Sunday, October 6, 2013
On a Slippery Road in the Name of National Security
Two very important things happened at the recently concluded Cocon 2013. Not surprisingly, the media missed these, in favor of more "mainstream" news focusing on the celebrities and visible initiatives.
- The Deputy National Security Advisor, Sh. Nehchal Sandhu, gave a largely statistics-and-routine talk, with the notable exception of a superb pronouncement:
"We will not go down that road"
He was referring to the recent events surrounding the NSA's surveillance and its fallout in the US (civil rights outrage) and in the rest of the world (Brazil, anyone?), including India (such as new guidelines on email usage, etc.). The statement was made to convey that the Indian Government would not indulge in the kind of tactics that the NSA and FBI are being accused of.
Why is this important? It portrays a commitment from the Government to act with a level of wisdom and maturity that has been hard to find recently, not just here but in most parts of the world.
- A few speakers talked about the Government's collaboration with the hacker community. One of the talks included an unapologetic response to the criticism of the takedown of a malware's C&C server at this year's nullcon -- announcing a new era of Government-Community partnership.
On the sidelines of this talk was a much more sinister discussion: that some parts of the Government might be willing to take hackers for hire -- ostensibly for National Security engagements.
On the face of it, this should not cause any concern, right? Not until you understand the implications, subtle and otherwise. How will this relationship begin, what pit stops will it make, and how far will it go?
An example: LulzSec (ex-)leader cooperating with the FBI.
Another: Desi hackers join Indian Cyber Army. In this, there is even a mention of a lawyer wanting to change the IT Act to provide protection for "patriotic stealth operations". Of course, they might be talking about the "usual" hiring of infosec professionals in cyber-defense positions... but there is enough to indicate otherwise too.
There are enough rumours and murmurs of whole truckloads of East European hackers being allowed to flourish in the fond hope that they will provide the necessary "air" cover (and perhaps tactical support) to their governments when push comes to shove in cyberwars. Are we talking about going down that route?
National Security as a justification to do things that you wouldn't otherwise do is a very slippery slope. Once you start the journey, you have no control over the speed, direction or destination. This is a route that argues that the means justify the ends. No doubt there will be people who argue that when our adversaries do it, we must do it too.
However, I hope that saner voices such as Sh. Sandhu's will prevail.
Friday, March 8, 2013
The dark side of Vulnerability Research and Sale
[edit: Altered the title & reworded "Exploit Research" to "Vulnerability Research" to align with common use of the words]
Imagine this:
- You have two neighbors, both highly skilled in surveillance & breaking in.
- Both of them thoroughly scan your home (from afar, of course), voluntarily.
- They find a few flaws that you wouldn't know about -- but which would allow a thief to bankrupt you.
- One of them wants to sell this information and make money that befits his expertise. To you, to your builder, or to the government. (Interesting question: what happens when none of the three agree to buy?)
- The other never mentioned any of this to you, but directly put up the "exploit" for sale to the highest bidder in an "open market" meant for highly specialized buyers (of the type that you aren't).
Is there anything wrong with this scenario? You bet there is.
This is what is building up in the InfoSec world under the garb of Vulnerability Research. I am sure we all understand the logic of "we need to make a living", "we have a right to market our skills" and even "we have a right to get rich".
That "We tried until 2010 to convince vendors to decently pay researchers without success" almost sounds noble.
But to say "L is for Liberties, and exploit sale is a liberty" as VUPEN (@VUPEN) CEO Chaouki Bekrar (@cbekrar) shamelessly tweeted is a bit too much for me.
Where is this going?
Vulnerability Research (as in the scenario above) is turning into a thriving market. Though some players are spouting KYC and self-regulation to support their activities, "... I confirm we don't sell to repressive regimes ..." and "... ask your favorite vendor to pay researchers $100K per 0D ...", it rings hollow.
Of course, other players are simply discreet about what they do -- and don't promise any such restraint. That is surely no less of an issue.
Statements like "... You are not a judge, and we are not in a court ..." and "... we really don't care nor give a shit about your thoughts on exploit sales ..." just about sum up the attitude and shatter any pretense of ethics. It appears that "there is no law against it, so we'll do what we please as long as we can get away with it" is lurking right underneath this "business model". At this rate, sooner rather than later, we could see specialized "Vulnerability Research" markets come up in the fields of ATMs, credit card terminals, and more. They would, of course, begin by selling the exploits "at a decent price", "only to non-repressive governments" and with "thorough Know-Your-Customer norms".
We are witnessing the birth of a thriving market of Vulnerability Research where anyone more skilled than you are is free to poke around and blackmail you.
As the market expands, people have more incentives to turn into Vulnerability Researchers (not to be confused with the more innocuous term "Security Research") -- and there is little or no reason to exercise any restraint.
I'm sure it has occurred to many that:
- there is no reason to cap the price at $100K per 0D
- there is no reason (yet) to commit to self-regulate
I don't think we can afford to look the other way or merely smile and indulgently admire the admittedly considerable skills of these open market "Vulnerability Researchers".
In all this, let us also not forget that Governments are paying our (taxpayer) money to actively grow this market. Oh yes, I forget. The Governments are only doing this to protect us. Strangely, I don't feel particularly safe on this account.