zlacker

1. Alyssa+(OP) 2017-02-28 08:57:50
Reverse-engineer? A middlebox?

Which holds trusted secret keys and which, in its normal unremarkable operation, intercepts, parses, reconstructs, decrypts, re-encrypts, forwards, and optionally logs both confidential and attacker-controlled traffic? And is also known to be used for nationwide bulk internet censorship by regimes often called 'oppressive'?

Why, doesn't it just.

Please consider, very carefully, the ethics and equities issues one might face with any interesting findings here.

replies(1): >>lmm+V7
2. lmm+V7 2017-02-28 11:01:14
>>Alyssa+(OP)
What's true is true - better to know it than stick our heads in the sand. If these boxes have vulnerabilities (who am I kidding, they do parsing, they're probably implemented in C "for performance", of course they have vulnerabilities), we are better off for knowing about them than not.
replies(1): >>Alyssa+ql
3. Alyssa+ql 2017-02-28 13:49:48
>>lmm+V7
But what of the equities issue - what to do with that knowledge, once discovered? Might it depend on who "we" are?

My point is that actually helping this particular vendor, for example, may not be everyone's cup of tea.

replies(1): >>jacque+Yu
4. jacque+Yu 2017-02-28 15:15:43
>>Alyssa+ql
Yes, good point. One might aim to 'help' them into an early grave whilst actually helping them to strengthen their product.