German Spy Agency Wants To Buy Zero-Day Vulnerabilities
#1
The newspaper Süddeutsche Zeitung reports that the German spy agency BND will spend €28 million on what it calls its 'Strategic Technical Initiative' (SIT) next year, and that it has asked the German government for a further €300 million (original in German). The German edition of the English-language site "The Local" explains how the money will be used:
Quote:The aim of the programme is to penetrate foreign social networks and create an early warning system for cyber attacks.

Government spokesman Steffen Seibert confirmed to dpa on Monday that the BND had worked with French computer security firm Vupen, which is known to sell details of security holes to governments, in the past.
Techdirt has written about Vupen a couple of times recently, and emphasized why buying such zero-day vulnerabilities to use for surveillance purposes without passing them on to be fixed makes the Internet much less safe for everyone. According to a related story in Der Spiegel (original in German), the BND hopes to apply zero-days to undermine the main encryption technology used to protect online communications, the Secure Sockets Layer (SSL) protocol. As The Local writes:
Quote:The programme to penetrate SSL, codenamed Nitidezza, would also target the HTTPS protocol which is the standard for many banks, online shops, webmail providers and social networks.

"Holes in SSL need to be patched [fixed] because it is ubiquitous and everyone depends on it for their security," said Jim Killock of London-based digital rights NGO Open Rights Group.

"There is a real risk that failing to fix problems means criminal gangs will seek to obtain the same data using the same defects."
SIT means that not only will the privacy of millions of people be at risk, but so will their economic activities and that of all the companies that use SSL to carry out online transactions.

The BND's move is particularly worrying, since it could well encourage spy agencies in other nations to follow suit, thus starting a bidding war for serious software flaws. That, in its turn, will encourage even more people to find and sell zero-days, rather than report them, reducing security online. It's probably too much to hope that government agencies would ever agree to give up acquiring and using software bugs in this way, but they should at least be required to limit their use so as to minimize the serious harm they could wreak across the entire Internet.

Originally Published: Thu, 13 Nov 2014 19:25:00 GMT
source
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  HELP !! APPLE IS FORCING ME TO BUY THEIR SHIT! Ladyanne3 8 2,420 Apr 13, 2024, 18:53 pm
Last Post: dueda
  Win 7 dying, such a sad day :( 59465 only finds 47 torrents in dht search ID10TError 27 43,046 Feb 15, 2024, 16:12 pm
Last Post: lustrous
  Anyone from the 70s or 80s here? Cause want info about a ghost adoption agency LadyAnn 4 27,943 Oct 18, 2021, 09:30 am
Last Post: LadyAnn
  Can someone pls detail for me How I would go and buy drugs off the darkweb w bitcoin ID10TError 21 50,893 Oct 28, 2020, 02:04 am
Last Post: LillyLacTac
  Happy International Talk Like a Pirate Day! Aw- 1 9,291 Sep 19, 2020, 16:45 pm
Last Post: RobertX



Users browsing this thread: 1 Guest(s)