Canadian spy agency releases its top anti-malware tool as free software


#1

Originally published at: https://boingboing.net/2017/10/20/national-security-done-right.html


#2

Totally makes sense, so now Trump will make its removal part of NAFTA negotiations.


#3

Canadian spy agency releases its top anti-malware tool as free software.

Maple syrup can do anything, really.


#4

I’m pretty sure if you fully submerse a computer infected with malware in maple syrup it will no longer be infected with malware.


#5

That is a terrible waste of maple syrup! Unless you plan to also put whip cream and strawberries on it and eat it for breakfast?


#6

… that might be worth killing an afternoon on to spool up such a machine.


#7

My assumption is they are giving it away because they use something better now.


#8

Hmmm… I’m suspicious. Maybe it’s infected with spyware too!


#9

In the strange world of information security, you can either have everyone be armored, or have everyone be naked.

It’s a real relief to see a government agency NOT pick the “naked” option for once.


#10

But it’s a nice polite type of infected


#11

Thou hast just received the Amish Virus.

As we haveth no technology nor programming experience, this virus worketh on the honour system. Please delete all the files from thy hard drive and manually forward this virus to all on thy mailing list.
We thank thee for thy cooperation.

— The Amish Computer Engineering Dept.
http://people.duke.edu/~charlie/AmishVirus.html


#12

So you are suggesting that the famous heist of the Canadian strategic maple syrup reserves was a hack targeted at the Canadian cyber defense abilities?


#13

This absolutist binary view of infosec isn’t one I have really encountered amongst professionals in the >20 years of my career in the field.


#14

#15

To quote Bruce Schneier:

There is a fundamental tension between attack and defense. The NSA can keep the vulnerability secret and use it to attack other networks. In such a case, we are all at risk of someone else finding and using the same vulnerability. Alternatively, the NSA can disclose the vulnerability to the product vendor and see it gets fixed. In this case, we are all secure against whoever might be using the vulnerability, but the NSA can’t use it to attack other systems.

Because everyone uses the same software, hardware, and networking protocols, there is no way to simultaneously secure our systems while attacking their systems — whoever “they” are. Either everyone is more secure, or everyone is more vulnerable.

All protected or all unprotected. Those are our options.


#16

Yeah, it ninja-edits your e-mails to moderate the tone if they’re too hostile. And every now and again you’ll get a random pop-up window with a link saying “CLICK HERE FOR FREE LEAFS TICKETS!!!” It’s legit–it takes you straight to a window that prints out valid tickets–but the seats you get are only so-so.


#17

I think you misunderstand Schneier here. When he was much younger he was indeed part of the “encrypt everything” crew and a bit more black and white in how he saw the world, but his views have certainly matured. The question of TLA or other disclosure is related to but not the same as “everyone armored or naked”. After all, even with the best armor money can buy, all it takes is one really nasty zero day to bring things down. Sometimes it’s just one line of code in an application, not even about disclosure at all.

Note carefully that Schneier here says “more secure or more vulnerable”. The qualifier “more” matters. He isn’t speaking of absolutes because he knows better.


#18

I’m confused as to why you even bring up Schneier’s younger days, since the article I cited is barely over a year old. But since you brought up absolutes, let me remind you that there is an absolute in Schneier’s argument: an absolute either/or. Either we disclose and patch vulnerabilities, making ourselves and our adversaries more secure, or we conceal and exploit vulnerabilities, making ourselves and our adversaries more vulnerable. It would be nice if we could simultaneously make ourselves more secure and our adversaries more vulnerable, but that’s not an option. This has nothing to do with the existence of zero days and everything to do with the approach that governments should take when they discover any vulnerability, zero day or not.

And that’s why I say: all armored or all naked. Being armored does not make you invulnerable, but being naked does make you more vulnerable. And it’s a real relief to see a government agency handing out armor instead of conspiring to strip us all naked.


#19

“More” compared to what? That point isn’t addressed. A network with a choke router is more secure than one without and a network with a traffic inspection firewall is more secure than one with a choke router. Of course none of that says anything about internal patch & configuration management. In theory you could have a fully patched and well configured network without a choke router that is more secure than an unpatched and poorly configured network with a choke router. I could go on but I hope you get the point that it is in fact not a question of absolutes.

You’ve set up what is in fact a false dichotomy here. “Disclose and patch” is in reality far more complex than those three words would indicate. Disclose could be, but isn’t always, simple enough on its own, but “and patch” is complicated sometimes and gets even more complicated with the hard cold reality of getting patches implemented. In the real world, sometimes patches break things and don’t make it past UAT into production. Then of course there are all the vendor owned systems that don’t get patched. Ever. It’s on the network, it’s isolated as much as it can be isolated, but it’s never going to get patched until it gets replaced. All this is assuming a viable patch can be created by the vendor before someone else discovers the potential vulnerability in the wild and exploits it on their own.

The second part of the dichotomy, “conceal and exploit”, is speculating on unknown unknowns. First off, not all vulnerabilities can be effectively exploited for anything of value. But beyond that, if the vulnerabilities are not disclosed, the associated risk(1) is unknown. If it is perhaps viable, it is unknown whether it is actually used by a threat actor or not.

Zero Day:

That is to say, it does in fact have to do with just that but does not tell us about the effectiveness of the vulnerability or its risk value in a given network.

1. NIST SP 800-30: “Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.”


#20

You have a curious talent for using your technical knowledge to bring up interesting facts that are entirely unrelated to the actual topic of discussion.

The thing that started this discussion was a government’s decision to freely share powerful security software. Sharing this software had the potential to make the government’s enemies stronger, and they knew that. But they shared it anyway, because they wanted their friends to be stronger. Sure, some spies and criminals might now have a better tool at their disposal, but now decent folks all across the world will also have this tool at their disposal, and that’s a good thing.

It would be nice if we could share this software exclusively with nice people, but that’s not possible. Similarly, it would be nice if we could warn nice people about vulnerabilities and exploits without warning our enemies, but that’s not possible, either. Knowing this, many governments have chosen to hoard vulnerabilities in order to leave their enemies vulnerable, but this comes at a cost to normal folks like us. Happily, Canada has chosen the other path, and made everyone stronger. My point, and Schneier’s point, is that you have to pick one path or the other, and it’s better to pick the path where everyone gets stronger and safer, nice and nasty people alike. Or do you have some third way where we can both warn and not warn people about software problems?

“More” compared to how secure we would be if we didn’t get warned about vulnerabilities and we didn’t get to share the government’s toys.

Now please, if you’re going to pick nits, at least try to pick relevant ones.