Hacker News | bitsteak's comments

Why did anyone need this challenge in the first place? Couldn't someone have just ASKED a good exploit developer what they would do and what the impact is? No, I guess we're all up for wasting people's time and creating potential false negatives.


Because good idea in theory != good idea in practice. Showing that this actually works in practice (albeit on an isolated incident) shows that the bug is dangerous in practice, not just theory. Look at all the research in timing attacks etc. on TLS, some of which are theoretically feasible, until you consider real world possibilities of remote servers, such as "Their ISP is fiddling with routing so I have varying latency", or "They're using different server configurations and I don't get connected to the same one every time". This has been PROVEN to steal someone's private key, which is worse than giving someone the keys to your house. It's like giving them a blank passport with your name on it, letting them put their photo on it, and with that taking your car keys and house keys, and everything that identifies you.

Luckily, the fix is easy, just upgrade, revoke, and force password changes for everyone.


Yeah, I bet that fix is real easy.


What in this article associates USAID with the intel community? The fact that they both use technology?


Nothing in the article, but they have had a close association in the past. For example: http://en.wikipedia.org/wiki/Office_of_Public_Safety


Ask any random person what they think of when you say "hacker." PROTIP: it's not your typical employee of some random consumer web startup, working 12 hour days and pounding redbull. It's someone who bypasses technical security controls through mastery of the underlying technology.


Does anyone think the former should be considered a good description of a hacker? To me it is someone using their intelligence, to do something clever (or at least in a clever way) to disrupt or destroy something, make someone uncomfortable or piss someone off, or challenge something, for some result that satisfies them or someone else in some way. And the essence really lies in that first bit. A random programmer isn't a hacker unless that first bit is there, the unorthodox, challenging or subversive bit.


So in your mind this site is about news concerning disrupting, destroying and irritating things and people? "Hacker" is entirely combative and offensive in your view. That seems weird to me.


Yes, I think it should be. I think most things on the site qualify, but not all. However, your second statement is a mischaracterization. It is not "entirely" combative or offensive. I just think that is the essential ingredient before the word hacker is appropriate. If you are modifying a device meant for one purpose to use it in another purpose that is hacking because you are subversively defying the intentions of the device's creators. If you are merely using an Arduino or a 3d printer to make something, that is not hacking. If you are founding a startup to disrupt an existing business model, and put a dinosaur out of business you are hacking. If you are just churning out another iPhone game, that is probably not hacking.


Using an (as an example) LCD projector to make a 3D printer is hacking. But it's not necessarily subversive. It's not what it was designed for, and not what it was intended for, but it's not necessarily in opposition to the will of the original creators/designers. And that opposition is the key ingredient to subversiveness.

> To me it is someone using their intelligence, to do something clever (or at least in a clever way) to disrupt or destroy something, make someone uncomfortable or piss someone off, or challenge something, for some result that satisfies them or someone else in some way.

All of those (destroy, disrupt, make uncomfortable, piss off, now subvert) except for "challenge" are combative things, especially if, as you keep doing, you relate it as being opposed to other people or entities. Hackers don't have to have the intention of undermining anything to be hackers. Making an HTTP server entirely in forth written entirely in assembly is a hacker thing to do, but it's not undermining anyone's authority, the closest it gets to your categorization (but not your apparent meaning) is as a challenge.

EDIT: forgot a word


but those aren't mutually exclusive


NSA collects intelligence from people so that US policymakers make informed decisions (like about Russia invading Crimea or how badly Malaysia is lying to the world), same as every other intel agency does for their home country. Big difference is that NSA won't give their analysis to private companies. In many countries, things like State-Owned Enterprises blur the things and economic espionage is widespread.


According to Snowden, some of the NSA documents suggest the NSA did give their analysis to private companies. http://news.cnet.com/8301-13578_3-57617823-38/snowden-accuse...


GCHQ, presumably in cooperation with NSA, uses dirty tricks against political dissidents, including Anonymous: https://www.techdirt.com/articles/20140207/08354426130/gchq-...


Why anyone would voluntarily MITM their own data and hand ALL of it over to a single company (and a single point of failure) is totally beyond me. It's a market failure that services like these continue to exist.


A single point of failure...such as sending unencrypted traffic to an ISP?

The difference is I can buy a VPN with BTC, not be required to provide details of my identity, and make 99% of the traffic out of my machine encrypted (which prevents significant amount of local MITM attacks, for ex at coffeeshops).


“When they deploy malware on systems,” Hypponen says, “they potentially create new vulnerabilities in these systems, making them more vulnerable for attacks by third parties.”

Really, how does that work Mikko? You don't even have a copy of any malware to make that statement.

All the hyperbole about how this is somehow unique is really getting old. Exploit kit authors have had shitty PHP web applications that accomplish the same task for ages: manage thousands of bots by grouping them together with a point and click management interface. It sounds like, prior to TURBINE, NSA had a single person tasked to oversee every action taken by hand, which is kind of inefficient if you ask me, so it stands to reason they would try to manage that process with technology.

How do you cool yourself First Look when you're reporting on this in 2014? Jeez.


Hypponen said "potentially" and it is an absolutely defensible statement. You go around poking holes in a system, don't be surprised if other people find the holes. You gonna trust the guy who hacked your machine to lock the door behind him on the way out?

>All the hyperbole about how this is somehow unique is really getting old.

The issue isn't that the spooks have developed some superweapon. The issue is that they've signaled intent and means to do mass espionage on citizens, not just at the network level, but at the machine level. This is as if your local law enforcement handed out burglar's tools to all their officers so they could get into everyone's homes "to check for drugs". "Eh, burglar's tools are nothing special" totally misses the point.


> All the hyperbole about how this is somehow unique is really getting old.

The big news is that the most powerful people on the planet are now using the same script-kiddie techniques against the rest of the world, in secret, without oversight, on an industrial scale.

EDIT: Judging from your github account, you appear to be a developer working on an open-source whistleblower platform. Given that the NSA's efforts would likely be focused on the users applications such as yours, do you not find these revelations to be directly relevant to your goals in developing this software?


Botnets require remote management. This means adding hidden backdoors, with the assumption that they will remain hidden. If such a backdoor becomes known to bad actors, they will exploit it.

Unless you're asserting that adding back doors makes a system more secure.


> Really, how does that work Mikko? You don't even have a copy of any malware to make that statement.

Simple: every process running on a system is a process that can be exploited, especially those processes that involve network communication. The NSA's exploits are processes running on the system they are attacking. They utilize network communications. These processes are open to exploitation by third parties, just like all the other legitimate processes.


Definition of the word 'potential' cited in the Oxford Dictionary.

"Having or showing the capacity to develop into something in the future"

Or alternatively

"Having possibility, capability, or power."

Or in Merriam-Webster:

"expressing possibility ; specifically : of, relating to, or constituting a verb phrase expressing possibility, liberty, or power by the use of an auxiliary with the infinitive of the verb (as in “it may rain”)"

I can see no difficulty in the author's expression of the idea of possibility.


Playing devil's advocate here. What harm was done by this? Was it really deserving of a news article and, further, a post on Hacker News? Now, maybe if there is a company out there working to replace or revolutionize passwords... otherwise I just don't see the point of this story.


>What harm was done by this?

Plenty. Anybody with ill intentions could set up a similar wifi network or tamper with the existing one and suddenly thousands of people's traffic/passwords are all being sent via MITM.


just wanted to say it's great seeing security integrated into such a product from the start!


"Physicists and computer scientists have long speculated about whether the NSA’s efforts are more advanced than those of the best civilian labs. Although the full extent of the agency’s research remains unknown, ___the documents provided by Snowden suggest that the NSA is no closer to success than others in the scientific community.___"

Nothing to see here but false outrage and surprise, move along.


That's a pretty amazing hyperbole from kaepora (twitter description of incident vs actual e-mail response from Apple). And later, Apple accepted the fix: https://github.com/cryptocat/cryptocat/issues/542#issuecomme...

Kaepora is so full of himself, I'm not sure how anyone takes what he says or the apps he writes seriously. Glad that people are putting stock in more consistent developers these days (http://tobtu.com/decryptocat.php).

