Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Bought Exploit Service From VUPEN

Posted by Soulskill on from the they-get-by-with-a-little-help-from-vupen dept.

New submitter Reverand Dave writes "The U.S. government – particularly the National Security Agency – is often regarded as having advanced offensive cybersecurity capabilities. But that doesn't mean that they're above bringing in a little outside help when it's needed. A newly public contract shows that the NSA last year bought a subscription to the zero-day service sold by French security firm VUPEN. The contract, made public through a Freedom of Information Act request by MuckRock, an open government project that publishes a variety of such documents, shows that the NSA bought VUPEN's services on Sept. 14, 2012. The NSA contract is for a one-year subscription to the company's 'binary analysis and exploits service.'"

81 comments

  1. The truth gets out... by CajunArson · · Score: 5, Interesting

    It's not as conspiracy-theory cool as magical backdoors implanted in every piece of hardware, but this is how the NSA actually breaks into systems... they do it the same way everyone else does, just on a much larger scale and with even less fear of legal repercussions that the cyber criminals.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:The truth gets out... by goombah99 · · Score: 3, Insightful

      It's not as conspiracy-theory cool as magical backdoors implanted in every piece of hardware, but this is how the NSA actually breaks into systems... they do it the same way everyone else does, just on a much larger scale and with even less fear of legal repercussions that the cyber criminals.

      rubbish. I'd be more concerned if they didn't closely monitor all zero Day hacks. This is a SECURITY firm, not a backroom russian exploits dealer, they sell this advanced knowledge because people want to protect themselves and know what is coming. The weather service is not about weather warfare it's about advanced knowledge of what's coming. Insert car analogy here if that's insufficiently obvious.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    2. Re:The truth gets out... by khasim · · Score: 4, Interesting

      This is a SECURITY firm, not a backroom russian exploits dealer, ...

      Bullshit.

      From TFA:

      VUPEN is one of a handful of companies that sell software exploits and vulnerability details.

      Just because they're French instead of Russian does not change the fact that they're selling exploits.

    3. Re:The truth gets out... by girlintraining · · Score: 1, Flamebait

      It's not as conspiracy-theory cool as magical backdoors implanted in every piece of hardware, but this is how the NSA actually breaks into systems... they do it the same way everyone else does, just on a much larger scale and with even less fear of legal repercussions that the cyber criminals.

      Hey. Stop being all logical and shit. We need to be yelling at them for being net.deities who spell billion trillion dollars on backdoors in all the things... then yelling at them for spending a billion trillion dollars on superfluous things like NOCs that look like the Enterprise bridge... and now we have to yell at them for being cost-effective by using exploits published by others.

      Get with the program: Everything the NSA does is bad! They can do no right. Even if they right now figured out a cure for cancer, we'd have to burn it and keep anyone from getting it, because it might have genetic backdoors into our brain meats that render the tin foil hats useless!

      --
      #fuckbeta #iamslashdot #dicemustdie
    4. Re:The truth gets out... by Anonymous Coward · · Score: 0

      and with even less fear of legal repercussions that the cyber criminals.

      No, the same as the cyber criminals, why? because most are abroad in countries that give the USA the middle finger like China or Eastern Europe.

    5. Re:The truth gets out... by Virtucon · · Score: 4, Interesting

      VUPEN sells access to their vulnerabilities on a sliding scale and It's well known that governments buy services from them. That's not news, but for the life of me I don't know why Cisco, Microsoft and other big players just don't pay up to get at least some insight into how these guys are finding exposures in their systems. It would seem to me money well spent if they did and at least closed up these holes or made VUPEN's job harder, making it tougher for these data stealing, scum sucking government agencies breaking into everything and anything.

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
    6. Re:The truth gets out... by MobSwatter · · Score: 2

      Realistically, one could enter conjecture to the aspect that this is the reasoning behind why there was significant backlash against white hat folks for finding vulnerabilities, approaching the vendor and when vendor failed to respond with either a projected fix date or at least acknowledgment, the finder ended up going public with it. Vendor was probably awaiting an answer from the goberment on what to do and how to conduct the "NSA's" business.

    7. Re:The truth gets out... by Anonymous Coward · · Score: 0

      well now we know who butters your bread. fskin narc.

    8. Re:The truth gets out... by fuzzyfuzzyfungus · · Score: 3, Insightful

      VUPEN is to a backroom russian exploits dealer what a 'defense contractor' is to a 'gunrunner' or 'arms trafficker'. Same business; but the prices are higher and they pinkie swear that they would never, ever, sell to anybody who is wicked, though they aren't overly forthcoming about who they will sell to.

    9. Re:The truth gets out... by Anonymous Coward · · Score: 0

      well now we know who butters your bread. fskin narc.

      She never said what she was in training for ...

    10. Re:The truth gets out... by bill_mcgonigle · · Score: 4, Insightful

      for the life of me I don't know why Cisco, Microsoft and other big players just don't pay up to get at least some insight into how these guys are finding exposures in their systems

      it's almost as if they've been persuaded not to, eh?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    11. Re:The truth gets out... by Anonymous Coward · · Score: 1

      Come on, man. They're selling exploits to the highest bidder. The proper way to do it would be to keep it in-house for consulting while keeping the flaws secret from the clients, or disclose the flaws to the affected companies and then the public without rewards. They know what the NSA does with the exploits, these people are not idiots.

    12. Re:The truth gets out... by Anonymous Coward · · Score: 0

      They know how it's done. It's "just" stack/heap smashing exploits with added tricks to get around the memory protections they've started to add to modern compilers and OSes. They just have not the incentive or ability to fix it.

    13. Re:The truth gets out... by Anonymous Coward · · Score: 0

      I would assume that VUPEN would refuse to sell to Microsoft and Cisco on account of it diminishing the value of the zero-days they're holding.

    14. Re:The truth gets out... by Anonymous Coward · · Score: 0

      you think they don't know? this is all a giant cat and mouse game. those exploits aren't accidental.

    15. Re:The truth gets out... by Error27 · · Score: 3, Insightful

      This isn't the only way or even the main way that the NSA exploits systems.

      Things we know:
      1) The NSA collects SSL keys.
      2) The NSA can generate fake SSL keys.
      3) The NSA has performed MiTM attacks against Google and Microsoft.
      4) We know where many of the places are that the splice into the undersea cables.
      5) US embassies often have Echelon hardware for tracking satellite communication.
      6) The GCHQ stores three days of internet traffic (not metadata but everything).
      7) The NSA collects metadata from everything. Email. Phone. Letters. Facebook.
      8) The NSA planted spies in large corporations.
      9) The NSA have influenced/degraded encryption standards.
      10) The US government and Israel created stuxnet.
      11) The NSA monitors all credit card transactions outside of the US.

      We don't know the specifics though. We don't know:
      1) If there is a backdoor in Windows or Linux or libssl.
      2) If hardware random number generators have been backdoored.
      3) If there are backdoors on the motherboard or in the ethernet firmware.
      4) How they are tracking in other ways, via license plate readers or sensing your various personal radio devices.
      5) How are spy satellites used for domestic surveillance?
      6) Just how much information is shared between the agencies to avoid fourth amendment rules. We know that the NSA and the GCHQ share an office. We know that the NSA gave unfiltered data on non-criminals to Israel.

    16. Re:The truth gets out... by omnichad · · Score: 2

      Is fskin a new brand of condom?

    17. Re:The truth gets out... by Anonymous Coward · · Score: 0

      The "big players" have a lot of insight into how zero-days are discovered, but it would cost Microsoft, Cisco, et. al. much more money to find and fix vulnerabilities using those intensive methods than they would make. Ultimately, how could they prove the extra security created by hunting and fixing potential zero-days? The number of such flaws is effectively uncountable, given the methods used to create the software. No matter how many you find, you have no idea how many are left. The amount of additional sales the software companies could generate due to unprovable security claims just won't justify the expense or effort.

      Similarly, there are known methods for developing high-assurance software (e.g., see the TCSEC or Common Criteria), but there's an insufficient market given the cost and slow development cycles for such software. The market is for features, not security.

    18. Re:The truth gets out... by gl4ss · · Score: 2

      they sell exploits.. to whoever pays for them.

      only thing they do different than so called russian exploit dealers is that they sell it as a subscriber service.

      heck, many of those reselling probably subscribe to such services. what difference is there where it is from? and if one would think that nsa just has to subscribe to their feed then by that logic the company can ask any fee they damn please from nsa. maybe they did.. and you yanks are wondering where the fuck all your money is going.

      --
      world was created 5 seconds before this post as it is.
    19. Re:The truth gets out... by Anonymous Coward · · Score: 0

      Could you point to the "ad hominem" argument used here?

    20. Re:The truth gets out... by Anonymous Coward · · Score: 0

      For VUPEN that would be like shooting their cash cow for a few bucks. It shows they don't care about securing systems, they want the holes so they can sell exploits.

    21. Re:The truth gets out... by dissy · · Score: 1

      This is a SECURITY firm, not a backroom russian exploits dealer, they sell this advanced knowledge because people want to protect themselves and know what is coming. The weather service is not about weather warfare it's about advanced knowledge of what's coming. Insert car analogy here if that's insufficiently obvious.

      The differences is that (unfortunately) I can't enter my credit card number and have the weather service send a network of compromised lightning storm clouds and tornadoes to kill the guy that pissed me off on IRC.

    22. Re:The truth gets out... by Anonymous Coward · · Score: 0

      Oh, oh! I've heard this one before! Let me finish it for you:

      ...and there are fewer and fewer Linux and Mac users because they're being put in jail because all they do is write Windows viruses, because they're jealous! And and and Apple switched to Intel CPUs because the industry got together and told them that if they didn't, they'd make a NEW internet, just for Apple computers so they couldn't talk to other computers or infect them with viruses!

    23. Re:The truth gets out... by Flere+Imsaho · · Score: 1

      It's not as conspiracy-theory cool as magical backdoors implanted in every piece of hardware, but this is how the NSA actually breaks into systems... they do it the same way everyone else does, just on a much larger scale and with even less fear of legal repercussions that the cyber criminals.

      Oh really? I don't see "everyone else" spending millions to deliberately subvert encryption standards , either.

        And since the CAs have been co-opted, SSL is laughable. Try Steve Gibson's cert "fingerprint" service and see for yourself. I tried it, and he gets a different cert for www.google.co.nz than I do. Is it the NSA? Who knows, but someone is up in my business >:-(

      --
      It gripped her hand gently. 'Regret is for humans,' it said.
    24. Re:The truth gets out... by mTor · · Score: 1

      That's not news, but for the life of me I don't know why Cisco, Microsoft and other big players just don't pay up to get at least some insight into how these guys are finding exposures in their systems.

      Well, that's pretty obvious isn't it? They won't sell it to them because they'd quickly patch up exploits and make them useless. I'm pretty sure that all of their customers (government agencies, police etc) also have a clause in their contract that they can't even give a hint to ISVs about vulnerabilities they receive from VUPEN and others.

    25. Re:The truth gets out... by Virtucon · · Score: 1

      Well so paying VUPEN is like paying a drug dealer then but the first taste isn't free. Why don't we just have a Drone take them out?

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
    26. Re:The truth gets out... by AdamThor · · Score: 1

      Eh, so the US subscribes to the 0-day list, maybe they just want to know if anyone is getting close to their magical backdoors?

      --
      -- "Oh. This guy again."
    27. Re:The truth gets out... by Anonymous Coward · · Score: 0

      A government buys exploits from a insecurity company like VUPEN and prosecute those teaching to circulate lie-detectors. The analogue is delicious.

    28. Re:The truth gets out... by davester666 · · Score: 1

      Or...there has been NO financial penalty for having any of these vulnerabilities, therefore, paying someone to find out how they are finding the vulnerabilities is just giving one of the CEO's Ferraris away.

      --
      Sleep your way to a whiter smile...date a dentist!
    29. Re:The truth gets out... by Anonymous Coward · · Score: 0

      AC, 'her' name girlintraining, get it?. AKA Crossdresser.

    30. Re:The truth gets out... by K.+S.+Kyosuke · · Score: 1

      Just because they're French instead of Russian does not change the fact that they're selling exploits.

      The French exploits are being served with champagne and escargots, though.

      --
      Ezekiel 23:20
    31. Re:The truth gets out... by gottabeme · · Score: 1

      If they knew it was a planted NSA backdoor, would they tell the NSA if someone found it? Or would they sell it to everyone else for a higher price first?

      I wonder if one of the big news outlets could subscribe through a front...then some interesting data might be "leaked"...

      --
      "Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
    32. Re:The truth gets out... by abbyewald · · Score: 1

      The NSA doesn't really "break into" servers, the will intercept your traffic and store the data in hidden facilitates normally located in hubs/data centers that make the backbone work. They can encrypt https traffic easily so everything your doing can see by them. Who cares are you scared? I bet you torrent files and use ABP you're the thief!

    33. Re: The truth gets out... by Anonymous Coward · · Score: 0

      Torrents != theft

      You could put copyrighted material on an ftp or http server does that make the use of ftp or http theft? No

  2. A eyball everywhere by Dunbal · · Score: 2

    Trust your government. That's what they meant by "trusted computing".

    --
    Seven puppies were harmed during the making of this post.
    1. Re:A eyball everywhere by Anonymous Coward · · Score: 0

      Eyeballs everywhere, even atop of pyramids, all they need now is frickin lasers..

    2. Re:A eyball everywhere by Anonymous Coward · · Score: 0

      Given that a large part of their mission is securing government computers, not buying this research would be in the "negligent" category.

  3. America is paying France for America's security by Anonymous Coward · · Score: 0

    The NSA probably poses a greater threat to america than america without the nsa.

    1. Re:America is paying France for America's security by amiga3D · · Score: 1

      I'm not happy with a lot of the stuff the NSA does but this kind of statement ignores the realities of an ugly world. You act as if all we had to do was just ignore the fact that there are people out there that for whatever reason want to infiltrate and attack the USA. Truly in a perfect world we wouldn't need something like the NSA but alas we have to deal with what we have. If a lot of it seems like "the end justifies the means," well that is what it is. In a world with nuclear weapons and serin gas to be totally pacifistic means to be vulnerable to everyone out there and they aren't all nice people. I can't understand why people are surprised that an agency whose entire purpose it to spy, spies on people. It's what they are.

  4. Makes sense by PPH · · Score: 1

    The NSA needs to know when the back doors it has built are uncovered. So it probably subscribes to a number of software security services that look for such stuff.

    --
    Have gnu, will travel.
    1. Re:Makes sense by segmond · · Score: 1

      Or perhaps they want to know what other exploits are out there so they can further secure their own systems against those attacks.

      --
      ------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
    2. Re:Makes sense by Anonymous Coward · · Score: 0

      I assume they use a very customized and locked down version of Linux. As an American, I would feel a lot better if once they patched their own systems, they pushed those changes back to the developers. This way the systems I work with can be more secure. I currently suspect that they are keeping the hard to find ones for themselves to use against adversaries, and that this hurts countries with a lot of technological targets.

    3. Re:Makes sense by markhb · · Score: 1

      Not to mention, they have a reasonable need to know which exploits (whether the NSA knew about them or not, and regardless of who created them) are being made public.

      --
      Save Maine's economy: write stuff down. All comments are exclusively my own, not my employer.
    4. Re:Makes sense by Anonymous Coward · · Score: 0

      Yeah, I would think the NSA would be remiss if it did NOT do this. This is totally their job.
      (We can argue about whether we really need the NSA to be doing that job later.)
      This is exactly the sort of stuff one expects them to be doing.

    5. Re:Makes sense by Nyder · · Score: 2

      The NSA needs to know when the back doors it has built are uncovered. So it probably subscribes to a number of software security services that look for such stuff.

      No, that is not what is happening. The NSA, because it doesn't have backdoors everywhere, have to buy 0 day exploits to gain access to systems.

      While NSA might be able to get some companies to put back doors in their software, they can't get most. So they have to use exploits to break into systems.

      This is actually common sense, we just have some proof of it now.

      --
      Be seeing you...
    6. Re:Makes sense by runeghost · · Score: 1

      Ah, but what if the NSA is just spending a few million(?) to make you think that?

    7. Re:Makes sense by PPH · · Score: 1

      The NSA, because it doesn't have backdoors everywhere, have to buy 0 day exploits

      VUPEN sells exploit implementations? I thought they did security/vulnerability research and sold maintenance services, patches and related stuff.

      If you want to buy the actual exploit, you have to go onto the blacknet, warez boards or whatever you kids are calling them these days. Its a seperate market and no software security firm would risk their reputation by letting it be known that they sold exploits to the other side as well. Who would trust them to report the presence of their own exploit product on customers' systems?

      --
      Have gnu, will travel.
    8. Re:Makes sense by gottabeme · · Score: 1

      The fact that NSA subscribes to VUPEN doesn't prove in any way, shape, or form that they do or do not have any backdoors in anything.

      The NSA (mostly) isn't stupid. They have the money to cover all their bases, so they do.

      --
      "Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
  5. The contact specifies the French exploits... by Anonymous Coward · · Score: 0

    ...would be renamed Freedom exploits before handing over to the NSA.

    1. Re:The contact specifies the French exploits... by Anonymous Coward · · Score: 0

      ...would be renamed Freedom exploits before handing over to the NSA.

      That's funny AC. That whole freedom fries thing must have been embarrassing, even before it turned out the French govt were right all along to question the arguments for invading Iraq - as opposed to falling in line, against the wishes of a large majority of their people,"in the name of democracy" ffs. By rights they should have renamed the Statue of Liberty to Statue of France. /rant

  6. So, the NSA is supposed to NOT subscribe? by uCallHimDrJ0NES · · Score: 1

    This is similar to being surprised that the NSA monitors money changing hands across the border. Not news. Obvious. Not a scandal.

    --
    Cloudiot: A person who does not see offsite storage as a way to lose control over access to his or her own data.
    1. Re:So, the NSA is supposed to NOT subscribe? by Anonymous Coward · · Score: 0

      NSA means ad revenue right now which is why a story about a control room built 14 years ago for the ARMY was enough to bring down the Architecture firms website.

      An article about the NSA spying on foreign nationals in foreign countries and doing signals intelligence would probably generate traffic and outrage, because spying is bad m'kay.

      Also for $1 million a year there would be less ROI for NSA to stand up their own program than to see what is going out to the bad guys, which probably fits under their remand to protect Defense and Intel networks anyway.

    2. Re:So, the NSA is supposed to NOT subscribe? by Qzukk · · Score: 1

      An article about the NSA spying on foreign nationals in foreign countries and doing signals intelligence would probably generate traffic and outrage

      Why would anyone report on that when they can get twice the outrage and twice the traffic by rerunning yet another document from Snowden regarding the NSA spying on American citizens in America and getting away with it?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  7. perfect timing.... by Anonymous Coward · · Score: 0

    looks like their contract came up for renewal and the NSA didn't want to pay the extortion fees anymore

  8. NSA != cybersecurity by Anonymous Coward · · Score: 0

    The NSA exploits cybersecurity weaknesses. Who is the government agency responsible for protecting us from the same weaknesses?

    1. Re:NSA != cybersecurity by oodaloop · · Score: 2

      No one has that responsibility. US Cybercom doesn't have it, nor does DHS. It's a known gap in our defensive posture. US businesses have resisted any attempts from the gov to regulate their cyber security. No one wants the gummint coming in and telling them how to set up and maintain their networks. And critical infrastructure, like power and other utilities, have likewise resisted any attempts at regulation, even though they are all hooked up to the internet with little thought to security. So, the current situation is we have little cyber security as a nation, and no one is responsible for it.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    2. Re:NSA != cybersecurity by Tokolosh · · Score: 1

      ...they are all hooked up to the internet with little thought to security.

      Citation and motivation, please.

      --
      Prove anything by multiplying Huge Number times Tiny Number
    3. Re:NSA != cybersecurity by Anonymous Coward · · Score: 0

      ...they are all hooked up to the internet with little thought to security.

      Citation and motivation, please.

      http://yro.slashdot.org/story/11/07/29/1633231/gao-report-dod-incompetent-at-cybersecurity ;-)

    4. Re:NSA != cybersecurity by bsDaemon · · Score: 1

      That would be the NSA
      http://www.archives.gov/federal-register/codification/executive-order/12333.html

    5. Re:NSA != cybersecurity by mcl630 · · Score: 1

      Part of the NSA's mission is ensuring our cybersecurity. Obviously they're doing exactly the opposite of that.

  9. Of course by paxprobellum · · Score: 1

    Of course they buy exploits. Why wouldn't they? I would be somewhat surprised if they didn't leverage every available tool..

    1. Re:Of course by nurb432 · · Score: 1

      I would be disappointed if they didn't take advantage of every resource available. A "not invented here" mentality in a high stakes game gets you killed.

      --
      ---- Booth was a patriot ----
  10. Public Property by Anonymous Coward · · Score: 0

    Since this was paid for with US tax dollars, does that mean that everyone in the US has paid for this service and should have access? LOL

  11. Cheese eating surrender monkeys by spectrokid · · Score: 1

    Does that make them "freedom exploits"?

    --

    10 ?"Hello World" life was simple then

  12. Why? by Anonymous Coward · · Score: 0

    Why would they need to subscribe when they're monitoring and saving the ENTIRE Internet!?

    -- stoops

    1. Re:Why? by AHuxley · · Score: 1

      So they can have task look like it was done by some code sold to 'publicly' with a well hidden trail back to some other group.
      The US gov gets what it needs and blame floats around as a press report for years.

      --
      Domestic spying is now "Benign Information Gathering"
  13. Makes sense by nurb432 · · Score: 1

    If you are in a business you want to see what your competition are doing, especially if its just a matter of subscribing...

    --
    ---- Booth was a patriot ----
  14. NO No no. You ATTACK enemies. You HELP friends. by dweller_below · · Score: 2, Interesting

    We finally found the NSA mentioned in the same sentence as an actual, tangible, external threat. And now we see that instead of attacking them, they are giving them money?!? How can they get confused on this? You ATTACK enemies. You HELP friends.

    The Exploit marketplace (here symbolized by VUPEN) is possibly the greatest threat to to existence of the internet. You can fight mistakes. You can fight attackers. But it is almost impossible to fight economics. The exploit market is creating an economy that creates and enables exploit. It is a great driving force reconfiguring the Internet for Attack, instead of Defense.

    VUPEN is a worthy opponent. The NSA should hack them front, back and center. They should never pat them on the head and give them money.

    It looks like the Exploit Marketplace was dreamed up, founded and sustained by the NSA. The leaked Black Budget showed that the NSA devotes huge resources to purchasing exploit. We have also learned that the NSA's budget included vast resources to create exploit:

    "The NSA spends $250m a year on a program which, among other goals, works with technology companies to 'covertly influence' their product designs." (From last weeks New York Times and Guardian articles)

    So, the NSA creates exploit in everything they can influence. And they can influence almost everything. The NSA purchases exploit. Many times, they must be purchasing info on the exploits that they created. They preserve exploit. They mask everything in secrecy. And it all enhances the exploit marketplace. The NSA is no longer debating the Equities issue (https://www.schneier.com/blog/archives/2008/05/dualuse_technol_1.html ) They have only token interest in defending the Internet.

    If we could just get the NSA out of the exploit market, the whole thing would probably collapse like 2008's Housing bubble.

    1. Re:NO No no. You ATTACK enemies. You HELP friends. by X.25 · · Score: 1

      VUPEN is a worthy opponent. The NSA should hack them front, back and center. They should never pat them on the head and give them money.

      So, what you are saying is - NSA should do what US government considers 'act of war' (when done to their networks), to a company based in a friendly/allied country?

      I am sure noone will have problem with that.

    2. Re:NO No no. You ATTACK enemies. You HELP friends. by Anonymous Coward · · Score: 0

      Hello,

      i work for french gov. Forgive me if i stay anonymous. Here companies like vupen are seen like a bunch of rogue mercenaries. Unfortunately we don't have the legal tools required to close their business, but if we could, we would do it without hesitation. Such companies make internet more unstable. They truely are a threat to stability, and they hurt our capacity to defend our IT systems. Probably in the next months laws will evolve so that we can actually do something against them. At least, that's the point of view i'm pushing everyday. It is weapons, and it should be regulated as such.

      Personally, it saddens me that so much money is spent of making IT weapons. I don't think the whole world will be more secure when such business flourishes.

  15. Good by the+eric+conspiracy · · Score: 3, Interesting

    I paid a visit to Northern Va a few weeks ago. The place was crawling with construction projects and high end malls.

    That I am paying for.

    Using Vupen actually sounds like a fairly efficient use of taxpayer money.

  16. NSA should just buy Facebook by JoeyRox · · Score: 1

    That way they cut out the middleman and get right to the motherload of personal information taken from people without their consent.

    1. Re:NSA should just buy Facebook by Anonymous Coward · · Score: 0

      Why would they need to buy them? It's pretty evident that they just shove an NSL under their door and Facebook MUST comply. We're f*cked.

  17. Windows only .. by Anonymous Coward · · Score: 0

    Windows only, nothing too see here, moving on .. Now tell me again, why is Microsoft always going on about compliance and indemnification?

  18. Fine as long as they work towards full disclosure by Anonymous Coward · · Score: 0

    I don't have a problem with this provided the information they obtain is used to notify software companies/projects of any exploits. However given their track record I seriously doubt that the NSA would be interested in full disclosure.

  19. So they don't by them AS THEMSELVES. by Ungrounded+Lightning · · Score: 3, Interesting

    for the life of me I don't know why Cisco, Microsoft and other big players just don't pay up to get at least some insight into how these guys are finding exposures in their systems

    I would assume that VUPEN would refuse to sell to Microsoft and Cisco on account of it diminishing the value of the zero-days they're holding.

    Or at least not sell them the best stuff.

    Obviously, if Cisco, Microsoft, etc. were going to buy this service, they wouldn't do it (only) as themselves, acting directly. They'd do it through a front, to insure they got the same things the bad guys were getting.

    Just as a startup did, about a decade ago, when I was designing a next-generation routing chip, and we needed to obtain equipment from Cisco for testing it for function and compatibility.

    It took two half-rack, 3/4 megabuck, top-of-the-line Cisco routers to drive it properly. We bought them through another company on a very hush-hush basis, just to be sure Cisco wouldn't be tempted to send us defective or gimmicked equipment, not support it properly, or hold up shipment and slip our schedule.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  20. Buying IN Means Stealing IN by Anonymous Coward · · Score: 0

    The NSA 'programs' amount to variants of SETI@HOME.

    SETI@HOME has yet to locate ET!

    SETI@HOME has yet to indicate intelligent life on Earth!

    My money is banking that NSA stole the code from SETI@HOME and programs used by Wall Street Firms, full illegal operation.

    That is the only reason that the NSA programs are classified above TOP SECRET HTF (Hide The Facts).

  21. Most Of What The NSA Does Is Based On Outside Help by Anonymous Coward · · Score: 0

    Outsourcing as much as they do is what changed NSA from No Such Agency to Not Secret Anymore, and is what made them useless. It's all outsourced to for-profit companies now, and the desire for lucrative government contracts is what is driving all the violations of the constitution and unchecked growth of an otherwise pointless and ineffective global surveillance network. It gathers data at breakneck speed, but couldn't find any terrorists even with Russia jumping up and down while yelling at pointing at a couple.

  22. Criminal bought tools from Crowbars Inc. by Anonymous Coward · · Score: 0

    Film at 11...