
posted by janrinok on Thursday October 22 2015, @08:03AM   Printer-friendly
from the be-afraid,-just-a-bit dept.

Ars Technica UK has an informative article about how zero-day vulnerabilities are actually used in practice, who buys them, and the current state of the zero-day market and its regulation.

How do you defend yourself against the unknown? That is the crux of the zero-day vulnerability: a software vulnerability that, by definition, is unknown to the users of the software and often to its developer as well.

Everything about the zero-day market, from research and discovery through disclosure and active exploitation, is predicated upon this fear of the unknown—a fear that has been amplified and distorted by the media. Is the world really at threat of destabilisation due to lone-wolf hackers digging up vulnerabilities in popular software packages and selling them to whichever repressive government offers the most money? Or is it just a classic case of the media and megacorp lobbyists focusing on the sexy, scary, offensive side of things, and glossing over the less alluring aspects?

And then what about legislation and regulation of zero-days? In most countries, there are scant legal mechanisms for discouraging or punishing the discovery of new zero-days. There are even fewer laws and directives dictating how zero-days should be responsibly disclosed. It isn't that lawmakers aren't aware of these problems, it's just that there isn't an easy solution. How do you craft a law that allows some research groups to keep on digging for vulnerabilities while at the same time blocking the black hats? What if the government's idea of "responsible disclosure" means disclosing all vulnerabilities to GCHQ or the NSA?

Recently, Europe began discussing how best to interpret the Wassenaar Arrangement—an agreement between 41 countries that was originally designed to limit the proliferation of physical, military weapons to non-desirables—when it applies to the proliferation of surveillance software, intrusion tools, and zero-day software vulnerabilities. In the US, the Senate is set to vote on the Cybersecurity Information Sharing Act as soon as today [20 Oct]. The legislation would expand the Computer Fraud and Abuse Act to include security research. The US is trying to decide how to interpret Wassenaar when it comes to the exporting of intrusion software and zero-days too.

  • (Score: 2, Interesting) by rob_on_earth (5485) on Thursday October 22 2015, @08:17PM (#253361) Homepage

    this x100!!

    make hacking completely legal and make the hackers stars, quickly identifying ALL low hanging fruit and advancing what low hanging fruit is.

    I hate the idea that a company can put up a web site with customers' details or other valuable data and then just sit back and complain when they get hacked.

    Start a "Hack the planet day" everyone hacks everything!

    Instead we force those who could have done us this great service underground or into jail!
