Jump to content

Security flaw in ‘nearly all’ modern PCs


pondus

Recommended Posts

Well, at least it requires physical access to the machine so it's not nearly as bad as it could have been, but still, it does have far reaching implications for the trust that consumers/businesses have had in the technologies built into their devices to protect their data in case of device theft.

By the way, I happened to notice this while browsing that site where the article was sourced from and I think I'm much more worried about that than I am about someone getting to my data by stealing my laptop.  Of course I live alone, work from home, and am seldom away from my laptop for very long anyway so my circumstances aren't typical.  I don't even password protect Windows, much less use any encryption on my drive to defend against physical access attacks.  I'm far more concerned about remote hacking attempts personally.

Link to post
Share on other sites

I agree, it's not something to worry the normal user.

Targeting a specific laptop to steal, government minister, security service, business leader, etc. could be more of an issue.
But if they are lax enough to leave a laptop full of sensitive information lying around then they are probably not using the security features properly anyway.

Once you physically have your hands on the machine there's much more that you can do than if accessing it online.

But I don't see hackers running round stealing machines just to find out what might be on there.
It wouldn't be worth the effort.

The government backdoor is more of an issue, just because they can doesn't mean they should.
But you are never going to stop them, governments make the laws, Security Services have always ignored those laws.
eg. By law British police need a court warrant to 'tap' a phone, intercept mail, etc. MI5/MI6/NSA/GCHQ and the rest just do it whenever they want to.

Link to post
Share on other sites

Yes, unfortunately here in the US most of the laws protecting privacy were done away with or at least dramatically compromised since 9/11 and the sad irony is that thanks to such aggressive policies regarding government surveillance going into effect, everyone is actually far less secure as a result because for every backdoor that exists to allow the good guys into the systems of the bad guys, there's one more opportunity for the bad guys to compromise the systems of everyone.

Then of course in the private sector organizations like Malwarebytes are relied upon to provide protection from such vulnerabilities, however since these governments have a vested interest in keeping these backdoors both active and secret, they don't work hand-in-hand with IT security organizations to improve protection, and in fact have been seen in the past doing quite the opposite, attempting to convince security providers and service providers like ISPs and hardware and software makers to deliberately exclude their malware and methods of attack from detection/protection or to give them a way in (as mentioned in the article I linked).

One must wonder just what the end goal of all of this "security" is because if it is to make everyone safer, it seems quite counterproductive to continually and consistently make things easier for malicious hackers.  I'm honestly pretty disgusted with the whole situation.  I understand why surveillance of systems of enemies of the state is important, but when securing that access means that everyone else on the planet, including their own law abiding citizens and allies, must also have their systems compromised for that to be possible then the ends simply do not justify the means in my opinion.  Besides, after all of the publicity that programs like PRISM and the like have gotten over the past several years, I'm certain that any high value targets won't be using any form of digital communication to orchestrate their efforts anyway, so the only information that these organizations end up harvesting is data that they shouldn't have from innocent people who are not threats, and in many cases are the very people they are supposed to be protecting.

Link to post
Share on other sites

It's nothing new, governments have always used the "terrorist" card to erode civil liberties.

The first use in English of the term 'terrorism' occurred during the French Revolution, the revolutionaries created terror in the country so the ruling class had to try and keep them down.
Some say it even goes back as far as the Zealots who opposed the Roman occupation of Judea in the 1st century AD.
The Richestag fire in 1933 was branded as a 'terrorist act', and look what that led to for civil rights.

When you get opinionated nutters in charge of a country then any opposition becomes dangerous terrorists, rights go out of the window, every criticism of them is false and a deliberate attempt to undermine them, all foreigners are against them, and trading unfairly with them, so keep them out, better still round them up in camps and/or deport them.

Mmmmm.. Somehow that all sounds familiar.

Edited by nukecad
Link to post
Share on other sites

Well, I don't want to get too political here as that's against forum rules, however I will say that none of the US administrations in my lifetime have had any regard for the privacy of the citizens of our own or any other country and both changes to law as well as straight up violations of US laws, international laws and foreign policies have taken place under each and every one of them in the name of increased security when it comes to surveillance.  All those leaks illustrated that fact as have many other things that have come to light over the past decade or two.  I also think that a lot of it has a lot more to do with an insatiable desire for funding by certain surveillance oriented organizations within governments than it does with actual security because it's much more expensive and therefore far easier to justify larger budgets to attempt to monitor all communications and devices globally than it is to target a select few high-value targets who represent real threats to national security and global welfare and peace.  It's like the difference between sending an unmanned probe to a distant world vs the cost of a full fledged manned mission and colonization if framed around space exploration.  The one that costs more will no doubt be the one to be chosen as the stated goal/highest priority by the organization requesting funding from Congress.

Link to post
Share on other sites

I'd go further and say that surveilance/spying is built into our genetic make up.

'Fear of the stranger' has always been a strong motivational force. So you have to keep an eye on them and keep them out.
Probably because for most of history that stranger wanted to take away what was yours.

You still see the same argument trotted out everyday in every country - 'they' are taking all our jobs/women/healthcare/benefits/houses/whatever.
Often 'they' are simply the members of lower classes than yours trying to better themselves.

The issue with trying to monitor everything is that there just isn't time to do that, even automated monitoring couldn't keep up with just the phonecalls.
The security services want blanket powers so that they can monitor targeted individuals without any regulation.
And yes, big budgets and salaries for doing it.

I think the problem with the funding of deep space missions is different, they take a long time so you may not be around to get the credit for success.

Funding for security measures to keep out the stranger can always be found.
The Great wall of China, Hadrians wall, the Berlin wall, (it's starting to sound familiar again).

Link to post
Share on other sites

You're most likely correct about the time and dataset size issue, but I suspect that much of it is in preparation for the eventuality of mainstream quantum computing and some degree of true artificial intelligence (not just the basic machine learning/heuristics algorithms that exist currently that so many industries falsely claim as "AI").  Currently their main weapon of choice is keyword flagging, which has an extreme probability of FPs, especially with so many aware of these mass surveillance programs (meaning there is a very high probability of people deliberately saying "bad" words such systems would likely flag and making dissenting/threatening sounding statements in jest just to create such possible FP events and to waste the bureaucrats' time, money, manpower and resources).  The reality is, anyone actually speaking of such things would not use any obvious terminology and would likely speak in code that deliberately sounds like common, normal conversation using some obscure keying system based on either a privately created code or some obscure text all participating parties are privy to.  There are far too many simple ways to fool machines (and people) for a mass surveillance program to be capable of catching anyone beyond the less sophisticated/minor threats that no one in their right mind would justify expending such resources and technologies to catch (i.e. common, local crime, small time drug deals, pranks etc. etc.) and I sincerely doubt those monitoring would find it worth it to expose their surveillance capabilities by seeking to apprehend any offenders of that nature so it's essentially a self-defeating system, no matter how "quiet" they try to be about it at this point.

Basically the cat is out of the bag at this point, everybody knows about it, both friend and foe, so the awareness of the system of mass surveillance defeats the entire purpose and justification for the existence of the system of mass surveillance.  There's an old saying, "Three may keep a secret, if two of them are dead." and in this case, far too many people know far too much for their "secret" systems of surveillance to be a legitimate threat to anyone they seek to thwart or capture using it.  They were beaten as soon as word got out about the Homeland Security Act and the Patriot Act and as soon as all the cameras started going up everywhere in the UK.  At that point I think only the most ignorant were unaware that we now live in a surveillance state, and that definitely includes the bad guys who have an incentive to conceal their actions and plans from the organizations who have access to such tools.  To put it into IT security terms, it's like the bad guys taking all of their latest malicious creations and uploading them to VirusTotal to be scanned to see which vendors, if any, detect them.  As soon as any file is shared there all of the participating vendors have access to it for analysis so the bad guys have already lost.  This is why they've set up their own offline scanning systems that don't provide the samples to the vendors whose engines they scan them with so that they can still test their new wares for efficacy in their stealth capabilities to evade detection without giving malware researchers direct access to their new binaries before they've even sent them out to the wild to infect unsuspecting users and potential targets.  

Link to post
Share on other sites

Quote

Currently their main weapon of choice is keyword flagging, which has an extreme probability of FPs,

I often wonder how many times my forum username has been flagged by the security services in the 14 years or so that I've been using it?
Especially when it gets shortened to 'Nuke', as it often does in posts.

(To explain it for anyone who doesn't know, I was a CAD design draughtsman working for the nuclear industry when I needed a catchy username on an AutoCAD forum, it's stuck ever since).

Link to post
Share on other sites

Hehe, I don't doubt that it's happened many times.  I think back on the names of video games, movies and other fictional creations and wonder how often such things get flagged, though I suppose it would be intelligent of them to cross-reference as much as possible with basic tools like Wikipedia and Google to determine likely meaning of such references.

I sort of think of all of this government surveillance as Google with intent.  They want all the world's data/telemetry just like Google, but have a different purpose for it than Google (assuming Google doesn't seek to enter the political/military/security arena, though you never know I suppose :P ).

Link to post
Share on other sites

  • 3 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.