by caligastia 4105 days ago
Automated discovery and exploitation of architectural flaws is merely the next step in the evolution of software. For the past few years we have been witness to a 'whack-a-mole' type of dynamic in the field of computational security. Exploits are published, a day later they become a Metasploit module, and a day after that anybody in the world can use it on everyone else in the world at the click of a mouse. If you are a full time sys-admin plugged into all the advisory mechanisms you may, for a time, be able to keep your systems patched, but the machines never sleep, they never blink, they never forget, and apparently, they never die.

In the race against time, it is fair to say at this point that the machines have won. It may not be completely obvious yet, in the way that a tidal wave out at sea is only a small hump under your individual ship, but when it comes ashore, when the confluence of terrain and massive liquid power becomes manifest, then, of course, it is obvious.

What appears to be happening is a kind of terra-forming activity: a new software layer is spreading, one that has the keys to everything - our social lives, our morning cup of coffee, our cars... our nukes.

This has an end condition, of course - and that is the total loss of control over our technological infrastructure.


"It might be argued that the human race would never be foolish enough to hand over all the power to the machines. But we are suggesting neither that the human race would voluntarily turn power over to the machines nor that the machines would willfully seize power. What we do suggest is that the human race might easily permit itself to drift into a position of such dependence on the machines that it would have no practical choice but to accept all of the machines' decisions. As society and the problems that face it become more and more complex and machines become more and more intelligent, people will let machines make more of their decisions for them, simply because machine-made decisions will bring better results than man-made ones. Eventually a stage may be reached at which the decisions necessary to keep the system running will be so complex that human beings will be incapable of making them intelligently. At that stage the machines will be in effective control. People won't be able to just turn the machines off, because they will be so dependent on them that turning them off would amount to suicide."
Is that from the Unabomber manifesto?
For those wondering whether parent comment is hyperbole: yes, that is quoting Ted Kaczynski's manifesto.
Yes. It haunts me how relevant it is.
> Automated discovery and exploitation of architectural flaws is merely the next step in the evolution of software.

> This has an end condition, of course - and that is the total loss of control over our technological infrastructure.

Why can't you use the same technology to defend your software?

Agreed. If you had a tool which could detect all of a particular class of exploits in your software one could just add it to your compiler so it would throw an error.

Of course this assumes that automated discovery is not very computationally intensive, which in some cases it appears to be. The search space of a program is enormous. Instead, one possible world is one in which exploits can be found automatically, but discovery requires massive computational effort. This seems extremely likely to me because exploits that don't require massive computational effort will be found and limited quickly, eliminating the low-hanging fruit.

Thus governments with the best algorithms and the most money/powerplants/datacenters/fabs have an advantage because they can patch their own software while developing exploits for other people's software.

The strategy comes in at:

1. How many exploits do you keep in reserve given a particular rate of discovery, and how and when do you use exploits?

2. How do you handle the case when you and the target are using the same software? If you start to patch it, the exploit might leak to the target. If you use the exploit before patching, the target might use it against you.

Operationally protecting exploits from spies seems hard. A government with a technical advantage might well be at a disadvantage to a less technically savvy government with a human intelligence advantage.

To quote the Honey Badger video:

>"You do all the work for us, honey badger, and we'll just eat whatever you find, how's that? What'daya say, stupid?"

To avoid this a government might use the exploit development capability only defensively in peace time, keeping no reserve of exploits, until they have an immediate need. Of course this might weaken deterrence.

tl;dr cyber

> patch their own software while developing exploits for other people's software

What planet do you live on where this distinction can be made?

I'm not sure I understand your objection, could you be more explicit?
It isn't like there's "Google Chrome" and "Russian Chrome"; everyone in the world runs the same software with global distribution channels. And if the solution is "well, we'll make software distribution tied to geographic regions", how well do you think that's going to work, especially when there's a dynamic of "if you can get the Chinese Internet Explorer it will have way fewer bugs than the American one, and you can diff the two to find the bugs"?
1. US military hardware runs different software than Russian military hardware.

2. There are major geographic differences in the software, hardware and architecture of Industrial Control Systems. Not to mention vulnerabilities that might only exist in certain configurations which are common to the contractors building those systems.

3. Major powers are developing their own GPS satellite constellations. Some countries develop their own satellite software.

4. Most web applications are customized to the client.

5. Due to fears of hardware backdoors, it is looking like we might see a balkanization of communication hardware (internet routers, etc.). Note that there are already geographic and regional differences in cell and phone communications.

6. S. Korea's legally mandated https encryption, SEED, is not used outside of S. Korea. An attack on SEED software would be very specific to that country.

You are correct though in the notion that much of the consumer OTS software is global in scope. It really depends on the vertical you are attacking.