Comments on: Security companies and governments conspire to discover and hide software vulnerabilities that can be used as spyware vectors

By: donovan acree

donovan acree — Mon, 02 Apr 2012 15:38:00 +0000

Aren’t the actions of VUPEN illegal under WIPO and the DMCA?

By: Tonweight

Tonweight — Mon, 02 Apr 2012 13:54:00 +0000

Please assume the Party Escort Submission Position…

By: Charlie B

Charlie B — Sun, 01 Apr 2012 16:52:00 +0000

I think your assessment of the capabilities of a bunch of script kiddies is extremely unrealistic.

By: David Weintraub

David Weintraub — Sun, 01 Apr 2012 02:56:00 +0000

Hold on. The only thing we have is the word of one scuzzy “Security company” word that they only sell to “Nato governments” and “Nato Partners”, and you REALLY believe this scumbag?

I wish the U.S. government was actually one of the customers. It would then be reported to the National Vulnerability Database http://nvd.nist.gov/ and reported back to the firms that make the software. After all, security vulnerabilities hurt trust in the overall economy and makes the nation weaker. Not something any government really wants to do.

Nor are banks VUPEN customers. U.S. regulations require banks to share known security vulnerabilities with other banks and with the company that produced the software. That would hurt VUPEN’s bottom line.

I doubt that VUPEN is selling these exploits to either governments or banks.

By: The Life Of Bryan

The Life Of Bryan — Sun, 01 Apr 2012 02:15:00 +0000

They do if you’re represented by a Democrat.

By: Al Billings

Al Billings — Sat, 31 Mar 2012 22:51:00 +0000

Because my congressperson (I hate that word) controls French companies?

By: Al Billings

Al Billings — Sat, 31 Mar 2012 22:50:00 +0000

Where will you find these hackers? Why will they come work for you? If they’re good enough to do that, they’re usually good enough to be consultants or work for a private security firm for a hell of a lot more than you’ll be able to pay them.

By: Cowicide

Cowicide — Sat, 31 Mar 2012 15:40:00 +0000

Maybe it’s time to attack assholes like VUPEN? I’m just askin’ questions.

By: corydodt

corydodt — Sat, 31 Mar 2012 05:44:00 +0000

Oh, of course they will post the list. Right after they shred the company.

By: jeligula

jeligula — Sat, 31 Mar 2012 05:13:00 +0000

Hell, I broke my Gunny’s Officer Voting System password in 1990 merely by guessing what a man like him might use. I got it on the 14th attempt. Turned out it was “lesbians”‘. Nothing is as exploitable as personal knowledge.

By: jeligula

jeligula — Sat, 31 Mar 2012 05:09:00 +0000

Enjoy the pony.

By: Guest

Guest — Sat, 31 Mar 2012 04:15:00 +0000

The scariest part about all this is that people actually assumed that the government was on their side in the first place. Surprise!!??????

By: Andrew Singleton

Andrew Singleton — Sat, 31 Mar 2012 03:56:00 +0000

Stay where you are Citizen. A security detail will be with you shortly. Remain Calm and stay put. This is merely for your own protection.

By: Andrew Singleton

Andrew Singleton — Sat, 31 Mar 2012 03:48:00 +0000

Can i share your dreams?

By: anharmyenone

anharmyenone — Sat, 31 Mar 2012 02:34:00 +0000

Ask your congressperson about this at the next townhall meeting and write to your congressperson in the meantime. Also email this article to journalists.

By: itsgene

itsgene — Sat, 31 Mar 2012 02:08:00 +0000

Remember, the governments of the world got software companies to embed detection algorithms to protect us from accidentally scanning banknotes, and got printer companies to add barely visible tracking information to every print. What makes you think they wouldn’t add government-accessible holes to their OSes?

By: phisrow

phisrow — Sat, 31 Mar 2012 01:03:00 +0000

Here is what I don’t understand:

Obviously, the assorted spooks inhabiting NATO enjoy having exploits with which to access various computer systems.

However, it is widely asserted that hacks against the US and other NATO-bloc nations are a serious security issue(and, as a nation with major financial, industrial, and scientific endeavors online compared to most other countries capable of fielding hackers, this isn’t exactly implausible).

Further, the routes for legal access to most domestic systems are already quite wide(CALEA, warrants, national security letters) and extralegal access probably wider still, and you don’t need an exploit if you have a warrant and a gun.

Given these things, why are such entities tolerated? Sure, in the CIA’s ideal world, they’d have access to absolutely everything; but this isn’t their ideal world: they know that outfits like China have fairly sophisticated hackers, and even petty racketeers have script kiddies and basic virus kits. Surely it would be in their interest to promote computer security, no?

An insecure system can be broken with an exploit, and all sorts of people have exploits. A secure system can be broken with a warrant or a gun and rather fewer people have those. It seems like even the most nakedly self-interested intelligence entities would prefer the latter case, given their access to warrants and guns…

By: domanite

domanite — Sat, 31 Mar 2012 01:01:00 +0000

Is anyone concerned about the obvious next step: governments using their influence and access to *inject* vulnerabilities and back doors? For all I know, the Patriot Act might make that legal. It might even gag the targets. (Putting in tinfoil hat now…)

By: dweller_below

dweller_below — Sat, 31 Mar 2012 00:35:00 +0000

I dream about a future time when the US has become wiser on internet security.

In my dream, the CDC has a branch that handles the epidemiology of computer infection. The CDC collates infection rates and publishes meaningful metrics that allow us to judge the relative effectiveness of various programs of IT Security measures.

A couple years ago, I doodled the outlines of those metrics at: https://it.wiki.usu.edu/SecurityPerformanceMetric

In my dream, governments and ISPs have coordinated to isolate and reform any ISP that tolerates the insertion of spoofed source packets. Prolonged DoS attacks are a faint, distasteful memory.

I dream that the US government refuses to do business with any organization that interferes with effective and timely disclosure of security vulnerabilities. Once the NSA started regularly disclose all it’s known IT vulnerabilities the world vulnerability market-place collapsed.

And a pony. In my dreams I’m riding a blue, hypo-allergenic pony.

By: Marc45

Marc45 — Sat, 31 Mar 2012 00:35:00 +0000

Just a fantasy but wouldn’t it be sweet if the CEO of VUPEN had their identity stolen as a result?

By: EH

EH — Fri, 30 Mar 2012 23:56:00 +0000

The honeypot.

By: SoItBegins

SoItBegins — Fri, 30 Mar 2012 23:28:00 +0000

What’s to keep Anon from finding their list of vulnerabilities and posting them to the world?

By: Eark_the_Bunny

Eark_the_Bunny — Fri, 30 Mar 2012 23:23:00 +0000

If I were a good software company, I think I would have some high grade in-house hackers to constantly try to exploit my software in order to know where the vulnerabilities are and not just wait for someone else to find out.

By: corydodt

corydodt — Fri, 30 Mar 2012 23:08:00 +0000

Have fun keeping Anon from burning down your house, VUPEN. You may know a list of vulnerabilities, but I bet you don’t know all of them. And you depend on your software too.

By: hdon

hdon — Fri, 30 Mar 2012 23:03:00 +0000

May I be the first to say, “DURRRRR!”

Of course if you’re a terrorist and want to avoid all these vulns, all you probably have to do is run a web browser like Lynx.

By: Palomino

Palomino — Fri, 30 Mar 2012 23:01:00 +0000

I have a house with ten doors. Each door has a coded lock from a different company. One company, not wanting to be liable for a break-in, and to prove their lock is more superior, hires VUPEN to secretly come to my home to figure out a way to break at least one of the other nine companies codes. VUPEN then sells the info to all ten companies, who may or may not employ a band of thieves or rapists.