{"id":10790,"date":"2017-08-07T17:13:46","date_gmt":"2017-08-07T22:13:46","guid":{"rendered":"http:\/\/huewhite.com\/umb\/?p=10790"},"modified":"2017-08-07T17:14:33","modified_gmt":"2017-08-07T22:14:33","slug":"10790","status":"publish","type":"post","link":"https:\/\/huewhite.com\/umb\/2017\/08\/07\/10790\/","title":{"rendered":"That Poker Hand You&#8217;re Holding, You Should Show All Of Us"},"content":{"rendered":"<p>On\u00a0<i><b>Lawfare\u00a0<\/b><\/i>former Deputy Director of the National Security Agency Rick Ledgett\u00a0<a href=\"https:\/\/www.lawfareblog.com\/no-us-government-should-not-disclose-all-vulnerabilities-its-possession\" target=\"_blank\" rel=\"noopener\" data-saferedirecturl=\"https:\/\/www.google.com\/url?hl=en&amp;q=https:\/\/www.lawfareblog.com\/no-us-government-should-not-disclose-all-vulnerabilities-its-possession&amp;source=gmail&amp;ust=1502230166001000&amp;usg=AFQjCNGbnIyOIj60m7oyHB0iKke_qJMipw\">discusses\u00a0<\/a>the faulty premise behind calls for US Government agencies to release to the public all knowledge concerning software vulnerabilities:<\/p>\n<blockquote class=\"gmail_quote\"><p>WannaCry and Petya exploited flaws in software that had either been corrected or superseded, on networks that had not been patched or updated, by actors operating illegally.\u00a0 The idea that these problems will be solved by the U.S. government disclosing any vulnerabilities in its possession is at best na\u00efve and at worst dangerous.\u00a0 Such disclosure would be tantamount to unilateral disarmament in an area where the U.S. cannot afford to be unarmed.\u00a0 Computer network exploitation tools are used every day to protect U.S. 
and allied forces in war zones, to identify threats to Americans overseas, and to isolate and disrupt terrorist plots directed against our homeland and other nations.\u00a0 It is no exaggeration to say that giving up those capabilities would cost lives.\u00a0 And this is not an area where American leadership would cause other countries to change what they do.\u00a0 Neither our allies nor our adversaries would give away the vulnerabilities in their possession, and our doing so would likely cause those allies to seriously question our ability to be trusted with sensitive sources and methods.<\/p><\/blockquote>\n<p>A simple but effective observation &#8211; sometimes it&#8217;s not the knowledge of the attackers which is the most dangerous, but the negligence of the victims that accounts for the losses. However, I think he makes a dangerous moral error in his conclusion:<\/p>\n<blockquote class=\"gmail_quote\"><p>As for blame, we should place it where it really lies: on the criminals who intentionally and maliciously assembled this destructive ransomware and released it on the world.<\/p><\/blockquote>\n<p>This ignores the fact that\u00a0<i>ransomware\u00a0<\/i>is a subcategory of the larger category of\u00a0<i>malware<\/i>; malware contains the category of\u00a0<i>weaponized software\u00a0<\/i>(for lack of a better term). The two subcategories share a number of\u00a0<i>operational\u00a0<\/i>techniques, but the purposes of the two are dissimilar.\u00a0<i>Ransomware\u00a0<\/i>is overwhelmingly a criminal activity, although a government could use it to, say, financially disable a corporate entity deemed critical to the functioning of an adversary. But, in general, ransomware is used by criminal elements to extract resources from other entities, ranging from corporations to individuals.<\/p>\n<p><i>Weaponized software\u00a0<\/i>is generally used by a government or country to advance its national interests. 
As such, it falls under a different, more poorly defined moral order.<\/p>\n<p>Because Mr. Ledgett is discussing\u00a0<i>operationality\u00a0<\/i>rather than\u00a0<i>morality<\/i>, his conclusion becomes confused, and results in a faulty implied directive, which is to condemn the opponents who use these techniques.<\/p>\n<p>As Mr. Ledgett should know best of all, governments &amp; countries must advance their national interests, and using the software vulnerabilities of adversaries against them is simply the latest in a millennia-long practice of advancing interests. You can&#8217;t condemn that unless you want to condemn the entire system of national entities. And the concrete result of this mistake, besides a certain general attitude of unearned victimhood, is a dissipating discussion such as the one he addresses, when everyone should understand that the context includes aggressive nations which will use our mistakes against us.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On\u00a0Lawfare\u00a0former Deputy Director of the National Security Agency Rick Ledgett\u00a0discusses\u00a0the faulty premise behind calls for US Government agencies to release to the public all knowledge concerning software vulnerabilities: WannaCry and Petya exploited flaws in software that had either been corrected or superseded, on networks that had not been patched or \u2026 <a class=\"continue-reading-link\" href=\"https:\/\/huewhite.com\/umb\/2017\/08\/07\/10790\/\"> Continue reading <span class=\"meta-nav\">&rarr; 
<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-10790","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/posts\/10790","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/comments?post=10790"}],"version-history":[{"count":2,"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/posts\/10790\/revisions"}],"predecessor-version":[{"id":10792,"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/posts\/10790\/revisions\/10792"}],"wp:attachment":[{"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/media?parent=10790"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/categories?post=10790"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/huewhite.com\/umb\/wp-json\/wp\/v2\/tags?post=10790"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}