[HN Gopher] U.S. tightens export controls on items used in surve... ___________________________________________________________________ U.S. tightens export controls on items used in surveillance of private citizens Author : transpute Score : 170 points Date : 2021-10-20 18:14 UTC (4 hours ago) web link (www.commerce.gov) | [deleted] | aasasd wrote: | Did a US government site just slap me with a modal popup offering | to snatch my email address off me? Before I had a chance to see | anything on the site? | | I absentmindedly closed it immediately at first, and had to | delete the site's cookies to check if I saw that right. | wyager wrote: | Those are only for our government to use! | viro wrote: | Yeah, because NSO Group has taught us that we can't trust | governments not to abuse these tools; for example, Mexico's | and in turn the cartel's use of Pegasus. | NotSammyHagar wrote: | Yes, it's Israel that needs to do this, perhaps much more | than the US, because it's the Israeli company's tools that | have found their way into the hands of people surveilling | protesters across the world. I'm sure US companies have | nefarious technical hacking tools too, but why do all those | reports list Israel? Let's help stop these kinds of tools | worldwide. | 908B64B197 wrote: | I sometimes wonder if we should go one step further and help | get as many Starlink dishes as possible into | China/Russia/Iran/Cuba/NK (the worst offenders in terms of | censorship and human rights violations) to finally give their | population access to real, free information instead of whatever | heavily censored network the local regime allows. | mleonhard wrote: | People in China/Russia/Iran can use proxy services to bypass | censorship. Such services are much cheaper than Starlink | connections and far easier to set up and maintain. | | Starlink satellites route through ground stations which are | subject to local controls [0]. 
| | Communication between satellites and the earth is governed by | international treaties [1]. Every country controls radio | spectrum use in their borders [2]. Starlink must obtain | spectrum licenses and comply with local laws. If Starlink were | to route traffic to ground stations outside of the country to | evade local controls, the country would simply revoke their | spectrum license. If Starlink decided to operate without a | license, the US government would be forced to either stop them | or break numerous international treaties. | | I doubt that helping people circumvent censorship will have | long-term positive impact. Censorship is a symptom of bad | government, not a cause. For example, both the United States | and Israel have low censorship. Yet, according to [3, 4, 5 | + 6], the United States and Israel would be included in a list | of "the worst offenders in terms of censorship and human rights | violations". Also, the UK and Singapore have strong censorship [7, | 8] and perform few human rights violations nowadays. | | [0] https://hackaday.com/2020/02/20/how-does-starlink-work- | anywa... | | [1] | https://oxfordre.com/planetaryscience/view/10.1093/acrefore/... | | [2] | https://www.itu.int/en/mediacentre/backgrounders/Pages/itu-r... | | [3] https://en.wikipedia.org/wiki/Drone_strikes_in_Pakistan | | [4] https://en.wikipedia.org/wiki/Iraq_War | | [5] https://www.btselem.org/ | | [6] https://www.jewishvirtuallibrary.org/u-s-vetoes-of-un- | securi... | | [7] | https://en.wikipedia.org/wiki/Censorship_in_the_United_Kingd... | | [8] https://en.wikipedia.org/wiki/Censorship_in_Singapore | 55873445216111 wrote: | China could always shoot down some satellites if Starlink | allowed access in China without approval. Yes, there are thousands | of Starlink satellites, but I doubt SpaceX wants to get into | this kind of a fight. | bob1029 wrote: | In my estimation, this is an asymmetric battle that China | would not be able to win. 
| | How many satellites can China intercept per launch? | | How many satellites can SpaceX (currently) put up per launch? | BatFastard wrote: | Yes, but once that orbit is full of debris, it becomes | useless, effectively disabling all satellites in that orbit | over time. | mleonhard wrote: | Starlink satellites use low orbits. Any debris they | create will quickly de-orbit. | retzkek wrote: | > How many satellites can SpaceX (currently) put up per | launch? | | Probably rhetorical, but I'll be that guy: 50-60 on Falcon | 9, up to 400 planned on Starship. | elliekelly wrote: | I've tried to read the (currently unpublished) interim final rule | to see what's been added but with all of the ECCN, country | groups, and license exceptions cross-referenced it's practically | incomprehensible: [PDF] https://public-inspection.federalregister.gov/2021-22774.pdf | averysmallbird wrote: | The new controls are for "intrusion software" (e.g. malware) | and "IP network communications surveillance systems or | equipment." | | There are specific definitions for those terms with technical | specifications. Then there are licenses/exemptions that mean | you don't have to seek a license if you are selling to | nongovernment customers in certain (friendlier) countries. | There are also larger exemptions in export controls related to | commercial off the shelf equipment and fundamental research | that would apply as well. | | Generally the takeaway is that if you're selling malware, | exploits, or network surveillance equipment, you might want to | talk to an export control lawyer first. | nixpulvis wrote: | Are there any nice tools for resolving cross references like | this in a body of text? | | I don't deal with legal documents enough (luckily) to have ever | really needed this, but it would be a nice thing to know how to | use if needed, or on creative document sets. 
Essentially I'm | asking for something where I can import a set of machine- | readable text (or OCR'd), set a grammar for references in | context, and then easily click through. If it's easy enough to | extend the grammar I could probably link new things up as I go | when new kinds of references pop up. Trying to get too smart | about things like acronyms might be a step too far though; I | want to be able to trust this tool completely. | tossaway9000 wrote: | There are lots of interesting bits in there though, such as: | | > List of Items Controlled | | > a. Any type of telecommunications equipment having any of the | following characteristics, functions or features | | > a.2. Specially hardened to withstand gamma, neutron or ion | radiation; | | Is ECC memory now a controlled item? | stagger87 wrote: | > is ECC memory now a controlled item? | | What you meant to ask is, "Is telecommunications equipment | using ECC memory controlled under 5A001?", and the answer is | no, a.2 refers to rad-hard components. | | The key words are "specifically hardened to ..." instead of | something like "using any technology that might help with | ...". Generally the CCLs never use vague wording like this. | duskwuff wrote: | No. ECC memory isn't "hardened" in the technical sense | intended here; it's simply error-detecting. | | What this primarily refers to is hardware which has been | fabricated on an exotic semiconductor process (like silicon-on-insulator | substrates) to resist radiation-induced upsets | or latchup. This hardware is almost exclusively used in | military and space applications; it's basically nonexistent | in the consumer space. | thereddaikon wrote: | I wish it were, but then again I'm not ready to spend $20k | on a cellphone with performance from 2005. | idiotsecant wrote: | >I wish it were | | Why? | InitialLastName wrote: | Do you often find your devices facing issues from bit | flips due to excess radiation? 
| speed_spread wrote: | Wasn't SOI standard in CPU production at some point in the | last 20 years? AMD I think used it for Athlons. | hulitu wrote: | So they will not export Android, iOS, MS Windows, Alexa, Intel, | AMD, Qualcomm, Adobe and others? | [deleted] | kfprt wrote: | I read this as surveillance targets everyone. If it hurts US | billionaires it hurts US national interests and we get a | law/rule/regulation. | https://en.wikipedia.org/wiki/Jeff_Bezos_phone_hacking | sharmin123 wrote: | Facebook Safety Tips: Take Steps Now and Avoid Hacking: | https://www.hackerslist.co/facebook-safety-tips-take-steps-n... | nixpulvis wrote: | I find it deeply ironic that an authority is using its powers to | implement regulation (goodness or badness aside) which claims to | "help ensure that U.S. companies are not fueling authoritarian | practices". | | Somehow I doubt this will lead to myself being any less | surveilled... but maybe I'm just being cynical. I want power to | the people! But we are all just so damn stupid these days. | [deleted] | ceejayoz wrote: | > The United States Government opposes the misuse of technology | to abuse human rights or conduct other malicious cyber | activities... | | Well, that's news. When did that change? | [deleted] | tremon wrote: | I'm guessing since they built a national data hoovering | apparatus that can already surveil the entire world, they want | all their surveillance technology (including Google and | Facebook) to remain under national control. | em500 wrote: | Right. They're certainly not going to ban Google and Facebook | from operating abroad, as a naive reading might suggest. The | rules look so vague to me that it looks like just another way | to justify the ruling US prez banning whatever he dislikes on | a whim. | viro wrote: | You honestly have a silly definition of surveillance. You | choose to give fb/google that information about you. 
| ¯\_(ツ)_/¯ | orthecreedence wrote: | Opt-in surveillance can still be surveillance, especially | if you don't tell people what it really is. | viro wrote: | No, it's not. That doesn't follow ANY definition of | surveillance. Just because you replied to my comment and | gave me your username doesn't mean I'm performing | surveillance against you. That's silly and that is | exactly how your definition would work. | em500 wrote: | At least Facebook also tracks logged-out users and non- | users. | tremon wrote: | You honestly have a silly definition of choice. | | If I want to order from a webshop that relies on | googleapis.com or uses recaptcha, how much choice do I | realistically have? How aware of web bugs (Facebook and | Twitter logos, for example) do you think the average | Internet user is? | viro wrote: | You have plenty of choice. Your choice might have | consequences but you still have the choice. Most users | are fully aware of how tracked the free internet is. | powersnail wrote: | That reminds me of some earlier definitions of rape where | the victim is required to have fought against the rapist. | Otherwise, they had "chosen" to yield to the perpetrator. | gumby wrote: | Says right in the release, emphasis mine: | | > _Today's_ rule .... Comments to the rule must be received in | no later than 45 days from today, and the rule will become | _effective 90 days from today_. | | The notice is dated today, 20 October. | brink wrote: | Right after the polls fell and didn't bounce. | BitwiseFool wrote: | > The United States Government opposes the misuse of technology | to abuse human rights or conduct other malicious cyber | activities... | | (When _other_ nations do it, and without our permission) | viro wrote: | This is funny because people lose their damn minds about | WHO... NSO sells their products to. | matheusmoreira wrote: | I simply don't understand how the US can issue statements | like these given the existence of CIA, NSA, etc. 
| BitwiseFool wrote: | As a cynical American, I can't help but share this satire: | | https://youtu.be/ZsISWO4INTo?t=98 | | "Think of it, an entire nation founded on saying one thing, | and then doing another!" | jackTheMan wrote: | So Apple cannot export the 'pedophile' image search to China? | fidesomnes wrote: | what about public citizens? | m0zg wrote: | Apple, Google, Facebook and Twitter, the main surveillance tools | of our kakistocratic regime, are going to get decimated. | colecut wrote: | No change in things used to blow them up. | wolverine876 wrote: | There are many export controls for those. Often you need | specific permission. | markdown wrote: | Which is granted to terror regimes like Saudi Arabia, Israel, | etc. | wolverine876 wrote: | We may dispute the wisdom of the decisions, but there are | certainly strict export controls on military equipment. For | example, exporting nuclear submarines to Australia is big | news because it's a major exception. F-22 fighter planes | cannot be exported to anyone, by law. | jt_thurs_82 wrote: | I'm trying to dig through this to understand what it means, but I | am far from an expert on regulations or legalese. I'm looking | forward to any breakdowns and explanations/annotations of the | passages in this article and rule. If anyone has any, please let | me know in the reply? | elliekelly wrote: | I'm a regulatory lawyer (but I have no experience with export | controls) and I can't decipher the rule either. I actually | wonder how anyone is able to confidently draft and revise such | a long document with so many complex cross-references: | | > License Exception ACE eligibility is added for 5E001.a (for | 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), or | 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)). 
License | Exception STA conditions is revised to remove eligibility for | 5E001.a (for 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for | 5A001.j), or 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)) to | destinations listed in Country Groups A:5 and A:6 (See | Supplement No. 1 to part 740 of the EAR for Country Groups). | License Exception TSR is revised to remove eligibility for | "technology" classified under ECCN 5E001.a for 5A001.j, 5B001.a | (for 5A001.j), ECCN 5D001.a (for 5A001.j), or 5D001.c (for | 5A001.j or 5B001.a (for 5A001.j)). | | It's like a logic puzzle. | | Edit: Looking at this random paragraph again, it seems | they're missing a few closing parens, so maybe the answer to how | they confidently draft and revise these documents is... they | don't. | dharmab wrote: | I bet it's derived from some big Excel sheet. | mschuster91 wrote: | You wish. This kind of stuff is all too often manually | managed and copy-pasted between Word documents. | codazoda wrote: | I can't help but wonder if encryption export controls will be | slipped into this mess. Seems like a good place to hide them | but I don't have time to drudge through this at the moment. | kfprt wrote: | We're way past that, the horse has bolted. | codazoda wrote: | Are you saying we're way past the point where encryption | could be restricted from export in the U.S.? Because | encryption exports are controlled and when I first started | programming they were completely illegal. Every once in a | while new legislation is proposed to make these exports | illegal again, usually to "save the children". | | https://en.wikipedia.org/wiki/Export_of_cryptography_from_th... | | Based on other comments here, I'll assume there is no | hidden agenda on encryption here but a document this messy | is probably hiding "stuff" (on purpose or not). | zorked wrote: | Encryption is restricted from export in the US. 
I've had | to submit forms to do things as trivial as buying | microcontrollers from TI which happened to have AES | instructions. | | No idea why I can go into a store and buy an infinitely | more powerful Intel laptop without a form, though. | joconde wrote: | With AES widely available in free code, adding export | controls today wouldn't seem to do much damage to | symmetric crypto at least. | | Maybe post-quantum schemes could be affected, but it's | only a question of time until people agree on a standard, | and if that one gets exported and doesn't get broken, | controlling crypto exports won't prevent anyone from | using secure ciphers. | johnwalkr wrote: | I doubt it. The link says it's consistent with Wassenaar | Agreement (WA) negotiations, which is the international | export control agreement that is quite well harmonized across | many nations. WA has a lot of restrictions on encryption, but | a huge carve-out for most items that says encryption on | commercially available devices is exempt. | averysmallbird wrote: | There are already export controls on encryption. Have been for | decades. | encryptluks2 wrote: | Yet they will allow Chinese routers that require an app on your | phone to use and where you can't turn off the cloud | functionality. Looking at you, TP-Link. | edge17 wrote: | Is it illegal in the US to sell zero-day exploits, or to package | up zero-day exploits into nice usable tools? My understanding is | that it is not illegal, but something like this perhaps gives the | US a tool to pursue and/or prosecute individuals that engage in | these types of sales when they are selling to the 'wrong' | customer (the 'right' customer being NSA or other US intelligence | gathering operations). | wil421 wrote: | Read the book _This Is How They Tell Me the World Ends: The | Cyberweapons Arms Race_ by Nicole Perlroth. | | There are a few chapters in the beginning about the history of | the exploit market. Haven't finished it yet. 
| | To my knowledge it's not illegal to sell vulnerabilities. If | you're not a government contractor selling/contracting to the | US government it would be illegal to sell exploit chains or | working software that uses the exploits/malware, what have you. | The book touches on how they sold multiple of the same zero | days to multiple agencies. It got to the point where one of the | guys was like, you (3 letter agencies) need to talk to each | other and stop wasting taxpayer money. | OminousWeapons wrote: | To my knowledge, it is illegal to sell exploit kits to actors | that you know are going to use the kits to commit crimes (e.g. | if someone sends you an email saying "I'm looking for an | exploit kit so that I can attack company X and steal their IP", | you cannot legally sell to them). It is otherwise legal to | sell, rent, or give away exploits to the general public or to | resellers like Zerodium as long as they are not marketed as | criminal tools. | edge17 wrote: | For sure, but in practical terms these types of dealings | often have middlemen and the end buyer is often not known | (by design). Everything I know is from podcasts and books, so | I'm not an authority on the subject, though I would point | out that the enormous amount of red tape in the west tends to | be something that westerners seem to project onto the rest of | the world. In much of the world, things are just far more | loose. | eggbrain wrote: | For those of you (like me) who weren't sure exactly how to | interpret the rule based on the link above or the original PDF, I | believe this Washington Post article from today also summarizes | it: | | https://www.washingtonpost.com/national-security/commerce-de... | axiosgunnar wrote: | So Facebook will not be accessible from abroad? Great! | godelski wrote: | One thing I've never understood is why blue teams don't get as | much funding. Cyber defense is much harder than cyber offense. 
I | know there is a lot you can do by tracking citizens and a lot of | information you can get, but if you're not blue teaming your | country then an adversarial country can use exactly all those | same tools you're excited about using on your adversaries. I feel | the red teams get all the money and the blue teams get pushed off | to the side. I do want to keep red teams, but I want to see NSA | also doing bug bounties, increasing security in Android and iOS, | strengthening the internet, etc. Why is this not happening? Why | are we also not outraged about this? | michael1999 wrote: | Publicly, Poindexter and the rest of the criminals under Bush | Jr. went all-offence and launched the Information Awareness | Office [0] to pursue a strategy of Total Information Awareness | [1]. They wanted to ramp up ECHELON to hoover the whole world, | started hoarding 0-days, and eventually created a whole | industry to shop exploits. Now that is a business, nobody is | going to make director leading the blue team. | | Privately, I speculate that they also assessed the state of | play and just gave up. Microsoft back then still believed that | code-signing would fix their bug-of-the-week run. Industry | security practices were so weak as to be non-existent. Hell - | telnet was still common. | | The only nice thing I can say about it was they had an | amazingly honest logo [2]. That is, until Congress freaked out | and made them hide it all behind a big SECRET sign. And so we | heard little more about it except via a steady drip of | whistleblowers like Mark Klein, Thomas Drake, William Binney, | and Snowden. | | [0] - | https://en.wikipedia.org/wiki/Information_Awareness_Office [1] | - https://en.wikipedia.org/wiki/Total_Information_Awareness [2] | - | https://en.wikipedia.org/wiki/Information_Awareness_Office#/... | aemreunal wrote: | Also, recently, the FBI "hacked" into Exchange servers that were | vulnerable (with court authorization) to patch them [1], so it | does happen. 
But I agree with your sentiment that it doesn't | happen as often as it should. | | The public perception seems to be that the US doesn't spend | as much on hardening its and its people's defenses as | it does on surveilling people. | | [1]: https://techcrunch.com/2021/04/13/fbi-launches-operation- | to-... | nonameiguess wrote: | The NSA does perform that function for the government. They | protect DoD and IC assets and critical civilian computing | infrastructure. They created SELinux and sponsored many of the | major cryptographic standards out there. They don't actively | provide defense for iOS and Android because those are products | owned by trillion dollar private companies who can pay for | their own security, not expect publicly-funded agencies to do | it for them. | | The Internet is an interesting case. Nobody owns it. It isn't | even American. The fact that it was originally created by and | for universities that all implicitly trusted each other has led | to a whole lot of security flaws baked into the core | assumptions of the most basic protocols. But the NSA does | protect the hell out of military networks. Military and IC | networks are absolutely nothing like the Internet. There is an | inherent difficulty in bringing the same assurance to public | networks, though, because nobody on a military network expects | to be anonymous or to have any privacy. Users implicitly trust | the network's central authority. They have to because they work | for it. Security is a lot easier with a trusted central | authority. | spydum wrote: | I think the root of this is you cannot buy "security". It has | to be part of the engineering ethos at all levels. This gets | really hard to do at scale. Pouring money into blue teams is | too late in the process. | FpUser wrote: | This. If you want something secure everything has to be | created from scratch. The OS, languages, tooling, every | software etc. etc. Nobody will ever do that. 
And even if they | did, something will fuck it up on a higher level. | LogonType10 wrote: | It seems like you think that red teaming and blue teaming works | much like an RPG game where you can spend skill points on | perks, but blue team perks (like tier 1 endpoint defense) cost | more skill points than red team perks. I don't think this is an | accurate mental model, and I'd rather frame it like this: | exploits are secrets, and when you learn the secret, you can | share it with others as well as develop the countermeasure to | the exploit. If you spend a lot of money discovering a useful | exploit it is by definition something nontrivial that is | unlikely to be discovered by regular hackers unless it is | leaked or discovered after careless usage. If you discover an | exploit that an enemy will soon discover, it is to your | advantage to publish the countermeasures to the exploit before | your opponent discovers and weaponizes it. | Veserv wrote: | Blue teams do get lots of funding (edit: I am speaking in | general, not on government spending). It is just that their | strategies are so, so unbelievably bad no amount of money can | produce an adequate system. | | Blue teams with a $1 Billion/year budget cannot prevent total | compromise by red teams with a $1 Million/year budget. If you | must outspend your attackers by 1000x you are doomed. | | For instance, in 2015 Microsoft committed to spending $1 | Billion/year in security research and development to securing | their cloud, the second largest cloud in the world [1]. What is | the result of such spending? A little over a month ago the | default management agent they ship for managing Linux on Azure | had a security defect that allowed local privilege escalation | by sending an empty password [2]. Their processes are so bad | that despite spending $1 Billion/year they cannot detect and | prevent themselves from releasing security 101 defects in | default installs of widely deployed products. 
This is | indicative of a grossly inadequate process in much the same way | that a car factory delivering cars with no brake lines would | indicate that the factory and manufacturing process need to be | completely redesigned from the ground up and the entire team | overseeing it replaced. | | The outrageous part is not that security is not being funded, | it is that organizations and systems displaying such | fundamental errors continue to get vast sums of money poured | into them. | | [1] https://blogs.microsoft.com/blog/2015/11/17/enterprise- | secur... | | [2] https://www.wiz.io/blog/secret-agent-exposes-azure- | customers... | umvi wrote: | Which is harder: sneaking across the US border anywhere or | preventing anyone from sneaking across the US border | everywhere? | | Sure seems like a 1000:1 problem to me. | johnny53169 wrote: | > What is the result of such spending? | | Did they actually spend $1 billion? Or did they spend it on | overpriced services? Without knowing what they did the amount | is meaningless. | nixpulvis wrote: | So what do we do? Just admit that it's all doomed forever? | Perhaps the only question left at that point would be exactly | what even needs to be blue and red teamed. In other words, | what is worth using at the risk of being abused? If you also | assume infinite extent, then nothing is worth it because | everything can cause harm. | | Otherwise, we actually do learn ways to converge towards more | generally secure systems. Safer programming languages and | safer hardware will lead the way, but it seems much slower | this round than the stories we hear about the origins of | everything. | Veserv wrote: | No, we just need systems 100-1000x better than prevailing | commercial IT systems. Systems that do not quake in their | boots at the thought of a single dedicated hacker, but are | designed and expected to resist competent teams of tens or | hundreds working full time for years since that is what is | needed to reach basic parity. 
| | However, we will not find those techniques by following the | standard commercial IT methodologies which were not | designed for such a task. Just ask any architect of these | systems if they could stop a team of 10 people working full | time for 3 years. If even the people making it think it is | absurd to defend against such a minimal effort there is no | chance it is actually adequate. | | In fact, there is little reason to assume that the | methodologies that can only get 0.1% of the way to solving | the problem despite decades of work and tens of billions of | dollars will ever converge to an adequate solution. It | could be like trying to use the knowledge of horse buggy | makers to determine how to make a machine faster than the | speed of sound. And even if it could eventually get there | it would require 100% improvements year over year for an | entire decade to get there from existing commercial | methodologies. | | No, it is far more reasonable to use systems that were | actually designed for these environments and have actually | demonstrated success, such as systems certified to Orange | Book A1, and make them more practical since, as everybody | knows, it is far easier to make a cheap, working design by | starting with something that works and making it cheap than | starting with cheap components and figuring out how to make | something that works. | | As for how you can identify proven success, you can just | start with a $1 million red team exercise. If they are able | to find _any_ material defects that means that there are | likely many such defects and your processes cannot prevent | the occurrence of such trivial flaws and need to be | rethought. Only when there are _zero_ material defects are | you at the starting line. Note that this is not an | exhaustive test, rather it should be treated like the | fizzbuzz of security design, a trivial softball to weed out | the people that know nothing and the systems that do | not work. 
| nixpulvis wrote: | Wait, so you're telling me all I have to do to get at | that juicy $1B blue team is hire the $1M red team? | Where's the catch!? /s | ddingus wrote: | An Apollo program for information systems? This isn't a | bad idea. | kibwen wrote: | _> Just admit that it's all doomed forever?_ | | No, because ultimately security isn't binary. If you can | increase the cost to the attacker, that raises the bar for | attacking you and reduces the number of potential | attackers. And over time security practices _do_ get | generally better, raising the tide for all boats; the | problems right now are that we're still wrestling with the | legacy of foundational systems designed in a pre-internet | world where constant adversarial networking was not the | norm, and more generally we keep increasing the attack | surface by adding new things to the network. But once we | have software/hardware stacks that have all been designed | in a post-internet world (yeah, it'll take a while) and | once we've finished networking everything that could | reasonably be networked, there's hope enough to suspect | that it will be possible to close the security gap to all | but the most determined adversaries. | nixpulvis wrote: | > once we've finished networking everything that could | reasonably be networked | | I highly doubt we'll come to terms on this one. | bbarnett wrote: | The real problem is, security needs to be inherent to how | developers and managers work. Instead, security is often a bolt-on, | an afterthought, or put off until "thing $x is done". | | One example: many popular frameworks. How do you audit every | single piece of code brought in by, say, Laravel? And how do | you do it, if developers want to be able to reuse code? | | Answer? You cannot. At all. You can't even reliably handle | license compliance. | | Yet, we use such frameworks, because security is not first, | or even last sometimes. 
It's not part of the process, it's a | thing to think about when a dev or a department has free time. | | Many companies have a security team, an audit team. What?! | You don't get secure by having people look at security after | development, and then spend time fighting over fiscal | concerns, to get a code re-write. | | I think none of this will ever be fixed, until the CTO | position becomes like the CFO position. Mandatory | requirements, jail time for CTOs if they breach certain | regulations, and the authority for a CTO to tell everyone | from board to CEO "no, thing X will be done". | | Yet no one wants that, because of cost, and a desire to get | to market first. | alisonkisk wrote: | Why hire a red team if you can't afford to fix the problems | they find? | hn8788 wrote: | They are doing stuff like that, but it doesn't make for sexy | clickbait, so nobody posts it. For example, last week Microsoft | released a patch for an Exchange server exploit that NSA | discovered and reported. | rtkwe wrote: | There's also the issue that there's no mechanism to force | companies to keep servers up to date or face consequences, so | it's only possible to really do half the work. Blue teams | could find every vulnerability out there but you'd still have | companies running old versions or refusing to put out patches | to their customers (and customers not updating devices | deployed in their home). | nixpulvis wrote: | Wait, blue team gets to take credit for fixing the reports of | red team?! | | This seems like normal old grey programming to me. | Kalium wrote: | It's also worth bearing in mind that the Departments of | Commerce, Energy, Homeland Security, and Treasury all have | efforts to this effect. And as you say, nobody writes | articles about how the Department of Energy helped a solar | operator figure out a patching strategy. It's boring. | | Energy effort here: https://www.energy.gov/national-security- | safety/cybersecurit... 
| godelski wrote: | I mean it's HN, I'm happy to read and hear about that stuff. | That is the kind of thing I want on the front page here. | | Also it does mean bad PR on their part. That is part of | cultural warfare. | corndoge wrote: | I agree with you but please, no more outrage. We have enough | outrage. Be a proponent of something without being outraged | about it. It's not doing any good to be outraged and it's | exhausting. | yuuu wrote: | Thanks for protecting us, outrage police! | 1121redblackgo wrote: | And does that make you the outrage police police? | yuuu wrote: | I'm just your regular outrage citizen thanking our local | outrage police, no sarcasm whatsoever! They have an | important duty to protect us from outraged people on the | internet, and they put their lives on the line every day. | [deleted] | FpUser wrote: | >"We have enough outrage" | | We who? I definitely do not feel that we have enough. If we | did it would've percolated to some noticeable action. | dane-pgp wrote: | The government's strategy is probably a result of it being | easier to maintain an advantage by keeping weapons secret than | by distributing defences to only the good guys. | | It would be interesting to speculate how close we are to | replacing all networked services with provably secure | implementations (like the work of Project Everest[0]). Of | course there's no such thing as perfect security (or perfect | proofs), but I think we are close to reaching the point where | attacking implementation flaws is less fruitful than attacking | the software supply chain. | | In fact, we may already have reached that point, so I think | that efforts to secure the supply chain (like sigstore[1]) and | potential government efforts to attack it (like recent changes | to iOS and Android[2]) deserve more focus. | | [0] https://project-everest.github.io/ | | [1] https://security.googleblog.com/2021/03/introducing- | sigstore... 
| | [2] https://news.ycombinator.com/item?id=27176690 | alisonkisk wrote: | How is a Blue Team different from regular IT and Compliance | work? ___________________________________________________________________ (page generated 2021-10-20 23:00 UTC)