Skip to main content

View Diary: An even bigger potential intelligence leak: Microsoft (73 comments)

Comment Preferences

  •  reality (2+ / 0-)
    Recommended by:
    llywrch, mhanch

    For the most part, unless software has a built in back door, these exploits are not engineered.  They are mistakes in process or artifacts of the complexity of software engineering.  These exploits, often if not nearly always, are discovered by people who are professional hunters.  So of them are 'white hat' researches who profit of the exposure or products defending against cyber attacks, some of them are 'black hat' firms who hope to directly profit off the exploits, either by using them in attacks or selling kits so that other may use them in attacks.

    There are many myths associated with this.  One is that a release of an exploit somehow will cause it become popular and make our computers less secure.  The fact is that our computers are less secure because the exploit exists, not because someone has released the technique to the government or the general public.  The race is between the likes of MS, Apple, Google, etc and those that develop the tool kits that commercialize the exploit, not the people who discover the exploit.  Thinking otherwise is like thinking your house is secure because no one knows you keep a key under the flower pot.

    Another myth is that only the white hat people are going to discover the exploit.  The Black Hat researchers likely far outnumber the white hat researchers because the profit available to the former will be so much greater.  A kiddie in the Balkans, or North Dakota, can make a decent income if she or he is cleaver enough.  Such a person can discover an exploit, sell it the mob or give it to the script kiddies, and gain profit or fame.  The question is not the transfer of information from legitimate software firms, but if there transfer of tax payer money to these black hat exploit hunter so that the US government can learn of the exploits prior to public.

    Which is a real concern.  Because our government is neither as incompetent or as powerful as many believe.  The US must have a team who hunts for these exploits, and there would be no incentive to inform the software companies.  The US must monitor the Black Hat sites and have agents embedded in the major groups to learn of exploits as well.  When the US is told of these exploits by the software firms, many of details are probably not news, but merely a warning that patches will come out soon and the useful lifetime of the exploits are going to be limited.

    Really what we are talking about here is PR thing.  When an exploit is made public, it has likely already been used in an attack.  People like MS would really like the white hat researches to keep these exploits secret so that they do no have to deal with PR problems.  OTOH, all large customers are probably informed of the issue and told how to prevent it.  Remember, these exploits are not only used to hack into 'other peoples' systems, but also to hack into our systems.  So the if there is a major exploit, and the average US agency does not know about, it will be used to violate security.  

Subscribe or Donate to support Daily Kos.

Click here for the mobile view of the site