Slashdot Mirror
NSA Bought Exploit Service From VUPEN
New submitter Reverand Dave writes "The U.S. government – particularly the National Security Agency – is often regarded as having advanced offensive cybersecurity capabilities. But that doesn't mean that they're above bringing in a little outside help when it's needed. A newly public contract shows that the NSA last year bought a subscription to the zero-day service sold by French security firm VUPEN. The contract, made public through a Freedom of Information Act request by MuckRock, an open government project that publishes a variety of such documents, shows that the NSA bought VUPEN's services on Sept. 14, 2012. The NSA contract is for a one-year subscription to the company's 'binary analysis and exploits service.'"
It's not as conspiracy-theory cool as magical backdoors implanted in every piece of hardware, but this is how the NSA actually breaks into systems... they do it the same way everyone else does, just on a much larger scale and with even less fear of legal repercussions that the cyber criminals.
rubbish. I'd be more concerned if they didn't closely monitor all zero Day hacks. This is a SECURITY firm, not a backroom russian exploits dealer, they sell this advanced knowledge because people want to protect themselves and know what is coming. The weather service is not about weather warfare it's about advanced knowledge of what's coming. Insert car analogy here if that's insufficiently obvious.
Some drink at the fountain of knowledge. Others just gargle.
VUPEN is to a backroom russian exploits dealer what a 'defense contractor' is to a 'gunrunner' or 'arms trafficker'. Same business; but the prices are higher and they pinkie swear that they would never, ever, sell to anybody who is wicked, though they aren't overly forthcoming about who they will sell to.
for the life of me I don't know why Cisco, Microsoft and other big players just don't pay up to get at least some insight into how these guys are finding exposures in their systems
it's almost as if they've been persuaded not to, eh?
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
This isn't the only way or even the main way that the NSA exploits systems.
Things we know:
1) The NSA collects SSL keys.
2) The NSA can generate fake SSL keys.
3) The NSA has performed MiTM attacks against Google and Microsoft.
4) We know where many of the places are that the splice into the undersea cables.
5) US embassies often have Echelon hardware for tracking satellite communication.
6) The GCHQ stores three days of internet traffic (not metadata but everything).
7) The NSA collects metadata from everything. Email. Phone. Letters. Facebook.
8) The NSA planted spies in large corporations.
9) The NSA have influenced/degraded encryption standards.
10) The US government and Israel created stuxnet.
11) The NSA monitors all credit card transactions outside of the US.
We don't know the specifics though. We don't know:
1) If there is a backdoor in Windows or Linux or libssl.
2) If hardware random number generators have been backdoored.
3) If there are backdoors on the motherboard or in the ethernet firmware.
4) How they are tracking in other ways, via license plate readers or sensing your various personal radio devices.
5) How are spy satellites used for domestic surveillance?
6) Just how much information is shared between the agencies to avoid fourth amendment rules. We know that the NSA and the GCHQ share an office. We know that the NSA gave unfiltered data on non-criminals to Israel.