Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Government Privacy Security

NSA Uses Vulnerabilities Before It Discloses Them, Keeps Some To Itself (reuters.com) 121

An anonymous reader writes: The NSA, perhaps seeking to repair its reputation, has started talking about how it handles vulnerabilities in computer software. But in doing so, they've only confirmed their own questionable behavior. The agency says it discloses zero-day flaws about 91% of the time. This means, of course, that they hold back about 9% of the flaws for their own use. They also don't mention when they disclose these flaws — which is damning, given statements from several current and former government officials indicating the NSA frequently waits and takes advantage of the vulnerabilities before notifying the companies who make the compromised software. This is the NSA's argument: "[T]here are legitimate pros and cons to the decision to disclose vulnerabilities, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks."
This discussion has been archived. No new comments can be posted.

NSA Uses Vulnerabilities Before It Discloses Them, Keeps Some To Itself

Comments Filter:
  • You want to keep some vulnerabilities for yourself just in case. You never know what will happen in the future.
  • Biased summary (Score:3, Insightful)

    by GlobalEcho ( 26240 ) on Saturday November 07, 2015 @12:45PM (#50883785)

    ...confirmed their own questionable behavior...

    I am a US citizen as frustrated about unauthorized domestic surveillance as anyone. But this summary goes too far. Finding, keeping and using vulnerabilities is exactly what the NSA is supposed to do, and there is nothing questionable about that behavior.
    If the submitter wants the government to have a group that finds and discloses vulnerabilities as part of its remit, then make a case for creating such a group. Don't saddle the NSA with the job.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Wrong the NSA's goal is surveillance, the DISA (Defense Information Systems Agency) is digital security. That the NSA can assist the DISA is only a second thought.

    • Re:Biased summary (Score:5, Interesting)

      by Anonymous Coward on Saturday November 07, 2015 @12:59PM (#50883857)

      i don't agree that we should be funding an agency to spy on our own citizens and undermine
      our digital security.

      so if you agree that thats part of the role of government, for the children, then sure, nothing wrong
      with what the NSA is doing

      however, a lot of us disagree, and furthermore, we never had an opportunity to express our
      opinion as to whether or not we wanted to live in a police state.

      so this is us weakly trying to say no. try to pretend we have a right to our opinon so your
      mind doesn't collapse from all the cognitive dissonance from supporting a 'police state democracy'

    • This is the same logic that's applied to any military secrets - keeping information out of the hands of the enemy means also keeping it out of the hands of citizens. That sometimes makes sense. Sometimes. But it fails when withholding this information makes the country and its residents less safe.

      The trouble is that we tend to forget that these organizations do not exist to attack, they exist to protect. Just as our penal system has gone over almost wholly to revenge and punishment rather than rehabilita
    • I am a US citizen as frustrated about unauthorized domestic surveillance as anyone. But this summary goes too far. Finding, keeping and using vulnerabilities is exactly what the NSA is supposed to do, and there is nothing questionable about that behavior.
      If the submitter wants the government to have a group that finds and discloses vulnerabilities as part of its remit, then make a case for creating such a group. Don't saddle the NSA with the job.

      Well, you are wrong in thinking that it isn't the job of NSA to disclose at least certain vulnerabilities.

      NSA's job description also include counter intelligence. That means it should also do its best to protect US government servers, including the US military and potentially too, civilian US military contractors, who may have highly valuable knowledge on their servers.

      So certain vulnerabilities affecting software that the US government uses, are circulated back into the software community, it is simply in

    • Much as I like to dump on the NSA, in this case they're doing things exactly right. If I were in their position, I'd use the zero day exploits against my targets, ensure we have a defense against it, maybe prepare a patch or workaround for publication, keep watch for others using that exploit. At some point I'd disclose the exploit to the developers, starting with the most obvious ones or the those which are already being exploited by others.

      Much as it would be nice for all exploits to be disclosed immediat

    • Yes, because the NSA is really ever going to be about protecting citizens. How can people still believe that any "security" agency ever has the interests of the majority of citizens at heart is beyond me. They are there to protect the wealthy and powerful, not you. They will never ever be there for you.
  • Iran (Score:3, Interesting)

    by ultranova ( 717540 ) on Saturday November 07, 2015 @12:57PM (#50883843)

    The NSA, perhaps seeking to repair its reputation, has started talking about how it handles vulnerabilities in computer software. But in doing so, they've only confirmed their own questionable behavior.

    Questionable perhaps, but the article also provides a pretty good answer by mentioning Stuxnet, which was used to halt Iran's enrichment of uranium. Surely being able to stop what's at best an oppressive theocracy from obtaining nuclear weapons with no casualties or collateral damage has some value?

    • The NSA retains some offensive weapons. This is wrong?

      You can answer that question as per your beliefs, and you're fully entitled to do that. But I could argue that if the NSA shouldn't have offensive weapons, neither should the Army or any other government entity. Again, you may be a pacifist and agree with that, too.

      But there's practical reality at play here. Pacifism doesn't always work in the face of aggression.

      • The problem isn't the NSA having offensive weapons. The problem is the NSA knowing that some installations are built on quicksand but not informing the owners.

        That's not helping national security, that's degrading it.

      • by Anonymous Coward

        But I could argue that if the NSA shouldn't have offensive weapons, neither should the Army or any other government entity.

        And if the NSA shouldn't have nuclear bombs, neither should the Army or any other government entity. Oh, right, that's absurd. Honestly, the fact is the NSA has two very contradictory goals: the protection of government systems against penetration and network warfare and the collection of foreign communications by both passive and clandestine means. This story isn't really news prec

    • by Anonymous Coward

      There was a lot a collateral damage: a dramatic boost in the private zero-day industry. The NSA is boosting a cyber cold war, instead of shutting it down as much as possible. Now the country with the most to lose will lose, and that is the US. Remember, other countries now have access to the same information, meaning they could do the same thing to our infrastructure, and they already have: the stolen personnel files. Remember that the same argument against nuclear proliferation applies to zero-day prolifer

    • "what's at best an oppressive theocracy from obtaining nuclear weapons"

      The Guardian Council is opposed to nuclear weapons. It was the secular authorities that were pursuing their development.

      The only value nuclear weapons have for Iran are a) to prevent the USA from pre-emptively invading, and b) to trade away in a diplomatic deal. The latter did not even require actual weapons to have been developed.

      There is no plausible way in which Iran represents a threat to the USA. The only people that the post-revolu

  • by gurps_npc ( 621217 ) on Saturday November 07, 2015 @01:02PM (#50883883) Homepage
    Ice is cold. Lava is hot.

    Spies use privacy vulnerabilities

    Are we going to publicly announce that soldiers kill people next? Perhaps someone thinks it is noteworthy that a bank charges interest on loans! Or that boxers HIT each other.

  • by Anonymous Coward

    Here is the NSA's claim.

    "Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks."

    a. The Terrorists. The Terrorists. Terrorism has been used by thugs throughout history to justify violations of rights. The TARGETED and use Intelligence in self-defense, on case-by-case basis lawf

    • The main problem here is that the NSA went away from a defensive position and is more and more used as an offensive tool in international (and domestic) espionage. Which by itself isn't so bad a thing, but using it indiscriminately not only on allies but on the own, domestic population without impunity is clearly stepping over the line.

      Personally, I dare say international surveillance of alleged allies already does this. It damages the US' credibility far more than anything gained that way could compensate.

  • If the police failed to act on information a rape or murder was planned because they wanted to catch the perpetrator in the act, there would be outcry. You don't jeopardize the safety of the innocent to assail the (potentially) guilty. Collecting foreign intelligence is not more important than heading off immediate threats to domestic citizens. Clearly the NSA views it as all about "catching the bad guy" and has forgotten the reason the bad guys are considered bad. It's like SWAT leaving a bomb in a publi

    • Well, there is the "need of the many" counter argument. If you can catch a serial killer by sacrificing one target and ensure that way that he is being stopped and cannot kill dozen others, is it justified?

      Is it justified to allow a terrorist plot to go ahead if that means the heads behind it have to expose themselves in a way that you can cut them off?

      This game is rarely one painted in just black and white.

  • by cfalcon ( 779563 ) on Saturday November 07, 2015 @01:14PM (#50883953)

    They are an intelligence agency. You'd EXPECT that they would hold onto some method to do their job, which absolutely involves electronic infiltration. This is neither controversial nor unexpected.

    Don't mistake the fact that they reach out to industry to improve everyone's (worldwide) security most of the time, for that being their primary mission or charge. That's a nice bonus.

    If you want to get worked up, get angry about the same shit Snowden did- the possible indiscriminate spying against US citizens, and the idea that they only way that the government can do its job is by casting a worldwide net that monitors everyone everewhere all the time. Not that they can hack systems, which is a huge part of why they fucking exist.

  • What do you think the NSA is for??? Free government funded penetration testing and reporting service? Sheesh.

  • by Opportunist ( 166417 ) on Saturday November 07, 2015 @01:20PM (#50883981)

    The NSA is a security service. Having tools to break and enter into the communication and data storage of potential enemies of the state is their business. That's what they do. Their whole reason to exist, to be blunt. If they can't do that, well, they can as well not exist at all. Which would not be beneficial for the US, in general, because, well, their enemies sure as fuck won't do away their version of the NSA. You'd deprive yourself of a valuable tool in international espionage.

    What something like this needs, and what is sorely lacking today, is oversight. You needn't take away such powerful tools. You need to ensure they are not being abused. That's the real problem here.

  • If this is what passes for news in this crowd, I've been here too long and must be moving on.
    • And if that depressing insight is moderated as flamebait rather than insightful, perhaps I should consider that as confirmation. It's been a good run and my karma indicates that I will be missed; perhaps more than some of you realize.
  • Security Agency, completely against computer security. You know vulnerabilities can be used against US targets too right? Backdoors can be used by criminals.
    • I love the USA. I just wish we didn't feel the need to promote malware vectors instead of patch them. I try and keep my Windows computers off the Internet anymore since there are so many viruses you can get just by clicking a wrong link. You don't even need to run a file anymore to get a virus. Things are pretty bad now. I wonder if things will get worse or better for computer security.
  • The surprise is that they disclose so many. Invasion into personal privacy is only collateral damage at the moment, whilst there are relatively sane governments in power. Things might change in the future.
  • [T]here are legitimate pros and cons to the decision

    No there are not. There is only the LAW. The decision has already been made, ratified and written down. It's not up to some bureaucrat to make things up as he goes along. Governments are compelled to act within the bounds set by law. When they stop doing this, they are no longer law abiding nations and lose the right to enforce law on the people.

  • by niks42 ( 768188 ) on Saturday November 07, 2015 @01:39PM (#50884087)
    Many, many times in my career I have found some vunerability and delayed disclosing it while enjoying it myself. I found a wonderful way of spiriting - nay, liberating - electronic components out of work that would have found their way into a dumpster. I found a way of accessing peoples' accounts on TSO and VM; I found ways of resetting the prepayment cards for lunch at work. I've keylogged PCs; I have tcpdumped and etherealed to find passwords to gain access to systems. I used I don't know how many exploits to get free Sky TV. I installed an FM transmitter in my manager's office about that time of year when salary plans were being discussed. I've picked many locks. I've used Apache and other exploits to break into systems where admins had long before forgotten root passwords. Not everything I have done has been legal. It's all contributed to me being who I am today, and having the skill set that I rely on to do my job.

    If I think about it, I can't expect any different from the NSA. If they are going to learn the skills that they need to do their jobs, they do need to flex their muscles. We do need to have some level of trust in the agencies that have been put into place to protect our citizens.
  • Comment removed based on user account deletion
  • This reminds me of an idiot who went on a zero day, full disclosure forum, advocating that they should "hold the best stuff back" so that they "look like gods" to the next, upcoming generation of hackers.

    Let's just say that this silly jackass was laughed off the board, and is now enjoying his second stint in FPMITAP for unoriginal idiocy with a computer.

    So the NSA is at the same basic intellectual (for lack of a better term) level...

    Sigh.

  • I didn't think I would ever see another article with the proper use of the term zero-day. I expect when the NSA talks about zero-day they get the terminology right. An exploit the NSA discovers and doesn't use isn't a zero day until someone else start using it. Exploits they buy are most likely zero-day. Bugs found and reported to vendors but not used aren't zero-day if a patch arrives before an exploit. A real trick is knowing if a new exploit is being used and I think it is clear that the spooks might

  • NSA speak: Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks.

    English: Disclosing a vulnerability can mean we forgo an opportunity to use the power of the state to spy on innocent people for no reason, crush legitimate political dissent, blackmail political figures to make

  • Golly. I could have not read "Data and Goliath" and learned *one* of the appalling truths in it from Slashdot only a few wees later.
  • The only surprising thing about this would be if anyone were surprised!

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...