Back in my early days in security, we had some geniuses learning specific hacks against systems so they could attack them, then apply for a job to fix the problems they had identified. It was a mild form of extortion. One of them was a company that identified a new thing: a virus that affected UNIX, which, like Apple, was once considered more secure than anything else out there. That virus was invented in a lab, along with an “antidote” which the company was going to sell. We all thought that was a dangerous thing to do. It is almost like inventing a new disease that might kill everyone on the planet, then developing a drug that can kill off the infection. What surprised us all in government was that our white knight turned out to be the National Security Agency (NSA). NSA sent lawyers around to talk to these folks and tell them that if this particular virus were to appear in the wild, they were going to be sued. I think I nearly fell on the floor when that happened.
I see similarities between that situation and the one Kim Zetter identifies in a Wired article earlier this month [Researchers Create First Firmware Worm that Attacks Macs, 3 August 2015]. Zetter says: “The Mac firmware research was conducted by Kovah, owner of LegbaCore, a firmware security consultancy, and Trammell Hudson, a security engineer with Two Sigma Investments. They’ll be discussing their findings on August 6 at the Black Hat security conference in Las Vegas.” They have identified a problem, built a lab worm to exploit it, and are now going to tell hackers everywhere what the problem is, no doubt making a market for themselves in the process. This is equally dangerous territory. There are lots of arguments for identifying vulnerabilities and developing cures for them, but this one is really on the edge of creating a problem and fixing it for profit. The government needs to take an interest in what they are doing and take a stance on whether or not it should be allowed to go on.
This entry was approved for public release and does not reflect the opinions of the Intelligence Community or the Federal Government.