[HN Gopher] U.S. tightens export controls on items used in surve...
___________________________________________________________________
U.S. tightens export controls on items used in surveillance of
private citizens
Author : transpute
Score : 170 points
Date : 2021-10-20 18:14 UTC (4 hours ago)
(HTM) web link (www.commerce.gov)
(TXT) w3m dump (www.commerce.gov)
| [deleted]
| aasasd wrote:
| Did a US government site just slap me with a modal popup offering
| to snatch my email address off me? Before I had a chance to see
| anything on the site?
|
| I absentmindedly closed it immediately at first, and had to
| delete the site's cookies to check if I saw that right.
| wyager wrote:
| Those are only for our government to use!
| viro wrote:
| Yea, because NSO Group has taught us that we can't trust
| governments to not abuse these tools. For example, Mexico's,
| and in turn the cartels', use of Pegasus.
| NotSammyHagar wrote:
| Yes, it's Israel that needs to do this, perhaps much more
| than the US, because it's an Israeli company's tools that
| have found their way into the hands of people surveilling
| protesters across the world. I'm sure US companies have
| nefarious technical hacking tools too, but why do all those
| reports list Israel? Let's help stop these kinds of tools
| worldwide.
| 908B64B197 wrote:
| I sometimes wonder if we should go one step further and help
| get as many Starlink dishes as possible into
| China/Russia/Iran/Cuba/NK (the worst offenders in terms of
| censorship and human rights violations) to finally give their
| population access to real, free information instead of whatever
| heavily censored network the local regime allows.
| mleonhard wrote:
| People in China/Russia/Iran can use proxy services to bypass
| censorship. Such services are much cheaper than Starlink
| connections and far easier to set up and maintain.
|
| Starlink satellites route through ground stations which are
| subject to local controls [0].
|
| Communication between satellites and the earth is governed by
| international treaties [1]. Every country controls radio
| spectrum use in their borders [2]. Starlink must obtain
| spectrum licenses and comply with local laws. If Starlink were
| to route traffic to ground stations outside of the country to
| evade local controls, the country would simply revoke their
| spectrum license. If Starlink decided to operate without a
| license, the US government would be forced to either stop them
| or break numerous international treaties.
|
| I doubt that helping people circumvent censorship will have
| long-term positive impact. Censorship is a symptom of bad
| government, not a cause. For example, the United States
| and Israel both have low censorship. Yet, according to [3, 4, 5
| + 6], the United States and Israel would be included in a list
| of "the worst offenders in terms of censorship and human rights
| violations". Also, UK and Singapore have strong censorship [7,
| 8] and perform few human rights violations nowadays.
|
| [0] https://hackaday.com/2020/02/20/how-does-starlink-work-
| anywa...
|
| [1]
| https://oxfordre.com/planetaryscience/view/10.1093/acrefore/...
|
| [2]
| https://www.itu.int/en/mediacentre/backgrounders/Pages/itu-r...
|
| [3] https://en.wikipedia.org/wiki/Drone_strikes_in_Pakistan
|
| [4] https://en.wikipedia.org/wiki/Iraq_War
|
| [5] https://www.btselem.org/
|
| [6] https://www.jewishvirtuallibrary.org/u-s-vetoes-of-un-
| securi...
|
| [7]
| https://en.wikipedia.org/wiki/Censorship_in_the_United_Kingd...
|
| [8] https://en.wikipedia.org/wiki/Censorship_in_Singapore
| 55873445216111 wrote:
| China could always shoot down some satellites if Starlink
| allowed access in China without approval. Yes, there are thousands
| of Starlink satellites, but I doubt SpaceX wants to get into
| this kind of a fight.
| bob1029 wrote:
| In my estimation, this is an asymmetric battle that China
| would not be able to win.
|
| How many satellites can china intercept per launch?
|
| How many satellites can SpaceX (currently) put up per launch?
| BatFastard wrote:
| Yes, but once that orbit is full of debris, it becomes
| useless, effectively disabling all satellites in that orbit
| over time.
| mleonhard wrote:
| Starlink satellites use low orbits. Any debris they
| create will quickly de-orbit.
| retzkek wrote:
| > How many satellites can SpaceX (currently) put up per
| launch?
|
| Probably rhetorical, but I'll be that guy: 50-60 on Falcon
| 9, up to 400 planned on Starship.
| elliekelly wrote:
| I've tried to read the (currently unpublished) interim final rule
| to see what's been added but with all of the ECCN, country
| groups, and license exceptions cross-referenced it's practically
| incomprehensible: [PDF] https://public-
| inspection.federalregister.gov/2021-22774.pdf
| averysmallbird wrote:
| The new controls are for "intrusion software" (e.g. malware)
| and "IP network communications surveillance systems or
| equipment."
|
| There are specific definitions for those terms with technical
| specifications. Then there are licenses/exemptions that mean
| you don't have to seek a license if you are selling to
| nongovernment customers in certain (friendlier) countries.
| There are also larger exemptions in export controls related to
| commercial off-the-shelf equipment and fundamental research
| that would apply as well.
|
| Generally the takeaway is that if you're selling malware,
| exploits, or network surveillance equipment, you might want to
| talk to an export control lawyer first.
| nixpulvis wrote:
| Are there any nice tools for resolving cross references like
| this in a body of text?
|
| I don't deal with legal documents enough (luckily) to have ever
| really needed this, but it would be a nice thing to know how to
| use if needed, or on creative document sets. Essentially I'm
| asking for something where I can import a set of machine-
| readable text (or OCR'd), set a grammar for references in
| context, and then easily click through. If it's easy enough to
| extend the grammar I could probably link new things up as I go
| when new kinds of references pop up. Trying to get too smart
| about things like acronyms might be a step too far though, I
| want to be able to trust this tool completely.
| tossaway9000 wrote:
| There are lots of interesting bits in there though, such as:
|
| > List of Items Controlled
|
| > a. Any type of telecommunications equipment having any of the
| following characteristics, functions or features
|
| > a.2. Specially hardened to withstand gamma, neutron or ion
| radiation;
|
| is ECC memory now a controlled item?
| stagger87 wrote:
| > is ECC memory now a controlled item?
|
| What you meant to ask is, "Is telecommunications equipment
| using ECC memory controlled under 5A001?", and the answer is
| no, a.2 refers to rad-hard components.
|
| The key words are "specifically hardened to ..." instead of
| something like "using any technology that might help with
| ...". Generally the CCLs never use vague wording like this.
| duskwuff wrote:
| No. ECC memory isn't "hardened" in the technical sense
| intended here; it's simply error-detecting.
|
| What this primarily refers to is hardware which has been
| fabricated on an exotic semiconductor process (like silicon-
| on-insulator substrates) to resist radiation-induced upsets
| or latchup. This hardware is almost exclusively used in
| military and space applications; it's basically nonexistent
| in the consumer space.
| thereddaikon wrote:
| I wish it were but then again I'm not ready to spend $20k
| on a cellphone with performance from 2005.
| idiotsecant wrote:
| >I wish it were
|
| Why?
| InitialLastName wrote:
| Do you often find your devices facing issues from bit
| flips due to excess radiation?
| speed_spread wrote:
| Wasn't SOI standard in CPU production at some point in the
| last 20 years? AMD, I think, used it for Athlons.
| hulitu wrote:
| So they will not export Android, iOS, MS Windows, Alexa, Intel,
| AMD, Qualcomm, Adobe and others ?
| [deleted]
| kfprt wrote:
| I read this as surveillance targets everyone. If it hurts US
| billionaires it hurts US national interests and we get a
| law/rule/regulation.
| https://en.wikipedia.org/wiki/Jeff_Bezos_phone_hacking
| sharmin123 wrote:
| Facebook Safety Tips: Take Steps Now and Avoid Hacking:
| https://www.hackerslist.co/facebook-safety-tips-take-steps-n...
| nixpulvis wrote:
| I find it deeply ironic that an authority is using its powers to
| implement regulation (goodness or badness aside) which claims to
| "help ensure that U.S. companies are not fueling authoritarian
| practices".
|
| Somehow I doubt this will lead to myself being any less
| surveilled... but maybe I'm just being cynical. I want power to
| the people! But we are all just so damn stupid these days.
| [deleted]
| ceejayoz wrote:
| > The United States Government opposes the misuse of technology
| to abuse human rights or conduct other malicious cyber
| activities...
|
| Well, that's news. When did that change?
| [deleted]
| tremon wrote:
| I'm guessing since they built a national data hoovering
| apparatus that can already surveil the entire world, they want
| all their surveillance technology (including Google and
| Facebook) to remain under national control.
| em500 wrote:
| Right. They're certainly not going to ban Google and Facebook
| from operating abroad, as a naive reading might suggest. The
| rules look so vague to me that it looks like just another way
| to justify the ruling US prez banning whatever he dislikes on
| a whim.
| viro wrote:
| You honestly have a silly definition of surveillance. You
| choose to give fb/google that information about you.
| ¯\_(ツ)_/¯
| orthecreedence wrote:
| Opt-in surveillance can still be surveillance, especially
| if you don't tell people what it really is.
| viro wrote:
| No, it's not. That doesn't follow ANY definition of
| surveillance. Just because you replied to my comment and
| gave me your username doesn't mean I'm performing
| surveillance against you. That's silly and that is
| exactly how your definition would work.
| em500 wrote:
| At least Facebook also tracks logged-out users and non-
| users.
| tremon wrote:
| You honestly have a silly definition of choice.
|
| If I want to order from a webshop that relies on
| googleapis.com or uses recaptcha, how much choice do I
| realistically have? How aware of web bugs (Facebook and
| Twitter logos, for example) do you think the average
| Internet user is?
| viro wrote:
| You have plenty of choice. Your choice might have
| consequences but you still have the choice. Most users
| are fully aware of how tracked the free internet is.
| powersnail wrote:
| That reminds me of some earlier definitions of rape where
| the victim is required to have fought against the rapist.
| Otherwise, they had "chosen" to yield to the perpetrator.
| gumby wrote:
| Says right in the release, emphasis mine:
|
| > _Today's_ rule .... Comments to the rule must be received in
| no later than 45 days from today, and the rule will become
| _effective 90 days from today_.
|
| The notice is dated today, 20 October
| brink wrote:
| Right after the polls fell and didn't bounce.
| BitwiseFool wrote:
| > The United States Government opposes the misuse of technology
| to abuse human rights or conduct other malicious cyber
| activities...
|
| (When _other_ nations do it, and without our permission)
| viro wrote:
| This is funny because people lose their damn minds about
| WHO... NSO sells their products to.
| matheusmoreira wrote:
| I simply don't understand how the US can issue statements
| like these given the existence of CIA, NSA, etc.
| BitwiseFool wrote:
| As a cynical American, I can't help but share this satire:
|
| https://youtu.be/ZsISWO4INTo?t=98
|
| "Think of it, an entire nation founded on saying one thing,
| and then doing another!"
| jackTheMan wrote:
| So Apple cannot export the 'pedophile' image search to China?
| fidesomnes wrote:
| what about public citizens?
| m0zg wrote:
| Apple, Google, Facebook and Twitter, the main surveillance tools
| of our kakistocratic regime, are going to get decimated.
| colecut wrote:
| No change in things used to blow them up.
| wolverine876 wrote:
| There are many export controls for those. Often you need
| specific permission.
| markdown wrote:
| Which is granted to terror regimes like Saudi Arabia, Israel,
| etc.
| wolverine876 wrote:
| We may dispute the wisdom of the decisions, but there are
| certainly strict export controls on military equipment. For
| example, exporting nuclear submarines to Australia is big
| news because it's a major exception. F-22 fighter planes
| cannot be exported to anyone, by law.
| jt_thurs_82 wrote:
| I'm trying to dig through this to understand what it means, but I
| am far from an expert on regulations or legalese. I'm looking
| forward to any breakdowns and explanations/annotations of the
| passages in this article and rule. If anyone has any, please let
| me know in the reply?
| elliekelly wrote:
| I'm a regulatory lawyer (but I have no experience with export
| controls) and I can't decipher the rule either. I actually
| wonder how anyone is able to confidently draft and revise such
| a long document with so many complex cross-references:
|
| > License Exception ACE eligibility is added for 5E001.a (for
| 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), or
| 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)). License
| Exception STA conditions is revised to remove eligibility for
| 5E001.a (for 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for
| 5A001.j), or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)) to
| destinations listed in Country Groups A:5 and A:6 (See
| Supplement No. 1 to part 740 of the EAR for Country Groups).
| License Exception TSR is revised to remove eligibility for
| "technology" classified under ECCN 5E001.a for 5A001.j, 5B001.a
| (for 5A001.j), ECCN 5D001.a (for 5A001.j), or 5D001.c (for
| 5A001.j or 5B001.a (for 5A001.j)).
|
| It's like a logic puzzle.
|
| Edit: Looking at this random paragraph again and it seems
| they're missing a few closing parens so maybe the answer to how
| they confidently draft and revise these documents is... they
| don't.
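Added example, not code from the thread or from the rule itself: a small Python parser for exactly the kind of cross-reference-heavy CCL paragraph quoted above. It addresses both questions raised in this subthread, the request for a tool that resolves references in a body of legal text and the observation about missing closing parentheses. It extracts every ECCN mentioned (category digit, product-group letter A-E, three digits, optional paragraph suffix), groups them by the "License Exception" sentence they belong to, and checks parenthesis balance per sentence. The input is the paragraph as quoted in the comment; everything else (function names, the sentence-splitting heuristic) is my own construction.

```python
"""Resolve ECCN cross-references and check parenthesis balance in a quoted
paragraph of the interim final rule.  Added example; the regex and the
sentence-splitting heuristic are assumptions, not anything from BIS."""
import re
from collections import Counter

# ECCN shape on the Commerce Control List: one category digit, one product
# group letter A-E, three digits, then an optional paragraph suffix such as
# ".a" or ".a.2".  Only the forms that appear in the quoted text are needed.
ECCN_RE = re.compile(r"\b([0-9][A-E][0-9]{3}(?:\.[a-z](?:\.[0-9]+)?)?)\b")
EXCEPTION_RE = re.compile(r"License Exception (\w+)")

# Input: the paragraph exactly as quoted in the thread (the wording is the
# rule's, the packaging into a constant is mine).
RULE_TEXT = (
    "License Exception ACE eligibility is added for 5E001.a (for 5A001.j, "
    "5B001.a (for 5A001.j), 5D001.a (for 5A001.j), or 5D001.c (for 5A001.j "
    "or 5B001.a (for 5A001.j)). License Exception STA conditions is revised "
    "to remove eligibility for 5E001.a (for 5A001.j, 5B001.a (for 5A001.j), "
    "5D001.a (for 5A001.j), or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)) "
    "to destinations listed in Country Groups A:5 and A:6 (See Supplement "
    "No. 1 to part 740 of the EAR for Country Groups). License Exception TSR "
    "is revised to remove eligibility for \"technology\" classified under "
    "ECCN 5E001.a for 5A001.j, 5B001.a (for 5A001.j), ECCN 5D001.a (for "
    "5A001.j), or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j))."
)


def extract_eccns(text):
    """Return every ECCN reference in order of appearance, duplicates kept."""
    return ECCN_RE.findall(text)


def eccn_counts(text):
    """How often each ECCN is referenced; useful for spotting the anchor
    item (here 5A001.j) that every other entry points back to."""
    return Counter(extract_eccns(text))


def split_sentences(text):
    """Split at each 'License Exception ...' clause instead of on '. ',
    because abbreviations such as 'No. 1' would otherwise cut a sentence."""
    parts = re.split(r"(?=License Exception )", text)
    return [p.strip() for p in parts if p.strip()]


def paren_balance(sentence):
    """Return (unclosed, unmatched_close): nesting depth still open at the
    end of the sentence, and ')' characters seen with nothing to pair with."""
    depth = 0
    unmatched_close = 0
    for ch in sentence:
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                unmatched_close += 1
            else:
                depth -= 1
    return depth, unmatched_close


def analyze(text):
    """One record per License Exception sentence: which exception it names,
    which ECCNs it touches, and whether its parentheses balance."""
    report = []
    for sentence in split_sentences(text):
        m = EXCEPTION_RE.match(sentence)
        unclosed, unmatched = paren_balance(sentence)
        report.append({
            "exception": m.group(1) if m else None,
            "eccns": sorted(set(extract_eccns(sentence))),
            "unclosed": unclosed,
            "unmatched_close": unmatched,
        })
    return report


if __name__ == "__main__":
    for eccn, n in eccn_counts(RULE_TEXT).most_common():
        print(f"{eccn}: {n} references")
    for rec in analyze(RULE_TEXT):
        status = "balanced" if rec["unclosed"] == 0 and rec["unmatched_close"] == 0 \
            else f"{rec['unclosed']} unclosed '('"
        print(f"License Exception {rec['exception']}: {rec['eccns']} [{status}]")
```

Run on the quoted paragraph, the ACE and STA sentences each come out one closing parenthesis short and the TSR sentence balances, which is the "missing a few closing parens" observation made precise; the whole paragraph references only five distinct ECCNs, with 5A001.j (the new intrusion-software / network surveillance entry) as the hub every other reference qualifies.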
| dharmab wrote:
| I bet it's derived from some big excel sheet.
| mschuster91 wrote:
| You wish. This kind of stuff is all too often manually
| managed and copy-pasted between Word documents.
| codazoda wrote:
| I can't help but wonder if encryption export controls will be
| slipped into this mess. Seems like a good place to hide them
| but I don't have time to drudge through this at the moment.
| kfprt wrote:
| We're way past that, the horse has bolted.
| codazoda wrote:
| Are you saying we're way past the point where encryption
| could be restricted from export in the U.S.? Because
| encryption exports are controlled and when I first started
| programming they were completely illegal. Every once in a
| while new legislation is proposed to make these exports
| illegal again, usually to "save the children".
|
| https://en.wikipedia.org/wiki/Export_of_cryptography_from_t
| h...
|
| Based on other comments here, I'll assume there is no
| hidden agenda on encryption here but a document this messy
| is probably hiding "stuff" (on purpose or not).
| zorked wrote:
| Encryption is restricted from export in the US. I've had
| to submit forms to do things as trivial as buying
| microcontrollers from TI which happened to have AES
| instructions.
|
| No idea why I can go into a store and buy an infinitely
| more powerful Intel laptop without a form, though.
| joconde wrote:
| With AES widely available in free code, adding export
| controls today wouldn't seem to do much damage to
| symmetric crypto at least.
|
| Maybe post-quantum schemes could be affected, but it's
| only a question of time until people agree on a standard,
| and if that one gets exported and doesn't get broken,
| controlling crypto exports won't prevent anyone from
| using secure ciphers.
| johnwalkr wrote:
| I doubt it. The link says it's consistent with Wassenaar
| Agreement (WA) negotiations, which is the international
| export control agreement that is quite well harmonized across
| many nations. WA has a lot of restrictions on encryption, but
| a huge carve out for most items that says encryption on
| commercially available devices is exempt.
| averysmallbird wrote:
| There's already export controls on encryption. Have been for
| decades.
| encryptluks2 wrote:
| Yet they will allow Chinese routers that require an app on your
| phone to use and where you can't turn off the cloud
| functionality. Looking at you TP-Link.
| edge17 wrote:
| Is it illegal in the US to sell zero-day exploits, or to package
| up zero-day exploits into nice usable tools? My understanding is
| that it is not illegal, but something like this perhaps give the
| US a tool to pursue and/or prosecute individuals that engage in
| these types of sales when they are selling to the 'wrong'
| customer (the 'right' customer being NSA or other US intelligence
| gathering operations).
| wil421 wrote:
| Read the book _This Is How They Tell Me the World Ends: The
| Cyberweapons Arms Race_ by Nicole Perlroth
|
| There's a few chapters in the beginning about the history of
| the exploit market. Haven't finished it yet.
|
| To my knowledge it's not illegal to sell vulnerabilities. If
| you're not a government contractor selling/contracting to the
| US government it would be illegal to sell exploit chains or
| working software that uses the exploits/malware what have you.
| The book touches on how they sold multiple of the same zero
| days to multiple agencies. It got to the point where one of the
| guys was like you (3 letter agencies) need to talk to each
| other and stop wasting taxpayer money.
| OminousWeapons wrote:
| To my knowledge, it is illegal to sell exploit kits to actors
| that you know are going to use the kits to commit crimes (e.g.
| if someone sends you an email saying "I'm looking for an
| exploit kit so that I can attack company X and steal their IP",
| you cannot legally sell to them). It is otherwise legal to
| sell, rent, or give away exploits to the general public or to
| resellers like Zerodium as long as they are not marketed as
| criminal tools.
| edge17 wrote:
| For sure, but in practical terms these types of dealings
| often have middle men and the end buyer is often not known
| (by design). Everything I know is from podcasts and books, so
| I'm not an authority on the subject - though I would point
| out that the enormous amount of red tape in the west tends to
| be something that westerners seem to project onto the rest of
| the world. In much of the world, things are just far more
| loose.
| eggbrain wrote:
| For those of you (like me) who weren't sure exactly how to
| interpret the rule based on the link above or the original PDF, I
| believe this Washington Post article from today also summarizes
| it:
|
| https://www.washingtonpost.com/national-security/commerce-de...
| axiosgunnar wrote:
| So facebook will not be accessible from abroad? Great!
| godelski wrote:
| One thing I've never understood is why Blue teams don't get as
| much funding. Cyber defense is much harder than cyber offense. I
| know there is a lot you can do by tracking citizens and a lot of
| information you can get, but if you're not blue teaming your
| country then an adversarial country can use exactly all those
| same tools you're excited about using on your adversaries. I feel
| the red teams get all the money and the blue teams get pushed off
| to the side. I do want to keep red teams, but I want to see NSA
| also doing bug bounties, increasing security in Android and iOS,
| strengthening the internet, etc. Why is this not happening? Why
| are we also not outraged about this?
| michael1999 wrote:
| Publicly, Poindexter and the rest of the criminals under Bush
| Jr. went all-offence and launched the Information Awareness
| Office [0] to pursue a strategy of Total Information Awareness
| [1]. They wanted to ramp up ECHELON to hoover the whole world,
| started hoarding 0-days, and eventually created a whole
| industry to shop exploits. Now that is a business, nobody is
| going to make director leading the blue team.
|
| Privately, I speculate that they also assessed the state of
| play and just gave up. Microsoft back then still believed that
| code-signing would fix their bug-of-the-week run. Industry
| security practices were so weak as to be non-existent. Hell -
| telnet was still common.
|
| The only nice thing I can say about it was they had an
| amazingly honest logo [2]. That is, until congress freaked out
| and made them hide it all behind a big SECRET sign. And so we
| heard little more about it except via a steady drip of
| whistleblowers like Mark Klein, Thomas Drake, William Binney,
| and Snowden.
|
| [0] https://en.wikipedia.org/wiki/Information_Awareness_Office
|
| [1] https://en.wikipedia.org/wiki/Total_Information_Awareness
|
| [2] https://en.wikipedia.org/wiki/Information_Awareness_Office#/...
| aemreunal wrote:
| Also, recently, FBI "hacked" into Exchange servers that were
| vulnerable (with court authorization) to patch them [1], so it
| does happen. But I agree with your sentiment that it doesn't
| happen as often as it should.
|
| The public perception seems to be that the US doesn't spend as
| many resources hardening its and its people's defenses as it
| does surveilling people.
|
| [1]: https://techcrunch.com/2021/04/13/fbi-launches-operation-
| to-...
| nonameiguess wrote:
| The NSA does perform that function for the government. They
| protect DoD and IC assets and critical civilian computing
| infrastructure. They created SELinux and sponsored many of the
| major cryptographic standards out there. They don't actively
| provide defense for iOS and Android because those are products
| owned by trillion-dollar private companies who can pay for
| their own security, not expect publicly-funded agencies to do
| it for them.
|
| The Internet is an interesting case. Nobody owns it. It isn't
| even American. The fact that it was originally created by and
| for universities that all implicitly trusted each other has led
| to a whole lot of security flaws baked into the core
| assumptions of the most basic protocols. But the NSA does
| protect the hell out of military networks. Military and IC
| networks are absolutely nothing like the Internet. There is an
| inherent difficulty in bringing the same assurance to public
| networks, though, because nobody on a military network expects
| to be anonymous or to have any privacy. Users implicitly trust
| the network's central authority. They have to because they work
| for it. Security is a lot easier with a trusted central
| authority.
| spydum wrote:
| I think the root of this is you cannot buy "security". It has
| to be part of the engineering ethos at all levels. This gets
| really hard to do at scale. Pouring money into Blue teams is
| too late in the process.
| FpUser wrote:
| This. If you want something secure everything has to be
| created from scratch. The OS, languages, tooling, every
| software etc. etc. Nobody will ever do that. And even if they
| did something will fuck it up on higher level.
| LogonType10 wrote:
| It seems like you think that red teaming and blue teaming works
| much like an RPG game where you can spend skill points on
| perks, but blue team perks (like tier 1 endpoint defense) cost
| more skill points than red team perks. I don't think this is an
| accurate mental model, and I'd rather frame it like this:
| exploits are secrets, and when you learn the secret, you can
| share it with others as well as develop the countermeasure to
| the exploit. If you spend a lot of money discovering a useful
| exploit it is by definition something nontrivial that is
| unlikely to be discovered by regular hackers unless it is
| leaked or discovered after careless usage. If you discover an
| exploit that an enemy will soon discover, it is to your
| advantage to publish the countermeasures to the exploit before
| your opponent discovers and weaponizes it.
| Veserv wrote:
| Blue teams do get lots of funding (edit: I am speaking in
| general, not on government spending). It is just that their
| strategies are so so unbelievably bad no amount of money can
| produce an adequate system.
|
| Blue teams with a $1 Billion/year budget cannot prevent total
| compromise by red teams with a $1 Million/year budget. If you
| must outspend your attackers by 1000x you are doomed.
|
| For instance, in 2015 Microsoft committed to spending $1
| Billion/year in security research and development to securing
| their cloud, the second largest cloud in the world [1]. What is
| the result of such spending? A little over a month ago the
| default management agent they ship for managing Linux on Azure
| had a security defect that allowed local privilege escalation
| by sending an empty password [2]. Their processes are so bad
| that despite spending $1 Billion/year they can not detect and
| prevent themselves from releasing security 101 defects in
| default installs of widely deployed products. This is
| indicative of a grossly inadequate process in much the same way
| that a car factory delivering cars with no brake lines would
| indicate that factory and manufacturing process needs to be
| completely redesigned from the ground up and the entire team
| overseeing it replaced.
|
| The outrageous part is not that security is not being funded,
| it is that organizations and systems displaying such
| fundamental errors continue to get vast sums of money poured
| into them.
|
| [1] https://blogs.microsoft.com/blog/2015/11/17/enterprise-
| secur...
|
| [2] https://www.wiz.io/blog/secret-agent-exposes-azure-
| customers...
| umvi wrote:
| Which is harder: sneaking across the US border anywhere or
| preventing anyone from sneaking across the US border
| everywhere?
|
| Sure seems like a 1000:1 problem to me.
| johnny53169 wrote:
| > What is the result of such spending?
|
| Did they actually spend $1 billion? Or they did and spent on
| overpriced services? Without knowing what they did the amount
| is meaningless
| nixpulvis wrote:
| So what do we do? Just admit that it's all doomed forever?
| Perhaps the only question left at that point would be exactly
| what even needs to be blue and red team'd. In other words
| what is worth using at the risk of being abused. If you also
| assume infinite extent, then nothing is worth it because
| everything can cause harm.
|
| Otherwise, we actually do learn ways to converge towards more
| generally secure systems. Safer programming languages and
| safer hardware will lead the way, but it seems much slower
| this round than the stories we hear about the origins of
| everything.
| Veserv wrote:
| No, we just need systems 100-1000x better than prevailing
| commercial IT systems. Systems that do not quake in their
| boots at the thought of a single dedicated hacker, but are
| designed and expected to resist competent teams of tens or
| hundreds working full time for years since that is what is
| needed to reach basic parity.
|
| However, we will not find those techniques by following the
| standard commercial IT methodologies which were not
| designed for such a task. Just ask any architect of these
| systems if they could stop a team of 10 people working full
| time for 3 years. If even the people making it think it is
| absurd to defend against such a minimal effort there is no
| chance it is actually adequate.
|
| In fact, there is little reason to assume that the
| methodologies that can only get 0.1% of the way to solving
| the problem despite decades of work and tens of billions of
| dollars will ever converge to an adequate solution. It
| could be like trying to use the knowledge of horse buggy
| makers to determine how to make a machine faster than the
| speed of sound. And even if it could eventually get there
| it would require 100% improvements year over year for an
| entire decade to get there from existing commercial
| methodologies.
|
| No, it is far more reasonable to use systems that were
| actually designed for these environments and have actually
| demonstrated success, such as systems certified to Orange
| Book A1, and make them more practical since, as everybody
| knows, it is far easier to make a cheap, working design by
| starting with something that works and making it cheap than
| starting with cheap components and figuring out how to make
| something that works.
|
| As for how you can identify proven success you can just
| start with a $1 million red team exercise. If they are able
| to find _any_ material defects that means that there are
| likely many such defects and your processes can not prevent
| the occurrence of such trivial flaws and needs to be
| rethought. Only when there are _zero_ material defects are
| you at the starting line. Note that this is not an
| exhaustive test, rather it should be treated like the
| fizzbuzz of security design, a trivial softball to weed out
| the people that know nothing and the systems that do
| not work.
| nixpulvis wrote:
| Wait, so you're telling me all I have to do to get at
| that juicy $1B blue team is hire the $1M red team?
| Where's the catch!? /s
| ddingus wrote:
| An Apollo program for information systems? This isn't a
| bad idea.
| kibwen wrote:
| _> Just admit that it's all doomed forever?_
|
| No, because ultimately security isn't binary. If you can
| increase the cost to the attacker, that raises the bar for
| attacking you and reduces the number of potential
| attackers. And over time security practices _do_ get
| generally better, raising the tide for all boats; the
| problems right now are that we're still wrestling with the
| legacy of foundational systems designed in a pre-internet
| world where constant adversarial networking was not the
| norm, and more generally we keep increasing the attack
| surface by adding new things to the network. But once we
| have software/hardware stacks that have all been designed
| in a post-internet world (yeah, it'll take a while) and
| once we've finished networking everything that could
| reasonably be networked, there's hope enough to suspect
| that it will be possible to close the security gap to all
| but the most determined adversaries.
| nixpulvis wrote:
| > once we've finished networking everything that could
| reasonably be networked
|
| I highly doubt we'll come to terms on this one.
| bbarnett wrote:
| The real problem is, security needs to be inherent to how
| developers, managers, work. Instead, security is often a bolt
| on, after thought, or put off until "thing $x is done".
|
| One example, many popular frameworks. How do you audit every
| single piece of code brought in by, say, laravel? And how do
| you do it, if developers want to be able to reuse code?
|
| Answer? You cannot. At all. You can't even reliably handle
| license compliance.
|
| Yet, we use such frameworks, because security is not first,
| or even last sometimes. It's not part of the process, it's a
| thing to think about when a dev, a department has free time.
|
| Many companies have a security team, an audit team. What?!
| You don't get secure by having people look at security after
| development, and then spend time fighting over fiscal
| concerns, to get a code re-write.
|
| I think none of this will ever be fixed, until the CTO
| position becomes like the CFO position. Mandatory
| requirements, jailtime for CTOs if they breach certain
| regulations, and the authority for a CTO to tell everyone
| from board to CEO "no, thing X will be done".
|
| Yet no one wants that, because of cost, and a desire to get
| to market first.
| alisonkisk wrote:
| Why hire a red team if you can't afford to fix the problems
| they find?
| hn8788 wrote:
| They are doing stuff like that, but it doesn't make for sexy
| clickbait, so nobody posts it. For example, last week Microsoft
| released a patch for an exchange server exploit that NSA
| discovered and reported.
| rtkwe wrote:
| There's also the issue that there's no mechanism to force
| companies to keep servers up to date or face consequences so
| it's only possible to really do half the work. Blue teams
| could find every vulnerability out there but you'd still have
| companies running old versions or refusing to put out patches
| to their customers (and customers not updating devices
| deployed in their home).
| nixpulvis wrote:
| Wait, blue team gets to take credit for fixing the reports of
| red team?!
|
| This seems like normal old grey programming to me.
| Kalium wrote:
| It's also worth bearing in mind that the Departments of
| Commerce, Energy, Homeland Security, and Treasury all have
| efforts to this effect. And as you say, nobody writes
| articles about how the Department of Energy helped a solar
| operator figure out a patching strategy. It's boring.
|
| Energy effort here: https://www.energy.gov/national-security-
| safety/cybersecurit...
| godelski wrote:
| I mean it's HN, I'm happy to read and hear about that stuff.
| That is the kind of thing I want on the front page here.
|
| Also it does mean bad PR on their part, which is part of
| cultural warfare.
| corndoge wrote:
| I agree with you but please, no more outrage. We have enough
| outrage. Be a proponent of something without being outraged
| about it. It's not doing any good to be outraged and it's
| exhausting.
| yuuu wrote:
| Thanks for protecting us, outrage police!
| 1121redblackgo wrote:
| And does that make you the outrage police police?
| yuuu wrote:
| I'm just your regular outrage citizen thanking our local
| outrage police, no sarcasm whatsoever! They have an
| important duty to protect us from outraged people on the
| internet, and they put their lives on the line every day.
| [deleted]
| FpUser wrote:
| >"We have enough outrage"
|
| We who? I definitely do not feel that we have enough. If we
| did it would've percolated to some noticeable action.
| dane-pgp wrote:
| The government's strategy is probably a result of it being
| easier to maintain an advantage by keeping weapons secret than
| by distributing defences to only the good guys.
|
| It would be interesting to speculate how close we are to
| replacing all networked services with provably secure
| implementations (like the work of Project Everest[0]). Of
| course there's no such thing as perfect security (or perfect
| proofs), but I think we are close to reaching the point where
| attacking implementation flaws is less fruitful than attacking
| the software supply chain.
|
| In fact, we may already have reached that point, so I think
| that efforts to secure the supply chain (like sigstore[1]) and
| potential government efforts to attack it (like recent changes
| to iOS and Android[2]) deserve more focus.
|
| [0] https://project-everest.github.io/
|
| [1] https://security.googleblog.com/2021/03/introducing-
| sigstore...
|
| [2] https://news.ycombinator.com/item?id=27176690
| alisonkisk wrote:
| How is a Blue Team different from regular IT and Compliance
| work?
___________________________________________________________________
(page generated 2021-10-20 23:00 UTC)