One Article Review

Source: Errata Security
Identifier: 8234
Publication date: 2016-08-20 17:50:17
Title: Bugs don't come from the Zero-Day Faerie
Text:

This WIRED "article" (aka thinly veiled yellow journalism) demonstrates the essential thing wrong with the 0day debate. Those arguing for NSA disclosure of 0days believe the Zero-Day Faerie brings them, that sometimes when the NSA wakes up in the morning, it finds a new 0day under its pillow.

The article starts with the sentences:

"WHEN THE NSA discovers a new method of hacking into a piece of software or hardware, it faces a dilemma. Report the security flaw it exploits to the product's manufacturer so it gets fixed, or keep that vulnerability secret - what's known in the security industry as a "zero day" - and use it to hack its targets, gathering valuable intelligence."

But the NSA doesn't accidentally "discover" 0days -- it hunts for them, for the purpose of hacking. The NSA first decides it needs a Cisco 0day to hack terrorists, then spends hundreds of thousands of dollars either researching or buying the 0day. The WIRED article imagines that at this point, late in the decision cycle, this dilemma suddenly emerges. It doesn't.

The "dilemma" starts earlier in the decision chain. Is it worth it for the government to spend $100,000 to find and disclose a Cisco 0day? Or is it worth $100,000 for the government to find a Cisco 0day and use it to hack terrorists?

The answers are obviously "no" and "yes". There is little value to the national interest in spending $100,000 to find a Cisco 0day. There are so many more undiscovered vulnerabilities that this will make little dent in the total number of bugs. Sure, in the long run, "vuln disclosure" makes computers more secure, but a large government investment in vuln disclosure (and bug bounties) will only be a small increase on the total vuln disclosure that happens without government involvement.

Conversely, if it allows the NSA to hack into a terrorist network, $100,000 is cheap, and an obvious benefit.

My point is this. There are legitimate policy questions about government hacking and use of 0days. At the bare minimum, there should be more transparency. But the premises of activists like Andy Greenberg are insane. NSA 0days aren't accidentally "discovered"; they don't come from a magic Zero-Day Faerie. The NSA instead hunts for them, after it has come up with a clearly articulated need that exceeds mere disclosure.

Credit: @dinodaizovi, among others, has recently tweeted that "discover" is a flawed term that derails the 0day debate, because those like Greenberg assume it means what he describes in his opening paragraph: that the NSA comes across them accidentally. Dino suggested the word "hunt" instead.