ok, and the surprise is ...
oh, there is none.
China has altered public vulnerability data to conceal the influence of its spy agency in the country's national information security bug reporting process. The damning finding from threat intel firm Recorded Future follows months of research examining the publication speed for China’s National Vulnerability Database (CNNVD …
Well, the NSA discovers their own vulnerabilities and simply doesn't report them. They don't scour company databases, find important vulnerabilities, and then force the public DBs to remove or hide those vulnerabilities from the public.
China is operating under the guise of openness, by offering to scrub numerous databases to create a centralized public database. But they are instead using the vulnerabilities already reported by others, seeing if they provide value to their spying programs, and if so, hiding them from the Chinese public.
So in theory, the Chinese citizens and companies would know about these public vulnerabilities as soon as the rest of the world if the Chinese government were not doing this.
When the NSA hoards an exploit, in theory (their theory), only they know about it. The NSA's actions can hurt the world. So see, the US is doing it better.
It's not often that I agree with the government, but from my own hobby of research I do not trust much of anything coming from China.
Case in point: Last week a local company had a prize giveaway to attract potential customers to their place of business.
One of the "prizes" was a "smartwatch" from China.
The watch came with instructions that included a QR code to download an app to the user's Android phone to link to the smartwatch.
There were over 100,000 of these smartwatches purchased for giveaway.
(URL shortened link to VirusTotal results)
If you buy hardware from China, you throw away your security.
If you guys could actually read Chinese and were on the forums you would piss yourself with shock at the information available: people selling the ability to load modified firmware into devices at the factory level, illegal reverse engineering & hacking to openly steal IP, & you guys think an exploit database is news...
Don't even get me started about malware being injected into hotel feeds by government-sanctioned companies or HARDWIRED "bypass" boxes fitted to patch ROUND firewalls, all thanks to your local government-funded police & security dept.
On the assumption this is true, this is why we have application proxies.
Your infrastructure has no need to talk to the internet.
Oh wait. You bought Microsoft Windows 10? You use AWS public services?
You probably need to stop doing stupid things which make your security impossible to maintain, just because "everyone is doing it" or "it's cheap."
Security problems are like staff problems: everyone complains it's not possible, when what they really mean is they don't want to pay for it.
"For a foreign multinational company to comply with all the provisions of the CSL means (in effect) co-operating with Chinese security and intelligence services."
Does that mean that foreign multinational companies in the US don't have to follow US laws telling them to cooperate with US security and intelligence services, along with gag orders and secret FISA trials so they can't say anything?
Let me say that I'm not convinced, and the long history of US meddling makes this criticism hard to swallow.
How can we expect China to be better when we're not able to democratically control our own Western intelligence agencies?
There is no theory in which an actor can be completely protected from a rogue agent. That is, whatever powers you entrust to someone can be abused.
The entire question becomes what level of trust you can manage for your agent.
Formally, western powers have constitutional limits on the actions of their governments, including various bills of rights. In practice...well, it doesn't always work that way.
China has nothing comparable. 1) The government is not seen as an agent of its citizens in the first place. 2) The Chinese language does not even have the concept of human rights that we have in the west.
In particular, anyone posting anonymously in these forums complaining about the behaviours of our intelligence agencies is NOT doing so to avoid detection by these agencies. We are completely confident in our ability to freely criticize the actions of our government so far as the government goes. We worry much more about individuals objecting & that limiting our job opportunities.
THAT is the difference. And we hold to the thin hope that this freedom can be used to turn the corner and rein in our agent, the government.
"anyone posting anonymously in these forums complaining about the behaviours of our intelligence agencies is NOT doing so to avoid detection by these agencies."
No, because we assume those agencies already know who they are and if not, will know in about 5 minutes or less.
The only difference between the agencies is that western ones claim they're not doing it. The motivations of the governments might be slightly different but "democracy" doesn't enter much into it except for lip service.
Biting the hand that feeds IT © 1998–2019