearly in the camp that you criticize (in fact, more than the average of HN commenters) and I think there's a lot to talk about, including
American anti-government and anti-military cultural and political traditions (which are extremely important for American society and history, but also very diverse, and not easy for Americans to find consensus about)
How are those currents different, differently expressed, or absent in other parts of the world?
Civilians and civil society defending themselves against state power on a national level (Americans vs. the U.S. government)
Civilians and civil society defending themselves against state power on an international level (people vs. governments in general)
All of these issues are interesting and can be much more complicated than the simple accounts that we might tend to give of them at first. I don't feel like I have time to do justice to these topics at the moment, but hopefully this thread or a future one will give an opportunity to go further into these things.
1) The majority of what got people riled up about Snowden's revelations was that the US government was spying ON THEIR OWN CITIZENS.
In places like China and Russia nobody batted an eye because the expectation is obviously the government already does that.
Call it naive, but the majority of the US population believed (and still believes) that their government is above that. That regardless of whatever questionable evil the US military conducts abroad in the name of "democracy", domestically people have freedom and liberty. Sure, the post 9/11 world eroded it somewhat, but GENERALLY there is still the concept of privacy.
Snowden shattered this fantasy. Everyone is being watched. All those conspiracy whackjobs, all the Hollywood "worst nightmares" turned out to be true.
That the government was doing this, and that it reacted to the leaks with extreme prejudice and desire to treat Snowden like a traitor rather than a patriot is what led to people considering him a hero.
I could go deeper into the other arguments like "I have nothing to hide so why should I care that the government is monitoring what I'm saying", but I'd like to know more about your stance first. Do you think that the domestic surveillance is justified for the greater good of international security? Or do you simply believe that it's obvious and expected of the government to take on this role, and fighting it is ridiculous?
Why do you think that is? Governments that have the blind trust and loyalty of their populations are more vulnerable to corruption.
I am not sure how you reach the conclusion that being critical of USG actions is somehow praising or supporting worse international actors such as Russia.
And the bad behavior of other countries does not excuse the bad behavior of our own. I am a US citizen so I will criticize the USG because that is what affects my life most. It is also my right, and the only country in which I have any sort of voice in the matter (however small).
Also, patriotism as a justification for not exposing a corrupt government is a load of shit.
The guy who actually exfiltrates a DB dump on a USB stick is one guy, and he might be a sociopath. But he (usually) doesn't just post it to the Internet; instead, he gives it to a journalist.
Now, is the journalist also a sociopath? Probably not. Probably he cares about lives that would be lost if actual "actively sensitive" classified information was leaked. So he doesn't publish that information. He just looks for the stuff that works as "news": basically, things that hurt the government (as a bureaucratic entity) without hurting the state (as a body representing the people.) He takes the body-destroying toxin he was sent, and purifies it down until it's a chemotherapy treatment. And then he hands it to his editor, who also cares what happens to the country, and they talk about it with the publisher, who in turn advocates for the positions held by the boards of the companies behind the ads that run in the paper, who might also be patriots...
In short, to the degree that "leaks" are mostly something that happen through the media, not through lone vigilantes, there is a sieve of probabilistic patriotism reducing the "splash damage" of any leak. The media is not a "fifth column."
It's incorrect to equate distrust of government for hatred of a country. The reason this country is loveable is because it was forged by distrust of power.
I actually find your equation of love of government with love of country to be mind-blowingly strange. What on earth?
And the myth of the US being better. Pah. China's elite are corrupt as fuck, but I don't think the US can be proud by saying "well we're very fucking corrupt, but China's worse at that!". Military-industrial complex, Halliburton, Citizens United, Wisconsin, Donald Trump and his GOP Congress still plowing through a bill that will strip health protection from millions... But oh no, look at the Chinese.
To quote Brandeis, "Decency, security, and liberty alike demand that government officials shall be subjected to the same rules of conduct that are commands to the citizen. In a government of laws, existence of the government will be imperiled if it fails to observe the law scrupulously. Our government is the potent, the omnipresent teacher. For good or for ill, it teaches the whole people by its example. Crime is contagious. If the government becomes a lawbreaker, it breeds contempt for law; it invites every man to become a law unto himself; it invites anarchy. To declare that in the administration of the criminal law the end justifies the means -- to declare that the government may commit crimes in order to secure the conviction of a private criminal -- would bring terrible retribution."
You are the one inviting everyone to be a law unto himself. If any would-be leaker feels the government is doing any wrongdoing, he's free to take the law unto himself and release that information to the public along with whatever else fits onto his USB key. There are proper channels to handle this, which don't involve betraying your country and breaking one of the most fundamental laws in the country, and the fact the government was acting illegally doesn't justify breaking the law.
As Doge would say, "Much faith, wow.". I see it more of a mafia organization. You try to speak out within the org? You'll sleep with the fishes, metaphorically speaking.
> If any would-be leaker feels the government is doing any wrongdoing, he's free to [...] release that information
So Snowden is justified in doing what he did?
I never did address the leak of the hacking tools, IMO that is less in the public's interest and the leaker's motive is probably to damage the agency, but to re-use the Mafia comparison, someone who can see clearly what that organization does (rather than just gulp propaganda from Fox News or Russia Today) probably doesn't feel that bad if his actions damage the org/that is what motivates him.
Examples which I still hear repeated: The claim that NSA considers TOR users to be extremists (Based purely off XKS DSL code which was used to filter connections), claims that there is a loophole allowing NSA to collect American information via GCHQ (In reality US Person Information protections apply regardless of who collected the data), and claims that companies are willing "partners" of the NSA via PRISM (Whereas PRISM is actually the term used to describe use of the FBI and a FISA warrant+gag to collect non-US Person data from US companies using an assumed-to-be automated process, the companies themselves not actually having a choice in the matter).
NSA seems to have decided to not push back on the untrue claims or assumptions which were conveyed. There were responses along the lines of "the organization does everything within the bounds of US law for national security purposes" which is quite meaningless and only served to make people more upset. With the material already out there, NSA PR probably could have done much better if they responded in an informed and blunt manner, instead of allowing the "blanks" to be filled in by assumptions.
I understand and fully agree with your main point, but it isn't too hard to see why this attitude is prevalent regarding the US IC these days, as most folks have not read the source material and are relying on what the press coverage either stated or implied.
If that attitude has yielded "one of the least corrupt, most democratic country out there", as you called it elsewhere, I don't see that as a bad thing.
That sounds like the result of a polity entirely disconnected from the citizenry. The US is the way it is mostly because the politicians' reactions are an extension of the identity-politics at play in the popular culture itself. If the people of the US left think secrecy-culture is bad, then the politicians of the US left will also condemn secrecy-culture to "score points" with their electorate, no matter how obviously necessary such a paradigm might be for their day-to-day lives. In this way, the US is a lot more of a "democracy" than it seems to be at times—both for better and for worse.
(The "worse" is that it's very hard to enact measurably-good-from-every-angle technocratic policies in the US if they have bad optics from a populist perspective. The politicians are just summaries of the people they represent, rather than technocratic experts derived from them. "The lunatics are running the asylum" and such.)
For many of us, our loyalty is to our country as a whole, and the ideals upon which it was founded, not to any regime that attempts to abuse those ideals without our knowledge.
I spotted two names in the Vault 7 leaks which WL failed to redact. Metadata from Shadow Brokers leaks gave Equation Group member identities, and additionally the Shadow Brokers twitter account directly called out a former Equation Group operator who is a part of the Information Security community (currently private sector / pen-testing).
So this is already starting to happen. Dangerous path, especially considering the indifference you mention.
The United States is a country founded on distrust of power. Nevertheless, it is a state, and its function is to protect its citizens through monopoly of force. That tension is central to our political consciousness.
Sometimes people argue that "secrecy" is required to fulfill the duties of the state. Secrecy is required, sometimes, but secrecy requires trust, and trusting the powerful is not something we do. If we 'must', then we demand checks to prevent its abuse.
In the mythos of the United States, the government (county, state, federal, doesn't matter) is always viewed as a potential threat. America-worshiping morons notwithstanding, there is a deep moral undercurrent in this country that views the state as intrinsically corrupt, simply because it has power.
Many felt that the Snowden leaks showed that whatever mechanisms were supposed to be in place to check overreach by a potential enemy were not functioning. People who view Snowden as a hero believe that he was fulfilling his duty as a citizen to his fellow citizens.
If you wonder why someone might be paranoid about their own government in the 21st century, I think it's sufficient to point out that governments killed several orders of magnitude more of their own citizens in the 20th century than they did foreign citizens in wars. I personally believe that a turn to an unchecked security state in the United States is a bigger threat to my children and children's children than a war with China (or wherever), and a vastly larger threat than "terrorism".
I hope that helps clarify why a reasonable citizen of the United States might be at least ambivalent towards leaks.
Also I hope it's clear that this is a discussion about what is fundamentally a fiction: the people (myself in particular) have a bullshit narrative about governments and corruption and heroes, you have some bullshit narrative about spies and the CIA. Both are very thinly connected to reality, because the reality we're describing is vast and overwhelmingly complicated. I'm embarrassed to say that I don't have any well-researched constructive suggestions about what I would do to fix the mechanisms of verification that should be in place to check secrecy in our security apparatus. But this isn't a conversation about mechanisms and policies, it's one about narrative, and one compelling narrative in the United States is that we owe our duty to our compatriots, not the government, and government is always the first and most likely place to look for something evil.
But I'm not American and neither are you. Why do we care?
Read the US constitution so you actually know who the traitor is here.
Making a comparison, I’d say air gapping is to networking what galvanic isolation is to circuits: you don’t have direct contact, but there’s information exchange (be it bytes or em fields).
EDIT: I would call a (strictly) isolated computer a tempest-compliant and physically isolated host.
There definitely exist scenarios where the air-gapped machine does not have to communicate both out and in, but where only in is required.
That's the same as being able to send a datagram from B to A over a network.
"Air gapped" is an idiotic term to begin with.
Radio communication such as Wi-Fi is literally air-gapped.
The plates of a capacitor can use air as a dielectric, making them literally air-gapped, yet the cap will pass AC signal, and two adjacent air-gapped inductors can pass signal, as well as power with great efficiency.
It is anachronistic.
Edit: in other words, you would have to 1) plug a USB drive into the "primary" host and then plug the same drive into an air-gapped computer, and 2) take a USB drive that was plugged into the air-gapped computer and plug it back into an internet-connected computer. Plus, all computers in the dataflow above must be running Windows, right?
Linux surely has plenty of 0 days to exploit.
Keep in mind from the article that the user must browse the files in the GUI for the exploit to work. I doubt Windows and the set of the most commonly used Linux GUI file browsers all have "plenty" of 0 days to exploit for this same purpose. Or, if they do, it's going to cost substantially more money to find them, test them, and package them up.
On an unrelated note, I agree-- the Linux kernel probably has plenty of 0 days to exploit.
>According to the (2001 census), the ethnic makeup of Crimea's population consists of the following self-reported groups: Russians:1.18 million (58.3%), Ukrainians: 492,200 (24.3%), Crimean Tatars: 243,400 (12.0%) [...]
>According to the 2001 census, 77% of Crimean inhabitants named Russian as their native language, 11.4% – Crimean Tatar, and 10.1% – Ukrainian.
>Ukrainian was until 2014 the single official state language countrywide, but in Crimea government business was carried out mainly in Russian.
Russia on purpose flooded the area with Russians when they last had it, much like China is doing now with Tibet.
You can’t argue this justifies war from another country. If the people vote for (or otherwise self-select) independence and to join another nation that’s very different than a war where the soldiers hide their identity in order to take a region forcefully.
But is hacking really a "weapon"? I think that hacking is a technical capability or tool, but I wouldn't call it a weapon.
The flip side of this is that we have to realize that as long as vulnerabilities are put into protocols/products on behalf of governments, the governments can exploit them, sure, but other people who have the ability to read or view code will eventually find out/figure out these weaknesses/exploits also.
Like weakening a protocol that all systems, even your own use. Then not even the govt itself is safe or can defend adequately against them.
I really believe in Security Karma.
Was it a weapon or a very clever hacking job that prevented and held back scientists in Iran from creating an actual weapon?
Either way, it was peace through superior code and vulnerability finding power
It begs the question though, is the text editor mightier than the sword?
When will Russia, China, Israel, Iran, France, North Korea or other countries' wares be leaked? Something tells me they wouldn't, even if they got it...
1. Our drone program is garbage; cheap Chinese factories are giving $200-1000 solutions that are better than our $60000 solutions (edit: cost of explosives not included, but for lower yields it's way cheaper). Same for our logistics: it's dated, and the civilian market has better for 1/100th the cost.
2. Our opsec is broken. Whoever's behind these attacks on the US's intelligence community is winning. For example, we know for a fact that Russia has been using a very similar tool outside embassies, but the fact that we know that is because actors have so much to gain by dumping it into the public sphere, politically. The US increasingly cannot "keep a secret".
3. Our industrial capabilities are falling behind. America's efforts at pursuing ultimate cost efficiency have ultimately outsourced the majority of the US's modern manufacturing capacity. This means at a national level we're at a demonstrable disadvantage to nations with much more of a connection to their private sector, with the classic example being China.
Worrying about America's military-industrial complex is reasonable if you're near a naval deployment because America still has an impressive supply of very powerful explosives. But beyond that... we're sort of getting our asses kicked and our government appears to be rapidly destabilizing. You can suggest this is from outside influence, and I think there's strong reason to believe that there is an ongoing attack. But it can't explain the entire phenomenon.
So I'm not sure what you're afraid of from us. Nothing in the WL page should be surprising. We've seen similar tools disclosed earlier this year. These tools are more sophisticated versions of attacks that have been ongoing for, gosh... I had to write a less awesome version of this tool as a demonstration I was ready to move up in rank in a security challenge forum, it was so easy. It's harder now, for sure, but...
During the Arab Spring there were multiple reports of European surveillance technology being fundamental to the police states in the Middle East/Africa (http://www.bbc.co.uk/news/world-middle-east-40276568). Small arms made by H&K, Beretta, FN etc. are prevalent across the region. Advanced weapons like anti-aircraft systems also flood in from across the globe.
The UK, French, and Germans were also key supporters of Saddam Hussein during the Iran-Iraq War in the 80s and actively supported the WMD program there by supplying technology etc.
Every large power is involved in military manufacturing and seeks markets to sell to. Americans are no less ignorant of this than citizens in Europe, Russia, or Asia.
To many, the implicit assumption that USA strictly equals America and vice versa is just another artifact of the arrogance built into US culture.
To me, the idea that this is somehow a manifestation of our cultural arrogance and not just a mundane example of the malleability of human language is just another artifact of how certain people really, really want to find more reasons to hate us.
Targeted capabilities, not mass surveillance.
All we've seen is specifically targeted capabilities with expiration dates.
Penetrating air-gapped networks is exactly the capability one would expect from the CIA, and it's exactly the capability it should have under its mandate.
It also levels the playing field.
This may not be good for "Americans", but it is good for "Humans".
Do you think I really want to do business with an American company if I know they are liable to secret, hidden manipulation by their own government, while facilitating a facade of 'freedom'?
Currently you have several secrets you use to confirm your identity.
The idea of the individual would need to be eliminated to remove all secrets.
Even if these are benign and even sometimes silly secrets, even if no one would find them interesting, they are the only thing I have that sets me apart from others.
This is another reason I feel anxious over creeping mass surveillance and the loss of privacy. It's a direct threat to my individuality.
An organisation only knows who an individual is by the secrets they share with each other. It doesn't matter what the secret is, it comprises the identity.
It's why I get angry when I hear talk of backdooring/banning encryption.
It's why the phrase "I have nothing to hide" is a ridiculous fallacy.
Even the credit card in my wallet has multiple secrets to identify itself, and its ties to my account.
Without secrets, you become a non-person, because you are incapable of proving who you are.
Well, this is good when it happens, on occasion, anyway. It's not a static value; sometimes such states as you propose are valuable/valued - other times, not so. This is not absolute, since you mention practicality.
More specifically, since we are discussing governance, we must absolutely remove the individual from the occasion if we are to maintain a stable social construction, while at the same time strengthening the individuals position within either a fluid .. or rigid .. social structure.
I personally believe modern government is holding us back. Lets just get this out of the way now.
In the digital age, we don't need all the hierarchy; we simply need better apps. And I most certainly do not want my apps to have personality, if they are designed to ease the means by which I exchange, equitably, with everyone else using my app^W^W^Wwho is a member of my society...
>The idea of the individual would need to be eliminated to remove all secrets.
I believe this is a call-to-authority fallacy. You have not thought the original statement through; but rather acted as an individual unit of agency reacting to the pressure of the masses.
Of course we will still have individuals; human bodies are made that way, and hopefully will stay that way for a long time yet.
What we won't have is rock-star/evil-genius politicians, nor will we have much reason to keep secrets to each other, over who has rice and who has salt and who is on the way to Mars, and so on ...
Any organisational unit needs to be able to identify the state of any individual it interacts with, to ensure continued interaction, such as resource allocation. Because resources are finite, such allocations need to be fraud resistant in some way. That is achieved by proving identity - an exchange of "secrets".
Some examples from day-to-day life are license numbers, registration IDs, home address and so on. How private such a secret needs to be is proportional to the ownership of the secret.
My address is usually fine to share, as a stranger may find it difficult to possess my house, though they can intercept things on-property, but it's more difficult.
My bank details are not as safe to share, as they tend to be the sum totality of how a bank identifies me. Thus fraudulently removing a primary resource is easy.
> Well, this is good when it happens, on occasion, anyway.
I rarely see secrets being removed at all. In fact, the only time I can see an individual no longer having any secrets, would be when they are made a non-citizen, and can no longer interact within society, or not without an enormous amount of effort.
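The two posts above (the one starting "Currently you have several secrets you use to confirm your identity" and the follow-up on licence numbers and bank details) argue that an organisation only knows an individual by the secrets they share. The following is an added example, not code from the thread or from any product it discusses, showing the mechanics of that idea: a registry (a bank, say) enrols a member with a shared secret, then verifies the member by a challenge-response in which the secret itself is never transmitted, only an HMAC over a fresh nonce. The member and registry names, the secret values and the nonce length are all constructed for the example. It also shows the two failure modes a practitioner would check: a wrong secret, and a replayed answer to an old challenge.

```python
"""Added example (not from the thread): identity as an exchange of secrets.

The organisation knows a member only by the secret they enrolled with. The
member proves they still hold that secret without ever sending it, by
answering a fresh challenge with an HMAC. Replaying an old answer fails
because each challenge is single-use. All names and data here are
constructed for the example.
"""
import hashlib
import hmac
import secrets


def _prove(secret: bytes, member_id: str, nonce: bytes) -> bytes:
    """HMAC-SHA256 over the member id and the nonce, keyed with the secret."""
    return hmac.new(secret, member_id.encode() + nonce, hashlib.sha256).digest()


class Registry:
    """Organisation side: stores one secret per member and issues challenges."""

    def __init__(self) -> None:
        self._members = {}   # member_id -> shared secret (bytes)
        self._pending = {}   # nonce -> member_id; each nonce is single-use

    def enroll(self, member_id: str, secret: bytes) -> None:
        self._members[member_id] = secret

    def challenge(self, member_id: str) -> bytes:
        """Issue a fresh random nonce bound to this member."""
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = member_id
        return nonce

    def verify(self, member_id: str, nonce: bytes, response: bytes) -> bool:
        """True only if `response` is HMAC(secret, member_id || nonce) for a
        nonce we issued to that member and that has not been answered yet.
        The nonce is consumed on the first attempt, right or wrong."""
        if self._pending.pop(nonce, None) != member_id:
            return False                      # unknown or already-used nonce
        secret = self._members.get(member_id)
        if secret is None:
            return False
        expected = _prove(secret, member_id, nonce)
        return hmac.compare_digest(expected, response)   # constant-time compare


def respond(secret: bytes, member_id: str, nonce: bytes) -> bytes:
    """Member side: answer the challenge; the secret never leaves the member."""
    return _prove(secret, member_id, nonce)


def demo() -> dict:
    """Run the exchange for a legitimate member, an impostor, and a replay."""
    bank = Registry()
    alice_secret = secrets.token_bytes(32)      # constructed enrolment secret
    bank.enroll("alice", alice_secret)

    # Legitimate: Alice answers a fresh challenge with her own secret.
    n1 = bank.challenge("alice")
    legit = bank.verify("alice", n1, respond(alice_secret, "alice", n1))

    # Impostor: knows Alice's id but holds a different secret.
    n2 = bank.challenge("alice")
    impostor = bank.verify("alice", n2, respond(b"wrong-secret", "alice", n2))

    # Replay: an eavesdropper reuses Alice's earlier, already-consumed answer.
    replay = bank.verify("alice", n1, respond(alice_secret, "alice", n1))

    return {"legit": legit, "impostor": impostor, "replay": replay}


if __name__ == "__main__":
    print(demo())   # {'legit': True, 'impostor': False, 'replay': False}
```

The design choice worth noting is that the registry never needs the secret on the wire: a stolen transcript of the exchange yields neither the secret nor a reusable answer, which is the difference between this scheme and handing over account details that can be replayed verbatim.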