Tuesday, March 07, 2017

Only lobbyist and politicians matter, not techies

The NSA/CIA will only buy an 0day if they can use it. They can't use it if they disclose the bug.

I point this out, yet again, because of this WaPo article [*] built on the premise that the NSA/CIA spend millions of dollars on 0day they don't use, while unilaterally disarming tiself. Since that premise is false, the entire article is false. It's the sort of article you get when all you interview are Washington D.C. lobbyists and Washington D.C. politicians -- and no outside experts.


It quotes former cyberczar (under Obama) Michael Daniel explaining that the "default assumption" is to disclose 0days that the NSA/CIA get. This is a Sean Spicer style lie. He's paid to say this, but it's not true. The NSA/CIA only buy 0day if they can use it. They won't buy 0day if the default assumption is that they will disclose it. QED: the default assumption of such 0day is they won't disclose them.

The story quotes Ben Wizner of the ACLU saying that we should patch 0days instead of using them. Patching isn't an option. If we aren't using them, then we aren't buying them, and hence, there are no 0days to patch. The two options are to not buy 0days at all (and not patch) or buy to use them (and not patch). Either way, patching doesn't happen.

Wizner didn't actually say "use them". He said "stockpiling" them, a word that means "hold in reserve for use in the future". That's not what the NSA/CIA does. They buy 0days to use, now. They've got budgets and efficiency ratings. They don't buy 0days which they can't use in the near future. In other words, Wizner paints the choice between an 0day that has no particular value to the government, and one would have value being patched.

The opposite picture is true. Almost all the 0days possessed by the NSA/CIA have value, being actively used against our adversaries right now. Conversely, patching an 0day provides little value for defense. Nobody else knew about the 0day anyway (that's what 0day means), so nobody was in danger, so nobody was made safer by patching it.

Wizner and Snowden are quoted in the article that somehow the NSA/CIA is "maintaining vulnerabilities" and "keeping the holes open". This phrasing is deliberately misleading. The NSA/CIA didn't create the holes. They aren't working to keep them open. If somebody else finds the same 0day hole and tells the vendor (like Apple), then the NSA/CIA will do nothing to stop them. They just won't work to close the holes.

Activists like Wizner and Snowden deliberate mislead on the issue because they can't possibly win a rational debate. The government is not going to continue to spend millions of dollars on buying 0days just to close them, because everyone agrees the value proposition is crap, that the value of fixing yet another iPhone hole is not worth the $1 million it'll cost, and do little to stop Russians from finding an unrelated hole. Likewise, while the peacenicks (rightfully, in many respects) hate the militarization of cyberspace, they aren't going to win the argument that the NSA/CIA should unilaterally disarm themselves. So instead they've tried to morph the debate into some crazy argument that makes no sense.


This is the problem with Washington D.C. journalism. It presumes the only people who matter are those in Washington, either the lobbyists of one position, or government defenders of another position. At no point did they go out and talk to technical experts, such as somebody who has discovered, weaponized, used an 0day exploit. So they write articles premised on the fact that the NSA/CIA, out of their offensive weapons budget, will continue to buy 0days that are immediately patched and fixed without ever being useful.

3 comments:

HitsThings said...

I get that the NSA and CIA are not agencies that would buy a 0day just to patch it - that's not their purpose. But do you not think it would be extremely valuable for the US government to basically have a "bug bounty" for any of it's own systems/software it's using?

Similarly, is there not value in the NSA/CIA disclosing the vulnerability _after_ using it? If they wouldn't buy it unless they need to use it in the "near future", how about when they no longer will need to use it in the "near future"? Isn't there value in disclosing it then? I understand this must be weighed against the impact in some cases of their hack/use of the vulnerability becoming known.

Bame said...

"being actively used against our adversaries right now"
As if the NSA & US Gov had perfectly clean slates. As if there was not another recent scandal of innocent man (political adversary ?) targeted by the spying with Trump.
No, the tools are used against the enemies of the NSA, and in violation of the laws.
Your sentence is misleading.

"Nobody else knew about the 0day anyway (that's what 0day means), so nobody was in danger, so nobody was made safer by patching it."
But everybody is made weaker against the NSA, and the US governament in general.

"the NSA/CIA is "maintaining vulnerabilities" and "keeping the holes open". This phrasing is deliberately misleading."
No, this phrasing is factually true. The NSA/CIA are paying for 0-days, that means they feed or even create a market for 0-days. Now your next argument would be "all governments are doing this", which is 1/ not true, not all governments have reached this paranoid & bloated, and 2/ US gov is the only one pursuing this with so many resources.
If they are not misleading, it's you who is.

"They aren't working to keep them open."
They are. If they leak the 0-day, it will be corrected. So they have to keep it sealed, hence they have strong secret procedures. That does cost effort / money.

"Activists like Wizner and Snowden deliberate mislead on the issue because they can't possibly win a rational debate."
No, they propose their arguments in a transparent manner, and YOU can't object the facts, so you make some non factual comment : "deliberate mislead".
Here is a factual comment : US authorities only responded to Snowden revelations with death threats. NSA and CIA do spy and disrespect laws, and they expand their budget and reach.
As someone who works in the field, you like that. All the rest of the population don't.

"Likewise, while the peacenicks (rightfully, in many respects) hate the militarization of cyberspace, they aren't going to win the argument that the NSA/CIA should unilaterally disarm themselves."
Yeah yeah the same argument you can take to abandon all hope against any tyrant.
The problem is, not only you support evil, but you attack those who don't.

Bradley Abbott said...

Do you need a loan? If so, we rented at low interest rate offer by 3% and no credit check, we offer personal loans, debt consolidation loans, venture capital, business loans, education loans, loan or “loan for any reason. However, our method provides the opportunity to explain the loan amount required and you can afford the time to Email us at(bradleyabbottloanfirm@gmail.com)