Security companies and governments conspire to discover and hide software vulnerabilities that can be used as spyware vectors


26 Responses to “Security companies and governments conspire to discover and hide software vulnerabilities that can be used as spyware vectors”

  1. Palomino says:

    I have a house with ten doors. Each door has a coded lock from a different company. One company, not wanting to be liable for a break-in, and to prove their lock is superior, hires VUPEN to secretly come to my home to figure out a way to break at least one of the other nine companies' codes. VUPEN then sells the info to all ten companies, who may or may not employ a band of thieves or rapists.

  2. hdon says:

    May I be the first to say, “DURRRRR!”

    Of course if you’re a terrorist and want to avoid all these vulns, all you probably have to do is run a web browser like Lynx.

  3. corydodt says:

    Have fun keeping Anon from burning down your house, VUPEN. You may know a list of vulnerabilities, but I bet you don’t know all of them. And you depend on your software too.

  4. Eark_the_Bunny says:

    If I were a good software company, I think I would have some high grade in-house hackers to constantly try to exploit my software in order to know where the vulnerabilities are and not just wait for someone else to find out.

    • Al Billings says:

       Where will you find these hackers? Why will they come work for you? If they’re good enough to do that, they’re usually good enough to be consultants or work for a private security firm for a hell of a lot more than you’ll be able to pay them.

  5. dweller_below says:

    I dream about a future time when the US has become wiser on internet security.

    In my dream, the CDC has a branch that handles the epidemiology of computer infection. The CDC collates infection rates and publishes meaningful metrics that allow us to judge the relative effectiveness of various programs of IT Security measures.

    A couple years ago, I doodled the outlines of those metrics at: https://it.wiki.usu.edu/SecurityPerformanceMetric

    In my dream, governments and ISPs have coordinated to isolate and reform any ISP that tolerates the insertion of spoofed source packets. Prolonged DoS attacks are a faint, distasteful memory.

    I dream that the US government refuses to do business with any organization that interferes with effective and timely disclosure of security vulnerabilities. Once the NSA started regularly disclosing all its known IT vulnerabilities, the world vulnerability marketplace collapsed.

    And a pony. In my dreams I’m riding a blue, hypo-allergenic pony.

  6. Marc45 says:

    Just a fantasy but wouldn’t it be sweet if the CEO of VUPEN had their identity stolen as a result?

  7. domanite says:

    Is anyone concerned about the obvious next step: governments using their influence and access to *inject* vulnerabilities and back doors? For all I know, the Patriot Act might make that legal. It might even gag the targets. (Putting in tinfoil hat now…)

  8. phisrow says:

    Here is what I don’t understand:

    Obviously, the assorted spooks inhabiting NATO enjoy having exploits with which to access various computer systems.

    However, it is widely asserted that hacks against the US and other NATO-bloc nations are a serious security issue (and, as a nation with major financial, industrial, and scientific endeavors online compared to most other countries capable of fielding hackers, this isn't exactly implausible).

    Further, the routes for legal access to most domestic systems are already quite wide (CALEA, warrants, national security letters) and extralegal access probably wider still, and you don't need an exploit if you have a warrant and a gun.

    Given these things, why are such entities tolerated? Sure, in the CIA’s ideal world, they’d have access to absolutely everything; but this isn’t their ideal world: they know that outfits like China have fairly sophisticated hackers, and even petty racketeers have script kiddies and basic virus kits. Surely it would be in their interest to promote computer security, no?

    An insecure system can be broken with an exploit, and all sorts of people have exploits. A secure system can be broken with a warrant or a gun and rather fewer people have those. It seems like even the most nakedly self-interested intelligence entities would prefer the latter case, given their access to warrants and guns…

    • jeligula says:

      Hell, I broke my Gunny's Officer Voting System password in 1990 merely by guessing what a man like him might use. I got it on the 14th attempt. Turned out it was "lesbians". Nothing is as exploitable as personal knowledge.

  9. itsgene says:

    Remember, the governments of the world got software companies to embed detection algorithms to protect us from accidentally scanning banknotes, and got printer companies to add barely visible tracking information to every print. What makes you think they wouldn’t add government-accessible holes to their OSes?

  10. anharmyenone says:

    Ask your congressperson about this at the next townhall meeting and write to your congressperson in the meantime. Also email this article to journalists.

  11. Guest says:

    The scariest part about all this is that people actually assumed that the government was on their side in the first place. Surprise!!??????

  12. Cowicide says:

    Maybe it’s time to attack assholes like VUPEN?  I’m just askin’ questions.

  13. David Weintraub says:

    Hold on. The only thing we have is the word of one scuzzy "security company" that they only sell to "NATO governments" and "NATO partners", and you REALLY believe this scumbag?

    I wish the U.S. government was actually one of the customers. It would then be reported to the National Vulnerability Database http://nvd.nist.gov/ and reported back to the firms that make the software. After all, security vulnerabilities hurt trust in the overall economy and make the nation weaker. Not something any government really wants to do.

    Nor are banks VUPEN customers. U.S. regulations require banks to share known security vulnerabilities with other banks and with the company that produced the software. That would hurt VUPEN’s bottom line.

    I doubt that VUPEN is selling these exploits to either governments or banks.

  14. donovan acree says:

    Aren’t the actions of VUPEN illegal under WIPO and the DMCA?
