Flame Hypocrisy

I liked Kurt Wismer's post Flame's Impact on Trust. He says:

if you haven't watched it yet, i encourage you to check out the video of chris soghoian's talk at personal democracy forum 2012. the TL;DR version is that, because it compromised the microsoft update channel, the flame worm damaged our trust in automatic updates and that's a bad thing because automatic updates have done so much good for consumer security.

mikko hypponen is even reported to be planning to write a letter to barack obama to ask him to stop the US government from doing this sort of thing again.

Kurt links to this story US Government Behind Flame Virus According to Expert with choice quotes like this:

Hypponen believes that making Microsoft digital certificates untrustworthy in the eyes of some of the 900 million Windows users around the globe is a very serious and worrying move...

Hypponen told IBTimes UK that he was planning on writing an open letter to Barack Obama this week to say: "Stop taking away the trust from the most important system we have, which is Microsoft Windows Updates."

To be blunt, this is one of the dumbest arguments I've ever heard. I don't think this is the right approach. The reason is simple:

If a "security researcher" discovered and weaponized the vulnerability, the argument would be totally different.

The security research community would be pointing at Microsoft for being at fault for developing such vulnerable software and processes. The "security researcher" would present his or her findings at a major security conference and receive rock star treatment. Those promoting "full disclosure" would push back on any attempts to contain information about the attack. And so on...

The bottom line is that a "security researcher" discovered and weaponized the vulnerability. Critics should start with that fact and let their normal security instincts take over.

Update: I struck the inflammatory language because I didn't intend for this post to be interpreted as a personal attack. To be honest I was feeling ornery after my early morning flight was cancelled, and an eight hour wait at the airport wasn't doing my mood any favors. Sorry Mikko and Chris!

Comments

Anonymous said…
It's good that there are people trying to stop this escalating digital cold war.
We are a small company (<500 employees) and barely manage to handle common (criminal) attacks. We do not need the additional fallout/inspiration for the bad guys by govermentaly initialized attacks.

I've been in a war 20 years ago and have no desire to participate in an other one. My first shots where in self defense back then, too. Everything was justifiable by survival instinct, but in retrospect we should've been a lot smarter.
If Hypponen and others are trying to remind them that this is leading us down a very wrong way, it shouldn't be called hypocrisy.
Chris Buechler said…
It's a poor argument. For one, I doubt if 99% of Windows users will have any understanding about how Flame worked, if they even hear about it at all. Two, and most importantly, if someone exploiting something actually lead people to not use it, every web browser, OS, email, Microsoft Office, Adobe Reader, the Internet in general, and computing as a whole would have been abandoned entirely many years ago.
Unknown said…
Richard,

the choice that 'this government' had was to send a drone and operate surgically or clusterbomb the f-- taking responsibility for all collateral damage. They have opted for the latter and thus acted irresponsibly.

Most of the researchers I know will work with MS to solve the issue before disclosure. I agree that some will not and opt to put MS to shame. Again it's a choice.

The difference between a researcher and a gov is that a researcher does not have any responsibility to the people and a government, by it's very definition, does have that responsibility.

Whatever gov has decided to do this, has betrayed its people, its economy and its allies.

Popular posts from this blog

Zeek in Action Videos

MITRE ATT&CK Tactics Are Not Tactics

New Book! The Best of TaoSecurity Blog, Volume 4