Sounds like someone running around with the Cisco IOS exploit from the ShadowBrokers dump. Best Korea has obvious motive, but it could also be random hackers running around hacking everything on shodan.
No one will be safe until governments stop hoarding 0-days. Until we all realize we live in a glass house, the hacks will continue. The best solution is to split the NSA and similar agencies into two. One for developing new tools that produces safer code and finding flaws and reporting them to companies so they get patched. The second for offense.
I'm not sure how splitting up the NSA fixes anything. Wouldn't the new offensive organization still be compelled to seek out zero-day exploits as well for their mission? What happens when they find one that the defensive organization hasn't found yet?
Better than the current setup. The defensive side's sole responsibility is to find critical flaws and report them. This would also include investigating breaches in US infra and making sure things get patched. Right now, you don't even have the defensive side.
Splitting IAD off from SIGINT wouldn't reduce the number of zero-days the government collected, but it would:
* Ensure that the advice IAD was generating was untainted by SIGINT influence
* Enable IAD to independently collect vulnerability intelligence and disseminate it (most importantly, to vendors) without having to endure a bogus equities process to ensure they weren't blowing a SIGINT operation.
Of course, this only works if IAD is stripped completely out of the NSA, and perhaps out of the DoD entirely. IAD probably belongs under DHS.
When a government researcher (or government-funded researcher) discovers a new Flash vulnerability, the government hasn't created the vulnerability, nor have they prevented anyone else from discovering that same vulnerability.
Lobbying against SIGINT vulnerability collection doesn't actually make us materially safer --- even if things like the "Shadow Brokers" became routine (rather than the unprecedented shitstorm it actually was), the number and caliber of the vulnerabilities we're talking about are a tiny fraction of the threat we face.
Thankfully those who shut down biological weapons development in the DoD didn't follow the same logic. Purely from a strategic perspective: defense costs much more than offense; it doesn't make sense for a superpower to spend more on offense than defense when their potential adversaries can't afford to defend themselves against low-cost attacks.
As regards software security vulnerabilities, defensive spending in the USG utterly and completely dwarfs offensive spending.
The median venture capitalist in the valley could outspend the US --- actually, probably the world --- on vulnerability acquisition. But there probably isn't an investor and there may not be a single tech company that outspends the USG on defensive security acquisitions.
I'd really love to know how you know this. I can think of a handful of very public DARPA, NIST, USN and NSA programs that are dedicated to hardening (most are little more than academic curiosities, measured in millions) - whereas the NSA's black budget (measured in billions) easily dwarfs those. Are you saying that the NSA is secretly spending large sums of money on hardening software outside of their black cube?
I don't disagree on the lack of private hardening spending, which is really beside the point, because obviously there is very little incentive for a company when all they have to do is budget for useless CYA lifelock service.
And? What do you think they're spending those billions on? Giant computing centers in Utah and all the signals intelligence the entire country does --- all the satellites, all the undersea cable taps, all the deployments of hardware implants on Chinese military computers.
Exploit development is a rounding error in that budget.
Satellites and undersea cable taps fall to the NRO and the USN, though I'm sure the NSA pays for some of it. That is beside the point though, the issue is exploit to hardening ratio - not exploit to everything-else ratio.
Yes, and the USG (and DOD) spend vastly more on hardening than on offensive security. By orders of magnitude; note plural. Both in opex and (particularly) capex.
Is the money being spent wisely? Different question. But: nobody really knows how to effectively spend 100MM on hardening (a nice round number I picked at random).
Nothing would make me happier than to be able to take your word for it, but I think your definition of "hardening" might be incredibly broad. DoD funding Ada development, SELinux, rainbow series, cyber grand challenge - hardening. DoD buying firewalls and maintaining Oracle licenses isn't hardening.
No, it isn't - it is basic network administration, and it does nothing to advance the state of the art. That is a bad faith interpretation, especially when considered in the context of offensive development. You're putting license maintenance in the same category as TCSEC, which broadens "hardening" to the point of losing all meaning - hell, throw in the cost of electricity to power the firewalls.
Why do you think it matters if NSA stops hoarding 0-days? Let's put that into perspective - the iPhone jailbreaking community hacks every new release in days/weeks. And that's just a few people doing it for fun and not getting paid. Companies like Cellebrite have more people paid good money to do the same thing, so they're likely to have an even bigger stash of working exploits. And that's for a locked-down device which has all the incentives of being a closed platform.
There's nothing special about NSA or 0-days here. We're using very generic platforms. Lots of organisations have exploits. We're still in a situation where you can point a fuzzer for a few hours at any popular app and get yourself a new 0-day. The only thing that will help you is getting rid of the possibility of exploitation, and limiting the scope when it happens.
It is special because it is government. We have taxpayer money going to support thousands of people finding 0-days. What I am proposing is to move some of those funds to be defensive, and since it is government, the intention and motivation is to make more secure software. It also forces companies and the industry in general to pay more attention to this stuff.
Right now, government doesn't care. Right now, it is cheaper to get hacked, spew all your information, and then say, "sorry". Not right.
We don't make every building a blast shelter and everyone wear body armor. People who walk through the steps of attacking the US physically are going to succeed.
Our security strategy is to:
A) surveil, infiltrate, and block conspiracies to do so before they happen, and
B) identify, track, and punish our attackers after the fact.
I don't think (and "cyber" policy makers don't seem to think) that making every piece of software free of vulnerabilities is realistic. Sabotaging hacking groups, and building sufficiently scary capabilities for retaliation against nation-states that might attack us, seems much more attainable.
Being secure and having privacy is for the privileged. To actually have the same amount of security and privacy before the internet and device boom is prohibitively expensive for over 90% of the citizens.
I wonder what kinds of fail-safes these sentries have if they're hacked? It says that there's a human operator. Do they have a kill switch to shut it down if it turns the wrong way so it can't be used against them?
I wonder if it is time for a reboot. If the castles we have built so far turn out to be made of gauze instead of stone, maybe we need to rethink it all, in the same way we need to rethink energy policy.
Every Intel motherboard since 2008 has had a "spy" on board, almost every home router is working for someone's botnet and will never be patched, medical devices and factory automation systems ship with default passwords because no one assumed they would ever connect to the Internet and don't get me started on browsers and JavaScript.
It was a multi-decade long fight to get the seat belt adopted, so I suspect that we aren't going to fix this the old way - surely at some point we stop?
RiscV, TCP+crypto offload, hardware switchports with luajit or nf rules. Reactive UI with hardware rendering and compositing.
Hardware keystore with physical switch to generate and enroll keys, user/owner controlled secrets, one-time programmable as an option, hardwired SAK and OS personality switching key.
Real-time security isolation kernel, hardware-enforced containerization with MMU-protected GPU passthrough.
It will take a while to google-walk through all that, but thank you. Do you feel this is a comprehensive recipe to move to an (enterprise-wide) computing platform where the attacker has the playing field tipped against them (it seems the other way round today)?
I was thinking the same thing. What I was describing is about using the disadvantages of a platform like RiscV to our advantage. Rather than running network stacks, compositing and other things on the main processor, which will likely trail Intel processors in performance for a time, we design the hardware to do what hardware does best.
As much as the US Media wants you to think North Korea is cut off from the rest of the world, it's not. They have a space program and nuclear program, which is more than what a lot of other countries can say.
It's not a bunch of people living under thatch houses.
If the government wants to make strides in something, they will. They can send their students overseas and get their education there. They can collaborate with other countries.
It's not something every citizen can achieve, but you only need a subset to be effective in cyber warfare.
> As much as the US Media wants you to think North Korea is cut off from the rest of the world, it's not.
The US media doesn't say that. The average N. Korean is very much cut off from the rest of the world... somewhat changing with smuggled-in phones and DVDs, but still.
> The average N. Korean is very much cut off from the rest of the world.
We aren't talking about the average N. Korean. Their best and brightest are sent offshore to study in STEM fields (with their family held hostage against their eventual return of course).
I imagine that they can select the most promising students, enroll them in the military, and give them, under scrutiny, access to all the information they need.
Dangerous for their family. I'm sure the young people have their entire family on the verge of hard labor camp, or death, if they do something against the government.
If the smart ones who work for the government can feed their entire family, why would they do something different? To strive for a democracy like ours, where a racist, bigot and xenophobe like Trump is a vote away from being president?
All NK needs to do is air some of Trump's speeches to prove dear leader was right all along.
As other commenters have noted, they're not completely primitive. And while yes, their technical know-how is far behind South Korea's, with the state of modern cybersecurity it's equivalently harder to keep people out than it is to get in.
For what it's worth, that problem works both ways; I'd imagine South Korea (and the CIA and whoever else is interested) has all sorts of access to North Korean systems.
I seem to recall that the Sony hack was attributed to North Korean hackers, and while many people laughed it off, serious investigations pointed to it really being the case. (Just off the top of my head; I'll let you dig for sources.)
Serious analysis pointed to Iran (malware shared traits with that used in the Saudi Aramco hack a year or two prior), probably because NK and Iran have some kind of offensive sharing arrangement on cyber, but the nuclear deal was in the works and the last thing the Obama admin wanted to deal with was a perceived provocation.
If after decades they are only now developing nukes barely as powerful as the earliest nuclear weapons (although still dangerous), one would wonder if their decades-delayed IT know-how really can pull off such an attack.
The situation is a bit more complex than that. We don't know the yield of NK's weapons based on the tests, because it's likely the tests have been sized to minimize material usage and just confirm the physics. Given that they're expanding their uranium mining it seems likely they have centrifuges operating and they're building hybrid bombs. This is the same path China went down when they were material limited.
So anyhow, it's not like a footrace where the major nuclear powers are at the finish line and NK is trying to catch up. They're following their own path appropriate for the situation they're in.
- I don't think the chronological order in which we've developed technologies matches up with the difficulties of cloning/repurposing/using them. I wouldn't expect NK to be able to put a man on the moon prior to, say, being able to make a Facebook clone.
- not everything is being invented from scratch. If individuals can smuggle data and devices in, do you doubt the military acting with the full resources of the country couldn't manage the same?
From the context, my first thought was something like a centralized server providing anti-virus software and/or updates hosted on the internal portion of the network.
Considering the timeline (within the last month or two) and the recently discovered issues in antivirus products from multiple vendors, I think that this scenario (or something similar) is, at the least, plausible.
A compromised UTM firewall would not be unheard of either.
2. Government blames North Korea
3. ???
4. Profit! Err, I mean, government support goes up.
Well, maybe North Korea did it, maybe it didn't, but the current state of South Korean politics created a perverse incentive structure. The more severely the government is hacked (or otherwise attacked by North Korea), the more it is politically rewarded.
So, expect nothing to change any time soon.