Slashdot Mirror


NSA Director Says Agency Shares Most, But Not All, Bugs It Finds

Trailrunner7 writes: When the National Security Agency discovers a new vulnerability that looks like it might be of use in penetrating target networks, the agency considers a number of factors, including how popular the affected software is and where it's typically deployed, before deciding whether to share the new bug. The agency shares most of the bugs it finds, NSA Director Mike Rogers said, but not all of them.

Speaking at an event at Stanford University, Rogers said that the NSA has been told by President Barack Obama that the default decision should be to share information on new vulnerabilities. "The president has been very specific to us in saying, look, the balance I want you to strike will be largely focused on when you find vulnerabilities, we're going to share them. By orders of magnitude, when we find new vulnerabilities, we share them," Rogers said.

4 of 170 comments

  1. That sounds nice... by daemonhunter · Score: 5, Insightful

    That sounds good. Except for one tiny thing:

    I DON'T BELIEVE YOU.

  2. Number is irrelevant compared to severity by ibpooks · Score: 5, Insightful

    By orders of magnitude, when we find new vulnerabilities, we share them

    Number is irrelevant compared to severity, and you can be damn sure they keep the severe ones to themselves.

  3. A short reminder by Anonymous Coward · Score: 5, Informative

    "(TS//SI//REL) DEITYBOUNCE provides software application persistence on Dell PowerEdge servers by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to gain periodic execution while the Operating System loads."

    "(TS//SI//REL) This technique supports multi-processor systems with RAID hardware and Microsoft Windows 2000, 2003, and XP. It currently targets Dell PowerEdge 1850/2850/1950/2950 RAID servers, using BIOS versions A02, A05, A06, 1.1.0, 1.2.0, or 1.3.7."

    "(TS//SI//REL) Through remote access or interdiction, ARKSTREAM is used to reflash the BIOS on a target machine to implant DEITYBOUNCE and its payload (the implant installer). Implantation via interdiction may be accomplished by nontechnical operator through use of a USB thumb drive. Once implanted, DEITYBOUNCE's frequency of execution (dropping the payload) is configurable and will occur when the target machine powers on."

    https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html

    So there was an exploit on the BIOS of Dell PowerEdge servers, and it allowed them to re-flash the BIOS with their own code, and they didn't disclose that, they kept it secret to use for themselves, and for every semi-tech country like China and Russia to use, undermining Dell, one of the major US exporters.

    Well f*** you, NSA.

    Look at the latest disclosure, GCHQ can spy on Americans via commercially obtained data and access to the NSA database, NSA must be aware of this and does nothing because GCHQ is in 5-eyes and so they get the data too. So regardless of how Congress and the Courts rule, NSA can bypass that decision.

    What's happening within the NSA is they follow a cult, the cult of General Alexander, and so there are the laws of the USA, and the laws of the EU, and there is the cult, and the cult trumps the laws, and in doing so it trumps the democracy. The NSA and GCHQ staff need to get their shit together and think for themselves and realize they pose the biggest threat to the free world.

  4. Re:To what Standard? by Anonymous Coward · Score: 5, Insightful

    To what standard do you hold the US government as opposed to other governments?

    The standard it proclaims for itself about being a beacon of freedom oh and that whole "Land of the free. Home of the brave" stuff.

    You can be damn sure that every other intelligence agency is doing exactly the same thing... but you're criticizing NSA why exactly?

    Because the US holds itself up as being morally superior to others? Because its Head of State is proclaimed to be the "Leader of the Free World" in hilariously Orwellian doublespeak?

    My government protects me as I expect your government to protect you.

    Dictatorships always proclaim this. That they only do what they do for the "good of the people".

    I laughed at the Merkel spying thing... as if they didn't expect us to get as much information as possible, and as if we didn't expect them to return the favor.

    Will you continue laughing when your allies no longer want to come to your aid because you treat them no differently than enemies?