NSA Uses Vulnerabilities Before It Discloses Them, Keeps Some To Itself (reuters.com)
An anonymous reader writes: The NSA, perhaps seeking to repair its reputation, has started talking about how it handles vulnerabilities in computer software. But in doing so, they've only confirmed their own questionable behavior. The agency says it discloses zero-day flaws about 91% of the time. This means, of course, that they hold back about 9% of the flaws for their own use. They also don't mention when they disclose these flaws — which is damning, given statements from several current and former government officials indicating the NSA frequently waits and takes advantage of the vulnerabilities before notifying the companies who make the compromised software. This is the NSA's argument: "[T]here are legitimate pros and cons to the decision to disclose vulnerabilities, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks."
Same as Jailbreaking iPhones (Score:2)
Re: (Score:1)
: )
Re: (Score:1)
It's just a little anal probing. You probably won't even notice...much.
Re: (Score:2)
It's just a little anal probing.
As long as it's just a little. Because after what the IRS has done to me, "just a little" sounds downright neighborly.
Biased summary (Score:3, Insightful)
I am a US citizen as frustrated about unauthorized domestic surveillance as anyone. But this summary goes too far. Finding, keeping and using vulnerabilities is exactly what the NSA is supposed to do, and there is nothing questionable about that behavior.
If the submitter wants the government to have a group that finds and discloses vulnerabilities as part of its remit, then make a case for creating such a group. Don't saddle the NSA with the job.
Re: (Score:2, Insightful)
Wrong. The NSA's goal is surveillance; DISA (Defense Information Systems Agency) is digital security. That the NSA can assist DISA is only a second thought.
Re:Biased summary (Score:5, Interesting)
I don't agree that we should be funding an agency to spy on our own citizens and undermine our digital security.
So if you agree that that's part of the role of government, for the children, then sure, nothing wrong with what the NSA is doing.
However, a lot of us disagree, and furthermore, we never had an opportunity to express our opinion as to whether or not we wanted to live in a police state.
So this is us weakly trying to say no. Try to pretend we have a right to our opinion so your mind doesn't collapse from all the cognitive dissonance from supporting a 'police state democracy'.
Re:Biased summary (Score:5, Insightful)
I guess I feel much the same way as GlobalEcho does. I actually do not have a problem, in and of itself, with the concept of attempting to discover the real criminal plots that are used to attack people. What I have a problem with is when the number of persons being subjected to scrutiny is far too many generations removed from the original subject, when the scrutiny is applied to things that aren't criminal acts or should otherwise be protected speech (i.e., counter-political groups, peaceful civil rights groups, and other such organizations that did not advocate violence or even equip themselves with the tools for violence), and when the checks and balances that ensure overzealous application of the surveillance is curtailed are ignored or violated (i.e., warrantless).
My problem with the idea is that there currently is no line between surveillance target and everyone else. If surveillance target == enemy, then that means everyone == enemy, or at least potential enemy. It leads to an us-versus-them mentality that is now prevalent in law enforcement at all levels of government. It works to destabilize the nature of our government being by us, for us, and starts resembling something out of 1984 or out of East Germany during its Stasi period. That is not healthy.
There need to be real rules covering investigation of people. There needs to be justification. There needs to be oversight. There needs to be the occasional criminal prosecution of a law enforcement official when they blatantly overstep their authority, and dismissal of charges from time to time through fruit-of-the-poisonous-tree legal concept, to remind law enforcement that if they ignore the law, those they attempt to prosecute can also ignore the law, and the only way to prosecute is to remain within its bounds.
It's not too far yet, but we need to continue to push for it to be corrected.
Re: (Score:2)
"There need to be real rules covering investigation of people. There needs to be justification. There needs to be oversight. "
There are effectively none of these, and you're still satisfied with the NSA anyway. Very telling about your priorities. Also almost no one on here lauds another user by name, let alone bolds it--comes off as sockpuppety.
Re: (Score:2, Insightful)
After everything that's happened these past 14 years, you really believe there is a hard bright line between domestic and foreign operations?
Do you even think it would be possible to define such a line?
Re: (Score:3)
That depends. If they're using them against Americans, then it's not what the NSA is supposed to do. The NSA has been caught spying on Americans before, so skepticism is IMO warranted.
Skepticism was warranted long before that happened because those in positions of power are never to be trusted.
Re: (Score:2)
The trouble is that we tend to forget that these organizations do not exist to attack, they exist to protect. Just as our penal system has gone over almost wholly to revenge and punishment rather than rehabilita
Re: (Score:2)
I am a US citizen as frustrated about unauthorized domestic surveillance as anyone. But this summary goes too far. Finding, keeping and using vulnerabilities is exactly what the NSA is supposed to do, and there is nothing questionable about that behavior.
If the submitter wants the government to have a group that finds and discloses vulnerabilities as part of its remit, then make a case for creating such a group. Don't saddle the NSA with the job.
Well, you are wrong in thinking that it isn't the job of the NSA to disclose at least certain vulnerabilities.
The NSA's job description also includes counterintelligence. That means it should also do its best to protect US government servers, including the US military and potentially, too, civilian US military contractors, who may have highly valuable knowledge on their servers.
So certain vulnerabilities affecting software that the US government uses are circulated back into the software community; it is simply in
Re: (Score:2)
Much as I like to dump on the NSA, in this case they're doing things exactly right. If I were in their position, I'd use the zero-day exploits against my targets, ensure we have a defense against them, maybe prepare a patch or workaround for publication, and keep watch for others using those exploits. At some point I'd disclose the exploits to the developers, starting with the most obvious ones or those which are already being exploited by others.
Much as it would be nice for all exploits to be disclosed immediat
Re: (Score:2)
I mean... technically the NSA's primary mission is to protect the warfighter (it's a DoD organization unlike the rest of the intelligence agencies).
I think DIA, ONI, NGA, AFISRA, Military Intelligence Corps, MCIA, and a couple of others would disagree with the latter part of that statement.
Re: (Score:1)
The NSA, and ultimately the US, are the enemies of the rest of the world.
Yeah, because you would fare much better under Vladimir Putin or perhaps you would prefer the Iranian mullahs or the hard-core Sunnis of ISIS? Take your head out of your hindquarters, grow a brain and come back when you have something to say that isn't completely ignorant and stupid.
Re: (Score:1, Insightful)
You pick examples from the middle east when every US intervention there turns the place into even more of a clusterfuck?
Re: (Score:2)
You pick examples from the middle east
I don't think Putin would consider Russia part of the Middle East. And to add to the anonymous coward's list, try living in North Korea, or in Somalia, or Sudan if you aren't Muslim, or Zimbabwe, or Burma, or Eritrea, or China if you are not wealthy or like to speak your mind, or ...
Iran (Score:3, Interesting)
Questionable perhaps, but the article also provides a pretty good answer by mentioning Stuxnet, which was used to halt Iran's enrichment of uranium. Surely being able to stop what's at best an oppressive theocracy from obtaining nuclear weapons with no casualties or collateral damage has some value?
Re: (Score:3)
The NSA retains some offensive weapons. This is wrong?
You can answer that question as per your beliefs, and you're fully entitled to do that. But I could argue that if the NSA shouldn't have offensive weapons, neither should the Army or any other government entity. Again, you may be a pacifist and agree with that, too.
But there's practical reality at play here. Pacifism doesn't always work in the face of aggression.
Re: (Score:3)
The problem isn't the NSA having offensive weapons. The problem is the NSA knowing that some installations are built on quicksand but not informing the owners.
That's not helping national security, that's degrading it.
Re: (Score:1)
And if the NSA shouldn't have nuclear bombs, neither should the Army or any other government entity. Oh, right, that's absurd. Honestly, the fact is the NSA has two very contradictory goals: the protection of government systems against penetration and network warfare and the collection of foreign communications by both passive and clandestine means. This story isn't really news prec
Re: (Score:1)
There was a lot of collateral damage: a dramatic boost in the private zero-day industry. The NSA is boosting a cyber cold war, instead of shutting it down as much as possible. Now the country with the most to lose will lose, and that is the US. Remember, other countries now have access to the same information, meaning they could do the same thing to our infrastructure, and they already have: the stolen personnel files. Remember that the same argument against nuclear proliferation applies to zero-day prolifer
Re: (Score:2)
"what's at best an oppressive theocracy from obtaining nuclear weapons"
The Guardian Council is opposed to nuclear weapons. It was the secular authorities that were pursuing their development.
The only value nuclear weapons have for Iran are a) to prevent the USA from pre-emptively invading, and b) to trade away in a diplomatic deal. The latter did not even require actual weapons to have been developed.
There is no plausible way in which Iran represents a threat to the USA. The only people that the post-revolu
Re:Iran (Score:4, Funny)
That's what happens when you allow religious nut jobs to roam free...
Please leave Texas out of this.
Re: Iran (Score:3)
Right, legacy means nothing to him. Nor does party momentum. Obama does everything from righteousness and virtue now.
Water is wet (Score:3)
Spies use privacy vulnerabilities
Are we going to publicly announce that soldiers kill people next? Perhaps someone thinks it is noteworthy that a bank charges interest on loans! Or that boxers HIT each other.
Deconstructing BS (Score:1)
Here is the NSA's claim.
"Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks."
a. The Terrorists. The Terrorists. Terrorism has been used by thugs throughout history to justify violations of rights. The TARGETED and use Intelligence in self-defense, on case-by-case basis lawf
Re: (Score:2)
The main problem here is that the NSA went away from a defensive position and is more and more used as an offensive tool in international (and domestic) espionage. Which by itself isn't so bad a thing, but using it indiscriminately not only on allies but on its own domestic population with impunity is clearly stepping over the line.
Personally, I dare say international surveillance of alleged allies already does this. It damages the US' credibility far more than anything gained that way could compensate.
First Priority is to Protect the Innocent (Score:2)
If the police failed to act on information a rape or murder was planned because they wanted to catch the perpetrator in the act, there would be outcry. You don't jeopardize the safety of the innocent to assail the (potentially) guilty. Collecting foreign intelligence is not more important than heading off immediate threats to domestic citizens. Clearly the NSA views it as all about "catching the bad guy" and has forgotten the reason the bad guys are considered bad. It's like SWAT leaving a bomb in a publi
Re: (Score:2)
Well, there is the "needs of the many" counter-argument. If you can catch a serial killer by sacrificing one target and ensure that way that he is stopped and cannot kill a dozen others, is it justified?
Is it justified to allow a terrorist plot to go ahead if that means the heads behind it have to expose themselves in a way that you can cut them off?
This game is rarely one painted in just black and white.
Re: (Score:2)
Such entities are not running on morality. By definition no group of people, unless governed explicitly by some moral codex, will waste a nanosecond pondering the moral implications.
For reference, see corporation.
And this is a surprise? (Score:2)
They have no duty to disclose (Score:4, Insightful)
They are an intelligence agency. You'd EXPECT that they would hold onto some method to do their job, which absolutely involves electronic infiltration. This is neither controversial nor unexpected.
Don't mistake the fact that they reach out to industry to improve everyone's (worldwide) security most of the time, for that being their primary mission or charge. That's a nice bonus.
If you want to get worked up, get angry about the same shit Snowden did: the possible indiscriminate spying against US citizens, and the idea that the only way the government can do its job is by casting a worldwide net that monitors everyone everywhere all the time. Not that they can hack systems, which is a huge part of why they fucking exist.
NSA? (Score:2)
What do you think the NSA is for??? Free government funded penetration testing and reporting service? Sheesh.
Re: (Score:1)
Free government funded...
Just to clarify, did you mean free or did you mean government-funded?
Nothing wrong with it per se (Score:3, Insightful)
The NSA is a security service. Having tools to break and enter into the communication and data storage of potential enemies of the state is their business. That's what they do. Their whole reason to exist, to be blunt. If they can't do that, well, they may as well not exist at all. Which would not be beneficial for the US, in general, because, well, their enemies sure as fuck won't do away with their version of the NSA. You'd deprive yourself of a valuable tool in international espionage.
What something like this needs, and what is sorely lacking today, is oversight. You needn't take away such powerful tools. You need to ensure they are not being abused. That's the real problem here.
Uhh... what? (Score:1)
National Security Agency (Score:1)
It goes without saying (Score:2)
Kerfuffle (Score:2)
[T]here are legitimate pros and cons to the decision
No there are not. There is only the LAW. The decision has already been made, ratified and written down. It's not up to some bureaucrat to make things up as he goes along. Governments are compelled to act within the bounds set by law. When they stop doing this, they are no longer law abiding nations and lose the right to enforce law on the people.
To be fair, I do the same (Score:3)
If I think about it, I can't expect any different from the NSA. If they are going to learn the skills that they need to do their jobs, they do need to flex their muscles. We do need to have some level of trust in the agencies that have been put into place to protect our citizens.
In other words, they're script kiddie wannabes. (Score:2)
This reminds me of an idiot who went on a zero day, full disclosure forum, advocating that they should "hold the best stuff back" so that they "look like gods" to the next, upcoming generation of hackers.
Let's just say that this silly jackass was laughed off the board, and is now enjoying his second stint in FPMITAP for unoriginal idiocy with a computer.
So the NSA is at the same basic intellectual (for lack of a better term) level...
Sigh.
An article with the proper use of zero-day? (Score:2)
I didn't think I would ever see another article with the proper use of the term zero-day. I expect when the NSA talks about zero-days they get the terminology right. An exploit the NSA discovers and doesn't use isn't a zero-day until someone else starts using it. Exploits they buy are most likely zero-days. Bugs found and reported to vendors but not used aren't zero-days if a patch arrives before an exploit. A real trick is knowing if a new exploit is being used, and I think it is clear that the spooks might
NSA speak translated to English (Score:2)
English: Disclosing a vulnerability can mean we forgo an opportunity to use the power of the state to spy on innocent people for no reason, crush legitimate political dissent, blackmail political figures to make
"Data and Goliath" by Bruce Schneier (Score:1)
Surprise! (Score:1)