“Google: Stop Burning Counterterrorism Operations” | @mncoppola | … Remember, Kids: bad guys exploiting bugs is BAD, but when we do it, it’s GOOD

Anyone who thinks the linked blog post is insightful or sensible should watch all of Marcus Ranum’s “Cyberwar: You’re Doing It Wrong” from 2012, especially from 12:42 on the topics of coordination and mythical weapons.

The sense of entitlement is enormous, not to mention the loss of focus on the users: general purpose software does not exist to serve government operations. If you find a bug you should fix a bug.

And everybody deserves good security.

> In January 2021, Google’s Project Zero published a series of blog posts coined the In the Wild Series. Written in conjunction with Threat Analysis Group (TAG), this report detailed a set of zero-day vulnerabilities being actively exploited in the wild by a government actor.

> The event was a bombshell story and provided a rare, exciting, and deeply technical look into the often secret world of nation-state computer hacking. The report dissected not only the state actor’s exploit code but detailed how the entire operation worked, including deployment configuration and a teardown of implant code and command-and-control communications.

> Project Zero and TAG were not passive observers in their investigation. They actively probed the actor’s attack servers, extracted as many exploits as they were able to, and reverse engineered the capabilities. Yet despite performing this intimate level of analysis, one of TAG’s main work products – attribution of the attacker and parties being targeted – was conspicuously absent from the report.

> What the Google teams omitted was that they had in fact exposed a nine-month-long counterterrorism operation being conducted by a U.S.-allied Western government, and through their actions, Project Zero and TAG had unilaterally destroyed the capabilities and shut down the operation.

https://x.com/mncoppola/status/1805276016392184044
