Cyber attacks will 'catastrophically' spook public, warns GCHQ
A digital attack against the UK causing even minor damage would have a "catastrophic" effect on public confidence in the government, GCHQ has privately warned Whitehall. The Cheltenham spy agency's new Cyber Security Operations Centre (CSOC) makes the prediction in a document prepared for Cabinet Office and seen by The Register …
...on public confidence in the government?
Waaay too late, boys.
So they visit Direct.gov.uk and it times out, and they go hide in their panic room? I think that that is not a cyber attack problem, that is a mental health problem.
Do the same people panic if the BBC cancels a program because of the snooker?
Either that or some department has been given a big budget and excessive powers and feels so guilty about that, they feel the need to justify it with vague exaggerated silly claims. Surely not!
What makes them think that a "cyber" attack will affect Blighty more than, say, a bombing? Or a bunch of crooks managing to "acquire" a government cdrom or usb stick or laptop full of easily abused information?
I think this is tacit admission CSOC doesn't actually understand much about this "cyber" thing, OR they're cynically playing on the fact that whitehall sure has no idea whatsoever, a not uncommon occurrence. In the same way that terrorism by "scary brown people" is somehow worse than terrorism by catholic or protestant white people.
That the report isn't much good is evident: For decades we've been hearing that quantum crypto will be here "real soon now", and the state of the art hasn't advanced sufficiently to increase its slow progress much, yet. Even so, the basic rules of information security remain the same, so even with a breakthrough or ten, for the end users it means (expensive) upgrades but business as usual. And since that business wasn't too well run in the first place, the point is largely moot. Even the successor to quantum crypto cannot protect against sheer negligence.
Note that the quantum crypto scaremongering (not the crypto itself) has been thoroughly discredited in this very rag. But that doesn't stop a good solid round of new rules and security industry pork barreling. What this means is that to this multi-faceted ``cyber'' danger the most dangerous thing for us the citizenry is, again, the very report itself. Carry on government.
"What makes them think that a "cyber" attack will affect Blighty more than, say, a bombing?" .... Anonymous Coward Posted Monday 22nd February 2010 12:46 GMT
Maybe they have been presented with a scenario/diaspora/virtual reality for which appropriate regular danegeld payment will deliver irregular remedy and unconventional relief for as long as is necessary in a Novel Partnership of Mutual Advantage?
"I think this is tacit admission CSOC doesn't actually understand much about this "cyber" thing, OR they're cynically playing on the fact that whitehall sure has no idea whatsoever, a not uncommon occurrence. In the same way that terrorism by "scary brown people" is somehow worse than terrorism by catholic or protestant white people." ...... Maybe so, AC, in all those cases, but they sure as hell should know what IT can do in Creative Hands/Hearts and Minds. They should sure as hell know that one wrong move loses them the whole Game, Set and Match and renders them just a dumb spectator munching on a hotdog specially prepared for the masses who are just spectators.
And how, pray tell, is this different from everything else they've bungled so far?
I'm quite sure that a good scare to ``Do Something, Now'' will get them moving and have them do that, net effect they bungle up some more. But one used to dealing with ``standard class people'' might be excused to think they might notice how that ``Does Not Work Effectively Or Much At All, Really'', and maybe try some quiet deliberation and some actual thought. If this is all they can come up with, then perhaps they aren't fit to represent us, and we really ought to do something about that.
We had cyber attacks on government sites here in Australia only a week or so ago (DDOS attack by the Anonymous action group in protest of the governments internet filter policy), and it made not a blind bit of difference to anyone.
The FAIL is for the report saying it will have catastrophic impact on public confidence!
......broadband will mean that states are able to achieve their aims by hiring criminal botnets to carry out DDOS or other attacks on their enemies' infrastructure."
is this why botnets appear to be so resilient?
they are seen as a potential resource by their hosts?
"catastrophic" effect on public confidence in the government"
In a way tha *multiple* losses of 100s of MB of highly personal details (HMRC, prison staff, army applicants, etc) has not.
"Quantum computing."IMHO someon has been reading *way* too much Tom Clancy.
One of those technologies that has been coming "Real soon now" for about a decade at least.
Perhaps a *little* more difficult that its supports claim? Rember *everything* looks slimple on a whiteboard.
Only a Civil Servant who *wants* to give them more money would fall for this alarmist twaddle.
"A digital attack against the UK causing even minor damage would have a "catastrophic" effect on public confidence in the government"
I'm not overly sure it *could* get any lower.
There should be a considerable degree of skepticism about whether a quantum computer with a serious number of qubits (>1024) can actually be constructed. My own belief is that the failure to construct a quantum computer capable of instantaneously breaking all known codes will tell us something very interesting and new about physics - indeed, that it may turn out to be as significant as the failure of the Michaelson-Morley experiment, which disproved the existence of the luminiferous aether.
That's just a hunch, though. Should "reality" prove otherwise, the philosophical implications are of even greater import.
'Quantum comuting'
That's what I've been doing since I started working from home.
The worst-worst-case scenario is that construction of a working bignum-bit quantum computer crashes the operating system of the virtuality which we call "the universe", or causes the external real intelligence(s) running the computer simulation that we call "the universe" to shut it down in exasperation or disgust.
"Growing reliance on the internet to deliver public services will 'quickly reach a point of no return'" -- and this is the problem.
The obvious answer to this is to try to *reduce* this reliance on the internet. Make sure there are alternatives in place to allow any public service to be accessed in the more traditional way.
Not only does this mean there can be no discrimination against non-computer owners, it also avoids backdoor privatisation of law through enforced use of proprietary technology.
""It is unlikely that any state actor will have been able to put quantum systems into operation by 2015, although some state actors may have basic quantum computing capabilities by 2020," CSOC says."
How very wise of GCHQ to have chosen not to mention non state actor capabilities .... the great known unknown which constantly, transparently and steganographically trails its Bait and Goodies before them, for the SMARTer Players in the Greatest of Great Games to Ponder Purchase before Obvious Sale Elsewhere to more Astutely Aware Competitors and Partners into Wiser Intelligence Servering of Obscene Advantage for Quantum Control Systems Market Control.
often result in mass panic and catastrophic loss of confidence in the government (does anyone actually still have confidence in them?).
I fail to see how your internet not working is worse than your lights, radio and computer not turning on.
"Either that or some department has been given a big budget and excessive powers and feels so guilty about that, they feel the need to justify it with vague exaggerated silly claims. Surely not!"
What is this word "Guilty" that you use in relation to a Govenment department?
I hadn't heard of this phrase until last week in a quiz, and now aMaNfRoMmArS uses it.
Weird
Last night channel 4 news showed an article on a US government mock-up of a possible "internet meltdown cyber warfare" type scenario which seemed bent on pushing the idea that we all need to be very afraid of such an event. And now we get this report from the UK "Cyber Security Operations Centre".
It's an amazing coincidence that these two completely separate (yet parallel) stories break within 24 hours of each other. If I were of a suspicious nature I'd say something smells a bit fishy and maybe we're being "fed" these stories in order to make us afraid (after all it seems to me that we're becoming a tad blazé about international terrorist attacks and it's high time we had something new to fear).
But I'm sure it's all a coincidence and there's no orchestration whatsoever behind these stories (or the ones that will break over the rest of this week).
...it's been nearly twenty years since I've learned to regard as total bullshit any computer-related blather from a government agency or the general media using the prefix "cyber".
My (rather generalized) standard response is that they can go cyberfuck their cyberselves.
-
("Electronic Pearl Harbor", anyone?)
I admire your cynical naivety, AC, in doubting/hoping/questioning that coincidences are not orchestrated, for of course whenever they are, is the Nature of Reality then a Mainstream Virtual Reality Flow being Programmed into the System.
"Last night channel 4 news showed an article on a US government mock-up of a possible "internet meltdown cyber warfare" type scenario which seemed bent on pushing the idea that we all need to be very afraid of such an event. And now we get this report from the UK "Cyber Security Operations Centre"." ...... Methinks any fears and/or concerns are firmly rooted and routed in those who would be pimping the fear agendas, hell bent on pushing the idea that we all need to be very afraid of such events. [Oh, and here's wishing Dick Cheney all the Best of Care and Attention that he deserves ..... http://news.bbc.co.uk/2/hi/americas/8529585.stm]
"Officials plan to feed the results of the meetings into policy, including whether and how the UK should develop offensive capabilities online." ....... Oh FFS.... Aren't you/they already doing at least all of that? What sort of Mickey Mouse operation is the UK CyberSecurity Operations Centre. And what is the point of reinventing the wheel whenever the how of developing offensive capabilities online is so very well known by those with developed offensive capabilities online.
OK ..... who's got the spooky email address that puts one directly in touch with the GCHQ Beginners or are they so aware that nothing is secret and communications are rigged, that they hide themselves away afeared to exchange pleasantries and information/questions and answers?
Which all sort of ask the one Big Question ...... Who is Leading Whom and with What? And that is a National/International and InterNetional Question which you will be hard pushed to Answer anywhere near Correctly, or are you content to believe that Things just Happen Randomly and everything therefore is just a Reaction rather than an IntelAIgently Designed Plan, in a Suite of Plans and CHAOS reigns Supreme and Sublime?
The one novel thing about CyberSpace Security is, that it is a Place in which to Deal Global Scale Business in which the Intellectual Property Exchanged and which Drivers IT, is not Confined or Owned by any Nationality or IntelAIgently Designed Entity, but rather Run by a Host of them Hosting Intellectual Property Exchange which Drivers IT and Media Systems of SMART Power and Animal Control. And a Real Money Spinner for GCHQ Spookery should they ever get their Act together and actually Decide to Lead with CyberIntelAIgents Purchase and AI Leverage, rather than Floundering in the Shallows like a Beached Whale.
"after all it seems to me that we're becoming a tad blazé about international terrorist attacks and it's high time we had something new to fear"
Meanwhile downunder, the guvmint scaremongers have just released a "Terrorism Whitepaper" which is meant to scar^H^H^H^H inform us about all the growing threat of "home grown terrorists" and the need for biometric passports from suspect countries despite the fact that none of the know terrorists so far have been caught using forged passports and even more ludicrously, our nearest and largest source of terrorist threats, Indonesia, are not included in the "blacklist" of countries requiring biometric passports.
"Officials plan to feed the results of the meetings into policy, including whether and how the UK should develop offensive capabilities online. "
Waste of time.
Bin your stupid policy and schoolboy dreams of waging cyber warfare and do something that will actually make a difference in the real world: Stop using Internet Explorer 6.
Stop using Internet Explorer 6, stop using Internet Explorer 6, stop using Internet Explorer 6, stop using Internet Explorer 6.
Stop using Internet Explorer 6.
And then we can FINALLY MOVE ON.
This news comes the day after the Argies "cyber attacked" The Penguin News... did that "catastrophically spook" anyone? No.
People were more bemused than scared.
OK, so it was an epic fail because they used Spanish text (Falklanders speak English), and they only hacked a local newspaper, but they did their best.
what the report is saying is, "a cyberterrorist attack will cause headless-chicken syndrome for the media and politicians, and thusly for the unwashed masses, far more severely than the actual damage done would suggest"
given past events, seems a pretty safe bet to me
Quote: Growing reliance on the internet to deliver public services will "quickly reach a point of no return", meaning "any interruption of broadband access becomes intolerable and will have serious impacts on the the economy and public well being"
Better throw that clause out of the Mandybill then.
...on the economy or public well-being, but the last time I had an appreciable broadband outage here, I switched over to my 56k internal modem, let Thunderbird run to catch any important messages, and went downstairs to watch a movie on TV.
A slight pain in the ass for an hour or so, as I recall, but _impact_...?
"Meanwhile a quantum-encrypted message would be impossible to intercept because just by observing it the eavesdropper would destroy it."
So all you need to do is observe your enemies communications and you've nailed them. If observing the message destroys it, then you in effect destroy their means of communication just by looking at it. So how can they then co-ordinate anything when you have basically broken the comms link between them.
Or am I missing something here?
Observation in the quantum sense, means eavesdropping or "bugging". In other words, a quantum communications channel shuts down if someone is attempting to "tap" it. This behaviour is generally regarded as preferable to having one's communications spied on, without knowing about it.
Also if you are in a position to attempt to tap, you are almost certainly in a position to physically destroy. Ordinary doors, locks, men with machine guns etc. will protect a quantum communications channel (usually a fibre optic) from being blocked by observation in much the same way as it will protect a conventional wire from being severed. The difference is that if they have managed to breach your physiccal security, they still won't get any information out of the channel.
So, every time the Quantum Computer has to perform, it feels observed and stops working (until new funding arrives - of course).
...to my list of words on my "regard as bullshit" trigger-word list, vis-a-vis government and media:
"Quantum"
QKD channels can withstand a certain amount of eavesdropping and still retain their security.
The key is only ever established from photons that arrive at their destination so any eavesdropping has to be active. Simply trying to tap and 'read' the photons is not sufficient - something has to be sent on to the destination in its place. Quantum mechanics guarantees that one cannot copy or clone the photons.
The two ends of a QKD channel can assess the error rate on the quantum communication and, provided it is below a certain bound, can still establish a secure key between them. It is irrelevant whether these errors arise from active eavesdropping or from other system errors such as detector dark count noise.
There are classical processing techniques that will allow the distillation of a shared secret from a collection of partially secret bits. Knowing the error rate one can provably establish the maximum amount of key information that could have possibly leaked to an eavesdropper and reduce this to an arbitrarily small amount using these techniques.
Observation of a quantum computer IS what collapses the state onto the 'answer'. In a QKD channel observation by an eavesdropper is a source of errors that can be measured and dealt with. In quantum computation it is the act of observation, or measurement, that collapses the processed input state onto what is hoped to be the correct answer.
"The Cheltenham spy agency's new Cyber Security Operations Centre (CSOC)"
Anybody who uses the term "cyber security" in earnest can be safely ignored. They are all, quite simply, completely ignorant.
Seems to me that you right-pondians have elections coming up ... use them wisely.
Perhaps, if there's a cyber attack, we could all just queue up at the Post Office, like in the old days? Assuming it's not been sold off to some free-market profiteer....
Admittedly, some net obsessives may find it spooky having to be in a line with other real people, some of whom may be old, or perhaps look less well off, but on balance, I think most of us would cope.
"The NSA is said to be investing heavily in quantum computing"
Who said that ? They will have "disappeared" by now if they were right. I guess it depend on what "heavily" is - 35% of budget ?
The NSA is so well financed (along with the CIA) that the entire GCHQ budget is most probably less than their spend on transportation. GCHQ need to get real and not try and scare the civil servants into providing more money with these sensationalist comments.
Rather than selling off assets like QinetiQ, government should get a grip. No more taxpayer money until they make savings from such mistakes. Oh, GCHQ should not get staff to leave when acting in the public interest.
I mean, I understand the correct procedure: grossly inflate scale of threat, demand budget and exclusions to privacy laws to resolve it, see department grow into Big Brother. But what these public services that are delivered online that we'd be distraught to miss? A page showing the opening times of the local library? Something about MP attendance? I'm really lost...
I think the biggest threat to our online existence are ISPs and mobile providers who continually over-sell capacity and then want to remove anyone who has the audacity to actually use their "unlimited" connection.
It's very important to distinguish between 'quantum cryptography' and 'quantum computing' as they are two quite different technical beasties.
Quantum cryptography is a terrible misnomer - invented to sound catchy but somewhat misleading. It should properly be called quantum key distribution (QKD). It uses the properties of quantum mechanics to establish a secure random sequence of bits between two users. This random sequence can be used as a key in symmetric crypto algorithms. It is just an alternative technology to traditional key distribution mechanisms.
QKD systems are commercially available. With some investment and a bit of adaptation and tinkering the entire UK telecommunications network could be protected using QKD within a reasonably short timescale. There is, however, no political or commercial will to do so.
Security is about risk management. Where are you most vulnerable? What failure will cause the biggest impact? etc etc. Existing arrangements for key distribution are not seen as sufficiently vulnerable in order to warrant the substantial investment it would take to implement a QKD mechanism as an alternative. With protecting a single link using QKD currently costing around the £50k mark just for the kit the assessment, quite rightly, is that the money is better spent protecting systems that are more vulnerable.
Quantum computing is another kettle of fish. It exploits the properties of quantum mechanics to perform some computations faster than can be achieved through classical means. Essentially it performs a massively parallel computation on the components of a wavefunction. The components each have a phase relationship and they are brought together to interfere to yield the correct answer. The principal reason why quantum computers are difficult to build is that this phase relationship is very sensitive. Even the slightest interaction with the environment will destroy the necessary phase coherence very quickly.
Quantum computers work and have been demonstrated but only very small versions have been built.
Furthermore there are only a few known algorithms for which a quantum computer provides any substantial benefit. Two of these just happen to be the ability to factorise and solve the discrete log problem - precisely the things you need to do to be able to crack the most popular public key crypto systems. So should someone figure out how to build a quantum computer of any size then we'd need to replace any crypto suite using these aysmmetric public key algorithms pretty quickly.
Symmetric algorithms like AES are not as vulnerable to attack using a quantum computer. In essence a quantum computer can halve the effective key size of a symmetric algorithm but it cannot do any better than this.
A successful 'cyber' terror attack on, say, the UK's banking network might have national security implications. If people cannot access cash or pay for goods there is the potential for short term civil unrest until the systems are back on line. This is just one example. Although if we all get smart meters then a cyber attack launched to turn off power might be more than a minor irritation. I'm sure there are other examples.
your example isn't great
"A successful 'cyber' terror attack on, say, the UK's banking network might have national security implications. If people cannot access cash or pay for goods there is the potential for short term civil unrest until the systems are back on line."
Already happend, but had nothing to do with a cyber attack, I believe it was a faulty SAN that took out a major banks card network.
People grumble and make a few phone calls, but all in all we get over it. Normal people are quite capable of dealing with minor inconvenience.
"People grumble and make a few phone calls, but all in all we get over it. Normal people are quite capable of dealing with minor inconvenience"
Yes I accept this point for a relatively minor outage.
Suppose it was possible to disable electronic payment and cash machine facilities for a few days. Most 'normal' people, as you put it, would probably manage through this. However, I think there would be the possibility that some would not cope so well and this could (note 'could') lead to some civil unrest.
The banks don't have to be the main target here - just creating enough chaos and difficulty to divert attention from elsewhere might be the goal. Who knows?
I think it's important to speculate about possible threats, however unlikely. Maybe it's this kind of exercise that has inspired GCHQ to describe a cyber attack as potentially catastrophic. Who knows what goes through their heads? They probably wouldn't want to explain their thinking on this anyway - just in case someone gets a bright idea from it!
Where were GCHQ when Phorm conducted their nationwide man-in-the-middle 'cyber attacks'?
The Home Office were in meetings with BT/Phorm receiving 'assurances' about BT's nationwide mass surveillance and industrial espionage. Home Office OSCT even wrote words of comfort for them, and sought their agreement prior to publishing. Meanwhile Greek/Turkish/Russian/American spyware crooks were tapping the UK's internet communications.
So I guess my confidence in Government probably is catastrophically damaged. But more so by the Governments own stupidity and failure than anything else.
Would I trust GCHQ to save us from cyber attack? Pull the other cable. Its got Stratis Scleparis fingerprints on it.
"If observing the message destroys it,..." ...Anonymous Coward Posted Monday 22nd February 2010 14:48 GMT
It destroys the secrecy and reveals the truth, AC.
"Anybody who uses the term "cyber security" in earnest can be safely ignored. They are all, quite simply, completely ignorant." ..... jake Posted Monday 22nd February 2010 14:48 GMT
That will suit them greatly, jake .... for then is Stealth provided Sublimely .... and Most Certainly in Semantic Web XPeriMental dDevelopments.
"GCHQ need to get real and not try and scare the civil servants into providing more money with these sensationalist comments." .... Anonymous Coward Posted Monday 22nd February 2010 15:27 GMT
One would have thought that a Prime Directive Executive Role for GCHQ would be to Provide the Intelligence to Deliver Always Bounteous Funding Streams Quantitatively Easing Every Blockage and Hindrance to Virtual Progress.
"A successful 'cyber' terror attack on, say, the UK's banking network might have national security implications. If people cannot access cash or pay for goods there is the potential for short term civil unrest until the systems are back on line. "
True. But how feasible is that?
This is just one example. Although if we all get smart meters then a cyber attack launched to turn off power might be more than a minor irritation.
The ones which are *only* being included in the UK Gov'ts energy bill because one of his Lordships took a bung to introduce them. The ones which have *know* security flaws (as in transmitting the data in clear).
Now that should worry Britards across their land.
"Quantum computers would be able to test every possible cipher for a traditionally-encrypted message very quickly."
Using quantum computers for brute force attacks on symetric encryption only decreases the effort by a power of 2, i.e. 1/2 the time.
Where quantum computing will break encryption is by calculating the factors used in asymetic encryption, e.g. RSA, Diffie Hellman, which is often used for key exchange for the symetric sessions because symetric encryption is more efficient than asymetric and key can then be exchanged outside of the data channel.
Still scary though...
Quantum computers using Grover's algorithm will reduce the key space by a factor of two - not the time. An important distinction.
So a key space of 128 bits becomes a key space of 64 bits.
For exhaustive key search the time scales as 2**n where n is the key size. Adding one bit to the length of the key doubles the time (approximately), and reducing the key length by one bit halves the time.
So you're reducing this time scaling by a square root with a quantum computer. Much, much better than halving the time!
I wanted to say a little fear keeps you alive, but I know damn well I'd be playing right into the same old freaking pattern of...
1. Create Problem
2. Create Solution
3. CRACKDOWN ON CIVIL RIGHTS
4. Create New Budget to "get er done"
I would worry about the "government agenda" which will surely follow up such claims.
Considering 99.99 % of innocent (yes both in the uk and usa) government workers do not even understand basic tcpip, they can only follow along as this vague new invisible freaking threat rolls out new laws, new policies all to be neatly wrapped up in "state secrets" (or your uk equivalent of bullshit, sorry I am in the US here..) so nobody can question what's been rolled out.
That's the pattern.
won't that be grand? Could the UK get it worse then the USA?
No. the real agenda here is if they can cut off web access they can cut off information, news, and communications. This has to be justified and presented in a way which gives plausable deny-ability. They just played that game here in the usa and what did they find? They found they needed authority to hack the shit out of civilian's cellphones even more.
Or one wild freaking day this news headline pops out
"Bill would give president emergency control of Internet"
We hear Na never happen... bla bla bla all over by corporate tout media
Yet soon we can start finding documents with numbers on them like so
http://politechbot.com/docs/rockefeller.cybersecurity.questions.082809.txt
Which again isn't EXACTLY what I said. but some easy digging you get
http://www.opencongress.org/bill/111-s773/show
Confirming the pattern of incremental fascist bullshit like so
http://www.prisonplanet.com/americans-who-know-their-rights-are-the-real-target-of-napolitanos-domestic-terror-warning.html
(Rep) vs (Dem) + Electronic vote tabulation devices = FAIL That's the new message, throw out all the incumbents, them all out. (At least in the US that has to be the message)
I always seem to bring this to an American perspective. I dunno what you do to get rid of termites with their teams of mechanics in the UK, I doubt one starts their day running around saying, "impeach the queen!" heh heh heh though I laugh, perhaps you should start considering it! So everyone under the Queen can be challenged? Is that it? Your probably laughing at me now... Sadly none of this is funny.
I have my Dollar to worry about
You have your Euro to worry about
This is part of the root of what's wrong.
Where are the COPS for our monetary system?
The other problem is the constant changing of laws, lack of trust from lies and ponzi and potential new law unknowns and it makes it impossible to run a freaking business, AND keep your retirement safe from all the monetary terrorist dangers.
We got to start telling these people NO.
We need to get the crap flushed out of the markets so there can be trust again.
You or I can not be gambling with $65 trillion and when it comes due in an offshore bank
(really, a shoebox with a poop inside taped up with $65 TRILLION printed on it) saying it's classified you can't see it!
""""
(really, a shoebox with a poop inside taped up with $65 TRILLION printed on it) saying it's classified you can't see it!
""""
If you put a sticker with "Level 3 Asset" on the lid you can pawn it to the FED for maybe 60 Trillion worth of bonds - that's a pretty solid business model IMO.
This is Timely and Apposite ....... John Perry Barlow’s “Declaration of the Independence of Cyberspace” ..... http://homes.eff.org/~barlow/Declaration-Final.html
If this were a Yank outfit, I have to say that:
1) These two "nascent" outfits were trying to, In the immortal words of Mel Brooks, "...protect our phony-baloney jobs, Gentlemen!"
2) Had hired Microsoft's PR firm.
But as this is a Brit outfit, that would never happen on the right side of the pond...now would it?
I think they are so scared because of the enormous potential to gather intelligence using novel methods. Instead of bothering with codebreaking, just use a cleverly written virus which exploits one of those thousands of weaknesses that still lurk in Windows. Or Linux. Or MacOS. Or BSD. Probably even OS/390 / zOS, even though this OS does not seem to have the buffer overflow issues.
The Chinese do this with some success and that certainly is a threat for the "big boys" in the sigint biz, which are the UKUSA countries (aka "anglos"). The big dog is always pissed off by other dogs coming close to the meat trough.
One the long run they should simply hire all the x86 and ARM assembly crackers they can get hold of. Surely they can come up with tools that automatically detect a large class of exploits automagically.
Future AI computers jobs will auto protect networks and firewalls with hacker preventing plugins from some future AI CORP company and will call them something to trooper AI.
Have the power of a thousand man army in your firewall............
Ahh will be fun when that day arrives.
Sign up, sign up for The Register's weekly IT security newsletter - click here
