Slashdot Mirror


NSA Uses Vulnerabilities Before It Discloses Them, Keeps Some To Itself (reuters.com)

An anonymous reader writes: The NSA, perhaps seeking to repair its reputation, has started talking about how it handles vulnerabilities in computer software. But in doing so, they've only confirmed their own questionable behavior. The agency says it discloses zero-day flaws about 91% of the time. This means, of course, that they hold back about 9% of the flaws for their own use. They also don't mention when they disclose these flaws — which is damning, given statements from several current and former government officials indicating the NSA frequently waits and takes advantage of the vulnerabilities before notifying the companies who make the compromised software. This is the NSA's argument: "[T]here are legitimate pros and cons to the decision to disclose vulnerabilities, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks."

17 of 121 comments

  1. Same as Jailbreaking iPhones by sanf780 · · Score: 2

    You want to keep some vulnerabilities for yourself just in case. You never know what will happen in the future.

  2. Biased summary by GlobalEcho · · Score: 3, Insightful

    ...confirmed their own questionable behavior...

    I am a US citizen as frustrated about unauthorized domestic surveillance as anyone. But this summary goes too far. Finding, keeping and using vulnerabilities is exactly what the NSA is supposed to do, and there is nothing questionable about that behavior.
    If the submitter wants the government to have a group that finds and discloses vulnerabilities as part of its remit, then make a case for creating such a group. Don't saddle the NSA with the job.

    1. Re:Biased summary by Anonymous Coward · · Score: 2, Insightful

      Wrong, the NSA's goal is surveillance; the DISA (Defense Information Systems Agency) is digital security. That the NSA can assist the DISA is only a second thought.

    2. Re:Biased summary by Anonymous Coward · · Score: 5, Interesting

      i don't agree that we should be funding an agency to spy on our own citizens and undermine our digital security.

      so if you agree that that's part of the role of government, for the children, then sure, nothing wrong with what the NSA is doing

      however, a lot of us disagree, and furthermore, we never had an opportunity to express our opinion as to whether or not we wanted to live in a police state.

      so this is us weakly trying to say no. try to pretend we have a right to our opinion so your mind doesn't collapse from all the cognitive dissonance from supporting a 'police state democracy'

    3. Re:Biased summary by TWX · · Score: 4, Insightful

      The foreigners use the same technologies as the citizens, and are thus vulnerable to the same sort of exploits.

      I guess I feel much the same way as GlobalEcho does. I actually do not have a problem, in and of itself, with the concept of attempting to discover the real criminal plots that are used to attack people. What I have a problem with is when the number of persons being subject to scrutiny is far too many generations removed from the original subject, when the scrutiny is applied to things that aren't criminal acts or should otherwise be protected speech (i.e., counter-political groups, peaceful civil rights groups, and other such organizations that did not advocate violence or even equip themselves with the tools for violence), and when the checks and balances to ensure that overzealous application of the surveillance is curtailed are ignored or violated (i.e., warrantless).

      My problem with the idea is that there currently is no line between surveillance target and everyone else. If surveillance target == enemy, then that means everyone == enemy, or at least potential enemy. It leads to an us-versus-them mentality that is now prevalent in law enforcement at all levels of government. It works to destabilize the nature of our government being by us, for us, and starts resembling something out of 1984 or out of East Germany during its Stasi period. That is not healthy.

      There need to be real rules covering investigation of people. There needs to be justification. There needs to be oversight. There needs to be the occasional criminal prosecution of a law enforcement official when they blatantly overstep their authority, and dismissal of charges from time to time through fruit-of-the-poisonous-tree legal concept, to remind law enforcement that if they ignore the law, those they attempt to prosecute can also ignore the law, and the only way to prosecute is to remain within its bounds.

      It's not too far yet, but we need to continue to push for it to be corrected.

      --
      Do not look into laser with remaining eye.

    4. Re:Biased summary by MyAlternateID · · Score: 2

      That depends. If they're using them against Americans, then it's not what the NSA is supposed to do. The NSA has been caught spying on Americans before, so skepticism is IMO warranted.

      Skepticism was warranted long before that happened because those in positions of power are never to be trusted.

    5. Re:Biased summary by Anonymous Coward · · Score: 2, Insightful

      after everything that's happened these past 14 years, you really believe there is a hard bright line between domestic and foreign operations?

      do you even think it would be possible to define such a line?

    6. Re:Biased summary by soap_and_dish · · Score: 2

      This is the same logic that's applied to any military secrets - keeping information out of the hands of the enemy means also keeping it out of the hands of citizens. That sometimes makes sense. Sometimes. But it fails when withholding this information makes the country and its residents less safe.

      The trouble is that we tend to forget that these organizations do not exist to attack, they exist to protect. Just as our penal system has gone over almost wholly to revenge and punishment rather than rehabilitation, our "defense" agencies have gotten far more aggressive. This seems to be a pretty consistent failure of logic which we are collectively suffering through. From militarization of police to projection of military power to the fucking article - in which we are making ourselves more vulnerable in the name of also making other entities ("the enemy") more vulnerable.

  3. Iran by ultranova · · Score: 2, Interesting

    The NSA, perhaps seeking to repair its reputation, has started talking about how it handles vulnerabilities in computer software. But in doing so, they've only confirmed their own questionable behavior.

    Questionable perhaps, but the article also provides a pretty good answer by mentioning Stuxnet, which was used to halt Iran's enrichment of uranium. Surely being able to stop what's at best an oppressive theocracy from obtaining nuclear weapons with no casualties or collateral damage has some value?

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    1. Re:Iran by Anonymous Coward · · Score: 4, Funny

      That's what happens when you allow religious nut jobs to roam free...

      Please leave Texas out of this.

    2. Re: Iran by 31415926535897 · · Score: 2

      Right, legacy means nothing to him. Nor does party momentum. Obama does everything from righteousness and virtue now.

    3. Re:Iran by chipschap · · Score: 2

      The NSA retains some offensive weapons. This is wrong?

      You can answer that question as per your beliefs, and you're fully entitled to do that. But I could argue that if the NSA shouldn't have offensive weapons, neither should the Army or any other government entity. Again, you may be a pacifist and agree with that, too.

      But there's practical reality at play here. Pacifism doesn't always work in the face of aggression.

    4. Re:Iran by Chaos+Incarnate · · Score: 2

      The problem isn't the NSA having offensive weapons. The problem is the NSA knowing that some installations are built on quicksand but not informing the owners.

      That's not helping national security, that's degrading it.

      --
      Benford's Corollary to Clarke's Law: "Any technology distinguishable from magic is insufficiently advanced."

  4. Water is wet by gurps_npc · · Score: 2

    Ice is cold. Lava is hot.

    Spies use privacy vulnerabilities

    Are we going to publicly announce that soldiers kill people next? Perhaps someone thinks it is noteworthy that a bank charges interest on loans! Or that boxers HIT each other.

    --
    excitingthingstodo.blogspot.com

  5. They have no duty to disclose by cfalcon · · Score: 3, Insightful

    They are an intelligence agency. You'd EXPECT that they would hold onto some method to do their job, which absolutely involves electronic infiltration. This is neither controversial nor unexpected.

    Don't mistake the fact that they reach out to industry to improve everyone's (worldwide) security most of the time, for that being their primary mission or charge. That's a nice bonus.

    If you want to get worked up, get angry about the same shit Snowden did: the possible indiscriminate spying against US citizens, and the idea that the only way that the government can do its job is by casting a worldwide net that monitors everyone everywhere all the time. Not that they can hack systems, which is a huge part of why they fucking exist.

  6. Nothing wrong with it per se by Opportunist · · Score: 2, Insightful

    The NSA is a security service. Having tools to break and enter into the communication and data storage of potential enemies of the state is their business. That's what they do. Their whole reason to exist, to be blunt. If they can't do that, well, they may as well not exist at all. Which would not be beneficial for the US, in general, because, well, their enemies sure as fuck won't do away with their version of the NSA. You'd deprive yourself of a valuable tool in international espionage.

    What something like this needs, and what is sorely lacking today, is oversight. You needn't take away such powerful tools. You need to ensure they are not being abused. That's the real problem here.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  7. To be fair, I do the same by niks42 · · Score: 2

    Many, many times in my career I have found some vulnerability and delayed disclosing it while enjoying it myself. I found a wonderful way of spiriting - nay, liberating - electronic components out of work that would have found their way into a dumpster. I found a way of accessing people's accounts on TSO and VM; I found ways of resetting the prepayment cards for lunch at work. I've keylogged PCs; I have tcpdumped and etherealed to find passwords to gain access to systems. I used I don't know how many exploits to get free Sky TV. I installed an FM transmitter in my manager's office about that time of year when salary plans were being discussed. I've picked many locks. I've used Apache and other exploits to break into systems where admins had long before forgotten root passwords. Not everything I have done has been legal. It's all contributed to me being who I am today, and having the skill set that I rely on to do my job.

    If I think about it, I can't expect any different from the NSA. If they are going to learn the skills that they need to do their jobs, they do need to flex their muscles. We do need to have some level of trust in the agencies that have been put into place to protect our citizens.