
The NSA Is Hoarding Vulnerabilities - gexos
https://www.schneier.com/blog/archives/2016/08/the_nsa_is_hoar.html
======
Johnny555
The government already admitted that they are hoarding vulnerabilities:

 _...the Obama administration announced, in early 2014, that the NSA must
disclose flaws in common software so they can be patched (unless there is "a
clear national security or law enforcement" use)..._

Obviously any valuable zero-day flaw has clear national security use to a
national security agency that's tasked with breaking into "enemy" systems.

~~~
tptacek
Why the scare quotes around "enemy"?

~~~
CDRdude
Because the NSA breaks into US-based companies too.

~~~
tptacek
I'm sure that's happened, but there's a reason the EQ dump included lots of
vulnerabilities for Chinese products nobody in the US deploys.

"Enemy" is a weird word ("adversary" is probably better), but however you
slice it: NSA's mission includes real ones.

~~~
nitrogen
That is entirely irrelevant to people who are still getting hacked because of
these hoarded vulnerabilities.

~~~
tptacek
I don't follow. Could you make this argument more specific? Who's doing this
attacking? What kinds of vulnerabilities?

Stated as vaguely as you have, that's a hard argument to rebut. I tend to
agree: the world would be a safer place if everything was publicly disclosed
immediately. But even NSA's opponents tend not to support that as a policy
objective.

------
anexprogrammer
Here's what I've never understood despite following security for a number of
years. How on earth can the NSA _ever_ conclude "nobody but us" short of
silicon level exploits at manufacturing? Do they really think they can do
things that the Chinese or other governments with significant agencies and
supercomputers can't?

~~~
woliveirajr
IMHO, they can't be sure but it's possible to estimate in the following
scenario.

NSA finds some 0-day vulnerability in some router. To use it someone must send
some specific data to a specific port, so that it causes some buffer overflow
and leaks information.

NSA also might have all the traffic that is exchanged by some key points of
the USA sites. They can monitor from now on, and also look at the stored
traffic, and try to find if that packet (attack) was ever used, is being used,
or even activate some trigger if it shows up.

So, if others used it, warn the manufacturer. Not seen in the wild, save it in
the "only ours" folder and use at will.

~~~
AnimalMuppet
That's a very plausible bit of paranoia. And to add my paranoia to the mix:
Then the "auction" of Equation Group stuff could be a way for the NSA to
expose the vulnerabilities that others are starting to exploit.

~~~
balabaster
Just because you're paranoid doesn't mean that's not exactly what they're
doing ;)

Given what is becoming more apparent about the NSA on a day by day basis,
anything you can think might be being done but write it off as needless
paranoia is probably exactly what's being done... because "you're just being
paranoid, we'd never do that to millions of innocent Americans." Yet
somehow...

~~~
tptacek
That's an understandable feeling to have, but you see how it sort of sucks all
the oxygen out of any discussion you might have about issues or policy.

~~~
balabaster
Sure... the underlying cause, though, isn't policy or issues; it's trust in
the agencies creating the policies, mandating them and enforcing them.

If we trusted them to adequately safeguard our information, and not to misuse
it, then none of this would be an issue. But they've broken trust many times
over and once that horse has bolted, you can't just close the stable door and
expect people to just trust you again - especially not when you keep getting
caught with your hand in the cookie jar, get caught lying about it or using
smoke and mirrors to sidestep the consequences and then coming back and saying
don't worry, not only can we be trusted with the cookie jar, but we must be
the ones safeguarding you from the cookies because they make you fat. So it's
for the good of everyone. Meanwhile, they're just sitting there eating the
cookies. It's always a land grab for more cookies.

You wouldn't trust your six year old with that kind of behavior, you certainly
shouldn't trust a Government agency that acts the same way.

~~~
tptacek
This is a fine argument for not allowing NSA to help design things like key
escrow, or to prevent them from involving themselves in crypto standards
development. I'm not sure how it bears on vulnerability disclosure. NSA
discovering and stockpiling vulnerabilities shouldn't impact other
organizations discovering and then disclosing vulnerabilities.

~~~
balabaster
> NSA discovering and stockpiling vulnerabilities shouldn't impact other
> organizations discovering and then disclosing vulnerabilities.

I absolutely agree

------
upofadown
Now that the code makers have run far beyond the code breakers, hacking is all
entities like the NSA have left. So of course they are hoarding
vulnerabilities. That's all they can do.

Cracking systems probably isn't going to lead to anything worthwhile. It isn't
targeted enough. The thing that the NSA fears the most is the perception that
they are not worth the money. It's a legitimate fear.

~~~
nickthemagicman
What's the distinction between hacking and cracking?

~~~
mastax
Some would like to promote 'hacking' as screwing around with things for
fun/learning and 'hacking' as digital breaking and entering. Seems like an
uphill battle to me but it's probably useful to have a distinction.

------
wyldfire
> If there are any vulnerabilities that -- according to the standards
> established by the White House and the NSA -- should have been disclosed and
> fixed, it's these.

It's too bad -- there's really just no accountability for these espionage
organizations. And it seems like it will never change.

------
tptacek
A bunch of thoughts:

1. It's not true that there's broad agreement among experts about how the
government ought to handle vulnerabilities. In fact, that's close to the
opposite of the truth. On the question of regulation, the field is riven over
Wassenaar and the prospect of vuln research regulation. It's also divided
between people with operational knowledge of how zero-day is used by the IC
and people looking from the outside in, and also between privacy activists and
security researchers, which is a Venn diagram with only partial overlap.

2. Schneier is showily beating up on the USG "vulnerability equities
process", which supposedly determines whether or not the USG will publish
vulnerabilities. It's fair game. But something that there _is_ broad agreement
on among practitioners is that the VEP is a PR farce. Nobody needed "Shadow
Brokers" to confirm this; you can't have been paying attention over the last
10 years and not see that SIGINT roflstomps IAD. Read between the lines: even
without specific NSA disclosures, to believe that NSA was serious about VEP,
you'd have to believe that NSA is unique among all global intelligence
agencies about protecting industry from vulnerabilities.

3. Schneier's perspective on whether, why, and how vulnerabilities should be
disclosed is probably naive. The best account I've read on this so far is
Aitel's Vulnerability Equities post on Lawfare. For a simple example: NSA
SIGINT cannot necessarily disclose old vulnerabilities, even for products that
have been discontinued, without revealing to its opponents a catalog of every
machine they've compromised over the lifespan of the vulnerability. Take for
instance the Cisco SNMP vulnerability: SNMP is so low-volume that even mid-
sized US corporations maintain full packet logs of every SNMP request sent on
their network. To premise operation decisions on the idea that FSB doesn't do
that would be extremely poor tradecraft.

That's not dispositive! It could be the case that the USG should simply give
up on computer-based SIGINT, unilaterally disarming and working instead to
help industry defend against foreign SIGINT. That would be a radical change
and it would come with tradeoffs, but it's a coherent position.

A far more straightforward argument to make is that NSA SIGINT should be
entirely exempt from any equities process, but that NSA should be stripped of
its IAD mission, and a separately funded and operated IAD capability should be
spun up under DHS, with clear directives to disclose immediately to vendors.

4. I'm a little biased on this, not because I'm a vuln researcher (I am, but
I don't do the kind of work that gets marketed to government, nor have I or
will I ever work with governments) but because I think Bruce Schneier's track
record on this subject is both bad and inconsistent, dating back to his use of
his popular newsletter to vilify eEye for disclosing to the public
vulnerabilities later used to build worms.

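Two posts above describe the same defensive mechanism from different angles: woliveirajr's scenario of an agency checking stored traffic for a known exploit packet and arming a trigger for future sightings, and tptacek's point that full SNMP request logs let anyone (a defender included) reconstruct which machines ever received a given request once its signature is known. The script below, an added illustration that is not part of the thread or any participant's post, shows the defender's side of that: a retrospective scan over stored SNMP request logs for a hypothetical indicator, a list of destination hosts that would go on a forensics worklist, and a live trigger callback for new lines. The log format, the sample lines, the `Indicator` threshold and all function names are constructed assumptions and do not describe any real vulnerability.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Iterable, List, Optional

# Constructed sample lines in a hypothetical flow-log format (not real captures):
# <ISO timestamp> <src ip> -> <dst ip>:<dst port> udp len=<bytes> community="<string>"
SAMPLE_LOG = """\
2016-08-15T10:01:02Z 10.0.0.5 -> 10.0.1.1:161 udp len=62 community="public"
2016-08-15T10:05:40Z 203.0.113.9 -> 10.0.1.1:161 udp len=1460 community="public"
2016-08-15T11:20:11Z 10.0.0.7 -> 10.0.1.2:161 udp len=58 community="monitor"
2016-08-16T02:14:09Z 198.51.100.4 -> 10.0.1.3:161 udp len=1500 community="public"
2016-08-16T09:00:00Z 10.0.0.5 -> 10.0.1.3:162 udp len=1500 community="public"
garbage line that does not parse
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<dport>\d+) udp '
    r'len=(?P<length>\d+) community="(?P<community>[^"]*)"$'
)


@dataclass(frozen=True)
class Record:
    ts: datetime
    src: str
    dst: str
    dport: int
    length: int
    community: str


@dataclass(frozen=True)
class Indicator:
    """Hypothetical indicator: a request to the SNMP port far larger than any
    legitimate GET/SET seen on this network. The threshold is a constructed
    placeholder, not a value taken from any real vulnerability."""
    name: str
    dport: int = 161
    min_length: int = 1024


def parse_line(line: str) -> Optional[Record]:
    """Parse one log line; malformed lines are skipped rather than fatal."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Record(
        ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        src=m["src"], dst=m["dst"], dport=int(m["dport"]),
        length=int(m["length"]), community=m["community"],
    )


def matches(rec: Record, ind: Indicator) -> bool:
    return rec.dport == ind.dport and rec.length >= ind.min_length


def scan_history(lines: Iterable[str], ind: Indicator) -> List[Record]:
    """Retrospective pass over stored traffic: every request matching the indicator."""
    return [rec for rec in map(parse_line, lines) if rec is not None and matches(rec, ind)]


def first_seen(hits: List[Record]) -> Optional[datetime]:
    """Earliest sighting, i.e. the start of the exposure window."""
    return min((h.ts for h in hits), default=None)


def affected_hosts(hits: List[Record]) -> List[str]:
    """Destination hosts that received the indicator: the forensics worklist."""
    return sorted({h.dst for h in hits})


def make_trigger(ind: Indicator, on_hit: Callable[[Record], None]) -> Callable[[str], bool]:
    """Live-monitoring side: a per-line callback that fires on_hit for new sightings."""
    def trigger(line: str) -> bool:
        rec = parse_line(line)
        if rec is not None and matches(rec, ind):
            on_hit(rec)
            return True
        return False
    return trigger


if __name__ == "__main__":
    ind = Indicator(name="oversized-snmp-request")
    hits = scan_history(SAMPLE_LOG.splitlines(), ind)
    print(f"{len(hits)} hit(s); first seen {first_seen(hits)}; hosts {affected_hosts(hits)}")
    fired: List[Record] = []
    trig = make_trigger(ind, fired.append)
    trig('2016-08-17T00:00:00Z 192.0.2.1 -> 10.0.1.9:161 udp len=2000 community="public"')
    print(f"live trigger fired on {len(fired)} line(s)")
```

The two functions `scan_history` and `make_trigger` share one `matches` predicate on purpose: the retrospective answer ("was this ever used against us, and where?") and the forward-looking alert must agree on what the indicator is, otherwise the exposure window computed from history and the alerts raised going forward describe different things.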
~~~
jessaustin
_...NSA should be stripped of its IAD mission, and a separately funded and
operated IAD capability should be spun up under DHS..._

Maybe DHS could get an actual CA-issued cert for
[https://www.iad.gov/](https://www.iad.gov/) ?

------
doggydogs94
I think what would work best is the following. NSA alerts US companies of the
vulnerabilities in their products with the understanding that the companies
will not publicize that the vulnerability was fixed. This will let the NSA
continue to exploit the vulnerabilities; most customers never update things
like routers and other obscure pieces of the infrastructure.

------
jokoon
I think that as long as the NSA can estimate they do have more of those cyber
weapons, they won't push for patching them, and it makes sense.

The day the Chinese or the Russians are able to discover more of those
vulnerabilities, they will all get fixed.

It's a simple arms race. Simple as that.

------
ryao
I do not understand this "they're making us less secure" argument. The only
way that the NSA could be actively making systems less secure would be if they
were putting vulnerabilities into the source code or silicon. The reality is
that the NSA need not do that because these systems were already insecure and
the NSA just had to figure out how they were insecure. They would have been
insecure, even if the NSA had never scrutinized them.

The affected systems are ones that I had told others were likely insecure (by
virtue of being closed source), but no one listened to me. If you care about
network security, then you should use a properly configured software
firewall/router running Linux or *BSD. This Cisco/Juniper/etcetera equipment
is closed source, hard to scrutinize and almost certainly has horrible flaws
that would never be allowed into a serious OSS project.

Of course, things like pfSense are not "enterprise grade", so people will
continue to ignore advice to use them, put these vulnerable systems into
production and then be surprised when it comes out that the security was
terrible.

~~~
CWuestefeld
The NSA found vulnerabilities, built tools to exploit them, and then allowed
those tools to leak. That made us less secure, QED.

The argument against that is going to be "they weren't supposed to leak". But
that's dumb. This is the real world, and the best laid plans, etc. We need to
build systems robust to what _will_ happen, not just what we want or expect to
happen.

~~~
tptacek
That is an argument whose logical conclusion is that NSA can't do any SIGINT
using vulnerabilities: that the "equities process" result should simply be
"always disclose". But that's not on the table in any proposal, including the
VEP proposal.

~~~
CWuestefeld
_That is an argument whose logical conclusion is that NSA can't do any SIGINT
using vulnerabilities_

My argument shows that in some specific instances, we are less secure. There's
probably still a "net global" argument to be made saying that although there
do exist costs, they're outweighed by the overall benefits.

The problem with that, in turn, is that we're not allowed to know either of
the arguments into the equation. They argue that the costs are zero (which is
clearly false), and they won't tell us what the benefits are (other than the
unsupported claim that they're immense).

