EFF sues NSA over snoops 'hoarding' zero-day security bugs

Intelligence agencies are among the most prolific buyers of zero-day computer security flaws that can be used to spy on enemies foreign and domestic, or so it's claimed – and the Electronic Frontier Foundation (EFF) has launched a lawsuit to find out what exactly they are doing with them. "Since these vulnerabilities …

  1. Ole Juul

    Security?

    The NSA is a zero-day vulnerability.

  2. John Smith 19 Gold badge
    Holmes

    Daniel " the US government wasn't hoarding vast amounts of zero-day security flaws"

    With all due respect to Mr Daniel how would he know?

    His job is security of their systems not penetrating other people's.

    Now if the head of the NSA department that collects these sorts of things said that (under oath and connected to a polygraph) I might believe them.

    1. MrDamage Silver badge

      Re: Daniel " the US government wasn't hoarding vast amounts of zero-day security flaws"

      Given that polygraphy is, at best, a pseudo-science, and that polygraphs can be fooled by a cool and calm demeanor, I wouldn't even trust him then.

      Threatening to slam his testicles between 2 bricks if we think he's lying would be a more effective way to obtain the truth from cretins such as this.

    2. Trevor_Pott Gold badge

      Re: Daniel " the US government wasn't hoarding vast amounts of zero-day security flaws"

      "Now if the head of the NSA department that collects these sorts of things said that (under oath and connected to a polygraph) I might believe them."

      I'd only even consider believing him if the polygraph was a brand new model he couldn't have had a chance to learn how to beat, and he was made aware that with any "lie" detected by the device he would be covered in petrol and set on fire, to die screaming in unendurable agony.

      Even then, however, I would still have trouble believing him. Sociopaths are pretty good at defeating lie detectors.

  3. Gordon 10
    WTF?

    I'm all for bashing the NSA

    But this is a bit much. The NSA doesn't have any responsibility for eliminating Zero days - they are a comms spy agency for gawds sake.

    It's perfectly reasonable for them to collect exploits to use as part of their toolkits and it's perfectly reasonable not to disclose which ones they have.

    What's not reasonable is to use those exploits against the general public or anyone who doesn't meet a reasonable definition of threat to the US or its allies.

    So no usage of them to create botnets within the general internet population.

    To stretch an analogy to breaking point - I don't mind the army (or police) having guns - I object to them being pointed (much less fired) at me when they don't have reasonable suspicion that my behavior or actions warrant it.

    1. localzuk Silver badge

      Re: I'm all for bashing the NSA

      No. The NSA are charged with protecting the USA. That includes the government IT infrastructure. So, they are supposed to do all they can to do that - which means they should not be finding and hiding zero day exploits but should be telling the software manufacturers so they can be repaired, which would then mean US govt IT systems would be patched and secure.

    2. h4rm0ny

      Re: I'm all for bashing the NSA

      >>"But this is a bit much. The NSA doesn't have any responsibility for eliminating Zero days - they are a comms spy agency for gawds sake."

      I get what you're saying but the basis of the charges is not that the NSA are failing to protect something that isn't in their remit, but that they're actively causing harm. Stimulating a black market in exploits and trading in illegal goods is not a positive thing. Much like when the CIA funded their activities by drug dealing (still do for all that I know). It wasn't a problem because the CIA's job was to reduce the drug trade. It was a problem because they were trading drugs.

    3. (AMPC) Anonymous and mostly paranoid coward

      Re: I'm all for bashing the NSA

      The main issues with "hoarding" zero-day security flaws are these:

      1) They will be kept secret and won't get fixed by the vendors.

      2) You and I will never know whether our systems are vulnerable to these security flaws, until it is too late.

      3) There is no guarantee these flaws won't be exploited by others, particularly if they are being sold on the black market.

      All in all, an extremely irresponsible position to be taken by any government agency. They may have the power to penetrate a few bad guys, but the whole world is at risk of being pwned.

      1. RTNavy

        Re: I'm all for bashing the NSA

        Not any different than the CDC cultivating, creating and keeping dangerous virus and bacterial cultures just in case we ever need to develop an antidote.

        1. Tom 38

          Re: I'm all for bashing the NSA

          Not any different than the CDC cultivating, creating and keeping dangerous virus and bacterial cultures just in case we ever need to develop an antidote.

          In fact, it is very different. The CDC collect and cultivate viruses and bacteria in order to develop treatments for them. The NSA collect and cultivate exploits in order to develop weapons based on them.

          If the CDC spent their time developing weaponised Ebola, then sure, it's exactly the same.

          1. Trevor_Pott Gold badge

            Re: I'm all for bashing the NSA

            If the CDC spent their time developing weaponised Ebola but never bothered to develop a cure, or even to let other government agencies know the potential danger of the weapons being developed then sure, it's exactly the same.

            T,FTFY

  4. LucreLout

    Side tracked

    My view of the NSA / Snowden thing is that it is becoming bogged down arguing about smaller details.

    If you take the view that the NSA need to spy on some people, and the NSA very much have that view, then they need a tool kit to do it. That will involve exploiting weaknesses in everything from locks through to operating systems, and will also involve exploiting people.

    The debate had more chance of producing a useful outcome (whichever side of the hero/traitor fence you sit) when it was focussed on the scale and direction of the spying rather than the minutiae of how it is done.

    1. h4rm0ny

      Re: Side tracked

      You can actually consider this a separate issue to the general NSA spying debacle. Supporting an illegal trade in something demonstrably harmful to security just because you have a need in common with the criminals, is a problem regardless of the use for it the NSA intend.

      1. LucreLout

        Re: Side tracked

        "Supporting an illegal trade in something demonstrably harmful to security just because you have a need in common with the criminals, is a problem regardless of the use for it the NSA intend."

        I'd be amazed if it was actually illegal for the NSA to buy or build exploits.

        It's not the toolset that is the problem, it's the use towards which it is put. A hammer is just a hammer if all you hit with it are nails...

  5. Anonymous Coward

    The EFF is a joke

    They have no clue and they don't represent the interest of the populace.

    1. JaitcH
      Thumb Down

      Re: The EFF is a joke

      You sound like an NSA/GCHQ Troll.

    2. Trevor_Pott Gold badge

      Re: The EFF is a joke

      The EFF NSA is a joke. They have no clue and they don't represent the interest of the populace.

      T,FTFY
