White House Cyber Chief Provides Transparency Into Zero-Day Disclosure Process


In a lengthy statement, White House Cybersecurity Coordinator Rob Joyce explained why not all discoveries are disclosed. That will not change; but in introducing greater transparency into the process of decision-making, he hopes "to demonstrate to the American people that the Federal Government is carefully weighing the risks and benefits as we carry out this important mission."

The extent to which the government agencies use cyber vulnerabilities to further their own overseas missions became known with Edward Snowden's leaked documents. This sparked greater discussion over the morality of government collection and use of vulnerabilities without disclosing the existence of those vulnerabilities to the product vendors concerned.

Microsoft, for example, developed detailed proposals for introducing international norms of cyber behavior that would rely on no government keeping private supplies (hoarding) of undisclosed 0-day vulnerabilities; and also called for a digital Geneva Convention that would "mandate that governments report vulnerabilities to vendors rather than stockpile, sell or exploit them." This is unlikely to happen. "Our national capacity to find and hold criminals and other rogue actors accountable relies on cyber capabilities enabled by exploiting vulnerabilities in the digital infrastructure they use. Those exploits produce intelligence for attribution, evidence of crimes, enable defensive investigations, and posture us to respond to our adversaries with cyber capabilities," said Joyce in his statement.

The theft and release of 'Equation Group' (generally considered to be the NSA) tools and exploits by the Shadow Brokers (generally considered to be 'Russia') brought new emphasis to the issue. These tools included the EternalBlue exploit soon used by hackers (quite probably nation-state affiliated hackers) in the worldwide WannaCry and NotPetya ransomware outbreaks.

Joyce formerly served as head of the NSA's Tailored Access Operations (TAO) unit, the offensive hacking team tasked with breaking into the systems of foreign entities.

The unproven implication is that if the NSA had disclosed its vulnerabilities, the worldwide disruption caused by WannaCry and NotPetya might not have happened. There is, however, little mention of the danger of theft inherent in any store of vulnerabilities in this week's Vulnerabilities Equities Process (VEP) transparency announcement, beyond two considerations in the decision process: "If USG knowledge of this vulnerability were to be revealed, what risks could that pose for USG relationships with industry?", and "If USG knowledge of this vulnerability were to be revealed, what risks could that pose for USG international relations?"

The full unclassified VEP process document (PDF) "describes the Vulnerabilities Equities Policy and Process for departments and agencies of the United States Government (USG) to balance equities and make determinations regarding disclosure or restriction when the USG obtains knowledge of newly discovered and not publicly known vulnerabilities in information systems and technologies."

In short, it explains the process without altering the policy. Its purpose is to introduce transparency and reassure the public that the government will weigh the offensive advantages obtained against the threat of public disruption if used by third-parties, for each 0-day vulnerability it discovers.

That transparency is valuable, but numerous concerns remain. One is that the VEP continues to be an administrative exercise not enshrined in law. It can be changed at any time without public or legislative oversight.

In May 2017, Senators Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) and U.S. Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas) introduced the 'Protecting Our Ability to Counter Hacking Act of 2017' -- the PATCH Act.

Its purpose is to promote the transparency introduced this week, but to make it a legal requirement rather than an administrative choice. The PATCH Act appears to have stalled, with no real progress since its introduction in May.

Other concerns appear in the Exceptions section of the VEP process document. For example, "The United States Government's decision to disclose or restrict vulnerability information could be subject to restrictions by partner agreements and sensitive operations." This will exclude 0-days discovered by, say, GCHQ and disclosed to the NSA under an effective non-disclosure agreement; and it could also exclude 0-days expected to be used in potential operations (such as Stuxnet).

It has long been suspected that members of the Five Eyes surveillance alliance share intelligence on each other's nationals to circumvent individual laws forbidding surveillance of their own subjects. If this happens in practice, a similar arrangement between each member's intelligence agencies would exclude shared vulnerabilities from the VEP process. Both exclusions are likely to be used by the more offense-driven agencies (the NSA and the CIA) to both hold and keep secret their most 'valuable' exploits.

Nevertheless, the purpose of declassifying the VEP process is primarily to reassure the American people that the secretive intelligence agencies do not have free rein in the vulnerabilities they keep and the vulnerabilities they use -- and to that extent it will probably succeed.
