Slashdot Mirror


NSA Director Says Agency Shares Most, But Not All, Bugs It Finds

Trailrunner7 writes: When the National Security Agency discovers a new vulnerability that looks like it might be of use in penetrating target networks, the agency considers a number of factors, including how popular the affected software is and where it's typically deployed, before deciding whether to share the new bug. The agency shares most of the bugs it finds, NSA Director Mike Rogers said, but not all of them.

Speaking at an event at Stanford University, Rogers said that the NSA has been told by President Barack Obama that the default decision should be to share information on new vulnerabilities. "The president has been very specific to us in saying, look, the balance I want you to strike will be largely focused on when you find vulnerabilities, we're going to share them. By orders of magnitude, when we find new vulnerabilities, we share them," Rogers said.

30 of 170 comments

  1. That sounds nice... by daemonhunter · · Score: 5, Insightful

    That sounds good. Except for one tiny thing:

    I DON'T BELIEVE YOU.

    1. Re:That sounds nice... by meerling · · Score: 3, Insightful

      Exactly. With their culture and policy of black-box secrecy, and the number of times they've been caught lying both to the public and to their supposed bosses (Congress, Senate, President), is there anyone left dumb enough to believe anything they say?

    2. Re:That sounds nice... by Phreakiture · · Score: 2

      Not sure why you're currently modded redundant as I came to say pretty much the same thing.

      That sounds like something Yogi Berra would say.

      --
      www.wavefront-av.com
  2. Number is irrelevant compared to severity by ibpooks · · Score: 5, Insightful

    By orders of magnitude, when we find new vulnerabilities, we share them

    Number is irrelevant compared to severity, and you can be damn sure they keep the severe ones to themselves.

    1. Re:Number is irrelevant compared to severity by jones_supa · · Score: 3, Insightful

      Exactly. They need only a handful of the most juicy vulnerabilities.

      Besides, that we are having this whole discussion is ridiculous. "Yeah, we know a bunch of secrets that we could use to crack into your computer... but we do reveal most of them -- honest!"

    2. Re:Number is irrelevant compared to severity by Charliemopps · · Score: 3, Insightful

      By orders of magnitude, when we find new vulnerabilities, we share them

      Number is irrelevant compared to severity, and you can be damn sure they keep the severe ones to themselves.

      Assuming this wasn't a bald-faced lie. Which it more than likely was.
      Assume that this statement was made for some other carefully designed purpose.

  3. To what Standard? by Triklyn · · Score: 3, Insightful

    To what standard do you hold the US government as opposed to other governments? You can be damn sure that every other intelligence agency is doing exactly the same thing... but you're criticizing NSA why exactly?

    My government protects me as I expect your government to protect you. Can't believe I'm going to do this... quoting Blacklist quoting Orwell, because I've certainly never read the man's essays myself: "Those who abjure violence can only do so by others committing violence on their behalf."

    I laughed at the Merkel spying thing... as if they didn't expect us to get as much information as possible, and as if we didn't expect them to return the favor. Faux outrage over common practices. IMO. If you don't want your leaders getting spied on... spend more money on your own agencies.

    1. Re:To what Standard? by iceperson · · Score: 3, Insightful

      The US government sitting on knowledge of vulnerabilities is to public safety as not putting out a wet floor sign in the hopes that a terrorist will slip and fall is to crime prevention.

    2. Re:To what Standard? by Triklyn · · Score: 4, Insightful

      In that, yes, if a vulnerability does not afford strategic value internationally, yeah, release it if it'll increase public security. But I'm inclined to believe we'd all agree that there's a cost-benefit going on.

      If it lets you spy on the Iranians... or, you know, cause their centrifuges to spin themselves apart. I don't want my intelligence agencies to release that vulnerability until they've spun those fuckers down.

      It's really not in the NSA's job description to be exposing vulnerabilities in public systems so much as exploiting them. We don't have an agency whose job description touches cyber security.

    3. Re:To what Standard? by Anonymous Coward · · Score: 5, Insightful

      To what standard do you hold the US government as opposed to other governments?

      The standard it proclaims for itself about being a beacon of freedom oh and that whole "Land of the free. Home of the brave" stuff.

      You can be damn sure that every other intelligence agency is doing exactly the same thing... but you're criticizing NSA why exactly?

      Because the US holds itself up as being morally superior to others? Because its Head of State is proclaimed to be the "Leader of the Free World" in hilariously Orwellian doublespeak.

      My government protects me as I expect your government to protect you.

      Dictatorships always proclaim this. That they only do what they do for the "good of the people".

      I laughed at the Merkel spying thing... as if they didn't expect us to get as much information as possible, and as if we didn't expect them to return the favor.

      Will you continue laughing when your allies no longer want to come to your aid because you treat them no differently than enemies?

    4. Re:To what Standard? by Overzeetop · · Score: 4, Interesting

      Doubtful.

      Have you seen the economy of the rest of the world? Europe makes US manpower look practically 3rd world, and their energy costs are through the roof. Asia is starting to get expensive for manpower, and the environmental problems they're having are making it hard to attract and retain top global talent because nobody wants shitty water and air. Are you going to go to Russia to avoid domestic spying, 'cause that's not really the first place I think of when I list free and open discourse on privacy matters. Africa...yeah, right.

      The US is the worst place to do business, except when you count just about everywhere else in the world. In which case it turns out to be pretty high on the list. And, honestly, it's not really dropping in the rankings.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    5. Re:To what Standard? by Lunix+Nutcase · · Score: 4, Interesting

      If it lets you spy on the Iranians... or, you know, cause their centrifuges to spin themselves apart. I don't want my intelligence agencies to release that vulnerability until they've spun those fuckers down.

      You do realize that your statement here completely misses their point, right? How naive are you that you think only the NSA knows about these vulnerabilities? You really think criminals and other countries like China don't also know them and aren't using them against corporations and individuals in the US?

      It's really not in the NSA's job description to be exposing vulnerabilities in public systems so much as exploiting them. We don't have an agency whose job description touches cyber security.

      Hahahaha. That's so wrong it's hilarious. A central tenet of the NSA's mission is to protect the security of the networks in this country.

    6. Re:To what Standard? by Lunix+Nutcase · · Score: 2

      Doubtful.

      Then you've not been reading the news. This isn't even particularly new news.

    7. Re:To what Standard? by Anonymous Coward · · Score: 3, Informative

      Hahahaha. That's so wrong it's hilarious. A central tenet of the NSA's mission is to protect the security of the networks in this country.

      That's not what he said. He said specifically that the NSA's job description isn't to expose vulns, and he's correct. Where he slipped is in saying that there's no agency which handles that. The truth is that this role does belong to US-CERT, and they do it all the time. They also coordinate heavily with NIST's NVD.

    8. Re:To what Standard? by Triklyn · · Score: 2

      Browsed it... the article says that companies that are worried about US tech companies are looking to Chinese companies... with strong ties to the military and government... wtf? Don't they have straight-up state-sponsored corporate espionage?

    9. Re:To what Standard? by JohnFen · · Score: 3, Insightful

      To what standard do you hold the US government as opposed to other governments? You can be damn sure that every other intelligence agency is doing exactly the same thing... but you're criticizing NSA why exactly?

      For two reasons: The NSA is part of my own government, and the other governments aren't, and the US government is in a position to cause me a lot more harm than other governments are. That other nations may be doing the same thing is irrelevant to the issue at hand. We cannot set our standards of freedom and liberty based on the global lowest common denominator.

    10. Re:To what Standard? by bigpat · · Score: 2

      It's a cost-benefit. What's the risk to the American public from a vulnerability versus the gain from exploiting it? Money money money vs. security security security.

      Assume foreign intelligence knows what you know and the only advantage might be that you know it first.

      I don't think working with the developers to fix vulnerabilities is about money while keeping secrets is about security. It is about weighing the risk to national security in leaving American IT infrastructure and individuals vulnerable to exploits versus your own ability to exploit the vulnerabilities for foreign intelligence gathering. The problem is that there will be a bias in the analysis which will always make us more vulnerable overall by favoring intelligence gathering over our own security. The NSA can deflect blame for attacks by foreign intelligence agencies, terrorists and criminal gangs (especially attacks on industry and individuals), but if they come up short on intelligence then Congress will question their budget.

      The policy simply needs to be a bit more without exception to be effective at protecting American infrastructure and to counter the bias towards intelligence gathering.

  4. Double speak by Kardos · · Score: 4, Interesting

    So I assume all the deliberately introduced vulnerabilities are excluded from the tally because they technically "did not find them" ?

    1. Re:Double speak by Dagger2 · · Score: 2

      Or perhaps most of their bug searching is done by subcontractors, so it's not technically the NSA finding any of them.

    2. Re:Double speak by Kardos · · Score: 2

      > "By orders of magnitude, when we find new vulnerabilities, we share them"

      I wonder how many ways they've thought of to misclassify freshly discovered vulnerabilities as old.

  5. Re:Positive spin by Thanshin · · Score: 4, Funny

    Do you have a citation for that?

    Yes. Mike Rogers said they didn't do that. Which is tantamount to proof of the contrary.

    I'm pretty sure that the guy could end world poverty just by acknowledging its existence.

  6. A short reminder by Anonymous Coward · · Score: 5, Informative

    "(TS//SI//REL) DEITYBOUNCE provides software application persistence on Dell PowerEdge servers by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to gain periodic execution while the Operating System loads."

    "(TS//SI//REL) This technique supports multi-processor systems with RAID hardware and Microsoft Windows 2000, 2003, and XP. It currently targets Dell PowerEdge 1850/2850/1950/2950 RAID servers, using BIOS versions A02, A05, A06, 1.1.0, 1.2.0, or 1.3.7."

    "(TS//SI//REL) Through remote access or interdiction, ARKSTREAM is used to reflash the BIOS on a target machine to implant DEITYBOUNCE and its payload (the implant installer). Implantation via interdiction may be accomplished by nontechnical operator through use of a USB thumb drive. Once implanted, DEITYBOUNCE's frequency of execution (dropping the payload) is configurable and will occur when the target machine powers on."

    https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html

    So there was an exploit on the BIOS of Dell PowerEdge servers, and it allowed them to re-flash the BIOS with their own code, and they didn't disclose that; they kept it secret to use for themselves, and for every semi-tech country like China and Russia to use, undermining Dell, one of the major US exporters.

    Well f*** you, NSA.

    Look at the latest disclosure: GCHQ can spy on Americans via commercially obtained data and access to the NSA database. NSA must be aware of this and does nothing, because GCHQ is in Five Eyes and so they get the data too. So regardless of how Congress and the Courts rule, NSA can bypass that decision.

    What's happening within the NSA is they follow a cult, the cult of General Alexander, and so there are the laws of the USA, and the laws of the EU, and there is the cult, and the cult trumps the laws, and in doing so it trumps democracy. The NSA and GCHQ staff need to get their shit together and think for themselves and realize they pose the biggest threat to the free world.
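
    The quoted DEITYBOUNCE text describes an implant that survives OS reinstalls because it lives in the BIOS and gains execution from System Management Mode before the OS loads, so nothing running inside the OS can be trusted to notice it. The usual check for that class of persistence is measured boot: each firmware stage is hashed into a TPM PCR as it loads, and a verifier compares the resulting PCR and event log against a known-good baseline. The following is an added example (it is not code from the original post or from the quoted NSA catalog) that simulates TPM 2.0 SHA-256 PCR extension in pure Python over constructed placeholder firmware blobs; the component names, the golden baseline and the "implant" bytes are all assumptions, and no real TPM or SPI flash is read.

```python
"""Measured-boot check: detect a reflashed firmware stage via TPM-style PCR extension.

Added example, not from the original post or the quoted NSA document.
The firmware blobs below are constructed placeholder bytes, and the PCR
arithmetic mirrors TPM 2.0 SHA-256 PCR semantics (new = SHA256(old || digest));
no real TPM or flash part is accessed.
"""
import hashlib
from typing import List, Tuple

PCR_INIT = bytes(32)  # PCR0 holds 32 zero bytes at reset


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend for the SHA-256 bank."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components: List[Tuple[str, bytes]]):
    """Measure each firmware component into PCR0 in boot order.
    Returns (final_pcr, event_log); the event log records
    (component_name, sha256_hex) for every measurement."""
    pcr = PCR_INIT
    log = []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def replay_log(log) -> bytes:
    """Recompute the PCR value a given event log should produce."""
    pcr = PCR_INIT
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def attest(reported_pcr: bytes, log, golden_log) -> Tuple[bool, str]:
    """Verify a boot against a golden (known-good) event log.
    Returns (ok, reason); the first differing component is named so an
    operator knows which firmware stage changed."""
    # Check 1: the log must replay to the hardware PCR, or it was edited.
    if replay_log(log) != reported_pcr:
        return False, "event log does not replay to the reported PCR (log tampered or truncated)"
    # Check 2: the PCR must equal the baseline.
    if reported_pcr == replay_log(golden_log):
        return True, "PCR matches golden measurement"
    for (name, d), (gname, gd) in zip(log, golden_log):
        if name != gname or d != gd:
            return False, f"measurement of '{name}' differs from golden"
    return False, "measurement count differs from golden"


# Constructed sample firmware images (placeholders, not real BIOS content).
GOOD_BOOT = [
    ("boot_block", b"CONSTRUCTED-BOOTBLOCK-v1"),
    ("bios_main", b"CONSTRUCTED-BIOS-MAIN-A06"),
    ("smm_handler", b"CONSTRUCTED-SMM-HANDLER"),
    ("option_rom_raid", b"CONSTRUCTED-RAID-OPROM"),
]
# The same boot after the SMM handler region was reflashed with an added payload.
IMPLANTED_BOOT = [
    ("boot_block", b"CONSTRUCTED-BOOTBLOCK-v1"),
    ("bios_main", b"CONSTRUCTED-BIOS-MAIN-A06"),
    ("smm_handler", b"CONSTRUCTED-SMM-HANDLER" + b"+IMPLANT-PAYLOAD"),
    ("option_rom_raid", b"CONSTRUCTED-RAID-OPROM"),
]


def check_good() -> Tuple[bool, str]:
    _, golden_log = measure_boot(GOOD_BOOT)
    pcr, log = measure_boot(GOOD_BOOT)
    return attest(pcr, log, golden_log)


def check_implanted() -> Tuple[bool, str]:
    _, golden_log = measure_boot(GOOD_BOOT)
    pcr, log = measure_boot(IMPLANTED_BOOT)
    return attest(pcr, log, golden_log)


def check_forged_log() -> Tuple[bool, str]:
    """An implant that rewrites the OS-visible event log to look clean, but
    cannot roll back the hardware PCR, is caught by the replay check."""
    _, golden_log = measure_boot(GOOD_BOOT)
    pcr, _ = measure_boot(IMPLANTED_BOOT)
    return attest(pcr, list(golden_log), golden_log)


if __name__ == "__main__":
    for fn in (check_good, check_implanted, check_forged_log):
        print(fn.__name__, fn())
```

    The caveat a practitioner should keep in mind: this only works if the code that takes the first measurement (the boot block, or core root of trust for measurement) cannot itself be rewritten. A reflash of the entire flash part, including the measuring code, can report whatever measurements it likes, which is why the real defence against firmware implants is a hardware-locked or vendor-signed boot block, with measured boot and remote attestation layered on top of it rather than standing alone.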

  7. How do we know... by Adeptus_Luminati · · Score: 2

    ... when the NSA is lying to us?
    A: Anytime their lips are moving.

    --
    No trees were killed in the making of this post; however, many trillions of electrons were horribly inconvenienced.
  8. Re:Positive spin by Ralph+Wiggam · · Score: 2

    You made the claim. You back it up. That's how basic logic works.

    I realize that's a foreign concept on Slashdot these days.

  9. NSAs impossible mission by MobyDisk · · Score: 3, Insightful

    The NSA has a dual mission of information assurance (protecting American networks) and signals intelligence (gathering electronic data on foreign networks).

    Unfortunately for them, both American networks and foreign networks use the same software. So their mission is "make sure nobody can get in that safe, including you" and also "break into that safe." This is a no win situation.

  10. That sounds nice... by Shirgall · · Score: 3, Insightful

    They only report the bugs they find, not the ones they create.

  11. President by brunes69 · · Score: 2

    The fact that a POTUS would even understand what a software vulnerability is speaks volumes.

    I can't even imagine what this conversation would have sounded like with the two previous presidents.

  12. Share with whom? by dccase · · Score: 2

    He doesn't say.

    Safe to assume he meant "share with other intelligence agencies", rather than "share with you"?

  13. Re: Positive spin by Ralph+Wiggam · · Score: 2

    They lie about everything and it's impossible to prove anything.

    The root post says that the NSA had vulnerabilities put into iOS and Windows. That's very provable.

  14. Re: Positive spin by Ralph+Wiggam · · Score: 2

    But even better, do you have any reason to think this is not going on?

    Do you have any reason to believe that the government is not secretly controlled by the Pod People? They say they're not, but that's exactly what Pod People would say.

    I base my opinions on facts and evidence. You base your opinions on how well they fit into your existing worldview.

    And none of those links have anything to do with your original statement.