NSA Uses Vulnerabilities Before It Discloses Them, Keeps Some To Itself (reuters.com)
An anonymous reader writes: The NSA, perhaps seeking to repair its reputation, has started talking about how it handles vulnerabilities in computer software. But in doing so, they've only confirmed their own questionable behavior. The agency says it discloses zero-day flaws about 91% of the time. This means, of course, that they hold back about 9% of the flaws for their own use. They also don't mention when they disclose these flaws — which is damning, given statements from several current and former government officials indicating the NSA frequently waits and takes advantage of the vulnerabilities before notifying the companies who make the compromised software. This is the NSA's argument: "[T]here are legitimate pros and cons to the decision to disclose vulnerabilities, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks."
You want to keep some vulnerabilities for yourself just in case. You never know what will happen in the future.
I am a US citizen as frustrated about unauthorized domestic surveillance as anyone. But this summary goes too far. Finding, keeping and using vulnerabilities is exactly what the NSA is supposed to do, and there is nothing questionable about that behavior.
If the submitter wants the government to have a group that finds and discloses vulnerabilities as part of its remit, then make a case for creating such a group. Don't saddle the NSA with the job.
This is definitively criminal thinking and behavior.
I don't think it exists in this context.
Questionable perhaps, but the article also provides a pretty good answer by mentioning Stuxnet, which was used to halt Iran's enrichment of uranium. Surely being able to stop what's at best an oppressive theocracy from obtaining nuclear weapons with no casualties or collateral damage has some value?
...disposing of it. After all, we need our men to stay alert in case there's a terrorist attack. MURICA!
The NSA has an Information Assurance mission and a Signals Intelligence mission. If the Information Assurance mission is secondary, which seems to be the case, then it should be offloaded to an independent agency whose only goal is to assist in keeping vital US interests secure from cyber attacks. Let the NSA focus on external threats.
Spies use privacy vulnerabilities
Are we going to publicly announce that soldiers kill people next? Perhaps someone thinks it is noteworthy that a bank charges interest on loans! Or that boxers HIT each other.
Here is the NSA's claim.
"Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks."
a. The Terrorists. The Terrorists. Terrorism has been used by thugs throughout history to justify violations of rights. The TARGETED use of intelligence in self-defense, on a case-by-case basis and lawfully approved, is justified and important to security. Even police sometimes need to do this to catch criminals. Mass indiscriminate surveillance of the global population, including violating personal data stores that are supposed to be our private property, is a violation of human rights. The number one violator of the right to privacy in the world today seems to be the NSA.
b. How does the NSA "stop the theft of intellectual property" by not disclosing a vulnerability? It follows that if the NSA finds one, so can someone else!
c. What good is the NSA's claim that they "discover even more dangerous vulnerabilities that are being used to exploit our networks" when they don't disclose some of them? This is like arguing I disclosed an SQL injection vulnerability but didn't disclose an XSS one. Do hackers and those with malicious intent care what specific vulnerabilities they use to get into systems, or is the objective getting into the system?
The fundamental problem though isn't the NSA. The real problem is the megalomaniacs that have been encouraging and funding the anything-goes culture of the NSA. This would include both Bush AND Obama... both Democrats and Republicans. This is one of those rare situations where the issue isn't partisan. Members of both the left and the right have been supporting this overarching spying.
Thus those that claim to care about freedom need to start calling out not only the other guy's politicians but their own over this issue too.
Many feel a sense of hostility for the NSA's out-of-control snooping, but the reality
If the police failed to act on information a rape or murder was planned because they wanted to catch the perpetrator in the act, there would be outcry. You don't jeopardize the safety of the innocent to assail the (potentially) guilty. Collecting foreign intelligence is not more important than heading off immediate threats to domestic citizens. Clearly the NSA views it as all about "catching the bad guy" and has forgotten the reason the bad guys are considered bad. It's like SWAT leaving a bomb in a public building because, "Hey, maybe we could trip it when the bad guys get back."
If so, why?
They are an intelligence agency. You'd EXPECT that they would hold onto some method to do their job, which absolutely involves electronic infiltration. This is neither controversial nor unexpected.
Don't mistake the fact that they reach out to industry to improve everyone's (worldwide) security most of the time, for that being their primary mission or charge. That's a nice bonus.
If you want to get worked up, get angry about the same shit Snowden did: the possible indiscriminate spying against US citizens, and the idea that the only way the government can do its job is by casting a worldwide net that monitors everyone everywhere all the time. Not that they can hack systems, which is a huge part of why they fucking exist.
What do you think the NSA is for??? Free government funded penetration testing and reporting service? Sheesh.
The NSA is a security service. Having tools to break and enter into the communication and data storage of potential enemies of the state is their business. That's what they do. Their whole reason to exist, to be blunt. If they can't do that, well, they may as well not exist at all. Which would not be beneficial for the US, in general, because, well, their enemies sure as fuck won't do away with their version of the NSA. You'd deprive yourself of a valuable tool in international espionage.
What something like this needs, and what is sorely lacking today, is oversight. You needn't take away such powerful tools. You need to ensure they are not being abused. That's the real problem here.
If this is what passes for news in this crowd, I've been here too long and must be moving on.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Asking for a friend.
Security Agency, completely against computer security. You know vulnerabilities can be used against US targets too right? Backdoors can be used by criminals.
God spoke to me
The surprise is that they disclose so many. Invasion into personal privacy is only collateral damage at the moment, whilst there are relatively sane governments in power. Things might change in the future.
No shit, Sherlock.
[T]here are legitimate pros and cons to the decision
No there are not. There is only the LAW. The decision has already been made, ratified and written down. It's not up to some bureaucrat to make things up as he goes along. Governments are compelled to act within the bounds set by law. When they stop doing this, they are no longer law abiding nations and lose the right to enforce law on the people.
Many, many times in my career I have found some vulnerability and delayed disclosing it while enjoying it myself. I found a wonderful way of spiriting - nay, liberating - electronic components out of work that would have found their way into a dumpster. I found a way of accessing people's accounts on TSO and VM; I found ways of resetting the prepayment cards for lunch at work. I've keylogged PCs; I have tcpdumped and etherealed to find passwords to gain access to systems. I used I don't know how many exploits to get free Sky TV. I installed an FM transmitter in my manager's office about that time of year when salary plans were being discussed. I've picked many locks. I've used Apache and other exploits to break into systems where admins had long before forgotten root passwords. Not everything I have done has been legal. It's all contributed to me being who I am today, and having the skill set that I rely on to do my job.
If I think about it, I can't expect any different from the NSA. If they are going to learn the skills that they need to do their jobs, they do need to flex their muscles. We do need to have some level of trust in the agencies that have been put into place to protect our citizens.
It is never ethically justifiable to knowingly sacrifice one person to save a million. It is merely efficient, and that is entirely different. You still have to live with the fact that you took an innocent life, and saving many other lives will never undo that.
When the saving of millions is merely speculative though, even "needs of the many" arguments for efficiency have no rational justification whatsoever, since you may be sacrificing one and saving none.
People are not tokens at the gambling table, to be sacrificed on a whim as if they were spare cash.
A secretive, clandestine spy agency does secretive, clandestine things and has no scruples. Mmm... what a surprise! The thing we should really be complaining about is that they claim to have effective oversight and act within the law.
Keep America Safe by spending their tax dollars to make computers less secure... Wtf
Each one of their arguments can be used in reverse.
Holding back vulnerabilities means US companies continue to use compromised software. Foreign actors could use information gained by exploiting those vulnerabilities to plan a terrorist attack, steal our nation's intellectual property, or discover even more dangerous vulnerabilities that could be used to exploit our networks.
They themselves (and any government agencies they choose to share the vulnerabilities with) are no longer at risk - but that's it.
The NSA is involved in large-scale theft of other nations' intellectual property. These people are really disgusting.
This reminds me of an idiot who went on a zero day, full disclosure forum, advocating that they should "hold the best stuff back" so that they "look like gods" to the next, upcoming generation of hackers.
Let's just say that this silly jackass was laughed off the board, and is now enjoying his second stint in FPMITAP for unoriginal idiocy with a computer.
So the NSA is at the same basic intellectual (for lack of a better term) level...
Sigh.
THANK GOD!!!
I didn't think I would ever see another article with the proper use of the term zero-day. I expect when the NSA talks about zero-day they get the terminology right. An exploit the NSA discovers and doesn't use isn't a zero-day until someone else starts using it. Exploits they buy are most likely zero-day. Bugs found and reported to vendors but not used aren't zero-day if a patch arrives before an exploit. A real trick is knowing if a new exploit is being used, and I think it is clear that the spooks might have an advantage in detecting that sort of thing.
Has anybody noticed how they love to include things like terrorism, child porn, drug trafficking, copyright infringement, and "intellectual property" as threats to our national security? None of these things or like-things have *any* serious consequence to the existence of the United States, its government, or its people as a whole. There aren't enough drug traffickers or paedophiles in the world to overthrow the US government, and I'd be totally lost as to how intellectual property issues are a threat to the people or government. No, these things are not threats to the government or people. They are at best ordinary criminal activity, which largely has no harmful effect except in and of itself (to a large degree). What we have done by passing laws is create an opportunity for some people to justify their use of violence (i.e. law enforcement, judges, military, etc.) against people we may not care for and who are, or may be perceived to be, dangerous to us or some of those around us. However, if you put people into a corner by making something a crime they *will* use violence in self-defence. Totally predictable and much more defensible than the position of the government. The one is on the attack and the other is defending one's interests.
English: Disclosing a vulnerability can mean we forgo an opportunity to use the power of the state to spy on innocent people for no reason, crush legitimate political dissent, blackmail political figures to make them our puppets, engage in economic espionage that puts vast sums in the coffers of political insiders, interfere with foreign governments both friend and foe, cover up our vast incompetence, avoid the consequences of our bad decisions, and feed our degenerate addiction to unencumbered personal power that makes us feel superior to everyone else on the planet.
Why is Snark Required?
I bet that 9% that they released are all the exploits they could find, where the "intentional" delay is just the time they needed to find them. the other 91% is just made up.
Golly. I could have not read "Data and Goliath" and learned *one* of the appalling truths in it from Slashdot only a few weeks later.
NSA -- No Sales for America -- Would you buy something that possibly would have embedded surveillance equipment?
NSA -- Not Safe for America
NSA -- Not Sensible to Anyone
When people criticize the NSA, they assume the NSA is well-managed and doing something wrong. It is NOT well-managed. Management problems can be hidden. One example that was not hidden: Edward Snowden, an employee of a sub-contractor, could take huge amounts of data.
The only surprising thing about this would be if anyone were surprised!
...none of us would have a problem with what they claim to do. (Only the sheep think the NSA is telling any truths.)
But since the three-letter agencies of our oligarchical police-state have yet to FIND or PREVENT any attack of any kind, ever, then we should assume the following:
- They are lying.
- They cannot protect anyone from anything.
- They have no value to We The People.
- They have no justification for even 10% of their budget.
- Their main threat is We The People, and that is how they run their 'business'.
- If they were gone tomorrow, nothing would get worse and a lot of things would improve.