33 comments

[ 3.5 ms ] story [ 76.4 ms ] thread
Upvoted despite vast disagreement because I (sort of) appreciate someone openly arguing this.
I'll second this. However, what happens if/when we build some automated system that deems anyone who questions this automation a terrorist? Or, what happens if such a system goes off the rails (and/or fails to allow a sea-change event in which this sort of technological oversight is no longer necessary.) If humanity wasn't suddenly rallying for AGI/ASI this might be a less important discussion point but, eh... double-edged swords.
Likewise, I disagree with the author's viewpoint but I think the conversation as a whole is an interesting one.
(comment deleted)
(comment deleted)
So much trouble over creating, funding, and arming “freedom fighters”/“moderate rebels” to (unsuccessfully) take down Assad. I think I concur with Google TAG here. I think exposing and fixing zero days is better than not doing so, simply because other countries can find them also. Which this article openly acknowledges thus defeating its own argument
Yep. 'sploit sellers from original researchers to marketplaces inherently trade greed for the public good, and so are less ethically constrained from not also selling into BRICS/nonaligned markets as well to double or triple their money. It's dirty shit.
Are you suggesting that western exploit sellers are selling bugs to western governments and also BRICS? that sounds not very likely.

All of this stuff is very complicated ethically, but I don't think you can simply say that it is always in the public good to expose bugs (stuxnet is a good example of a bug chain avoiding a far deadlier outcome)..

I've personally worked for vendors of software and done offensive research, and now I do neither.

GP is suggesting that not all exploit researchers are “western” or western aligned. Some of them are even nation state funded, and they’re often quite good.
Yep, I don't think there's any disagreement with that, especially when you look at things like Tianfu cup in general. Any country that can, essentially wants to do offensive cyber.
I personally am thankful to Google for doing the thing that's right for everyone(fixing security vulnerabilities) not just some "Western" countries as the author put it(not sure why the capital w but I am not a native english speaker)
The capital W is conventional - when talking about a place, a language, or a grouping of people, it's grammatically correct to capitalise the inital letter.

"I visited a few of America's major cities, and was especially struck by how many New Yorkers speak English as a second language. "

So it's correct to capitalise "Meanwhile, Western countries might [...]" but not "There's a brisk westerly wind coming in over the sea".

Isn't the confusion from the difference between "Western countries" as the group of countries typically within the euro/anglosphere and "western countries" as the countries in the western part of the world? One refers to a named group (and therefore capitalized, one refers to a geographical location).

I would call New Zealand a "Western country", but not a "western country". Chile is a "western country" but probably not a "Western country" (although the map linked seems to sometimes include it).

https://en.wikipedia.org/wiki/Western_world

Interesting blog post that was long overdue, I think Google should probably disclose all the details (URLs/actors responsible, methodology for catching these exploits ITW and targeting) around the ITW samples when they kill the bugs, so we can have nuanced discussion with actual facts. It would also help the threat intelligence industry ;)
I remain unconvinced that the benefits of secrecy are outweighted by the benefits of transparency. It's unfortunate that the threat actor was caught so hard, but that is the cost of doing business. Couching it as protect the children or punish the terrorists doesn't change the fundamentals. Police work, soldier work, IRS work. They all have to work within and around the "normal" world. They aren't allowed to just demand obeisance because it makes their job easier
maybe it's payback for the time the NSA hacked Google and were siphoning off data after HTTPS decryption
Google at least partially participated/volunteered in that, right?
They were not. (Though IIRC it was unclear from the leak that the IC were successful in targeting their servers; it just indicated that they had a good idea of how they might do that.)
The framing is absurd & fascist to the core.

Someone was cyber attacking Chrome. Unclear if Google had even so much as a guess they knew who from. There were bugs in Chrome. Google fixed the vulnerabilities, making the software obey the contract websites & users have with each other, & detailed why they were changing the open source code in such a fashion.

This is not burning an operation. Google didn't name any operation or country. Google probably didn't know who it even was!

If they had some guesses, & did try to pick up the phone & call say MI6, about this topic of leaving this exploit jeapordizing everyone running - which they may well have done (if they confidently track down the cyber attack) - the first most likely response is "we have no idea what you re talking about" in which case fixing the vulnerability & writing a blog post is basically the only remotely acceptible option. You spent a while trying to find out who the cyber attack is launching from, you've gone crazy far to do due diligence to track down whose attack it is, and they say it's not theirs. Ok your diligence was wrong, the cyber attack is coming from somewhere else or from multiple people, you need to resolve it.

Next option is whichever security agency either fesses up & does the right thing. Google addresses the vulnerabilities, and writes a blog post about them.

Or, stand-in Intelligence Agency [SIIA] declares, no, we're SIIA, and you're leaving the defect in place, because we say so.

It's unclear what the author is really protesting here? Bugs are critical to national security so we should let people exploit them? Oh that's exactly what they're saying.

> However, burning operations, no matter the actor and no matter the reason, demonstrates a grave misunderstanding of the critical role that cyber plays in reducing harm in the world.

'The military's active use of indiscriminate cyberwarfare trump's the right to find and correct defects.' Wow. That is a bold position.

I fully agree. Except I don't even think Google should "call" MI6 before publication. Nobody knows who else knew or used this vulnerability. Patching bugs is the right thing to do period.

>Bugs are critical to national security so we should let people exploit them? Oh that's exactly what they're saying.

The author is just a tiny step from saying that the government should have a right to exploit every device and decrypt every communication. It's a scary and authoritarian position, but sadly quite common for IT people working in law enforcement. From experience they are good people with good intentions, but we know what the road to hell is paved with.

How are Google (and other security researchers) supposed to know that they are about to disturb a counter-terrorism operation?
When you're in the field, you know, especially when you're at Project Zero, which hired a lot of former NSA TAO.
> especially when you're at Project Zero, which hired a lot of former NSA TAO.

Citation needed?

It's not true anymore due to the new generation of hackers that came up, and it's unpolite to dox them if they don't want to be known for it, but for a period, about a third of Google Chrome/Project Zero security all came from ex Western govts (or contractors) - you can find vague mentions on dailydave mailing list about this.
also TAG and other Google security people hired from former Western sigint :)
How is it that these people became so disillusioned with the mission that they're now actively working against it?
I'm a security researcher close to the field of the author. I'm usually very sceptical of what Google is doing.

In this case though, Google really did nothing wrong. They did what they should to protect their users. They didn't know they're interfering with a counter terrorist operation (according to the post), and even if they knew, who knows how many other less commendable operations they disrupted. And who knows who else was using the same vulnerabilities? I'm sure if Google disrupted Chinese or Russian operation the author would be very happy about that.

>However, burning operations, no matter the actor and no matter the reason, demonstrates a grave misunderstanding of the critical role that cyber plays in reducing harm in the world.

I honestly don't understand what the author tries to convey. What about Iranian operations targeting independent journalists? What about Chinese operations against Uyghurs? Is it also not OK to disrupt those? How should Google decide which operations are OK to disrupt? Especially since they don't really have full insight into campaigns.

This is a real "think of the children" style argument the author is making. I'm sure if there are some unsavory operations that have been burnt they will not be trotted out.
TLDR:

USA should be allowed to use 0 days for their "counter" terrorism operations. This is interesting at the time of USA being complicit in a genocide against a community.

In the paraphrasing of Chomsky, nationstate press conference lingo has subtle connotations. "Spreading democracy" means "whatever America wants", which means "whatever American businesses want." Gen. Smedley Butler probably would second it.

As an aside, I'm concurrently and in parallel concerned about the domestic front: cheap IoT, substitute control system products having backdoors, and supply chain vulnerabilities of otherwise reputable products being implanted in an NSA COTTONMOUTH, FIREWALK, or GODSURGE manner by other nation-states or ransomware actors.

Maybe instead of spending taxpayer money on weaponized 'sploits from Zerodium while keeping everyone vulnerable, these three letter agencies should get off their lazy asses and develop HUMINT and use conventional intelligence sources and methods.
firstly, very unlikely that zerodium are supplying bugs they use (could be internally developed, or developed by a more trusted domestic defence contractor).

What about if the targets are like Osama Bin Laden's (* INSERT MORE MODERN TERRORIST) family (I have no idea who they are targeting).

Are you meant to have some dude speak arabic and become close friends with the top terorist leaders? Like how do you propose that even work? Would HUMINT actually work in those cases?

I think it's a nice idea for everyone to work on fixing the vulnerabilities, I don't think that will scale with whatever organisations mandate to stop terrorism or whatever.

Part of the game... With Crowdstrike, Mandiant, Google, Kaspersky, etc, it's hard to remain undetected these days !