NSA Uses Vulnerabilities Before It Discloses Them, Keeps Some To Itself

An anonymous reader writes: The NSA, perhaps seeking to repair its reputation, has started talking about how it handles vulnerabilities in computer software. But in doing so, they've only confirmed their own questionable behavior. The agency says it discloses zero-day flaws about 91% of the time. This means, of course, that they hold back about 9% of the flaws for their own use. They also don't mention when they disclose these flaws — which is damning, given statements from several current and former government officials indicating the NSA frequently waits and takes advantage of the vulnerabilities before notifying the companies who make the compromised software. This is the NSA's argument: "[T]here are legitimate pros and cons to the decision to disclose vulnerabilities, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks."

Same as Jailbreaking iPhones

[sanf780]

You want to keep some vulnerabilities for yourself just in case. You never know what will happen in the future.

Re: Same as Jailbreaking iPhones

[mrclevesque]

: )

Re: Same as Jailbreaking iPhones

[davester666]

It's just a little anal probing. You probably won't even notice...much.

Re: Same as Jailbreaking iPhones

[JustAnotherOldGuy]

It's just a little anal probing.

As long as it's just a little. Because after what the IRS has done to me, "just a little" sounds downright neighborly.

Re: Same as Jailbreaking iPhones

[ememisya]

Troll? Funny, sure, but I think it's trolling to consider my comment trolling.

Biased summary

[GlobalEcho]

...confirmed their own questionable behavior...

I am a US citizen as frustrated about unauthorized domestic surveillance as anyone. But this summary goes too far. Finding, keeping and using vulnerabilities is exactly what the NSA is supposed to do, and there is nothing questionable about that behavior.
If the submitter wants the government to have a group that finds and discloses vulnerabilities as part of its remit, then make a case for creating such a group. Don't saddle the NSA with the job.

Re:Biased summary

Wrong the NSA's goal is surveillance, the DISA (Defense Information Systems Agency) is digital security. That the NSA can assist the DISA is only a second thought.

Re:Biased summary

i don't agree that we should be funding an agency to spy on our own citizens and undermine
our digital security.

so if you agree that thats part of the role of government, for the children, then sure, nothing wrong
with what the NSA is doing

however, a lot of us disagree, and furthermore, we never had an opportunity to express our
opinion as to whether or not we wanted to live in a police state.

so this is us weakly trying to say no. try to pretend we have a right to our opinon so your
mind doesn't collapse from all the cognitive dissonance from supporting a 'police state democracy'

Re:Biased summary

[TWX]

The foreigners use the same technologies as the citizens, and are thus vulnerable to the same sort of exploits.

I guess I feel much the same way as GlobalEcho does. I actually do not have a problem, in of itself, with the concept of attempting to discover the real criminal plots that are used to attack people. What I have a problem with is when the number of persons being subject to scrutiny is far too many generations removed from the original subject, when the scrutiny is applied to things that aren't criminal acts or should otherwise be protected-speech (ie, counter-political groups, peaceful civil rights groups, and other such organizations that did not advocate violence or even equip themselves with the tools for violence), and when the checks and balances to ensure that overzealous application of the surveillance is curtailed are ignored or violated (ie, warrantless).

My problem with the idea is that there currently is no line between surveillance target and everyone else. If surveillance target == enemy, then that means everyone == enemy, or at least potential enemy. It leads to an us-versus-them mentality that is now prevalent in law enforcement at all levels of government. It works to destabilize the nature of our government being by us, for us, and starts resembling something out of 1984 or out of East Germany during its Stasi period. That is not healthy.

There need to be real rules covering investigation of people. There needs to be justification. There needs to be oversight. There needs to be the occasional criminal prosecution of a law enforcement official when they blatantly overstep their authority, and dismissal of charges from time to time through fruit-of-the-poisonous-tree legal concept, to remind law enforcement that if they ignore the law, those they attempt to prosecute can also ignore the law, and the only way to prosecute is to remain within its bounds.

It's not too far yet, but we need to continue to push for it to be corrected.

Re:Biased summary

The NSA, and ultimately the US, re the enemies of the rest of the world.

Yeah, because you would fare much better under Vladimir Putin or perhaps you would prefer the Iranian mullahs or the hard-core Sunnis of ISIS? Take your head out of your hindquarters, grow a brain and come back when you have something to say that isn't completely ignorant and stupid.

Re:Biased summary

[MyAlternateID]

That depends. If they're using them against Americans, then it's not what the NSA is supposed to do. The NSA has been caught spying on Americans before, so skepticism is IMO warranted.

Skepticism was warranted long before that happened because those in positions of power are never to be trusted.

Re:Biased summary

after everything thats happened these past 14 years, you really believe
there is a hard bright line between domestic and foreign operations?

do you even think it would be possible to define such a line?

Re:Biased summary

You pick examples from the middle east when every US intervention there turns the place into even more of a clusterfuck?

Re:Biased summary

[soap_and_dish]

This is the same logic that's applied to any military secrets - keeping information out of the hands of the enemy means also keeping it out of the hands of citizens. That sometimes makes sense. Sometimes. But it fails when withholding this information makes the country and its residents less safe.

The trouble is that we tend to forget that these organizations do not exist to attack, they exist to protect. Just as our penal system has gone over almost wholly to revenge and punishment rather than rehabilitation, our "defense" agencies have gotten far more aggressive. This seems to be a pretty consistent failure of logic which we are collectively suffering through. From militarization of police to projection of military power to the fucking article - in which we are making ourselves more vulnerable in the name of also making other entities ("the enemy") more vulnerable.

Re:Biased summary

[Peter+H.S.]

I am a US citizen as frustrated about unauthorized domestic surveillance as anyone. But this summary goes too far. Finding, keeping and using vulnerabilities is exactly what the NSA is supposed to do, and there is nothing questionable about that behavior.
If the submitter wants the government to have a group that finds and discloses vulnerabilities as part of its remit, then make a case for creating such a group. Don't saddle the NSA with the job.

Well, you are wrong in thinking that it isn't the job of NSA to disclose at least certain vulnerabilities.

NSA's job description also include counter intelligence. That means it should also do its best to protect US government servers, including the US military and potentially too, civilian US military contractors, who may have highly valuable knowledge on their servers.

So certain vulnerabilities affecting software that the US government uses, are circulated back into the software community, it is simply in the interest of NSA as a counter intelligence agency to do so.

Re:Biased summary

[penguinoid]

Much as I like to dump on the NSA, in this case they're doing things exactly right. If I were in their position, I'd use the zero day exploits against my targets, ensure we have a defense against it, maybe prepare a patch or workaround for publication, keep watch for others using that exploit. At some point I'd disclose the exploit to the developers, starting with the most obvious ones or the those which are already being exploited by others.

Much as it would be nice for all exploits to be disclosed immediately, doing so unilaterally would leave our cyberespionage people weaponless (but other countries wouldn't be).

The only problem I see in this situation is that apparently the target is "everyone".

Re:Biased summary

[phil.swansborough]

Yes, because the NSA is really ever going to be about protecting citizens. How can people still believe that any "security" agency ever has the interests of the majority of citizens at heart is beyond me. They are there to protect the wealthy and powerful, not you. They will never ever be there for you.

Re:Biased summary

[TWX]

I was referring to within the borders of the United States predominately. Internationally, nations, even friends, have spied on each other since the concept of the nation first formed.

Re:Biased summary

[Rujiel]

"There need to be real rules covering investigation of people. There needs to be justification. There needs to be oversight. "

There are effectively none of these, and you're still satisfied with the NSA anyway. Very telling about your priorities. Also almost no one on here lauds another user by name, let alone bolds it--comes off as sockpuppety.

Re:Biased summary

[dunkindave]

You pick examples from the middle east

I don't think Putin would consider Russia part of the Middle East. And to add to the anonymous coward's list, try living in North Korea, or in Somalia, or Sudan if you aren't Muslim, or Zimbabwe, or Burma, or Eritrea, or China if you are not wealthy or like to speak your mind, or ...

Re:Biased summary

[dunkindave]

I mean... technically the NSA's primary mission is to protect the warfighter (it's a DoD organization unlike the rest of the intelligence agencies).

I think DIA, ONI, NGA, AFISRA, Military Intelligence Corps, MCIA, a a couple others would disagree with the latter part of that statement.

Iran

[ultranova]

The NSA, perhaps seeking to repair its reputation, has started talking about how it handles vulnerabilities in computer software. But in doing so, they've only confirmed their own questionable behavior.

Questionable perhaps, but the article also provides a pretty good answer by mentioning Stuxnet, which was used to halt Iran's enrichment of uranium. Surely being able to stop what's at best an oppressive theocracy from obtaining nuclear weapons with no casualties or collateral damage has some value?

Re:Iran

That's what happens when you allow religious nut jobs to roam free...

Please leave Texas out of this.

Re: Iran

[31415926535897]

Right, legacy means nothing to him. Nor does party momentum. Obama does everything from righteousness and virtue now.

Re:Iran

[chipschap]

The NSA retains some offensive weapons. This is wrong?

You can answer that question as per your beliefs, and you're fully entitled to do that. But I could argue that if the NSA shouldn't have offensive weapons, neither should the Army or any other government entity. Again, you may be a pacifist and agree with that, too.

But there's practical reality at play here. Pacifism doesn't always work in the face of aggression.

Re:Iran

There was a lot a collateral damage: a dramatic boost in the private zero-day industry. The NSA is boosting a cyber cold war, instead of shutting it down as much as possible. Now the country with the most to lose will lose, and that is the US. Remember, other countries now have access to the same information, meaning they could do the same thing to our infrastructure, and they already have: the stolen personnel files. Remember that the same argument against nuclear proliferation applies to zero-day proliferation. Better that the NSA focus on securing infrastructure. One of the best tools to end the cold war was the star wars missile defense system, and that is the strategy we need today: kill the demand, don't grow the supply. Same issue with the drug war.

Re: Iran

[AK+Marc]

The Republicans paid the Iranians to commit acts of war in 1980 to sway the election to the warmonger party, why would this time be any different? If Iran attacks, it's probably as paid stooges for the Republicans.

Re:Iran

[radarskiy]

"what's at best an oppressive theocracy from obtaining nuclear weapons"

The Guardian Council is opposed to nuclear weapons. It was the secular authorities that were pursuing their development.

The only value nuclear weapons have for Iran are a) to prevent the USA from pre-emptively invading, and b) to trade away in a diplomatic deal. The latter did not even require actual weapons to have been developed.

There is no plausible way in which Iran represents a threat to the USA. The only people that the post-revolutionary Iran has used their military offensively against are the Taliban (remember them?), and defensively they fought against the USA-backed Iraq.

Re:Iran

[Chaos+Incarnate]

The problem isn't the NSA having offensive weapons. The problem is the NSA knowing that some installations are built on quicksand but not informing the owners.

That's not helping national security, that's degrading it.

Re: Iran

[AK+Marc]

For 1980? That was admitted by the Republicans and Iranians. No conspiracy needed, just read the confessions. Why do you think that Ollie North went to jail? To protect The Party from the fallout of the illegal payments to Iran. Not only was the deal treason in 1980, but they followed through with the payment as a second treason. Just like G Gordon took one for the team for Watergate, the investigations into treason stop when someone goes to jail for a much lesser crime.

Re:Iran

But I could argue that if the NSA shouldn't have offensive weapons, neither should the Army or any other government entity.

And if the NSA shouldn't have nuclear bombs, neither should the Army or any other government entity. Oh, right, that's absurd. Honestly, the fact is the NSA has two very contradictory goals: the protection of government systems against penetration and network warfare and the collection of foreign communications by both passive and clandestine means. This story isn't really news precisely because to do the latter almost inherently means interfering with the former. It's the same reason why [insert company]'s security team wants to push out details to mitigate attacks and release patches as soon as reasonable possible but [insert company] wants to delay patches into bundles and minimize the level of details to the public for PR purposes. Those very contradictory goals hurt everyone. It's only made worse when it's made clear just how much the NSA has defined "foreign" in such loose terms that often they'll still collect information on people non-foreign. Add to that the whole data swapping with other countries...

But there's practical reality at play here. Pacifism doesn't always work in the face of aggression.

Long-term pacifism is the foundation of what civilization is: non-force behavior that organizes towards a collective structure. Yes, civilizations can be destroyed. That doesn't carte blanche justify aggression or genocide on one's own end. And honestly, this whole discussion would be radically different if the NSA actually stuck to its job and there wasn't a very clear issue that other agencies couldn't subvert the NSA's information to bypass the intentions of limiting the scope of surveillance to actual foreign powers that are a real threat to people of the US. Instead, it's more in line with political tyranny.

PS - Yes, leaping to nuclear bombs seems like a strawman, but then your own discussion is very much strawman too. The NSA could be a passive-only surveillance and it could be left up to the CIA to do clandestine surveillance so the NSA could effectively undermine the CIA's efforts for the good of the American people. The whole step towards offensive acts can fundamentally undermine an agency in ways that, well, are obviously currently being undermined now. Besides, we don't per se give the Army nukes nor simply hand over weapons to the Army per se to do as they please. They're invariably under orders from the civilian government (President and under Acts of war) in a more direct way than the NSA seems to be. Perhaps if the NSA were less autonomous it'd be less of an issue, but then the NSA would have even more political tyranny in its actions.

Water is wet

[gurps_npc]

Ice is cold. Lava is hot.

Spies use privacy vulnerabilities

Are we going to publicly announce that soldiers kill people next? Perhaps someone thinks it is noteworthy that a bank charges interest on loans! Or that boxers HIT each other.

Re:Water is wet

[athe!st]

I've also heard scurrilous rumours the pope is a catholic

Deconstructing BS

Here is the NSA's claim.

"Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks."

a. The Terrorists. The Terrorists. Terrorism has been used by thugs throughout history to justify violations of rights. The TARGETED and use Intelligence in self-defense, on case-by-case basis lawfully approved, is justified and important to security. Even police sometimes need to do this to catch criminals. Mass indiscriminate surveillance of the global population, including violating personal data stores that are supposed to be our private property, is a violation of human rights. The number one violators of the right to privacy in world today seems to be the NSA.

b. How NSA ""Stop the theft of intellectual property" by not disclosing vulnerability? If follows if the NSA finds one so can someone else!

c. What good is the NSA's claim they "discover even more dangerous vulnerabilities that are being used to exploit our networks" when they don't disclose some of them? This is like arguing I disclosed an SQL injection vulnerability but didn't disclose an XSS one. Do hackers and those with malicious intent care what specific vulnterabilities they use to get into systems or is the objective getting into the system?

The fundamental problem though isn't the NSA. The real problem is the megalomaniacs that have encouraging and funding the anything-goes culture of the NSA. This would include both Bush AND Obama.. both Democrats and Republicans. This is one of those rare situations where the issue isn't partisan. Both members of the left and right have been supporting this overarching spying.

Thus those that claim to care about freedom, need to start calling out not only the other guys politicians but their own over this issue too.

Many feel a sense of hostility for the NSA out of control snoopying but the reality

Re:Deconstructing BS

[Opportunist]

The main problem here is that the NSA went away from a defensive position and is more and more used as an offensive tool in international (and domestic) espionage. Which by itself isn't so bad a thing, but using it indiscriminately not only on allies but on the own, domestic population without impunity is clearly stepping over the line.

Personally, I dare say international surveillance of alleged allies already does this. It damages the US' credibility far more than anything gained that way could compensate.

First Priority is to Protect the Innocent

[physicsphairy]

If the police failed to act on information a rape or murder was planned because they wanted to catch the perpetrator in the act, there would be outcry. You don't jeopardize the safety of the innocent to assail the (potentially) guilty. Collecting foreign intelligence is not more important than heading off immediate threats to domestic citizens. Clearly the NSA views it as all about "catching the bad guy" and has forgotten the reason the bad guys are considered bad. It's like SWAT leaving a bomb in a public building because, "Hey, maybe we could trip it when the bad guys get back."

Re:First Priority is to Protect the Innocent

[Opportunist]

Well, there is the "need of the many" counter argument. If you can catch a serial killer by sacrificing one target and ensure that way that he is being stopped and cannot kill dozen others, is it justified?

Is it justified to allow a terrorist plot to go ahead if that means the heads behind it have to expose themselves in a way that you can cut them off?

This game is rarely one painted in just black and white.

And this is a surprise?

[QuietLagoon]

If so, why?

They have no duty to disclose

[cfalcon]

They are an intelligence agency. You'd EXPECT that they would hold onto some method to do their job, which absolutely involves electronic infiltration. This is neither controversial nor unexpected.

Don't mistake the fact that they reach out to industry to improve everyone's (worldwide) security most of the time, for that being their primary mission or charge. That's a nice bonus.

If you want to get worked up, get angry about the same shit Snowden did- the possible indiscriminate spying against US citizens, and the idea that they only way that the government can do its job is by casting a worldwide net that monitors everyone everewhere all the time. Not that they can hack systems, which is a huge part of why they fucking exist.

NSA?

[Dan+East]

What do you think the NSA is for??? Free government funded penetration testing and reporting service? Sheesh.

Re:NSA?

[warm_warmer]

Free government funded...

Just to clarify, did you mean free or did you mean government-funded?

Nothing wrong with it per se

[Opportunist]

The NSA is a security service. Having tools to break and enter into the communication and data storage of potential enemies of the state is their business. That's what they do. Their whole reason to exist, to be blunt. If they can't do that, well, they can as well not exist at all. Which would not be beneficial for the US, in general, because, well, their enemies sure as fuck won't do away their version of the NSA. You'd deprive yourself of a valuable tool in international espionage.

What something like this needs, and what is sorely lacking today, is oversight. You needn't take away such powerful tools. You need to ensure they are not being abused. That's the real problem here.

It goes without saying

[dhaen]

The surprise is that they disclose so many. Invasion into personal privacy is only collateral damage at the moment, whilst there are relatively sane governments in power. Things might change in the future.

Kerfuffle

[Dunbal]

[T]here are legitimate pros and cons to the decision

No there are not. There is only the LAW. The decision has already been made, ratified and written down. It's not up to some bureaucrat to make things up as he goes along. Governments are compelled to act within the bounds set by law. When they stop doing this, they are no longer law abiding nations and lose the right to enforce law on the people.

Re: National Security Agency

[GoodNewsJimDotCom]

I love the USA. I just wish we didn't feel the need to promote malware vectors instead of patch them. I try and keep my Windows computers off the Internet anymore since there are so many viruses you can get just by clicking a wrong link. You don't even need to run a file anymore to get a virus. Things are pretty bad now. I wonder if things will get worse or better for computer security.

To be fair, I do the same

[niks42]

Many, many times in my career I have found some vunerability and delayed disclosing it while enjoying it myself. I found a wonderful way of spiriting - nay, liberating - electronic components out of work that would have found their way into a dumpster. I found a way of accessing peoples' accounts on TSO and VM; I found ways of resetting the prepayment cards for lunch at work. I've keylogged PCs; I have tcpdumped and etherealed to find passwords to gain access to systems. I used I don't know how many exploits to get free Sky TV. I installed an FM transmitter in my manager's office about that time of year when salary plans were being discussed. I've picked many locks. I've used Apache and other exploits to break into systems where admins had long before forgotten root passwords. Not everything I have done has been legal. It's all contributed to me being who I am today, and having the skill set that I rely on to do my job.

If I think about it, I can't expect any different from the NSA. If they are going to learn the skills that they need to do their jobs, they do need to flex their muscles. We do need to have some level of trust in the agencies that have been put into place to protect our citizens.

Re:People are not gambling tokens

[Opportunist]

Such entities are not running on morality. By definition no group of people, unless governed explicitly by some moral codex, will waste a nanosecond pondering the moral implications.

For reference, see corporation.

Not news unless you're naive

[matbury]

A secretive, clandestine spy agency does secretive, clandestine things and has no scruples. Mmm... what a surprise! The thing we should really be complaining about is that they claim to have effective oversight and act within the law.

In other words, they're script kiddie wannabes.

[Chas]

This reminds me of an idiot who went on a zero day, full disclosure forum, advocating that they should "hold the best stuff back" so that they "look like gods" to the next, upcoming generation of hackers.

Let's just say that this silly jackass was laughed off the board, and is now enjoying his second stint in FPMITAP for unoriginal idiocy with a computer.

So the NSA is at the same basic intellectual (for lack of a better term) level...

Sigh.

An article with the proper use of zero-day?

[thogard]

I didn't think I would ever see another article with the proper use of the term zero-day. I expect when the NSA talks about zero-day they get the terminology right. An exploit the NSA discovers and doesn't use isn't a zero day until someone else start using it. Exploits they buy are most likely zero-day. Bugs found and reported to vendors but not used aren't zero-day if a patch arrives before an exploit. A real trick is knowing if a new exploit is being used and I think it is clear that the spooks might have an advantage in detecting that sort of thing.

NSA speak translated to English

[Required+Snark]

NSA speak: Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks.

English: Disclosing a vulnerability can mean we forgo an opportunity to use the power of the state to spy on innocent people for no reason, crush legitimate political dissent, blackmail political figures to make them our puppets, engage in economic espionage that puts vast sums in the coffers of political insiders, interfere with foreign governments both friend and foe, cover up our vast incompetence, avoid the consequence of our bad decisions, and interferes with our degenerate addiction to unencumbered personal power that makes use feel superior to everyone else on the planet.

"Data and Goliath" by Bruce Schneier

[eric_harris_76]

Golly. I could have not read "Data and Goliath" and learned *one* of the appalling truths in it from Slashdot only a few wees later.

Surprise!

[Another+Mouse+Coward]

The only surprising thing about this would be if anyone were surprised!

Re:Uhh... what?

[BronsCon]

And if that depressing insight is moderated as flamebait rather than insightful, perhaps I should consider that as confirmation. It's been a good run and my karma indicates that I will be missed; perhaps more than some of you realize.