Should U.S. Hackers Fix Cybersecurity Holes or Exploit Them?

H

HardOCP News

[H] News
Joined
Dec 31, 1969
Messages
0
Honestly, how is this even a question? I'd like to think most of you would do the right thing. Wouldn't you?

Unpublished vulnerabilities are called “zero-day” vulnerabilities, and they’re very valuable because no one is protected. Someone with one of those can attack systems world-wide with impunity. When someone discovers one, he can either use it for defense or for offense. Defense means alerting the vendor and getting it patched.
Click to expand...
 
Test it on NSA servers, see if they've patched for it already...
 
The thing is.. vendors tend to not feel it is worth their time to fix a vulnerability until it has been used to compromise a huge number of computers.
 
viscountalpha said:
Depends on how much they are paying to fix their shit.
Click to expand...

Indeed. I think that one of the best things to come out of the big tech companies in security are the bug bounty programs. Make it worth someone's while to report a flaw with reward instead of prosecution.
 
Why bother when people are finding these holes & reporting them to companies only to be arrested for doing the right thing.
 
Exploit them. They should also find the bankers servers and steal their money, like they do to us, the tax payers.


Fuck them all, right in the butt.
 
tikiman2012 said:
Why bother when people are finding these holes & reporting them to companies only to be arrested for doing the right thing.
Click to expand...

had something similar happen to me in high school on the school novell network... I reported an issue of us lowly students being able to map to ANYONE's directory.

(our admin was an idiot... the kind of idiot that said 7 of us playing quake on the network after school was slowing everything down)

Anyways -- they pitched a bitch and got angry for me showing them just how messed up things were.

So what lesson did I learn? Fuck em' Doing the right thing then and now more often leads to you getting punished/fined/thrown in jail..

What's the point of trying to help a person or a business when it might cost you your freedom?
 
The NSA can play either defense or offense. It can either alert the vendor and get a still-secret vulnerability fixed, or it can hold on to it and use it as to eavesdrop on foreign computer systems.
Click to expand...

It is not so black and white.

Example A;
A software developer overseas produced a popular app and NSA identifies a zero-day vulnerability in the code. The NSA is a DoD organization and is responsible for protecting US Military and US Government communications systems. They run a risk assessment and determine that the App can't be run on US Military and Government systems because they don't use the OS the App is written for. Extremely low risk means the value for exploitation far exceeds the risks of not alerting the vendors, furthermore, if the vendor is a state-sponsored vendor in country not necessarily friendly to the US, all the more reason to keep your mouth shut cause it's likely the exploit was developed on purpose and not an error at all.

This is just one example and it doesn't cover much of the range of scenarios related to this topic. It's just not a clear black and white issue.
 
You must log in or register to reply here.
Back
Top