June 24th, 2024

Google: Stop Burning Counterterrorism Operations

Google's Project Zero and TAG exposed a U.S.-allied government's counterterrorism operation, sparking debate on the impact of revealing such information. Cyber operations play a crucial role in counterterrorism efforts, balancing intelligence gathering with minimizing risks.

The article discusses how Google's Project Zero and TAG exposed a counterterrorism operation run by a U.S.-allied Western government. Although the stated intent was harm reduction, the author argues that publishing the exploits and methodology had severe consequences, potentially putting lives at risk and undermining national security efforts. The piece stresses the role cyber operations play in counterterrorism, citing cases where they have disrupted terrorist networks, and argues that such operations gather intelligence while minimizing risk to human life. The author criticizes Google's teams directly, calling the destruction of the operation a significant misstep with potentially deadly consequences, and underscores the real-world implications of decisions tech companies make in the realm of national security.

Related

The hacking of culture and the creation of socio-technical debt

Algorithms shape culture, dividing it into niche groups. "A Hacker Manifesto" by McKenzie Wark discusses hackers' influence on power dynamics, emphasizing free information. Tech giants like Facebook and TikTok wield immense cultural influence, blurring propaganda and personalization boundaries. Corporate dominance in culture hacking alters global power structures, challenging governments' regulatory capacity.

Simple ways to find exposed sensitive information

Various methods to find exposed sensitive information are discussed, including search engine dorking, Github searches, and PublicWWW for hardcoded API keys. Risks of misconfigured AWS S3 buckets are highlighted, stressing data confidentiality.
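As an added illustration of the "hardcoded API keys" part of that summary (example code written for this page, not taken from the linked article), the scanner below runs a few well-known credential patterns over some constructed sample lines. The AWS key-ID and GitHub token formats are the published prefixes for those credentials; the generic "looks like a key assignment" rule and its entropy threshold are assumptions chosen for this example, and all sample values are fake (the AWS key ID is the one AWS uses in its own documentation).

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Illustrative patterns for a few well-known credential formats. This is an
# assumption for the example, not a complete secret-detection ruleset.
SECRET_PATTERNS = {
    # AWS access key IDs: "AKIA" followed by 16 uppercase alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # GitHub classic personal access tokens: "ghp_" followed by 36 alphanumerics.
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Generic: a variable named like a key/secret assigned a long quoted literal.
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret[_-]?key|access[_-]?token)\b\s*[=:]\s*"
        r"['\"](?P<value>[A-Za-z0-9_\-]{20,})['\"]"
    ),
}

# Minimum Shannon entropy (bits per character) for the generic rule, so that
# placeholders such as "xxxxxxxx..." are not reported as secrets.
MIN_ENTROPY = 3.0


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Scan text line by line; return (line_no, rule, matched_secret) per hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group("value") if rule == "generic_api_key" else m.group(0)
                # Low-entropy literals matched by the generic rule are almost
                # always placeholders, so drop them to cut false positives.
                if rule == "generic_api_key" and shannon_entropy(secret) < MIN_ENTROPY:
                    continue
                hits.append((line_no, rule, secret))
    return hits


def redact(secret: str, keep: int = 4) -> str:
    """Keep only a short prefix so findings can be reported without leaking the value."""
    return secret[:keep] + "*" * (len(secret) - keep)


# Constructed sample input with fake values (the AWS key ID is the AWS docs example).
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
API_KEY = "sk_test_abcdefghijklmnopqrstuvwxyz"
secret_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
api_key = os.environ["API_KEY"]
prefix AKIAXYZ is too short to be a key id
"""

if __name__ == "__main__":
    for line_no, rule, secret in scan_text(SAMPLE):
        print(f"line {line_no}: {rule}: {redact(secret)}")
```

Run against the constructed sample, the three real-looking credentials on lines 1 to 3 are reported and the placeholder, the environment lookup and the too-short prefix are not. The same loop can be pointed at a cloned repository or a crawled page body; the point of the entropy filter is that a prefix-based rule alone would flag every `api_key = "..."` placeholder in example code.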

BeyondCorp (2014)

Google's BeyondCorp approach rethinks enterprise security by moving access control away from the traditional network perimeter, in response to the changing technology environment in which enterprise systems now operate.

Swiss government websites hit by cyberattacks ahead of Ukraine summit

Swiss government websites and organizations faced cyberattacks ahead of the Ukraine peace summit at Bürgenstock resort. Minor disruptions occurred, but data security remained intact. Customs procedures were temporarily adjusted.

TikTok confirms it offered US Government a 'kill switch'

TikTok offered a "kill switch" to the US government amid data security concerns. Legal battles persist over potential divestment from ByteDance. Reports suggest data sharing between TikTok and ByteDance.

14 comments
By @halJordan - 5 months
I remain unconvinced that the benefits of secrecy are outweighed by the benefits of transparency. It's unfortunate that the threat actor was caught so hard, but that is the cost of doing business. Couching it as protect the children or punish the terrorists doesn't change the fundamentals. Police work, soldier work, IRS work. They all have to work within and around the "normal" world. They aren't allowed to just demand obeisance because it makes their job easier.
By @ein0p - 5 months
So much trouble over creating, funding, and arming "freedom fighters"/"moderate rebels" to (unsuccessfully) take down Assad. I think I concur with Google TAG here. I think exposing and fixing zero days is better than not doing so, simply because other countries can find them also. Which this article openly acknowledges, thus defeating its own argument.
By @rs_rs_rs_rs_rs - 5 months
I personally am thankful to Google for doing the thing that's right for everyone (fixing security vulnerabilities), not just some "Western" countries as the author put it (not sure why the capital W, but I am not a native English speaker).
By @schoen - 5 months
Upvoted despite vast disagreement because I (sort of) appreciate someone openly arguing this.
By @poincaredisk - 5 months
I'm a security researcher close to the field of the author. I'm usually very sceptical of what Google is doing.

In this case though, Google really did nothing wrong. They did what they should to protect their users. They didn't know they were interfering with a counter-terrorist operation (according to the post), and even if they knew, who knows how many other less commendable operations they disrupted. And who knows who else was using the same vulnerabilities? I'm sure if Google disrupted a Chinese or Russian operation the author would be very happy about that.

>However, burning operations, no matter the actor and no matter the reason, demonstrates a grave misunderstanding of the critical role that cyber plays in reducing harm in the world.

I honestly don't understand what the author tries to convey. What about Iranian operations targeting independent journalists? What about Chinese operations against Uyghurs? Is it also not OK to disrupt those? How should Google decide which operations are OK to disrupt? Especially since they don't really have full insight into campaigns.

By @notactuallyben - 5 months
Interesting blog post that was long overdue. I think Google should probably disclose all the details (URLs/actors responsible, methodology for catching these exploits ITW and targeting) around the ITW samples when they kill the bugs, so we can have a nuanced discussion with actual facts. It would also help the threat intelligence industry ;)
By @ano-ther - 5 months
How are Google (and other security researchers) supposed to know that they are about to disturb a counter-terrorism operation?
By @jauntywundrkind - 5 months
The framing is absurd & fascist to the core.

Someone was cyber attacking Chrome. Unclear if Google had even so much as a guess they knew who from. There were bugs in Chrome. Google fixed the vulnerabilities, making the software obey the contract websites & users have with each other, & detailed why they were changing the open source code in such a fashion.

This is not burning an operation. Google didn't name any operation or country. Google probably didn't know who it even was!

If they had some guesses, & did try to pick up the phone & call say MI6, about this topic of leaving this exploit jeopardizing everyone running - which they may well have done (if they confidently track down the cyber attack) - the first most likely response is "we have no idea what you're talking about", in which case fixing the vulnerability & writing a blog post is basically the only remotely acceptable option. You spent a while trying to find out who the cyber attack is launching from, you've gone crazy far to do due diligence to track down whose attack it is, and they say it's not theirs. Ok, your diligence was wrong, the cyber attack is coming from somewhere else or from multiple people, you need to resolve it.

Next option is whichever security agency either fesses up & does the right thing. Google addresses the vulnerabilities, and writes a blog post about them.

Or, stand-in Intelligence Agency [SIIA] declares, no, we're SIIA, and you're leaving the defect in place, because we say so.

It's unclear what the author is really protesting here? Bugs are critical to national security so we should let people exploit them? Oh that's exactly what they're saying.

> However, burning operations, no matter the actor and no matter the reason, demonstrates a grave misunderstanding of the critical role that cyber plays in reducing harm in the world.

'The military's active use of indiscriminate cyberwarfare trumps the right to find and correct defects.' Wow. That is a bold position.

By @lucasRW - 5 months
Part of the game... With Crowdstrike, Mandiant, Google, Kaspersky, etc, it's hard to remain undetected these days !
By @hi-v-rocknroll - 5 months
Maybe instead of spending taxpayer money on weaponized 'sploits from Zerodium while keeping everyone vulnerable, these three letter agencies should get off their lazy asses and develop HUMINT and use conventional intelligence sources and methods.
By @g8oz - 5 months
This is a real "think of the children" style argument the author is making. I'm sure if there are some unsavory operations that have been burnt they will not be trotted out.
By @ta112112 - 5 months
Maybe it's payback for the time the NSA hacked Google and were siphoning off data after HTTPS decryption.
By @tachyons - 5 months
TLDR:

USA should be allowed to use 0 days for their "counter" terrorism operations. This is interesting at the time of USA being complicit in a genocide against a community.