Software vulnerability secrets kept hidden, are you really safer?
Keeping known software vulnerabilities secret, and the CIA, NSA and FBI's work on breaking encryption, is bad for the security of all of us, not good.
Recently there have been reports about the big three government agencies and breaches of their own material that have been leaked to WikiLeaks and other media organizations. Leaks like these can themselves be a problem when the goal is keeping the country safe, as many people will point out. This entry will not argue whether the leaks are good or bad; it looks at what was leaked, and at the tools and technology the agencies say keep you safe but which really make you less safe.
As of this writing, WikiLeaks has published a batch of leaked CIA documents that show some of the methods the agency uses to gather data on people and groups. The agencies say that if they hold these tools and attack techniques to get into "the bad guys'" systems, we are all safer. This is wrong thinking, but given the agencies' philosophy it is not all that surprising. At its core, it rests on them knowing something you, as an outsider, do not. The belief is that they alone know about a given vulnerability, so by holding it they can use it, as they put it, "to protect" the homeland and stay one step ahead of the evil people. As any security expert will tell you, this is very short-sighted.
There are many people in other companies, agencies and countries who are just as smart as, or smarter than, the people who work at the government agencies. The mindset that they are the only ones clever enough to find a given issue is the key problem. They may hold it exclusively today, but tomorrow or the day after another attacker or researcher may find the same bug and either sell it or use it for their own profit.
Even if the agencies really were the only ones holding the attack knowledge, there is no way to be sure they can keep it secure within their own walls, and the leak discussed here shows exactly that failure. Many times the agencies will respond that they need the software hole to catch the bad guy. That is dishonest on one side and points to laziness on the other. The agencies have many other methods; yes, they may take a bit longer, but they still work, and they do not put a large number of people at risk from other groups learning the same attacks. They simply need to do the ordinary police work that was done for years before smartphones and laptops were in general use.
What needs to happen to make us all safer is for the agencies to tell the software developers the moment they find a vulnerability, and to work with the companies to fix it quickly so it does not become a hazard for everyone. This can be done without creating security problems between the government and the businesses the issues affect. Here are two possible solutions; there are more, but for space I chose these:
Option one – Have each agency contact the software or hardware maker directly, report the vulnerability, and, if the agency has a fix, hand that over as well. A deadline must come with the report, so the problem does not get parked on the sideline the way many software bugs have been when the vendor's staff decide it costs too much to fix. This option has weaknesses: how will the agency know the patch is actually being worked on, rather than put on the back burner because the device or software is no longer a top seller and there is no incentive to spend money keeping it updated? Another issue is public perception that the government is meddling in how software is built. And will the agency even know whom to contact to say "we found a problem, here it is," so the report reaches the right person in a timely manner?
Option two – Create a department whose entire purpose is to be the "middle man" between the government agencies and the businesses affected by the security holes. The business sees only that one department, and the agencies see only that one department. This separation means there should be no opportunity for overreach or back-door dealing between government and business, which would frighten many people. The department would be audited regularly by outside groups not controlled by the government to check for wrongdoing. It would also act as an overseer, making sure the issues actually get patched on time. It would be staffed by security and business people who understand how the reported issues work.
If we do nothing and keep the vulnerabilities known only to a select few, we are destined never to be truly safe or secure. The next attack on the grid, or on your smartphone, could have been prevented. The sad part of this leak is that few people seem to care or be in an uproar about it. Maybe we have been beaten down so much that we have come to expect to be spied on.
If we believe we are better off this way, then we deserve whatever we get, or do not get, as a result.