How the market for zero-day vulnerabilities works


Zero-days -- bugs that are unknown to both vendors and users -- are often weaponized by governments, criminals, and private arms dealers who sell to the highest bidders. The market for zero-days means that newly discovered bugs are liable to go unpatched until they are used in a high-profile cyberattack or independently discovered by researchers who'd rather keep their neighbors safe than make a profit.

Check whether Hacking Team demoed cyberweapons for your local cops

Michael from Muckrock sez, "Turns out death squads aren't the only agencies buying Hacking Squad's controversial spyware. Towns from Miami Shores, FL to Eugene, OR appeared on a list of US agencies that received demonstrations from the hacked surveillance vendor. MuckRock has mapped out who was on the lists, and is working to FOIA what these towns actually bought, if anything. Check and see if your city is on the map."

Spies can't make cyberspace secure AND vulnerable to their own attacks

In his Sunday Observer column, John Naughton makes an important point that's hammered home by the escape of the NSA/GCHQ Regin cyberweapon into the wild: spies who make war on the Internet can't be trusted with its security.

Schneier: NSA's offense leaves Americans undefended

Writing in the Atlantic, Bruce Schneier explains the NSA's insane program of creating, discovering and hoarding vulnerabilities in computer systems in order to weaponize them. These vulnerabilities allow the NSA to attack its enemies (everyone), but let other states, hackers, and crooks attack Americans. The NSA claims it is "securing" cyberspace, but its dominant tactic requires that everyone be made less secure so that the NSA can attack them if it feels the need.

Security as a public health discipline, not an engineering one

In my latest Guardian column, If GCHQ wants to improve national security it must fix our technology, I argue that computer security isn't really an engineering issue; it's a public health issue. As with public health, it's more important to be sure that our pathogens are disclosed, understood and disclosed than it is to keep them secret so we can use them against our enemies.