Here's what I've never understood despite following security for a number of years. How on earth can the NSA ever conclude "nobody but us" short of silicon level exploits at manufacturing? Do they really think they can do things that the Chinese or other governments with significant agencies and supercomputers can't?
No, it's not. I believe Schneier is simply abusing the term. As I've seen it deployed, "NOBUS" usually refers to capabilities protected cryptographically, not by kernel reference monitors that hide keys, but by actual secret keys.
I don't believe zero-day vulnerabilities are considered "NOBUS" by NSA. That would be silly, because every time they're used on public-sector IP networks (which is usually where they're used!), they're disclosed.
> ... every time they're used on public-sector IP networks (which is usually where they're used!), they're disclosed.
Could you explain what you mean by that? Do you mean that NSA discloses everything they use on public IP networks? If so, can you provide some references, because I have never heard of them doing so.
Or do you mean that every time the NSA does so, they get caught and exposed? That seems to be based on the idea that we never hear of them using exploits on public IP networks without getting caught, which, if you think for a second, you realize is a completely silly argument.
OK, so they're "disclosed" in the sense that "the information (in packet form) is released onto a public network". But that's potential discovery if someone is paying very close attention. And the point of a zero-day is that nobody's paying attention to that specifically, because nobody knows to do so yet. So, yes, somebody could have a packet capture of it, along with a billion other packets.
So you're using "disclosure" here in a very restricted sense. It more normally means something more like "sending an email to the vendor" or "making a press release".
To paraphrase someone smarter on these issues than I am: NSA's adversaries spend more on coffee than Cisco does on product security. When vulns like the ones we've seen are used on public networks, they are disclosed.
The question isn't whether they're disclosed to vendors. It's whether they're NOBUS flaws. Schneier is suggesting NSA views them as NOBUS. They do not.
you mean the NSA staff spends more on coffee than Cisco does on product security?
otherwise, the claim makes no sense. the NSA's adversaries include huge swaths of non-security-conscious users, and includes Cisco.
IMHO, they can't be sure but it's possible to estimate in the following scenario.
NSA finds some 0-day vulnerability in some router. To use it someone must send some specific data to a specific port, so that it causes some buffer overflow and leaks information.
NSA also might have all the traffic that is exchanged by some key points of the USA sites. They can monitor from now on, and also look the stored traffic, and try to find if that packed (attack) was ever used, is being used, or even activate some trigger if it shows up.
So, if others used it, warn the manufacturer. Not seen in the wild, save it in the "only ours" folder and use at will.
That's a very plausible bit of paranoia. And to add my paranoia to the mix: Then the "auction" of Equation Group stuff could be a way for the NSA to expose the vulnerabilities that others are starting to exploit.
Just because you're paranoid doesn't mean that's not exactly what they're doing ;)
Given what is becoming more apparent about the NSA on a day by day basis, anything you can think might be being done but write it off as needless paranoia is probably exactly what's being done... because "you're just being paranoid, we'd never do that to millions of innocent Americans." Yet somehow...
Sure... the underlying cause though isn't because of policy or issues though, it's trust in the agencies creating the policies, mandating them and enforcing them.
If we trusted them to adequately safeguard our information, and not to misuse it, then none of this would be an issue. But they've broken trust many times over and once that horse has bolted, you can't just close the stable door and expect people to just trust you again - especially not when you keep getting caught with your hand in the cookie jar, get caught lying about it or using smoke and mirrors to sidestep the consequences and then coming back and saying don't worry, not only can we be trusted with the cookie jar, but we must be the ones safeguarding you from the cookies because they make you fat. So it's for the good of everyone. Meanwhile, they're just sitting their eating the cookies. It's always a land grab for more cookies.
You wouldn't trust your six year old with that kind of behavior, you certainly shouldn't trust a Government agency that acts the same way.
This is a fine argument for not allowing NSA to help design things like key escrow, or to prevent them from involving themselves in crypto standards development. I'm not sure how it bears on vulnerability disclosure. NSA discovering and stockpiling vulnerabilities shouldn't impact other organizations discovering and then disclosing vulnerabilities.
> Here's what I've never understood despite following security for a number of years. How on earth can the NSA ever conclude "nobody but us" short of silicon level exploits at manufacturing? Do they really think they can do things that the Chinese or other governments with significant agencies and supercomputers can't?
They have a dual mandate and vast surveillance capabilities. I'm honestly not surprise at all by the behavior. I think the horrifying thing is people don't seem to care that this makes Government & Criminals equally dangerous to the security of our infrastructure. I'm just waiting for some massive, systemic compromise of a major bank from a combination of "NSA thinks they are the only ones with them" exploits as it seems like the only thing that would wake people up to the danger.
Those two mandates are in conflict so they are playing the logic of:
1) We have vast surveillance capabilities, so we would be able to detect 0-days sent over a network we have visibility into.
2) We don't care if non-US assets get cracked and we have near perfect visibility into US assets.
3) We have a duty to perform offensive operations. So we should retain any weapon we believe our enemies are unaware of.
I don't think Schneier established that NSA does consider zero-days NOBUS. I think he's conflating things like Dual_EC, which are cryptographically protected NOBUS capabilities, with zero-day vulnerabilities.
I do not understand this "they're making us less secure" argument. The only way that the NSA could be actively making systems less secure would be if they were putting vulnerabilities into the source code or silicon. The reality is that the NSA need not do that because these systems were already insecure and the NSA just had to figure out how they were insecure. They would have been insecure, even if the NSA had never scrutinized them.
The affected systems are ones that I had told others were likely insecure (by virtue of being closed source), but no one listened to me. If you care about network security, then you should use a properly configured software firewall/router running Linux or *BSD. This Cisco/Juniper/etcetera equipment is closed source, hard to scrutinize and almost certainly has horrible flaws that would never be allowed into a serious OSS project.
Of course, things like pfSense are not "enterprise grade", so people will continue to ignore advice to use them, put these vulnerable systems into production and then be surprised when it comes out that the security was terrible.
Bruce Schneier is well documented to equate failing to disclose vulnerabilities with making systems less secure, or as he put it in this interview, less safe:
To his credit, he was talking about weakening encryption standards, but then elaborated that simply looking for security vulnerabilities and not telling anyone what they found was also doing that. I find that latter position ridiculous. It would be like saying studying malaria and not reporting your findings makes people less healthy.
This isn't just "looking for security vulnerabilities". Tools were created to exploit the vulnerabilities. Both the archive of hoarded vulnerability knowledge and the archive of exploit tools is a valuable target... because it would be extremely useful for an attacker, thus making us less safe.
This isn't a hypothetical concern, because the Shadow Broker archive is an example of one - or more - of those archives falling into unknown hands. Hoarding vulnerability information concentrates risk which invites thieves.
Less safe than what? The tools could be developed by anyone who works long enough. These systems were always insecure and the idea that we should ignore that rather than replace them with systems that are less insecure by virtue of being developed with OSS best practices is ridiculous. People need to recognize bad decisions and start making good ones rather than find scapegoats to avoid the issue.
World A contains an archive of concentrated vulnerability information. World B doesn't. World A is strictly less safe than World B, because concentrating information creates a more attractive target. Without that concentrated archive, the vulnerabilities would have to be discovered on their own.
Do you really want to argue that allowing the archive of stolen tools recently released by the "Shadow Brokers" didn't make people less safe? Even though it contained attacks on various routers that were previously unknown? Is it really your assertion that those same tools were never used before the "action" announcement?
> the idea that we should ignore that
Nobody is saying that. Where did you get the idea that we should ignore vulnerabilities?
> could be developed by anyone who works long enough
Obviously, which is why I also discussed the hoarding of vulnerability knowledge.
Maybe all of those vulnerabilities would have been discovered independently, but stealing the archive from the NSA would have been a lot easier and faster. These are not traits you can simply brush off as irrelevant, as most security is not about perfection, but instead about how long the security features will delay an attacker.
> scapegoats
This isn't about finding a scapegoat. The NSA making us less safe is the "bad decision" that needs to be recognized.
My point is that research or even exploitation is not causation of security flaws.
The flaws themselves are what make people insecure and ignoring that by complaining about people researching them for whatever reason suggests that we should ignore security flaws and just blame anyone who looks.
The release of the concentrated archive will help security in the long term the same way that a fire that burns down a city improves fire safety in the long term by encouraging changes to building codes. Ideally, such things should have been done already, but people tend to only fix things after something catastrophic happens.
Hopefully, people will realize that they need to adopt solutions that are more resilient. That means equipment running fully open source solutions such as PFSense, OpenBSD, LEDE, etcetera.
PFSense is much easier to audit than the closed source stuff that the disclosed zero days targeted. Anything that they find in it is far more likely to be found by others and patched. It is a fundamental improvement that you only can get with OSS.
That being said, organizations doing what the NSA does will always exist. Making decisions based on that premise that will lead to a much better result than blaming them for flaws in the things people use ever will.
I definitely agree with your premise, that OSS can more easily be reviewed.
In reality, do you think/know that happens? (I'm genuinely intrigued). I know almost all major software shops generally have some kind of formalized process for internal and external security review; and often have automated tooling to also support that process. I'm not saying it's perfect, but it's there, and catches a lot of bugs.
Running with PFSense as our example, do they have regular codebase-wide and change-specific code reviews and security assessments? I'd be delighted to know they do, but haven't seen much about it.
That is a rather good tool provided to open source projects for free that finds bugs, including exploitable bugs. FreeBSD and pfSense by extension has the benefit of Clang's various tools for catching issues (e.g. its static analysis, address sanitizer, etcetera). I also know that there was a TrustedBSD hardening effort. You probably would want to ask the pfSense and FreeBSD guys for details.
There are better people than me to ask, but given that it is open source the people doing things are under no obligation to talk about it, it is hard for anyone to know everything being done.
Anyway, my point is that these sorts of things only happen with OSS. If a search researcher has an idea for a new way of catching bugs, he is likely going to use it on OSS code rather than closed source software by virtue of it being easier to do experiments on it. The same goes for non-profits devoting money to auditing code (which the Linux Foundation announced last year). You definitely will not see that happen with proprietary software. This gives OSS an intrinsic advantage.
>given that it is open source the people doing things are under no obligation to talk about it, it is hard for anyone to know everything being done.
Actually, by nature of being Open source there's 100% increased likeliness they'll talk about it - they simply can. It's the thousands of security consultants working under NDA doing code review for software companies that legally cannot talk about it, even if they did want to.
> Anyway, my point is that these sorts of things only happen with OSS.
That's not correct. Software companies have much bigger budgets for security tooling than open source projects. They've got access to clang and coverity as well as a host of other tools that cost hundreds of thousands of dollars.
> The same goes for non-profits devoting money to auditing code (which the Linux Foundation announced last year). You definitely will not see that happen with proprietary software. This gives OSS an intrinsic advantage.
This is really awesome, I'm loving seeing this happen. But For every 1x security review of say truecrypt, you do realize that Microsoft and Apple would've had those exact same experts audit their own implementations several times a year, right?
Are those the same experts that missed gotofail? Static analysis should have caught that. Just because they can does not mean that they do. Having many developers sharing code means that they all have an incentive to do auditing.
By the way, there are definitely people who do things with OSS code and never tell others. I cannot know what everyone is doing. I am neither God nor the NSA.
Malaria is more akin to an exploit than a vulnerability.
However, if we are to persist with your example, what you are trying to say is more akin to "Studying malaria and developing, or buying, a genetically engineered infectious disease that uses malaria's infection vector, and stockpiling it in a warehouse, and sometimes secretly using it, and not telling anyone about this isn't making people any sicker."
Most of those activities do not make people sicker. The hoarding part certainly does not. We ought to be realistic in identifying each action for what it is, rather than labeling it all as one thing.
> It would be like saying studying malaria and not reporting your findings makes people less healthy.
That isn't necessarily an absurd thing to say in some circumstances, but let's take a different angle.
A striking difference between information security and microbiology is that the information necessary to attack someone and the information necessary to defend against attacks are almost identical. (People can develop an exploit from a patch, or a patch from an exploit, in a matter of days or hours. And they expect to be able to do so; if we had a working exploit or a detailed vulnerability description, we'd be very critical if a vendor couldn't patch promptly solely on the basis of that information.)
In microbiology, there is a relationship between these two kinds of research or capability, and biomedical researchers sometimes produce more virulent pathogens as part of their research, but overall the relationship is dramatically more attenuated. There are pathogens that researchers have had samples of for decades that they still haven't produced a successful prophylaxis against. And just having drugs that treat infection, or vaccines, doesn't automatically allow someone to cause infections or epidemics.
Aren't they literally "making us less secure" by keeping records of vulnerabilities on computer systems but not disclosing them?
This means they can't be fixed by the software company but as this data dump shows, shady characters might be able to discover these vulnerabilities by (illictly) accessing computer systems used by the NSA.
Edit: Yes the shady characters might be able to independently discover the vulnerabilities if they are not "NOBUS" but this is another avenue.
> The reality is that these systems would have been just as insecure had the NSA never scrutinized them
In theory, sure. In practice, this is false. When the NSA finds a vulnerability it can exploit there is information created. As Snowden and the recent hack confirm: data is prone to leaking. Once data leaks, the systems that NSA attacks are fundamentally and operationally less secure than they would be had the NSA not attacked them. This is the very reason it is important that zero-days are reported and fixed.
There are three sides to the "making us less secure" argument.
1. If they would work with companies to get the vulnerabilities fixed, we would be more secure. The lack of action in this area doesn't make us less secure. It merely delays increasing security. Not the same thing so this argument is not logically sound. (It's like the RIAA saying that downloaded albums is directly lost revenue while there's no guarantee that the pirate would buy instead of download.)
2. Having a large cache of exploits that they cannot successfully secure creates a target for bad actors. If this cache is compromised then we all are actually less secure.
3. Other efforts by the NSA such as compromising RNGs and security protocols do actually make us all less secure.
#1 is a false equivalence. There really is no more secure here. The system is either secure or insecure. If it is insecure, then the only questions are how bad is it and how it could be made less insecure? If something is secure (e.g. seL4), then there is no room for improvement.
#2 is nonsense because the system is already insecure.
#3 is a straw man because we are talking about the NSA not contributing the results of their security research to the world. The other things that they do that actually making things less secure are not the subject here.
#1 "the system is either secure or insecure" - only according to the particular system's threat model. Your counter-argument falls flat because it assumes all computers share one universal threat-model. "more secure" refers to probabilities built into a particular threat-model. If you're going to make security a binary thing, then without absolute knowledge of the entire system...it is insecure and we're wasting our digital ink.
#2 depends on #1
#3 if the subject is "things the NSA does do to make us less secure" then it is the subject.
Security like temperature. It has an absolute limit. We are really only talking about how insecure a system is. That becomes obvious when reading about things like seL4.
While I agree with you in principal and am sympathetic to your position, it is not the case that security is "absolute" without taking threat model into account. As a specific example, SeL4 does not take timing channel vulnerabilities into account.
If you are doing formal verification, then you can make your own model, create software and attempt to prove that the software has issues within that model. seL4 is just one example of someone doing that.
Uh, I know. My point is that you won't always know all the security vectors you have to deal with. There's no way of just asserting that your model is free of side-channel attacks without (minimally) intimate knowledge of the hardware it's going to run on.
If they know of a vulnerability, not announcing it is simply hoping (or worse presuming) that others haven't found it. Not all vulns are found by people who make a nice blog post, claim their $2k, and move on - some will be keeping very quiet and actively exploiting for poltical or financial reasons.
Even with the most positive view, some small subset of those vulnerabilities will be known to others and some will be actively exploited. Hence making us less secure.
Security of a system is an intrinsic property that does not change upon scrutiny. Rather than accuse those not reporting the results of their researchers we should focus on building systems that are secure like seL4. This blame game is counterproductive and distracts from making secure systems.
I'm not suggesting accusation of researchers, but in the case of NSA isn't part of their mission improving network security? They founded SELinux after all.
It's not like vulnerabilities are rare or aren't going to be exploited if not revealed.
I do not think that it is feasible to expect a government agency to solve bad engineering. There is no pixie dust that the NSA can sprinkle on systems to make them secure, even if it dedicated all of its resources to trying.
If anything, by doing what they are doing, they are exposing the fallacy of such expectations and hastening the development of systems that are actually secure. By that measure, this is actually improving security in the long term far more than attempting to bolster the status quo ever could.
The NSA found vulnerabilities, built tools to exploit them, and then allowed those tools to leak. That made us less secure, QED.
The argument against that is going to be "they weren't supposed to leak". But that's dumb. This is the real world, and the best laid plans, etc. We need to build systems robust to what will happen, not just what we want or expect to happen.
The argument against that is that you are hopelessly insecure if your security strategy is to hope no one develops tools around vulnerabilities in proprietary systems. That is going to happen and they are going to leak whether the NSA does it or not.
The best bet is to aim to build systems like seL4 and use properly configured well engineered OSS solutions until solutions like seL4 become available.
That is an argument whose logical conclusion is that NSA can't do any SIGINT using vulnerabilities: that the "equities process" result should simply be "always disclose". But that's not on the table in any proposal, including the VEP proposal.
That is an argument whose logical conclusion is that NSA can't do any SIGINT using vulnerabilities
My argument shows that in some specific instances, we are less secure. There's probably still a "net global" argument to be made saying that although there do exist costs, they're outweighed by the overall benefits.
The problem with that, in turn, is that we're not allowed to know either of the arguments into the equation. They argue that the costs are zero (which is clearly false), and they won't tell us what the benefits are (other than the unsupported claim that they're immense).
"The only way that the NSA could be actively making systems less secure would be if they were putting vulnerabilities into the source code or silicon."
After seeing the Snowden revelations - who says they don't actually do this?
I think that the line is that if they're not fixing it, making us "more secure", then we're "less secure" (when, after all, we're just left in the same status we were before).
I believe he's referring to the argument Schneier is making, not to the entire notion of NSA's SIGINT mission. Dual EC was indeed an instance of NSA harming everyone's security (less, at least in the US, than is broadly supposed, but clearly and deliberately). But it's not an instance of NSA acquiring zero-day vulnerabilities and then using them to harm everyone's security.
>The affected systems are ones that I had told others were likely insecure (by virtue of being closed source), but no one listened to me. If you care about network security, then you should use a properly configured software firewall/router running Linux or *BSD. This Cisco/Juniper/etcetera equipment is closed source, hard to scrutinize and almost certainly has horrible flaws that would never be allowed into a serious OSS project.
You went wildly off the rails here; the OSS vs closed source security argument is foolish. If you think 'many eyes, shallow bugs' still has validity in 2016, you're not up to speed.
Well one way is that they are building tools that exploit those vulnerabilities, and leaving the tools on poorly protected "staging servers" where they can be stolen and revealed to the world.
Whoever stole the tools this time announced them to the public -- how many times have the tools been stolen in the past and kept quiet so they could be used?
> If there are any vulnerabilities that according to the standards established by the White House and the NSA should have been disclosed and fixed, it's these.
It's too bad -- there's really just no accountability for these espionage organizations. And it seems like it will never change.
1. It's not true that there's broad agreement among experts about how the government ought to handle vulnerabilities. In fact, that's close to the opposite of the truth. On the question of regulation, the field is riven over Wassenaar and the prospect of vuln research regulation. It's also divided between people with operational knowledge of how zero-day is used by the IC and people looking from the outside in, and also between privacy activists and security researchers, which is a Venn diagram with only partial overlap.
2. Schneier is showily beating up on the USG "vulnerability equities process", which supposedly determines whether or not the USG will publish vulnerabilities. It's fair game. But something that there is broad agreement on among practitioners is that the VEP is a PR farce. Nobody needed "Shadow Brokers" to confirm this; you can't have been paying attention over the last 10 years and not see that SIGINT roflstomps IAD. Read between the lines: even without specific NSA disclosures, to believe that NSA was serious about VEP, you'd have to believe that NSA is unique among all global intelligence agencies about protecting industry from vulnerabilities.
3. Schneier's perspective on whether, why, and how vulnerabilities should be disclosed is probably naive. The best account I've read on this so far is Aitel's Vulnerability Equities post on Lawfare. For a simple example: NSA SIGINT cannot necessarily disclose old vulnerabilities, even for products that have been discontinued, without revealing to its opponents a catalog of every machine they've compromised over the lifespan of the vulnerability. Take for instance the Cisco SNMP vulnerability: SNMP is so low-volume that even mid-sized US corporations maintain full packet logs of every SNMP request sent on their network. To premise operation decisions on the idea that FSB doesn't do that would be extremely poor tradecraft.
That's not dispositive! It could be the case that the USG should simply give up on computer-based SIGINT, unilaterally disarming and working instead to help industry defend against foreign SIGINT. That would be a radical change and it would come with tradeoffs, but it's a coherent position.
A far more straightforward argument to make is that NSA SIGINT should be entirely exempt from any equities process, but that NSA should be stripped of its IAD mission, and a separately funded and operated IAD capability should be spun up under DHS, with clear directives to disclose immediately to vendors.
4. I'm a little biased on this, not because I'm a vuln researcher (I am, but I don't do the kind of work that gets marketed to government, nor have I or will I ever work with governments) but because I think Bruce Schneier's track record on this subject is both bad and inconsistent, dating back to his use of his popular newsletter to vilify eEye for disclosing to the public vulnerabilities later used to build worms.
Indeed. It astonishes me that Schneier continues to be taken seriously about (non-crypto) computer security when he has the same expertise in it as a typical NYT journalist.
I think the primary benefit that IAD, specifically the vulnerability research wing, has as being part of NSA is that vulnerability researchers rotate between SID and IAD as their careers progress, keeping IAD credible.
Your DHS idea would work (DHS already has a cybersecurity mandate) if there was a mandatory career rotation between NSA SID and DHS Cybersecurity. In my opinion there is so much overlap between IAD and Defense Information Security Agency (DISA) that what remained could be merged into DISA.
The government already admitted that they are hoarding vulnerabilities:
...the Obama administration announced, in early 2014, that the NSA must disclose flaws in common software so they can be patched (unless there is "a clear national security or law enforcement" use)...
Obviously any valuable zero-day flaw has clear national security use to a national security agency that's tasked with breaking into "enemy" systems.
I don't follow. Could you make this argument more specific? Who's doing this attacking? What kinds of vulnerabilities?
Stated as vaguely as you have, that's a hard argument to rebut. I tend to agree: the world would be a safer place if everything was publicly disclosed immediately. But even NSA's opponents tend not to support that as a policy objective.
Their tasking, though, is to break into foreign ones. They see breaking into domestic ones as necessary to do that (and I can see why they might feel that way, even if I don't like the result), but I don't believe it's part of their core mandate.
Nobody in the IC believes allies aren't constantly spying on each other. Germany and France are notorious for doing it to support their state industries. Like it or not, in the intelligence arena, the US and Germany are rivals.
That the NSA is sitting on a zero-day stockpile is absolutely not a surprise for anyone in the industry. Of course they do. If you worked there, you'd to it too.
But it's good to make the public more aware that this, indeed, is happening, it's not just something out of a Dan Brown paperback.
Now that the code makers have run far beyond the code breakers, hacking is all entities like the NSA have left. So of course they are hording vulnerabilities. That's all they can do.
Cracking systems probably isn't going to lead to anything worthwhile. It isn't targeted enough. The thing that the NSA fears the most is the perception that they are not worth the money. It's a legitimate fear.
First, I think there's a lot of truth to the idea that NSA's primary motivation is headcount. I think that's an important and significant point that isn't raised often enough in these discussions. It has implications beyond vulnerability disclosure! (For instance: it's a very good reason to be wary of things like DNSSEC, that make it expensive but not intractable to attack Internet trust at its core).
But I don't know what you mean by your first paragraph, or by the notion that "cracking systems isn't going to lead to anything worthwhile".
Some would like to promote 'hacking' as screwing around with things for fun/learning and 'hacking' as digital breaking and entering. Seems like an uphill battle to me but its probsbly useful to have a distinction.
I think what would work best is the following. NSA alerts US companies of the vulnerabilities in their products with the understanding that the companies will not publicize that the vulnerability was fixed. This will let the NSA continue to exploit the vulnerabilities; most customers never update things like routers and other obscure pieces of the infrastructure.
85 comments
[ 3.0 ms ] story [ 144 ms ] threadI don't believe zero-day vulnerabilities are considered "NOBUS" by NSA. That would be silly, because every time they're used on public-sector IP networks (which is usually where they're used!), they're disclosed.
Could you explain what you mean by that? Do you mean that NSA discloses everything they use on public IP networks? If so, can you provide some references, because I have never heard of them doing so.
Or do you mean that every time the NSA does so, they get caught and exposed? That seems to be based on the idea that we never hear of them using exploits on public IP networks without getting caught, which, if you think for a second, you realize is a completely silly argument.
Or did you mean something else? If so, what?
So you're using "disclosure" here in a very restricted sense. It more normally means something more like "sending an email to the vendor" or "making a press release".
The question isn't whether they're disclosed to vendors. It's whether they're NOBUS flaws. Schneier is suggesting NSA views them as NOBUS. They do not.
NSA finds some 0-day vulnerability in some router. To use it someone must send some specific data to a specific port, so that it causes some buffer overflow and leaks information.
NSA also might have all the traffic that is exchanged by some key points of the USA sites. They can monitor from now on, and also look the stored traffic, and try to find if that packed (attack) was ever used, is being used, or even activate some trigger if it shows up.
So, if others used it, warn the manufacturer. Not seen in the wild, save it in the "only ours" folder and use at will.
Given what is becoming more apparent about the NSA on a day by day basis, anything you can think might be being done but write it off as needless paranoia is probably exactly what's being done... because "you're just being paranoid, we'd never do that to millions of innocent Americans." Yet somehow...
If we trusted them to adequately safeguard our information, and not to misuse it, then none of this would be an issue. But they've broken trust many times over and once that horse has bolted, you can't just close the stable door and expect people to just trust you again - especially not when you keep getting caught with your hand in the cookie jar, get caught lying about it or using smoke and mirrors to sidestep the consequences and then coming back and saying don't worry, not only can we be trusted with the cookie jar, but we must be the ones safeguarding you from the cookies because they make you fat. So it's for the good of everyone. Meanwhile, they're just sitting their eating the cookies. It's always a land grab for more cookies.
You wouldn't trust your six year old with that kind of behavior, you certainly shouldn't trust a Government agency that acts the same way.
I absolutely agree
They have a dual mandate and vast surveillance capabilities. I'm honestly not surprise at all by the behavior. I think the horrifying thing is people don't seem to care that this makes Government & Criminals equally dangerous to the security of our infrastructure. I'm just waiting for some massive, systemic compromise of a major bank from a combination of "NSA thinks they are the only ones with them" exploits as it seems like the only thing that would wake people up to the danger.
Those two mandates are in conflict so they are playing the logic of:
1) We have vast surveillance capabilities, so we would be able to detect 0-days sent over a network we have visibility into.
2) We don't care if non-US assets get cracked and we have near perfect visibility into US assets.
3) We have a duty to perform offensive operations. So we should retain any weapon we believe our enemies are unaware of.
The affected systems are ones that I had told others were likely insecure (by virtue of being closed source), but no one listened to me. If you care about network security, then you should use a properly configured software firewall/router running Linux or *BSD. This Cisco/Juniper/etcetera equipment is closed source, hard to scrutinize and almost certainly has horrible flaws that would never be allowed into a serious OSS project.
Of course, things like pfSense are not "enterprise grade", so people will continue to ignore advice to use them, put these vulnerable systems into production and then be surprised when it comes out that the security was terrible.
I take this to mean we are less secure than we would be if we could fix the issues (obviously).
I don't think this means the same thing as saying it "makes us less secure".
https://www.technologyreview.com/s/519336/bruce-schneier-nsa...
To his credit, he was talking about weakening encryption standards, but then elaborated that simply looking for security vulnerabilities and not telling anyone what they found was also doing that. I find that latter position ridiculous. It would be like saying studying malaria and not reporting your findings makes people less healthy.
This isn't a hypothetical concern, because the Shadow Broker archive is an example of one - or more - of those archives falling into unknown hands. Hoarding vulnerability information concentrates risk which invites thieves.
World A contains an archive of concentrated vulnerability information. World B doesn't. World A is strictly less safe than World B, because concentrating information creates a more attractive target. Without that concentrated archive, the vulnerabilities would have to be discovered on their own.
Do you really want to argue that allowing the archive of stolen tools recently released by the "Shadow Brokers" didn't make people less safe? Even though it contained attacks on various routers that were previously unknown? Is it really your assertion that those same tools were never used before the "action" announcement?
> the idea that we should ignore that
Nobody is saying that. Where did you get the idea that we should ignore vulnerabilities?
> could be developed by anyone who works long enough
Obviously, which is why I also discussed the hoarding of vulnerability knowledge.
Maybe all of those vulnerabilities would have been discovered independently, but stealing the archive from the NSA would have been a lot easier and faster. These are not traits you can simply brush off as irrelevant, as most security is not about perfection, but instead about how long the security features will delay an attacker.
> scapegoats
This isn't about finding a scapegoat. The NSA making us less safe is the "bad decision" that needs to be recognized.
The flaws themselves are what make people insecure and ignoring that by complaining about people researching them for whatever reason suggests that we should ignore security flaws and just blame anyone who looks.
The release of the concentrated archive will help security in the long term the same way that a fire that burns down a city improves fire safety in the long term by encouraging changes to building codes. Ideally, such things should have been done already, but people tend to only fix things after something catastrophic happens.
Hopefully, people will realize that they need to adopt solutions that are more resilient. That means equipment running fully open source solutions such as PFSense, OpenBSD, LEDE, etcetera.
That being said, organizations doing what the NSA does will always exist. Making decisions based on that premise that will lead to a much better result than blaming them for flaws in the things people use ever will.
In reality, do you think/know that happens? (I'm genuinely intrigued). I know almost all major software shops generally have some kind of formalized process for internal and external security review; and often have automated tooling to also support that process. I'm not saying it's perfect, but it's there, and catches a lot of bugs.
Running with PFSense as our example, do they have regular codebase-wide and change-specific code reviews and security assessments? I'd be delighted to know they do, but haven't seen much about it.
https://www.google.com/#q=coverity+pfsense https://www.google.com/#q=coverity+freebsd
That is a rather good tool provided to open source projects for free that finds bugs, including exploitable bugs. FreeBSD and pfSense by extension has the benefit of Clang's various tools for catching issues (e.g. its static analysis, address sanitizer, etcetera). I also know that there was a TrustedBSD hardening effort. You probably would want to ask the pfSense and FreeBSD guys for details.
There are better people than me to ask, but given that it is open source the people doing things are under no obligation to talk about it, it is hard for anyone to know everything being done.
Anyway, my point is that these sorts of things only happen with OSS. If a search researcher has an idea for a new way of catching bugs, he is likely going to use it on OSS code rather than closed source software by virtue of it being easier to do experiments on it. The same goes for non-profits devoting money to auditing code (which the Linux Foundation announced last year). You definitely will not see that happen with proprietary software. This gives OSS an intrinsic advantage.
Actually, by nature of being Open source there's 100% increased likeliness they'll talk about it - they simply can. It's the thousands of security consultants working under NDA doing code review for software companies that legally cannot talk about it, even if they did want to.
> Anyway, my point is that these sorts of things only happen with OSS.
That's not correct. Software companies have much bigger budgets for security tooling than open source projects. They've got access to clang and coverity as well as a host of other tools that cost hundreds of thousands of dollars.
> The same goes for non-profits devoting money to auditing code (which the Linux Foundation announced last year). You definitely will not see that happen with proprietary software. This gives OSS an intrinsic advantage.
This is really awesome, I'm loving seeing this happen. But For every 1x security review of say truecrypt, you do realize that Microsoft and Apple would've had those exact same experts audit their own implementations several times a year, right?
By the way, there are definitely people who do things with OSS code and never tell others. I cannot know what everyone is doing. I am neither God nor the NSA.
However, if we are to persist with your example, what you are trying to say is more akin to "Studying malaria and developing, or buying, a genetically engineered infectious disease that uses malaria's infection vector, and stockpiling it in a warehouse, and sometimes secretly using it, and not telling anyone about this isn't making people any sicker."
That isn't necessarily an absurd thing to say in some circumstances, but let's take a different angle.
A striking difference between information security and microbiology is that the information necessary to attack someone and the information necessary to defend against attacks are almost identical. (People can develop an exploit from a patch, or a patch from an exploit, in a matter of days or hours. And they expect to be able to do so; if we had a working exploit or a detailed vulnerability description, we'd be very critical if a vendor couldn't patch promptly solely on the basis of that information.)
In microbiology, there is a relationship between these two kinds of research or capability, and biomedical researchers sometimes produce more virulent pathogens as part of their research, but overall the relationship is dramatically more attenuated. There are pathogens that researchers have had samples of for decades that they still haven't produced a successful prophylaxis against. And just having drugs that treat infection, or vaccines, doesn't automatically allow someone to cause infections or epidemics.
This means they can't be fixed by the software company but as this data dump shows, shady characters might be able to discover these vulnerabilities by (illictly) accessing computer systems used by the NSA.
Edit: Yes the shady characters might be able to independently discover the vulnerabilities if they are not "NOBUS" but this is another avenue.
In theory, sure. In practice, this is false. When the NSA finds a vulnerability it can exploit there is information created. As Snowden and the recent hack confirm: data is prone to leaking. Once data leaks, the systems that NSA attacks are fundamentally and operationally less secure than they would be had the NSA not attacked them. This is the very reason it is important that zero-days are reported and fixed.
1. If they would work with companies to get the vulnerabilities fixed, we would be more secure. The lack of action in this area doesn't make us less secure. It merely delays increasing security. Not the same thing so this argument is not logically sound. (It's like the RIAA saying that downloaded albums is directly lost revenue while there's no guarantee that the pirate would buy instead of download.)
2. Having a large cache of exploits that they cannot successfully secure creates a target for bad actors. If this cache is compromised then we all are actually less secure.
3. Other efforts by the NSA such as compromising RNGs and security protocols do actually make us all less secure.
#2 is nonsense because the system is already insecure.
#3 is a straw man because we are talking about the NSA not contributing the results of their security research to the world. The other things that they do that actually making things less secure are not the subject here.
#2 depends on #1
#3 if the subject is "things the NSA does do to make us less secure" then it is the subject.
Even with the most positive view, some small subset of those vulnerabilities will be known to others and some will be actively exploited. Hence making us less secure.
It's not like vulnerabilities are rare or aren't going to be exploited if not revealed.
If anything, by doing what they are doing, they are exposing the fallacy of such expectations and hastening the development of systems that are actually secure. By that measure, this is actually improving security in the long term far more than attempting to bolster the status quo ever could.
The argument against that is going to be "they weren't supposed to leak". But that's dumb. This is the real world, and the best laid plans, etc. We need to build systems robust to what will happen, not just what we want or expect to happen.
The best bet is to aim to build systems like seL4 and use properly configured well engineered OSS solutions until solutions like seL4 become available.
My argument shows that in some specific instances, we are less secure. There's probably still a "net global" argument to be made saying that although there do exist costs, they're outweighed by the overall benefits.
The problem with that, in turn, is that we're not allowed to know either of the arguments into the equation. They argue that the costs are zero (which is clearly false), and they won't tell us what the benefits are (other than the unsupported claim that they're immense).
After seeing the Snowden revelations - who says they don't actually do this?
I just wanted to point out that the NSA does that.[1][2]
[1]http://www.nytimes.com/interactive/2013/09/05/us/documents-r...
[2]https://www.grahamcluley.com/2013/12/nsa-bribe-rsa-encryptio...
You went wildly off the rails here; the OSS vs closed source security argument is foolish. If you think 'many eyes, shallow bugs' still has validity in 2016, you're not up to speed.
Whoever stole the tools this time announced them to the public -- how many times have the tools been stolen in the past and kept quiet so they could be used?
It's too bad -- there's really just no accountability for these espionage organizations. And it seems like it will never change.
1. It's not true that there's broad agreement among experts about how the government ought to handle vulnerabilities. In fact, that's close to the opposite of the truth. On the question of regulation, the field is riven over Wassenaar and the prospect of vuln research regulation. It's also divided between people with operational knowledge of how zero-day is used by the IC and people looking from the outside in, and also between privacy activists and security researchers, which is a Venn diagram with only partial overlap.
2. Schneier is showily beating up on the USG "vulnerability equities process", which supposedly determines whether or not the USG will publish vulnerabilities. It's fair game. But something that there is broad agreement on among practitioners is that the VEP is a PR farce. Nobody needed "Shadow Brokers" to confirm this; you can't have been paying attention over the last 10 years and not see that SIGINT roflstomps IAD. Read between the lines: even without specific NSA disclosures, to believe that NSA was serious about VEP, you'd have to believe that NSA is unique among all global intelligence agencies about protecting industry from vulnerabilities.
3. Schneier's perspective on whether, why, and how vulnerabilities should be disclosed is probably naive. The best account I've read on this so far is Aitel's Vulnerability Equities post on Lawfare. For a simple example: NSA SIGINT cannot necessarily disclose old vulnerabilities, even for products that have been discontinued, without revealing to its opponents a catalog of every machine they've compromised over the lifespan of the vulnerability. Take for instance the Cisco SNMP vulnerability: SNMP is so low-volume that even mid-sized US corporations maintain full packet logs of every SNMP request sent on their network. To premise operation decisions on the idea that FSB doesn't do that would be extremely poor tradecraft.
That's not dispositive! It could be the case that the USG should simply give up on computer-based SIGINT, unilaterally disarming and working instead to help industry defend against foreign SIGINT. That would be a radical change and it would come with tradeoffs, but it's a coherent position.
A far more straightforward argument to make is that NSA SIGINT should be entirely exempt from any equities process, but that NSA should be stripped of its IAD mission, and a separately funded and operated IAD capability should be spun up under DHS, with clear directives to disclose immediately to vendors.
4. I'm a little biased on this, not because I'm a vuln researcher (I am, but I don't do the kind of work that gets marketed to government, nor have I or will I ever work with governments) but because I think Bruce Schneier's track record on this subject is both bad and inconsistent, dating back to his use of his popular newsletter to vilify eEye for disclosing to the public vulnerabilities later used to build worms.
I think the primary benefit that IAD, specifically the vulnerability research wing, has as being part of NSA is that vulnerability researchers rotate between SID and IAD as their careers progress, keeping IAD credible.
Your DHS idea would work (DHS already has a cybersecurity mandate) if there was a mandatory career rotation between NSA SID and DHS Cybersecurity. In my opinion there is so much overlap between IAD and Defense Information Security Agency (DISA) that what remained could be merged into DISA.
Maybe DHS could get an actual CA-issued cert for https://www.iad.gov/ ?
...the Obama administration announced, in early 2014, that the NSA must disclose flaws in common software so they can be patched (unless there is "a clear national security or law enforcement" use)...
Obviously any valuable zero-day flaw has clear national security use to a national security agency that's tasked with breaking into "enemy" systems.
"Enemy" is a weird word ("adversary" is probably better), but however you slice it: NSA's mission includes real ones.
Stated as vaguely as you have, that's a hard argument to rebut. I tend to agree: the world would be a safer place if everything was publicly disclosed immediately. But even NSA's opponents tend not to support that as a policy objective.
https://www.theguardian.com/us-news/2015/jul/08/nsa-tapped-g...
But it's good to make the public more aware that this, indeed, is happening, it's not just something out of a Dan Brown paperback.
Of course they do. Of course there is military research. Of course there is spying research. It's just the way it works.
The day the chinese of the russians are able to discover more of those vulnerabilities, they will all get fixed.
It's a simple arms race. Simple as that.
Cracking systems probably isn't going to lead to anything worthwhile. It isn't targeted enough. The thing that the NSA fears the most is the perception that they are not worth the money. It's a legitimate fear.
But I don't know what you mean by your first paragraph, or by the notion that "cracking systems isn't going to lead to anything worthwhile".