
US Navy Soliciting Zero Days - mo
https://threatpost.com/us-navy-soliciting-zero-days/113308
======
DickingAround
What exactly should we do with this information? It's clear there's a cyber
war heating up. Between Stuxnet, the US gov's OPM getting hacked, Kaspersky
getting attacked, it's become pretty obvious. And since there's seemingly no
need to declare such a war before doing it, it'll only get hotter.

So what do we do? Is it time to just start running OpenBSD? Should I just
assume my systems won't be a casualty because it won't get that hot? Air gap
the important part?

~~~
arca_vorago
Don't you get it? The cyberwar isn't "heating up"; what "cyberwar" exists has
existed since the '90s. Yes, technological pervasiveness is making
vulnerabilities that are taken advantage of hit larger swaths of devices, but
that's not why you see the heating up of the arena.

The real reason is that we need a new boogieman to justify the level of
surveillance. The public, as deluded and propagandised as they are, is
starting to get tired of the same ol' terrorism argument, so this is the new
communism/terrorism, etc.

The point is that it's never about what they say it's about. It's about
control. Inverted totalitarianism.

~~~
brador
Control for what purpose?

~~~
themeek
So many different purposes. Sometimes control is necessary for everyone's
benefit - government has a legitimate claim to power. Sometimes control is
self-interested - it does one party more good than it can do the other.
Sometimes control is about a brace for an uncertain future - the American
Empire right now is being seriously challenged for its global primacy.
Sometimes control is about self-benefit - it consolidates power specifically
to disadvantage the other power. Etc. Etc.

Power consolidation right now is a mixed bag. Those who want power for their
own purposes find a good partner with those who consolidate power for noble
purposes find a good partner with those who brace for the future, etc.

You can only pick voices from the cacophony if you train your ear in one
direction. They are all there and it takes every singer in the chorus to work.

------
smegel
I find it really strange the Navy is doing this. Does it actually have an
intelligence wing capable of taking advantage of this? And if you thought the
NSA was the cyber intelligence wing of the DoD, so did I.

~~~
modoc
The ONI (Office of Naval Intelligence) is the US's OLDEST Intelligence agency,
so yes... :)

------
vaadu
This is why the mission of securing America's networks needs to be removed
from the NSA.

“What’s more noteworthy is how little regard the government seems to have for
the process of deciding to exploit vulnerabilities,” wrote Nate Cardozo and
Andrew Crocker of the Electronic Frontier Foundation. “As we’ve explained
before, the decision to use a vulnerability for ‘offensive’ purposes rather
than disclosing it to the developer is one that prioritizes surveillance over
the security of millions of users.”

~~~
jallmann
> This is why the mission of securing America's networks needs to be removed
> from the NSA.

And who should be responsible for this mission? Are you saying that the
offensive and defensive cyber capabilities should be split between different
agencies?

> “What’s more noteworthy is how little regard the government seems to have
> for the process of deciding to exploit vulnerabilities,”

The article mentions that the government itself acknowledges that there is a
delicate balance between disclosure and maintaining the ability to accomplish
other missions [1]. That dilemma is never going away, no matter how the
responsibilities are organized.

> “As we’ve explained before, the decision to use a vulnerability for
> ‘offensive’ purposes rather than disclosing it to the developer is one that
> prioritizes surveillance over the security of millions of users.”

Haven't read the EFF paper yet (and I hold the EFF in high regard), but in the
context of zero-days, that quote is a bit of a strawman. You don't burn
zero-days by indiscriminately propagating exploits (e.g., for mass surveillance); it
would be found out pretty quickly. You tap cables and get NSLs for mass
surveillance. Payloads attached to a zero-day would be used for more specific
purposes, rather than slurping up data en masse.

[1] [https://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities](https://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities)

~~~
Kalium
> And who should be responsible for this mission? Are you saying that the
> offensive and defensive cyber capabilities should be split between different
> agencies?

In theory, they already are. The Navy, Air Force, Army, and NSA all maintain
somewhat separate cyber capabilities.

------
BuildTheRobots
Site seems overloaded. Link for the lazy:
[https://web.archive.org/web/20150615233609/https://threatpost.com/us-navy-soliciting-zero-days/113308](https://web.archive.org/web/20150615233609/https://threatpost.com/us-navy-soliciting-zero-days/113308)

------
wahsd
Just to be clear, this is not really the Navy as most of you think of it that
is seeking this.

------
harkyns_castle
Give it some more time, all dissenting posts will be greyed out hehe.

------
themartorana
$27.5m fixed bid for a 24 month contract. That's extremely good work if you
can get it.

~~~
pmorici
It doesn't say that. The number $27.5 million is the cut-off for a business to
be considered a "small business" which would receive special considerations
under the law.

~~~
themartorana
Ah. You're right. Thanks for that.

------
harkyns_castle
Didn't foresee all this nonsense when I started to enjoy IT back in the
younger days.

Wish I didn't see it now either. What a mess. Long live the petrodollar and
killing other humans for a fiat currency.

------
tempodox
Why not 0 seconds, instead of 0 days? I didn't think you can buy time
anywhere, but why the gratuitous use of the “days” unit when the quantity is
zero anyway?

Still, a gov't agency would surely pay plenty, even for nothing at all, so
what's the going rate for “no time at all” these days?

~~~
aric
Days convey immediacy and scale. "Today" and "same day" balance precision. If
time between an exploit becoming known and fixed consistently happened in 100
seconds or less, 0-sec might sound ok. Come to think of it, 0-sec is a fitting
pun.

~~~
bentcorner
"0-sec" isn't too bad, but the plural can make for awkward conversation.

~~~
nostrebored
0-sec is a terrible name if you're working in sec...

