Which is exactly what we <i>crazy cuckoo conspiracy theorists</i> have been warning about. It's the same slippery slope we already went through in the '90s crypto wars, but SV gets amnesia when it gets lots of stupid company valuations and forgets all those lessons, apparently.<p>Bottom line is this. If you put backdoors in, or exploit 0-days for your own purposes, they will get out in the wild eventually, and suddenly you have massively <i>weakened</i> infrastructure, corporate, and government security... basically all the things important to national security in general. So while I don't disagree that triple letters need some cool tools to get shit done, I think this function needs some technocratic oversight specifically for this issue.<p>It's time for a new Church committee.
Tech security has been an afterthought for too long. The core technologies we use are putting us at grave risk in ways we simply cannot imagine. As we are now starting to realize, the fact that all of our digital lives are permanently and centrally recorded carries currently unimaginable risks down the road. That we have centralized global social networks carries risks that the majority of people are not able to experience or understand. We're progressing too fast technologically, and there's way too much of a gap between morphing cultural norms and a system of government that will be, by default, always out of date with respect to these evolving norms.<p>That we connect directly to a worldwide network with minimum consideration for security is very troubling. In decades to come, we'll look back in humility and realize that the manner in which we used technology added grave risks to our health.<p>In 2017, we are not in the "wild wild west" age of technology. Rather, we are firmly in the dark ages. We're so far away from having an understanding regarding the lack of social maturity in our technological growth that we fail to properly consider the downside risks.<p>This is a tough nut to crack because technology is simply <i>too good</i> for the majority, even the technically inclined majority. I recall efforts by very, very talented folks to build decentralized technologies to help mitigate some of these long-term risks, but such efforts will remain firmly at the fringes of intellectual superiority for a long time. Meanwhile, Goliath will simply grow stronger in time, unless there is some major cultural shift. Is there any such shift happening, beyond the fringe?
It would be interesting (although I expect impossible) to figure out how many of those thousands were compromised by the NSA vs. those compromised by people who got the tools through the leak. It was nice that Microsoft had already fixed a bunch of them (almost like they were told ahead of time they were coming).<p>It is also interesting to read the outrage about the tools and the presentations on how to use them. If you have ever read the user's manual for a cluster bomb, which no doubt tells you in detail how to maximize the number of people it will kill, you get a sense of how destructive and outrageous war can be. Why should cyber war be any different? And how is it any different to use a zero-day to compromise a system than it is to use an architectural feature of a building to bring it down on top of its occupants (other than the obvious loss of life)? Exploiting defects in the deployed system to maximize the effectiveness of a munition is not a new thing at all. Just the reality of warfare.<p>We're pretty clearly already in a form of warfare, and it is having visible effects on things like infrastructure and elections. So how do we make the battles visible to the common folks? How do we convince Mom & Dad to patch their router so that they don't inadvertently aid the 'bad guys' in their quest for dominance on the digital battlefield?<p>Definitely feels like Phase III of the Internet has begun to me.
> “Shodan has currently indexed more than 2 million IPs running a public SMB service on port 445. ..."<p>OK, I understand SMB on LAN. But SMB on the Internet? Is that likely accidental?
I have heard the NSA mission in this regard characterized as both defensive and offensive. Defensive in that they protect our infrastructure (a counter-intel role), and offensive in that they attempt to exploit the infrastructure of our adversaries (and others) for SIGINT. The trick is finding the right balance, and I don't think there's much hope for agreement on that at the moment. I also find the debate a difficult one to engage in because there are large information asymmetries and much of what we're trying to discuss is obscured by secret courts, classified documents, etc. My impression is that even the people who are tasked with oversight don't get the full picture, so what do we hope to know about it? I've had experiences in industry that I can't talk about that maybe you (in the general sense) haven't had that also inform my views.<p>Personally, my view is that we should be putting the focus on the defensive side. Protect infrastructure, IP, etc. I believe the reputation of technology in general is harmed by the offensive mission, and US companies disproportionately so. There are now even greater incentives for our adversaries (and friends) to foster development of technologies that compete directly with US products in their own jurisdictions (where they can get a look under the hood).
I like the idea of the agencies being allowed to use a zero-day with some asterisks.<p>* The zero-day has to be powerful enough to allow the agency to gain full access & remotely patch the zero-day -- i.e. if the zero-day gets out, and the agency didn't warn the manufacturer ahead of time and instead used it for its own purposes, it <i>must</i> have the capability to "immediately" scan the internet for the vulnerability and patch it where accessible.<p>* If the above condition is not satisfied, or if the agency can't/won't dedicate the resources to develop a backup patch, it should be required to alert the manufacturer immediately.<p>Does this cost more? Yes. Does it limit some of the monitoring capabilities they will have? Yes. The second seems like a pro. The first one seems like a worthy compromise for questionable activity with high potential for collateral damage.
"Once installed, DOUBLEPULSAR is a stealthy backdoor that’s difficult to detect and continuously relays new information back to its controller."<p>Seems to contradict itself? If it's continuously relaying information, wouldn't that make it easy to detect?
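On the detectability question: the implant does not beacon on its own, it sits in the SMB service and answers when the controller talks to it, which is why the public scanners that counted infected hosts worked by asking. The widely published check (this is an added example, not code from the original post or from any of the linked reports) sends an SMBv1 Trans2 SESSION_SETUP request with Multiplex ID 0x41 after the usual negotiate / session setup / tree connect to IPC$; a clean Windows host echoes the MID 0x41 back, while a host carrying the implant answers with MID 0x51. The block below builds and parses only the 32-byte SMBv1 header needed to classify such a reply; the sample replies are constructed bytes, not captured traffic, and the probe sequence itself (negotiate, session setup, tree connect, the Trans2 request body) is assumed to be done by the caller.

```python
"""Classify SMBv1 Trans2 replies by Multiplex ID (the DoublePulsar "ping" check).

Added example: only the header handling and the MID-based classification are
shown; the caller is assumed to have sent the Trans2 SESSION_SETUP probe.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
# Fixed 32-byte SMBv1 header (MS-CIFS 2.2.3.1), little-endian:
# Protocol(4) Command(1) Status(4) Flags(1) Flags2(2) PIDHigh(2)
# SecurityFeatures(8) Reserved(2) TID(2) PIDLow(2) UID(2) MID(2)
SMB1_HEADER_FMT = "<4sBIBHH8sHHHHH"
SMB1_HEADER_LEN = struct.calcsize(SMB1_HEADER_FMT)  # 32

MID_CLEAN = 0x41     # MID used in the probe; an uninfected SMB stack echoes it
MID_INFECTED = 0x51  # value the DoublePulsar implant substitutes in its reply


def build_smb1_header(command, mid, status=0, flags=0x18, flags2=0xC807,
                      tid=0, pid=0xFEFF, uid=0):
    """Pack an SMBv1 header with the given command and Multiplex ID."""
    return struct.pack(
        SMB1_HEADER_FMT,
        SMB1_MAGIC, command, status, flags, flags2,
        0,            # PIDHigh
        b"\x00" * 8,  # SecurityFeatures (signature), unused here
        0,            # Reserved
        tid, pid, uid, mid,
    )


def netbios_wrap(smb):
    """Prefix an SMB message with the 4-byte NetBIOS session header."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_smb1_header(data):
    """Strip the NetBIOS session header and unpack the SMBv1 header.

    Returns a dict of the fields we care about, or None when the blob is
    not a complete SMBv1 session message.
    """
    if len(data) < 4 + SMB1_HEADER_LEN:
        return None
    nb_type = data[0]
    nb_len = int.from_bytes(data[1:4], "big")
    body = data[4:4 + nb_len]
    if nb_type != 0x00 or len(body) < SMB1_HEADER_LEN:
        return None
    fields = struct.unpack(SMB1_HEADER_FMT, body[:SMB1_HEADER_LEN])
    if fields[0] != SMB1_MAGIC:
        return None
    return {
        "command": fields[1],
        "status": fields[2],
        "tid": fields[8],
        "pid": fields[9],
        "uid": fields[10],
        "mid": fields[11],
    }


def classify_trans2_reply(data):
    """Return 'infected', 'clean' or 'unknown' for a reply to the probe.

    Anything that is not a Trans2 reply, or that carries an MID other than
    the two known values, is reported as 'unknown' rather than guessed.
    """
    hdr = parse_smb1_header(data)
    if hdr is None or hdr["command"] != SMB_COM_TRANSACTION2:
        return "unknown"
    if hdr["mid"] == MID_INFECTED:
        return "infected"
    if hdr["mid"] == MID_CLEAN:
        return "clean"
    return "unknown"


# Constructed sample replies (not captured traffic). The status value
# 0xC0000002 (STATUS_NOT_IMPLEMENTED) is what a clean host is expected to
# return for the bogus subcommand; the classifier does not depend on it.
CLEAN_REPLY = netbios_wrap(
    build_smb1_header(SMB_COM_TRANSACTION2, MID_CLEAN, status=0xC0000002))
INFECTED_REPLY = netbios_wrap(
    build_smb1_header(SMB_COM_TRANSACTION2, MID_INFECTED, status=0xC0000002))

if __name__ == "__main__":
    for name, reply in (("clean", CLEAN_REPLY), ("infected", INFECTED_REPLY)):
        print(name, "->", classify_trans2_reply(reply))
```

The same header parsing is what an Internet-wide port 445 sweep like the Shodan count quoted above needs before it can tell an SMB service from anything else listening on the port; the only thing specific to the implant is the MID comparison in `classify_trans2_reply`.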
I am worried about the firmware of Intel processors which I believe have had firmware since the mid-1990s or a bit later. Is this possible and are there tools "in the wild" that are capable of doing this? Does Intel do some sort of checksum to ensure that this cannot happen?
For more details on this and regular updates on the infection numbers, check: <a href="https://blog.binaryedge.io/2017/04/21/doublepulsar/" rel="nofollow">https://blog.binaryedge.io/2017/04/21/doublepulsar/</a>
The zero-day NSA Pension Fund congratulates John & Jane Doe on their retirement and wishes them a nice golden autumn in their Florida beach villa.