Hacking Team: Oh great, good job, guys ... now the TERRORISTS have our zero-day exploits

Spyware peddler Hacking Team is moaning that, since its internal source code was leaked online, its tools for infecting PCs with malware are now in the hands of "terrorists and extortionists." The Italian biz is not wrong ... in a way: the leaked code, which exploits vulnerabilities in Adobe Flash and the Windows operating …

  1. Anonymous Coward
    Coffee/keyboard

    "Before the attack, Hacking Team could control who had access to the technology..."

    Thank you! Thank you! Oh, you've been a great audience tonight, it's truly been a pleasure telling our jokes to you, but all good things must end and now Hacking Team has to fuck off pronto and stop telling such pathetic lies to an audience as clever as this, who wouldn't actually believe for a moment that nobody else in the whole world could be resourceful enough to find exploitable bugs in the Flash runtime and that all of the staff of all our customers in all of the thugocracies we hawk our wares to are intelligent, diligent, and trustworthy...

    g'night!

    1. Anonymous Coward
      Anonymous Coward

      "Before the attack, Hacking Team could control who had access to the technology..."

      So why didn't they?

  2. Mark 85

    I'm sure that every country's security agencies on the face of the earth have downloaded those files also and are busy using the info in them.

    So why would they put source files in a not air-gapped network? I want to say they're not that stupid or ignorant but obviously they were.

    1. nematoad
      Mushroom

      " I want to say they're not that stupid or ignorant but obviously they were."

      Why would you not describe them as they are? Not only that, they have been acting in ways that are devious, underhand and mercenary. They obviously have no ethical standards at all and are solely concerned with making as much money as possible.

      These characters are the "enemy within". The scum of the earth, and to start whining about how their incompetence has made the world a more dangerous place defies belief.

      So not only stupid or ignorant but hypocrites and liars as well.

  3. Anonymous Coward
    Linux

    "patching" needs fixing

    We all read articles like this and stroke our beards (or in my case wish I had any useful amount of hair above my neck line), nod appreciatively and look for the next patch window. This is bollocks: patching has to happen yesterday and be unobtrusive: end of.

    The first step is removing the need for a reboot when patching. Why the hell does a word processor patch need a reboot? Oh, it doesn't: the only thing at the moment that needs a reboot is a kernel patch and that is being addressed.

    Cool.

  4. Captain DaFt

    Left out the worst part for them.

    "Now, Hacking Team warns, the leak will allow its surveillance tools to be used by anyone who has "the technical ability" to use its software."

    "And we ain't gettin' paid for it! They'll be using it for free! AAAUUUGGGHHH!"

    1. John Smith 19 Gold badge
      Joke

      ""And we ain't gettin' paid for it! They'll be using it for free! "

      Indeed.

      You spend literally hours weeks looking for vulnerability in flash and suddenly some thieving ingrate comes along and steals it.

      Outrageous.

  5. Anonymous Coward
    Alien

    As ye sow ...

    "Among those who were said to have purchased the Hacking Team Remote Control System (RCS) spyware package were the authorities in Saudi Arabia, Sudan, Russia, and Honduras. The US government was also a customer."

    ... so ye shall reap

    Cheers

    Jon

    PS The y above is really a thorne and pronounced "th" so ye is actually "thee".

    1. Elmer Phud

      Re: As ye sow ...

      have an extra upvote for the correct use of ye olde English

    2. Irony Deficient

      Re: As ye sow …

      Jon, ye was the second-person nominative plural pronoun; it is correct as is. Thee was the second-person singular object form; using thee there would be ungrammatical. If it were intended to be said to a single entity, it would have been “As thou sowest, so shalt thou reap”.

      Where “ye” was really “þe” was for the definite article the, e.g. “Ye Olde Hacke Shoppe” was really “Þe Olde Hacke Shoppe”.

  6. Jeremy Allison

    An apt description of "Hacking Team"

    As "terrorists and extortionists."

    Utter shits, who find zero day exploits and refuse to disclose them to the creators of the software but sell them to others instead.

    I can't be bothered to download their crap, can anyone tell me if they have contracts that explicitly prohibit licensees from disclosing the vulnerabilities to the actual authors of the software ? Other similar companies (let's hope you get hacked too, you disgraceful bastards) have such clauses. I remember knowing about a vulnerability because of one of these companies, but being unable to fix it for a while because of these contracts. We eventually figured it out.

    As a Free Software author myself, this makes my blood boil.

    1. Mark 85

      Re: An apt description of "Hacking Team"

      can anyone tell me if they have contracts that explicitly prohibit licensees from disclosing the vulnerabilities to the actual authors of the software ?

      There's no incentive and only a downside to ratting out the software authors. If they do that, a patch will be kicked out and the Hacking Team software will be useless.

    2. tfewster
      Facepalm

      Re: An apt description of "Hacking Team"

      "...cyber criminals of Hacking Team..."

      Or that's how I read it - very appropriate!

  7. Anonymous Coward
    Anonymous Coward

    Well maybe this wouldn't be a problem if Hacking Team had reported the vulnerabilities when they discovered them, would it. That everything is out in the open now is a good thing, at least now everything can be patched rather than exploited by oppressive governments. Hacking Team deserves all the blame here.

    As for the terrorist comment, what exactly are terrorists going to do with this? Deface a few small websites? The governments of Saudi Arabia, Sudan, Russia, and Honduras (and depending on your point of view, UK and USA) are far more of a problem.

    1. Anonymous Coward
      Anonymous Coward

      The people who hacked "hacking team" could have been black hat and been using their source code for months to aid terrorist activities. If "hacking team" were open they should be thankful if the only people who got into their network were a group who doxxed their very precious cargo rather than using it themselves or selling it on.

      What is to stop Government X (Bad) using this same kit against Government Y ("good") as most of Government Y probably had these same vulnerabilities as their software would also not be patched. Did the USA know this software was also in the hands of some hostile regimes?

  8. dan1980

    A vulnerability is just that

    And this, ladies and gentlemen, is the problem with the concept of hoarding exploits - they get out.

    This should be instructive for our governments when considering their various proposals to mandate 'crackable' encryption - these 'tools' they covet and demand are vulnerabilities and their existence is a security risk whether they are 'in the wild' or hoarded by a government agency or a private firm.

    One thing we need to clear up is this misconception that having someone trustworthy controlling this information somehow makes it all okay. It doesn't; the vulnerabilities still exist. What has been managed is simply the knowledge of those vulnerabilities.

    Someone else will come across the same vulnerabilities and, once that happens, you have instant risk to everyone using the software/hardware. There is also the possibility - some would say inevitability - that, as has happened here, the information will be stolen.

    The fact that it has happened here should give every government pause. This is a company whose very reason for existing is identifying and understanding vulnerabilities. They get paid to understand the world of 'cyber security' and what is required to breach systems. They are a professional outfit with serious commercial incentive to keep this information safe* and they were breached.

    Remember - a vulnerability does not magically disappear simply because only the 'right' people know about it. Sooner or later, someone else will - no matter how clever those protecting that knowledge or how sincere their intentions.

    * - After all, if the vulnerabilities are patched, their products become ineffective and thus their business has nothing to sell.

  9. Destroy All Monsters Silver badge
    Mushroom

    Wow, these disgusting fucks are disgusting.

    These guys sure sound like they are getting serious help from various governmental P.R. departments. Freshly flown in from various repressive regimes, the Cameron outfit and the Hopey-Changey Snake Oil show. Their lobby must be a multicultural event!

    "Blame it on Snowden" bullshit emission starting in 3...2...

  10. Allan George Dyer
    Facepalm

    "Before the attack, Hacking Team could control who had access to the technology"

    "Before the attack, Hacking Team could claim to control who had access to the technology, now we have been exposed as liars and have been forced to rely on misleading PR to maintain our business model."

    FTFY.

    They knew their job included defending against "terrorists and criminals", and they failed.

    Who's for making knowingly concealing a vulnerability from the developer concerned a crime?

    1. Christoph

      Re: "Before the attack, Hacking Team could control who had access to the technology"

      "Who's for making knowingly concealing a vulnerability from the developer concerned a crime?"

      Not unless you first make shooting the messenger a crime. Far too many people have tried to report vulnerabilities and promptly been arrested.

      1. Anonymous Coward
        Anonymous Coward

        Re: "Before the attack, Hacking Team could control who had access to the technology"

        A crime in which country?

  11. Mikel

    Oh gee

    This is only one of hundreds of different hacking kits available. Face it: you're hacked.

  12. Medixstiff

    Any chance

    Someone could deface their web page with caricatures of Mohammed so ISIS/IS or whatever they are called this week can bomb the sods into oblivion? Also the same for the FinFisher mob please.

  13. This post has been deleted by its author

  14. lansalot

    love it !

    I love the comment on their banner on the front page:

    "Interesting data never gets to the web. It stays ON THE DEVICE".

    *BANG*

    Damn, my irony meter!!! And it was only 24hrs away from retirement.. :(

  15. Graham Marsden
    Childcatcher

    "Our tools are now in the hands of terrorists and extortionists."

    They forgot to include paedophiles and drug dealers...

  16. Destroy All Monsters Silver badge
    Holmes

    These guys are a hoot. They are using the newspeak definition of "ethical"

    "Whatever I do to get ahead, is ethical"

    Hacking Team had not responded to a request for comment on this story at time of publication. On Tuesday, a spokesman for the company told the International Business Times: “We don’t have anything to hide about what we are doing and we don’t think that there is any evidence in this 400GB of data that we have violated any laws and I would even go so far as to argue that there is no evidence that we have behaved in anything but a completely ethical way.”

    That kind of culture is totally like seen at the HBGary outfit. These are just collections of "anything goes" sociopaths with some technical skills. The worst.

    1. Christoph

      Or the US government definition.

      "If the US government does it, it's ethical. If anyone else does it, it's terrorism"

      1. Elmer Phud

        Ethics

        In this case ethics can be found to the east of London and just north of the Thames.

        Sure ain't nowhere else.

  17. nsld
    Mushroom

    The first rule of twat club

    Is to stop publicly highlighting just how much of an inept bunch of twats you are!

    Bleating and moaning because you failed in such an epic fashion is probably the worst P.R. possible and they deserve to crash and burn.

    And that's notwithstanding the money they have made providing this stuff to evil and repressive regimes and then lying about it, they deserve it all and much, much more.

  18. Anonymous Coward
    Anonymous Coward

    "its programmers are "working around the clock" on a fix"

    There is not enough duct tape in the world to patch the diarrhea from leaking all over the internet.

    1. nematoad

      Re: "its programmers are "working around the clock" on a fix"

      "its programmers are "working around the clock" on a fix"

      Should be:

      "its PR is "working around the clock" on a fix"

      The shit has hit the fan, it's too late for anything other than damage limitation.

      Oh, and good luck with that, I reckon it might be quite a job.

    2. Elmer Phud

      Re: "its programmers are "working around the clock" on a fix"

      Amateurs -- using duct tape that is.

      Proper gaffa/gaffer tape would do the trick, but it costs more . . .

    3. John Brown (no body) Silver badge
      Happy

      Re: "its programmers are "working around the clock" on a fix"

      "it remains to be seen just what the "fix" would be for having the source code and customer list of your flagship product posted on the BitTorrent network, various websites and GitHub."

      Maybe they'll use their '133t h4x0r skillz' to reboot the interwebs and restore it from a pre-hack backup.

  19. PassiveSmoking

    So what you're saying is that only you can be trusted to use the vulnerabilities you discover in code responsibly?

    HAHAHAHAHAHAHAAAAAA! That's fucking hilarious!

    Dude, if you found them then sooner or later someone else would have too. Chances are people already had and were exploiting them. The fact that all these vulns are now known can only be good news because now it means they'll actually be fixed.

    If you discover a vuln and you don't report it to the developer then you're not being responsible. End of.

  20. Will Godfrey Silver badge
    Happy

    More Popcorn please

    The last barrel is empty.
