NSA Uses Vulnerabilities Before It Discloses Them, Keeps Some To Itself (reuters.com)
An anonymous reader writes: The NSA, perhaps seeking to repair its reputation, has started talking about how it handles vulnerabilities in computer software. But in doing so, they've only confirmed their own questionable behavior. The agency says it discloses zero-day flaws about 91% of the time. This means, of course, that they hold back about 9% of the flaws for their own use. They also don't mention when they disclose these flaws — which is damning, given statements from several current and former government officials indicating the NSA frequently waits and takes advantage of the vulnerabilities before notifying the companies who make the compromised software. This is the NSA's argument: "[T]here are legitimate pros and cons to the decision to disclose vulnerabilities, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks."
I am a US citizen as frustrated about unauthorized domestic surveillance as anyone. But this summary goes too far. Finding, keeping and using vulnerabilities is exactly what the NSA is supposed to do, and there is nothing questionable about that behavior.
If the submitter wants the government to have a group that finds and discloses vulnerabilities as part of its remit, then make a case for creating such a group. Don't saddle the NSA with the job.
...disposing of it. After all, we need our men to stay alert in case there's a terrorist attack. MURICA!
They are an intelligence agency. You'd EXPECT that they would hold onto some method to do their job, which absolutely involves electronic infiltration. This is neither controversial nor unexpected.
Don't mistake the fact that they reach out to industry to improve everyone's (worldwide) security most of the time, for that being their primary mission or charge. That's a nice bonus.
If you want to get worked up, get angry about the same shit Snowden did: the possible indiscriminate spying against US citizens, and the idea that the only way the government can do its job is by casting a worldwide net that monitors everyone everywhere all the time. Not that they can hack systems, which is a huge part of why they fucking exist.
The NSA is a security service. Having tools to break and enter into the communication and data storage of potential enemies of the state is their business. That's what they do. Their whole reason to exist, to be blunt. If they can't do that, well, they might as well not exist at all. Which would not be beneficial for the US, in general, because, well, their enemies sure as fuck won't do away with their version of the NSA. You'd deprive yourself of a valuable tool in international espionage.
What something like this needs, and what is sorely lacking today, is oversight. You needn't take away such powerful tools. You need to ensure they are not being abused. That's the real problem here.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Criminals also eat and drink and breathe air. Wait... Don't you do that too?!