Re: The Russians ate my homework
>The US spooks were probably testing their exploits against various AV as they have to in order to use them in the wild
You've picked up a rather important point. I discover an exploit - how do I determine if it really is an undiscovered and thus viable zero day exploit?
There is only one way, to try the exploit on other computers running various security suites. In the (recent) past, such suites used a local DB, hence if my exploit isn't blocked and/or detected then I'm potentially good to go and I've not accidentially alerted anyone to my finding and work. I may rerun the tests at regular intervals, just to confirm the exploit is still 'undiscovered'.
Today however, with online security suites, the first thing a local AV will do is to obtain a hash of my expliot file and upload it, on discovering that it is new, the next action will be to upload the complete executable for deeper inspection.
Thus it would not surprise me, if it was discovered that various cloud services already contain hashes and perhaps archived example executables of "top secret" NSA exploits; just that there has been nothing to cause them to be flagged.
However, by combining metadata from the security upload, specifically IP address and system id, with metadata from other sources, I suspect it would be possible to identify through the known exploits many as yet unknown exploits and thus raise the flag on these currently hidden trojans...
I would assume that NSA would have thought of the above and more and hence it has influenced the final rationale for banning Kaspersky from government systems. Interestingly, it also means the US government can't use any security software who's cloud service is outside of the US and thus accessible to foreign agencies...