Failure to responsibly disclose is one definition...
... Of a black hat. Isn't it?
While some fear the US government is hoarding a vast pool of zero-day security vulnerabilities, the reality is that it probably holds just a few dozen, according to a study by Columbia University. In a presentation at the DEF CON hacking conference in Las Vegas today, Jason Healey, senior research scholar in the university's …
Er, so, who funded this "research"?
Nobody, and I mean that literally in the sense of "not one sentient human being in the entire history of ever", has ever tried to claim with a straight face that government agencies don't do anything shady.
If they buy a 0 day, and don't share details with the vendor, they are knowingly aiding and abetting criminals and potentially terrorists, who will be buying (and eventually using) those same exploits from the same source the spooks did.
The only 0 days they should be permitted to keep in their arsenal and not inform the vendor about are those they discover themselves. Not that I like that much either, but they're going to do it whether I like it or not, so this way at least minimizes the harm they do. This way they won't aid and abet criminals, or provide them with taxpayer funds.
"The only 0 days they should be permitted to keep in their arsenal and not inform the vendor about are those they discover themselves."
What makes you think they DON'T discover them themselves and what we're seeing most of the time is parallel efforts to a single goal?
DougS, pretty much with you.
However, given that some of the stuff the NSA does is arguably criminal / unconstitutional, "This way they won't aid and abet criminals, or provide them with taxpayer funds." seems overly optimistic to me.
If they discover them themselves, fine, but if they later discover someone else knows about the same exploit then they should consider that exploit "in the wild" and inform the vendor.
So two ends of the house are working against each other. Pick an F'ing side, NSA. Especially with taxpayer money.
And also, do we really trust these guys to tell us what is going on? So we're relatively sure the NSA has enough budgeted to buy far more than 50 zero-days, and they have people working internally to find more vulnerabilities and that internal effort is not included in the budget we know about. And who knows what connections the NSA has to major corporations, getting still more zero days because they have agreements with (insert name of giant tech company here) in return for this or that favor, or because the NSA & friends has recruited some employees of these big tech companies to insert a vulnerability into products or provide copies of code.
And yes, some of these zero-days that were bought/found/inserted... The fact is that we have zero idea of what the NSA is doing, or what the NSA is outsourcing to its various buddies overseas so they can "keep" some pledge they made to someone in a position of power in DC.
Methinks when the shit finally does hit the fan and it becomes painfully obvious how our society is more vulnerable to cyber attacks than any other, the NSA will be getting rid of stockpiled zero-days quicker than the CIA dumped waterboarding and Italian renditions.
This is why I've always thought that the NSA needs to be split into two organizations:
An offensive group that works with the military and CIA to do what they currently do, but acknowledge that they are a military organization and subject to the rules of combat.
And a purely defensive group that is as transparent as possible. They'd help US companies make secure software, provide security auditing to US-based organizations and government agencies, maybe even produce an open source security suite for US entities (citizens, companies, NGOs, etc). They could leverage the fact that we already have equipment intercepting all packets going in and out of the country and stick some layer 3-7 firewalls in place (especially if they release the code as part of the OSS security suite). They'd save the country billions just by blocking fraud and malware by doing such a thing. A banking trojan making the rounds? Block it at the edge of the country and prevent it from getting into the country, or stop it from spreading once it's in by distributing the signature / definition to the machine-level security suite. Hell, such an organization might actually end up being a net-positive benefit to the people from blocking ransomware alone.
One problem. How would you handle requests for an interdepartmental transfer? Outright ban?
So how do you handle a DOMESTIC (never touches the edge firewalls), POLYMORPHIC (no distinct signature) malware that can disguise itself as legitimate traffic (meaning trying to block it risks too much collateral damage)?
You're wrong, but nice job of BSing... not really. You'd think with 3 minutes of research, any idiot can figure this out... apparently not!
NSA is not in charge of the nation's cyber defense. This is the job of USSTRATCOM, who delegates much of the responsibility to USCYBERCOM.
"So how do you handle a DOMESTIC"
Which is why I mentioned releasing the firewall code as part of an on-premises piece of security software. Plus, at that point, the FBI could actually arrest the person responsible rather than issue a warrant for some unnamed guy in the Baltics and never catch them.
Spookhouses know everyone with a couple of functioning brain cells knows they have a stockpile of 0-day exploits. So they imply they have 50 or 100 in a 'nod, nod, wink, wink' bone, but no one but them has any idea how many they actually have and for what OSes, programs, etc.
So now comes the question. Which would you prefer: anarchy or the police state? Because in today's world, keeping third options is becoming more and more difficult.
A false dichotomy. Third options are actually much less difficult than in the past. The keys are education and opportunity for as many people as possible: enlightened self-interest is the best defence we have against both anarchy and the police state.
Company X knows that embedded programmers will create backdoors and give / sell them to spooks. So it proactively creates one of its own and then sells it, in advance, separately to each of the spook orgs. This maximizes utility and profit for Company X. Soviet Communism fell because of not too dissimilar madness, "so it can't be all bad".
There could be 'about 50' known (but secret) 0-day exploits on file.
At the same time, there can also be 'about thousands' of unknown 0-days yet to be discovered.
These two estimates are not the slightest bit contradictory.
Both estimates also seem to be perfectly reasonable.
A good statistician should be able to tease out reasonable estimates for both values, even the number of 'unknown unknowns'. It's not that difficult to extrapolate from rates of discovery, etc. Where the 'etc.' is fairly complicated. But still not that difficult.
"We know nothing (at least very little)."
I'd expect them to say that.
I suspect the average lifetime of a known zero day to be fairly short before someone else finds out about it. New ones are discovered and reported every day. Some that are so published will have been known about in secret for some months before by others and may then have been part of this arsenal with a sales life similar to goods on a greengrocery counter. Those whose work requires access to these exploits being kept secret as long as possible won't want to share them - so the NSA probably doesn't want to share with the CIA or military intelligence agencies unless used in connection with a joint operation and vice versa. That's going to be because use of a zero day exploit against a high value target also comes with a risk of exposing it making future use less reliable, especially if the target has a good enough intrusion detection system.
The morality and ethics of this area are also extremely murky. Where a zero-day is used against a target and their equipment interfered with, the legal rights of the target are then negated if the exploit-manipulated, and then potentially uncertain, state of their system is used as evidence against them without their knowledge that an exploit has been used against their data. If the state fails to hold its nose through unwillingness to buy exploits on the black market, paying taxpayer money to criminals in the process, then it will be blamed by certain parts of the media for allowing terrorist plots to succeed in massacring many innocents and so on, when claims are inevitably made that something could have been done to prevent this.
Seems to me that hackers are asked to hack. As such, they may or may not be asked to make the hack used part of the official catalog. So a simple workaround to this is that you tell the hackers to only report the zero-days that were low-hanging fruit.
"There are also ways around the new rules, Healey said. Based on interviews, it seems the FBI's method for hacking into the iPhone wouldn't be covered under the rules, since technically the Feds only purchased a tool to crack the smartphone, not the knowledge of how it was actually done."
Cue the founding of firms based just down the road from Fort Meade, staffed with ex-NSA hackers, who sell 'tools' to the government without having to disclose the holes they used.
Not only are they still within the rules, but someone gets to make lots of money off of it too, hooray!
Given the different operating systems involved on many different systems throughout the world, I would guess there is A LOT MORE than 50 zero-days available to the US Government. However, we'll never know, as these fall into special access programs; and those who work on Apple do not know what those who work on Microsoft have. Those who work on Cisco applications will not know what those who work on firewalls will have. Etc. etc.
It's always interesting when someone makes a claim about being with some agency's program, yet fails to really put 2 and 2 together.
So Professor Healey... I'd say give your students a pass, but give yourself a big fail... because you didn't adequately provide a good background for them to use. It also seems your background in JTF-GNO (as it was properly referred to when founded) is questionable.
If you were part of the organization then... just what exactly did you do? Because it seems you're way off base. You don't even have the wisdom to realize just how many different applications and OSes are researched.
Biting the hand that feeds IT © 1998–2018