Proposed PATCH Act forces US snoops to quit hoarding code exploits

Two US senators have proposed a law limiting American intelligence agencies' secret stockpiles of vulnerabilities found in products. The Protecting our Ability To Counter Hacking (PATCH) Act [PDF] would set up a board chaired by a Department of Homeland Security (DHS) official to assess security flaws spies have found in code …

  1. Camilla Smythe Silver badge

    Assuming a Level Playing Field Within The Intelligence Community....

    Would it not make sense for all sides to 'burn' their exploits on the assumption that all sides, assuming they are equally capable, are all holding the same deck of dodgy cards?

    "Hit em with CLFUCK04!!"

    "It got burned."

    "No! That's Ours Goddammit."

    "Apparently they knew about it."

    "WTF!!?"

    "It's been patched."

    "What? You mean we can't even fuck over our own people?"

    "Fraid Not. Sorry."

  2. DagD

    I can't help but think of a George Carlin line: "What, they have bigger (pricks)? Bomb them!"

    What, the NSA has tools we don't? We want oversight!!! (so we can get our hands on them as well...)

  3. Stevie Silver badge

    Bah!

    All fixed, then.

  4. amanfromMars 1 Silver badge

    Headless chickens to a man with much ado about nothing which can be done

    Nobody in the wielding of power pays any heed to what anybody else thinks or proposes to be done and undone, for they know they be powerless to stop what is planned for the future with the tools for fools at their disposal.

    Whining about such things is the best that y'all can do.

    Haven't you realised that yet?

    1. Esme

      Re: Headless chickens to a man with much ado about nothing which can be done

      Good heavens amanfromMars1 that was nearly entirely coherent! Well done! 8-}

    2. John G Imrie Silver badge

      Who are you?

      And what have you done with the real amanfromMarse1?

      1. Swarthy Silver badge

        Re: Who are you?

        AMfM is still as non-sensical as always. It's just that the world is catching up. Between Brexit, Trump, T. May, and the TLAs running rampant, AManFromMars is comprehensible in comparison.

        1. amanfromMars 1 Silver badge

          Re: Who are you? @Swarthy .... and the Commencing of Proper Wars with Surreal Battle Groupies

          AMfM is still as non-sensical as always. ... Swarthy

          Non-sensical as in otherly rational and quietly radical and quite revolutionary and quantum evolutionary, Swarthy? It would be quite impossible to not admit to that, methinks. And me thinks more than just a bit about the value and worth of qubits. Do you too, ... or are you simply happy to accept the status quo picture shows and not question too deeply their alternative hidden agendas?

          Question more, .... See NEUKlearer HyperRadioProActive IT in Future Action and Feel the EMotion.

          And what are you going to think about the likes of a BBC/RT and Old Lady of Threadneedle Street/Bank of Russia being granted the Exclusive Opportunity and denying the Heaven Sent Gift of an Almighty Program?

          cc. Mark Carney/Elvira Sakhipzadovna Nabiullina/Tony Hall/Alexey Nikolov .. and Significant A.N.Others

  5. fidodogbreath Silver badge

    Oversight

    They should create a secret Patch Court, where only the NSA is allowed to present arguments and approval is granted 99.9% of the time. Then the rule of law will truly be upheld.

  6. tfewster Silver badge

    I'm still amazed that no-one else had found this vulnerability*. It would have come out eventually, though having a ready-made exploit toolkit made it worse. The lesson is, some vulns are too serious to hoard, so more oversight must be a Good Thing.

    * I assume the Russians hadn't, or there would have been some "suggestions" to Russian organisations to at least block SMB at the firewall. Though maybe the Russian security services liked having their own EternalBlueski that they could use to snoop on their own people?

    ---> for the backronym

    1. Yet Another Anonymous coward Silver badge

      Odd that the NSA didn't share it with GCHQ

      Obviously GCHQ didn't know about it - otherwise they would have told the NHS

      It's not like the British government would risk the lives of 1000s of ordinary people to keep secret a tiny exploit

      1. WatAWorld

        Is what we might learn about the terrorists worth risking people's lives for?

        Obviously GCHQ didn't know about it - otherwise they would have told the NHS

        It's not like the British government would risk the lives of 1000s of ordinary people to keep secret a tiny exploit

        We don't live in a police state. If you patch the NHS computers, civilian computer types are going to know, including civilian computer types without security clearances.

        So the decision would have been something like, "Is it what we might learn about 'the terrorists', Russians and Chinese worth risking the lives of UK citizens needing health care?"

        Similar conversation in the USA regarding US civilian lives, except that protecting US health care systems is even harder since few of them are government owned and operated.

        1. Richard 12 Silver badge

          Re: Is what we might learn about the terrorists worth risking people's lives for?

          I don't think they even considered it at all.

          I bet they simply thought "excellent, we now have a way into these targets" and never considered whether any "non-state actors" might also find the vulnerability.

          Then they locked it away in a cupboard and forgot how it worked, only remembering what it does.

          This SMBv1 vulnerability is very, very old. I bet neither the NSA nor GCHQ even remember finding it, and never even considered whether it could destroy the NHS.

          Oh yes, and then somebody got into the NSA's cupboard and nicked it.

          1. tfewster Silver badge

            Re: Is what we might learn about the terrorists worth risking people's lives for?

            @WatAWorld "If you patch the NHS computers, civilian computer types are going to know..."

            Which is why I said the "suggestion" would be to block SMB at the firewall, which can be justified for other reasons.

            @Richard 12 > "excellent, we now have a way into these targets"

            Agreed, they would have scanned for targets and then identified those targets to find the "interesting" ones.

            1. Doctor Syntax Silver badge

              Re: Is what we might learn about the terrorists worth risking people's lives for?

              @WatAWorld "If you patch the NHS computers, civilian computer types are going to know..."

              Which is why I said the "suggestion" would be to block SMB at the firewall, which can be justified for other reasons.

              Blocking SMB at an external firewall would be effective against external scans. If you're running SMB internally because that's how your network works and the malware is distributed by phishing scams, then it really doesn't help very much.

      2. MacroRodent Silver badge

        Secret patching of Windows infeasible

        Obviously GCHQ didn't know about it - otherwise they would have told the NHS

        And what could the NHS have done about it on its own? It would have had to involve Microsoft anyway, which would probably have resulted in a patch for everyone.

      3. Orba

        Coventry Dilemma...

        The issue isn't the information being held back, not really, it's that we consider it a potentially plausible possibility that they would risk the lives of innocent citizens for a minor tactical/strategic advantage.

        It's the Coventry Dilemma all over again. i.e. The truth doesn't matter in the long run, what's done is done, our response is more telling than the truth itself will ever be, 'Quis custodiet...?' etc. etc.

    2. WatAWorld

      Safe assumption: various intelligence agencies have been using these against our businesses for years

      I'm still amazed that no-one else had found this vulnerability*

      * I assume the Russians hadn't, or there would have been some "suggestions" to Russian organisations to at least block SMB at the firewall. Though maybe the Russian security services liked having their own EternalBlueski that they could use to snoop on their own people?

      There was that Adylkuzz private cryptocurrency mining malware that had been quietly churning in the background of people's computers for a few weeks, and was only discovered during the search for WannaCry variants.

      You can assume that real intelligence agency spyware would have been as unlikely to be randomly discovered by our side as Adylkuzz was.

      The safe assumption would be to assume that the Russians, Chinese, Israelis, British, etc all knew of this vulnerability and had been using it against state, local and industrial targets for years.

      Why would the security agencies of other countries not reveal the vulnerability?

      a. Some of these countries are police states and would probably have been able to apply protective patches to their national, state and local government computers without the public knowing.

      b. The rest of these countries have fewer industrial secrets than the USA. So less to lose and more to gain from the continued existence of the holes.

    3. John Smith 19 Gold badge

      "I'm still amazed that no-one else had found this vulnerability* "

      And there's the question.

      The Act proposal is basically "Release it if you've spotted someone else exploiting it."

      Prior to this was anyone else exploiting SMB V1.0 flaws?

      Did the US Intelligence community know it?

      Also it can be argued MS issued patches (to paying customers) years ago and their biggest patch was "Shift to Windows Whatever-is-current"

      On that basis it's not at all clear this Act would have applied.

      If this act is a response to this malware then it's basically solving the wrong problem. But disclosure should be an issue for intelligence agencies.

      Has the term "Two edged sword" ever been a more accurate description of such (potential) weapons?

      1. Doctor Syntax Silver badge

        Re: "I'm still amazed that no-one else had found this vulnerability* "

        their biggest patch was "Shift to Buy Windows Whatever-is-current"

        FTFY and I'm not sure their intended benefits extended anywhere beyond themselves.

  7. Graham Cobb

    Simple process

    I don't think this needs a complex review board. Much the same benefit could be created with a simple process:

    1) A limit (say 5) on the total number of exploits which can be hoarded at any time.

    2) An absolute time limit on the length of time it can be hoarded for. 12 months seems reasonable. After that time, it has to be reported to the manufacturer.

    3) A risk assessment and contingency plan, including a patch prepared in advance by the NSA so it can be fixed immediately if it becomes known.

    The problem is enforcement (trust, but verify), but codifying it in a law would help. At least it would be clear a crime has been committed if a more-than-12-month-old vulnerability appears on Wikileaks.

    1. Anonymous Coward

      Re: Simple process

      Would you trust a patch prepared by the NSA? Sounds like a great way to smuggle spyware onto machines.

      1. Yet Another Anonymous coward Silver badge

        Re: Simple process

        >Would you trust a patch prepared by the NSA?

        You already trust patches from US corporations who rely on the favour of the US government

        1. Anonymous Coward

          Re: Simple process

          Hush, you're disturbing my blissful ignorance.

    2. Doctor Syntax Silver badge

      Re: Simple process

      Add:

      The authority to hoard a vulnerability must be signed off by whatever politician is in charge of the department (e.g. Home Sec or Foreign Sec in the UK) and that sign-off should be made public when the time limit has expired or the vulnerability is exploited in malware.

  8. Mike 16 Silver badge

    Can I submit a patch?

    I mean "amendment"? As much as I hate the practice of adding thoroughly unrelated amendments to laws, I would find a certain poetic justice in also outlawing "vital security updates" that include unannounced side-effects like resetting the default browser, overriding my opt-out of having all my files sent to their cloudy backup, or ticking the "just automatically update from now on, I don't want to be bothered for approval ever again" box. That would go a long way toward making people a little less afraid of "updates" when the vendor does issue them, after the spooks admit telling the vendors about them.

    1. Rich 11 Silver badge

      Re: Can I submit a patch?

      And let's include "Ignoring the 'Hide this update' setting for Microsoft Silverlight" while we're at it.

  9. Anonymous Coward

    It's a nice thought

    But in reality, it doesn't matter if they do, or do not, create this new secret clearing house for zero day vulns, because any serious security researcher, or a nation-state-hacker-team (they always need more than one guy) can collect, examine, reverse engineer, and redeploy any remote hack that anyone can dream up, ever. We don't live in a universe where alternate laws of physics apply that would allow you to send electronic signals, then hide them again after the fact, without being in control of the signal splitter and out-of-band recording system before making the attempt.

    That would be a good trick, but it would be more practical to try and measure a quantum entanglement without disrupting it with your observation.

    1. WatAWorld

      Re: It's a nice thought

      But in reality, it doesn't matter if they do, or do not, create this new secret clearing house for zero day vulns, because any serious security researcher, or a nation-state-hacker-team (they always need more than one guy) can collect, examine, reverse engineer, and redeploy any remote hack that anyone can dream up, ever.

      That would be like the invention of the time machine in Hitchhikers Guide to the Galaxy.

      If it were so trivially easy to discover all the zero day vulnerabilities, then all the zero day vulnerabilities would be discovered at once, days after the release of the program product concerned.

      It generally takes either expertise or random luck plus time to find new zero day vulnerabilities.

      That is why it is total BS when some security researcher with either a PhD or no job eventually finds some (specifically) zero day vulnerability and releases it to the world because "all hackers already know about it".

      a. If they already knew about it then you don't deserve publicity for finding it?

      b. If they already knew about it why do the exploits only follow your information release?

      c. Peer reviewed journals, tech journals, and newspapers would not mention the zero day discoveries because trivial things are not newsworthy.

      d. We wouldn't have internet connected computers, since nothing substantial can be programmed by humans without it having vulnerabilities.

  10. Pen-y-gors Silver badge

    There is a principle to consider

    Should the police be allowed to knowingly ignore a threat to a householder? Once upon a time the parish constables would wander round, checking all was well, 'shaking hands with door-knobs' as Vimes would say, rather than sitting on their bum in a nice warm car. If such an officer discovered a front door was unlocked, should he ignore it and note the fact in case he wanted to come back later to plant evidence, or should he notify the householder so they can secure their property?

    In a democratic society I know what I'd expect them to do

    1. Agamemnon

      Re: There is a principle to consider

      Up Vote and a Beer for the Discworld reference (I like Vimes, I understand Vimes).

  11. Marketing Hack Silver badge

    National Security vs. General Cybersecurity

    Considering the U.S. is probably the most computerized major nation on Earth, and has the world's most successful tech industry, the largest financial industry and a very large hoard of classified data and programs, general cyber security and national security are probably the same thing.

    The challenge is getting the sigint community to see that.

    1. Yet Another Anonymous coward Silver badge

      Re: National Security vs. General Cybersecurity

      You would have thought that being the world's largest target for cyber attacks would have made them desperate to have systems patched and vulnerabilities plugged.

      Like the old joke. A man walking down Whitehall asks a stranger "which side is the foreign office on?"

      "Ours I think, most of the time" is the reply

    2. John Smith 19 Gold badge

      "The challenge is getting the sigint community to see that."

      When you're in a USG agency half of which is dedicated to infiltrating computers and computer networks to extract data it's very uncomfortable to realize that the best target for your work is in fact the United States.

      So best not to think about it at all.

      In terms of coverage the US is probably one of the best nations on Earth (except possibly Finland with 2 mobiles per person?) for the NSA to spy on.

      But they couldn't find Bin Laden for a decade.

  12. the Jim bloke Silver badge

    So..

    If they can decree that X vulnerability must be patched, does it mean they can also decree Y vulnerability may NOT be patched ?

    There is a wide disconnect between the interests of those exercising power (as distinct from 'running the show'), and the general public.

  13. dan1980

    For any politicians (the world over) who oppose this - on the grounds that to enact this law would cripple law enforcement agencies and remove necessary tools - I would ask a simple question: what happens if software gets released WITHOUT any relevant, exploitable bugs?

    Surely that is an aspiration, no?

    If the US agencies RELY on software being buggy then does that mean they are useless without such (unwitting) external assistance?

    1. Allan George Dyer Silver badge

      Interesting you should mention that... would you classify mandating a Government backdoor in encryption software as an "exploitable bug"? I would.

      Now, does anyone have a list of politicians who were in favour of backdoors, and who are now pushing for this bill? Bandwagon politics. Invertebrates!

  14. Pomgolian

    La La La..

    >It's designed to force the US intelligence agencies to pass on vulnerabilities to developers and hardware makers if there is evidence other people are exploiting them.

    Anybody exploiting these flaws?

    NSA: <fingers_in_ears>La la la</fingers_in_ears> Not that we can see...

    OK, keep them to yourself then...

    1. VinceH Silver badge

      Re: La La La..

      I've been reading through these comments to see if anybody else spotted that before commenting myself.

  15. Quinch

    "chaired by an Department of Homeland Security (DHS) official"

    I completely trust this idea with no reservations whatsoever.

    1. WatAWorld

      Re: "chaired by an Department of Homeland Security (DHS) official"

      Good point.

      Will government civilian agencies charged with protecting US businesses and investments, like the FTC and FCC, have seats on the board?

      It would still be inadequate, because there would be nobody to represent individual Americans, but at least there might be consideration of protecting private trade secrets.

  16. Mikel

    Gee

    Spies spy. Get over it.

    1. Richard 12 Silver badge

      Re: Gee

      Yes.

      But the only reason spies exist is to protect the people of their country.

      In this case, the spies caused massive damage to their own side.

      Why should we ignore that?

      The NSA have done it several times before, they will do it again - and every time they are breaching their purpose.

      There is a very simple solution: They can only keep a vulnerability secret for a short time, then are legally obliged to tell the developers and cannot prevent it from being patched.

      Otherwise they will hoard them, and only let them be patched after a massive attack has already happened.

      The side effect of this is that the NSA would then also be searching for vulnerabilities on a regular basis, which will then be fixed (after a delay for their use), thus protecting the people of their country.

      If they are not willing to do this, they are not fulfilling their purpose.

  17. Anonymous Coward

    Don't trust

    Anyone...

    1. amanfromMars 1 Silver badge

      Re: Don't trust ..... and Persistent Advanced Cyber Threats

      Don't trust Anyone...Anonymous Coward

      Don't trust Anyone ever, forever, is super secure internetional default for all valued and valuable systems touting cybersecurity credentials offering virtual protection against phantom enemies, AC. And it is a currently extremely active live field of PACT endeavours with all manner of Majic trickery?!. :-)

      Current Situation

      It is considered as far as the current situation is concerned, that there are few indications that these objects and their builders pose a direct threat to the security of the United States, despite the uncertainty as to their ultimate motives in coming here. Certainly the technology possessed by these beings far surpasses anything known to modern science, yet their presence here seems to be benign, and they seem to be avoiding contact with our species, at least for the present. Several dead entities have been recovered along with a substantial amount of wreckage and devices from downed craft, all of which are now under study at various locations. No attempt has been made by extraterrestrial entities either to contact authorities or to recover their dead counterparts or the downed craft, even though one of the crashes was the result of direct military action. The greatest threat at this time arises from the acquisition and study of such advanced technology by foreign powers unfriendly to the United States. It is for this reason that the recovery and study of this type of material by the United States has been given such a high priority.

      You can be sure that is fake news .... for the present situation is nothing at all like any of that old material. It is much more serious than was ever not imagined possible, and now super hypercritical?

      There's been a Public Domain escape and things have gone all Renegade Rogue and Private Pirate. Are you assured when that is treated as fake news or is Absolutely Fabulous Stealth virtually guaranteed by such action/treatment/non-active reaction?

  18. WatAWorld

    Past practice has meant the NSA has been helping the Russians, Chinese and terrorists

    Any vulnerability the NSA can find, a foreign intelligence agency can find.

    The current situation is that the NSA assume nobody inside the USA has any data useful to the Russians, Chinese, Indians, Iranians, Israelis, Pakistanis, Swiss, Germans, British, or terrorists.

    And we know from past disclosures the security agencies of all these countries consider international trade and trade secrets somewhat within the purview of their signals intelligence agencies.

    Even if the NSA were to start ensuring all US government computers are patched, that still leaves US local and state government, industry, business, academic, and personal computers open to hacking by foreign powers.

    The NSA's assumption that US citizens and US businesses have fewer valuable secrets than the Russians or Chinese is invalid. And those US secrets would be valuable to terrorists too.

    The NSA must be made to help safeguard Fortress North America and Fortress USA.

    By keeping secret vulnerabilities in US local and state government, industry, business, academic, and personal computers -- by keeping Americans vulnerable -- the NSA has been unwittingly helping the Russians, the Chinese and "the terrorists".

  19. Anonymous Coward

    So what makes anyone think that the NSA is going to reveal the fact it has a zero day vuln?

    Surely as a "secret" service agency its primary goal is to hide them.

    This doesn't make it right it just makes this request for legislation like using a chocolate kettle.

    1. Richard 12 Silver badge

      Without law there's nothing

      There has been precious little enforcement of the law with regards to the NSA, but it does occasionally happen.

      1. amanfromMars 1 Silver badge

        Re: Without law there's nothing

        Richard 12, Hi,

        It is wrong to think that there will ever be law and order for justice whenever there is only laws and disorder in the executive administration of chaos, madness and mayhem with CHAOS .... Clouds Hosting Advanced Operating Systems.

        Or perhaps you do not recognise the virtualised services in exclusive command and remote global control of media presented future realities/Great Game Plays?

  20. anonymous boring coward Silver badge

    If the vuln isn't exploited, then NSA doesn't have to report the vuln.

    If the vuln is exploited, then we'll all know about it and how it works. Then NSA won't need to report it.

    Seems like a totally useless bill. What a surprise.

    1. Prst. V.Jeltz Silver badge

      knee jerk reaction by some electoral type who knows nothing.

      If they did know anything they'd expand it outside the snoopy services dept.

      don't they know there are other people who find vulns?

      The NSA isn't in charge of cyber security testing!

  21. John Smith 19 Gold badge

    Congratulations NSA you have found a new vuln in an OS

    You may well be the first to find it.

    But you also presume you're the last.

    History says you're wrong.

  22. Clive Galway

    "The bill is a response to last week's WannaCry ransomware outbreak"

    "It's designed to force the US intelligence agencies to pass on vulnerabilities to developers and hardware makers if there is evidence other people are exploiting them."

    So it isn't a response to WannaCry then.

  23. Tikimon Silver badge

    Utterly toothless, without time limits

    They can establish any review process they like. Simply make sure that - not hard for government agencies - it takes a year or so for any vulnerability to trundle through the review process. It's as old as time, if you don't want to do something, drag it out forever.


Biting the hand that feeds IT © 1998–2019