The NSA Is Hoarding Vulnerabilities

The National Security Agency is lying to us. We know that because data stolen from an NSA server was dumped on the Internet. The agency is hoarding information about security vulnerabilities in the products you use, because it wants to use it to hack others’ computers. Those vulnerabilities aren’t being reported, and aren’t getting fixed, making your computers and networks unsafe.

On August 13, a group calling itself the Shadow Brokers released 300 megabytes of NSA cyberweapon code on the Internet. Near as we experts can tell, the NSA network itself wasn’t hacked; what probably happened was that a “staging server” for NSA cyberweapons—that is, a server the NSA was making use of to mask its surveillance activities—was hacked in 2013.

The NSA inadvertently resecured itself in what was coincidentally the early weeks of the Snowden document release. The people behind the link used casual hacker lingo, and made a weird, implausible proposal involving holding a bitcoin auction for the rest of the data: “!!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies cyber weapons?”

Still, most people believe the hack was the work of the Russian government and the data release some sort of political message. Perhaps it was a warning that if the US government exposes the Russians as being behind the hack of the Democratic National Committee—or other high-profile data breaches—the Russians will expose NSA exploits in turn.

But what I want to talk about is the data. The sophisticated cyberweapons in the data dump include vulnerabilities and “exploit code” that can be deployed against common Internet security systems. Products targeted include those made by Cisco, Fortinet, TOPSEC, Watchguard, and Juniper—systems that are used by both private and government organizations around the world. Some of these vulnerabilities have been independently discovered and fixed since 2013, and some had remained unknown until now.

All of them are examples of the NSA—despite what it and other representatives of the US government say—prioritizing its ability to conduct surveillance over our security. Here’s one example. Security researcher Mustafa al-Bassam found an attack tool codenamed BENIGHCERTAIN that tricks certain Cisco firewalls into exposing some of their memory, including their authentication passwords. Those passwords can then be used to decrypt virtual private network, or VPN, traffic, completely bypassing the firewalls’ security. Cisco hasn’t sold these firewalls since 2009, but they’re still in use today.

Vulnerabilities like that one could have, and should have, been fixed years ago. And they would have been, if the NSA had made good on its word to alert American companies and organizations when it had identified security holes.

Over the past few years, different parts of the US government have repeatedly assured us that the NSA does not hoard “zero days” the term used by security experts for vulnerabilities unknown to software vendors. After we learned from the Snowden documents that the NSA purchases zero-day vulnerabilities from cyberweapons arms manufacturers, the Obama administration announced, in early 2014, that the NSA must disclose flaws in common software so they can be patched (unless there is “a clear national security or law enforcement” use).

Later that year, National Security Council cybersecurity coordinator and special adviser to the president on cybersecurity issues Michael Daniel insisted that US doesn’t stockpile zero-days (except for the same narrow exemption). An official statement from the White House in 2014 said the same thing.

The Shadow Brokers data shows this is not true. The NSA hoards vulnerabilities.

Hoarding zero-day vulnerabilities is a bad idea. It means that we’re all less secure. When Edward Snowden exposed many of the NSA’s surveillance programs, there was considerable discussion about what the agency does with vulnerabilities in common software products that it finds. Inside the US government, the system of figuring out what to do with individual vulnerabilities is called the Vulnerabilities Equities Process (VEP). It’s an inter-agency process, and it’s complicated.

There is a fundamental tension between attack and defense. The NSA can keep the vulnerability secret and use it to attack other networks. In such a case, we are all at risk of someone else finding and using the same vulnerability. Alternatively, the NSA can disclose the vulnerability to the product vendor and see it gets fixed. In this case, we are all secure against whoever might be using the vulnerability, but the NSA can’t use it to attack other systems.

There are probably some overly pedantic word games going on. Last year, the NSA said that it discloses 91 percent of the vulnerabilities it finds. Leaving aside the question of whether that remaining 9 percent represents 1, 10, or 1,000 vulnerabilities, there’s the bigger question of what qualifies in the NSA’s eyes as a “vulnerability.”

Not all vulnerabilities can be turned into exploit code. The NSA loses no attack capabilities by disclosing the vulnerabilities it can’t use, and doing so gets its numbers up; it’s good PR. The vulnerabilities we care about are the ones in the Shadow Brokers data dump. We care about them because those are the ones whose existence leaves us all vulnerable.

Because everyone uses the same software, hardware, and networking protocols, there is no way to simultaneously secure our systems while attacking their systems whoever “they” are. Either everyone is more secure, or everyone is more vulnerable.

Pretty much uniformly, security experts believe we ought to disclose and fix vulnerabilities. And the NSA continues to say things that appear to reflect that view, too. Recently, the NSA told everyone that it doesn’t rely on zero days—very much, anyway.

Earlier this year at a security conference, Rob Joyce, the head of the NSA’s Tailored Access Operations (TAO) organization—basically the country’s chief hacker—gave a rare public talk, in which he said that credential stealing is a more fruitful method of attack than are zero days: “A lot of people think that nation states are running their operations on zero days, but it’s not that common. For big corporate networks, persistence and focus will get you in without a zero day; there are so many more vectors that are easier, less risky, and more productive.”

The distinction he’s referring to is the one between exploiting a technical hole in software and waiting for a human being to, say, get sloppy with a password.

A phrase you often hear in any discussion of the Vulnerabilities Equities Process is NOBUS, which stands for “nobody but us.” Basically, when the NSA finds a vulnerability, it tries to figure out if it is unique in its ability to find it, or whether someone else could find it, too. If it believes no one else will find the problem, it may decline to make it public. It’s an evaluation prone to both hubris and optimism, and many security experts have cast doubt on the very notion that there is some unique American ability to conduct vulnerability research.

The vulnerabilities in the Shadow Brokers data dump are definitely not NOBUS-level. They are run-of-the-mill vulnerabilities that anyone—another government, cybercriminals, amateur hackers—could discover, as evidenced by the fact that many of them were discovered between 2013, when the data was stolen, and this summer, when it was published. They are vulnerabilities in common systems used by people and companies all over the world.

So what are all these vulnerabilities doing in a secret stash of NSA code that was stolen in 2013? Assuming the Russians were the ones who did the stealing, how many US companies did they hack with these vulnerabilities? This is what the Vulnerabilities Equities Process is designed to prevent, and it has clearly failed.

If there are any vulnerabilities that—according to the standards established by the White House and the NSA—should have been disclosed and fixed, it’s these. That they have not been during the three-plus years that the NSA knew about and exploited them—despite Joyce’s insistence that they’re not very important—demonstrates that the Vulnerable Equities Process is badly broken.

We need to fix this. This is exactly the sort of thing a congressional investigation is for. This whole process needs a lot more transparency, oversight, and accountability. It needs guiding principles that prioritize security over surveillance. A good place to start are the recommendations by Ari Schwartz and Rob Knake in their report: these include a clearly defined and more public process, more oversight by Congress and other independent bodies, and a strong bias toward fixing vulnerabilities instead of exploiting them.

And as long as I’m dreaming, we really need to separate our nation’s intelligence-gathering mission from our computer security mission: we should break up the NSA. The agency’s mission should be limited to nation state espionage. Individual investigation should be part of the FBI, cyberwar capabilities should be within US Cyber Command, and critical infrastructure defense should be part of DHS’s mission.

I doubt we’re going to see any congressional investigations this year, but we’re going to have to figure this out eventually. In my 2014 book Data and Goliath, I write that “no matter what cybercriminals do, no matter what other countries do, we in the US need to err on the side of security by fixing almost all the vulnerabilities we find…” Our nation’s cybersecurity is just too important to let the NSA sacrifice it in order to gain a fleeting advantage over a foreign adversary.

This essay previously appeared on Vox.com.

EDITED TO ADD (8/27): The vulnerabilities were seen in the wild within 24 hours, demonstrating how important they were to disclose and patch.

James Bamford thinks this is the work of an insider. I disagree, but he’s right that the TAO catalog was not a Snowden document.

People are looking at the quality of the code. It’s not that good.

Tags: Cisco, DHS, Edward Snowden, essays, exploits, lies, national security policy, NSA, vulnerabilities, zero-day

Posted on August 26, 2016 at 5:56 AM • 125 Comments

Comments

keiner • August 26, 2016 7:02 AM

Maybe NOBUS includes also something else, i.e. HARDENING of vulnerable e.g. CISCO systems for US/Fed customers?

Remember the pic of this workspace used to open Cisco packages to tinker them? Maybe the same place is used to implement hardend soft-/hardware to firewall for certain institutions?

Just saying… 🙂

Jonathan Wilson • August 26, 2016 7:19 AM

Why aren’t big companies like Microsoft and Cisco and Oracle and Adobe and others who are most impacted by vulnerabilities being out there and not getting fixed (and especially by vulnerabilities being bought and sold on the open market) lobbying the US government for changes. I doubt any of the big software vendors like the idea that there software has major security holes out there that aren’t being fixed and that hackers could be exploiting.

Or would such a move backfire on the tech companies? (e.g. tech company starts lobbying for changes to prevent vulnerabilities being sold on the open market or being kept secret by the US government and its agencies and partners and the US government then retaliates by blacklisting the company and not buying their stuff anymore)

Or do the tech companies actually LIKE the fact that the US government knows about bugs in their code and wont tell them? (i.e. they are OK with it because “national security”)

Ben • August 26, 2016 7:23 AM

For those who like to measure the significance of things in dollars, the current cost of running vulnerable networks and injecting inbuilt weaknesses into operative systems runs at $445 billion per year in the USA alone, plus thousands of job losses.

http://www.nbcnews.com/tech/security/cybercrime-costs-businesses-445-billion-thousands-jobs-study-n124746

It seems kind of obvious, but if you don’t want people breaking into your house, don’t leave the doors and windows open.

kiwano • August 26, 2016 7:39 AM

What would be really damning is if the vulnerability exploited in the DNC hack were to be unearthed in one of these leaked stashes. One can only hope…

clint • August 26, 2016 8:04 AM

You should write an entry on Russia’s, China’s and other country’s vulnerability release processes that their intelligence agencies use. Oh wait…

yosemite sam • August 26, 2016 8:14 AM

@clint:

Yeah, cause if others shit in the pot it makes it ok for us to shit in it too. Bon appetit.

Sam • August 26, 2016 8:42 AM

@Clint
If all private systems in use in the States were secured from virtually all known vulnerabilitis, that would provide America a clear advantage.
If all US companies were more secure than non US software, because the government was searching for and applying updates, ditto
Even if updates applied here propogated out, the overall benefits to the good guys in other countries would outweigh any loss in attack surface.

Who? • August 26, 2016 9:01 AM

As I said before, the only hope right now is that someone will get access to the second tarball (eqgrp-auction-file.tar.xz.gpg) and release it to the world. Software developers should do the work NSA didn’t fixing these bugs. Only hope it is not too late to fix these “out of support” devices and software. As I said a lot of times in the past too, corporations should be required by law to fix bugs even on unsupported devices. If there is a device in use yet, it must be fixed.

NOBUS vulnerabilities do not exist, as proved no less than two times this month by both the National Security Agency and Microsoft. Only vulnerabilities exist, and must be fixed as soon as possible. There are no different vulnerability classes.

The NSA should release the rest of exploits so black hats will not get money for stealing government tools and/or use them to commit crimes. The NSA cannot say these tools are under its control anymore, so it is better disabling them. Forever.

Who? • August 26, 2016 9:05 AM

@Sam

What about devices outside the United States? Shouldn’t these be fixed? Sometimes I would wish that OpenBSD was not available in the United States… then we will talk about clear advantage.

I do not see the clear advantage for the United States if other countries remain vulnerable. The world is not only USA anymore. In fact, it never was.

Fred • August 26, 2016 9:06 AM

Is this what NSA is REALLY doing when they conduct pentesting and security audits?

Roger • August 26, 2016 9:08 AM

To play the devil’s advocate here – the NSA’s stated function is not to comprehensively review every piece of hardware and software used in the world and benevolently act as a newly-discovered vulnerability and/or exploit remediation agency.

It’s a SIGINT intelligence agency that collects and processes information ….what did you even think they did?

Abolishing the NSA is not a viable solution or one that will happen in our lifetimes without major political and intelligence upset.

I would much rather they continue to exist in this capacity, than cease to exist at all.

Again, it’s a freaking SIGINT agency, not a vulnerability patching workshop guys run on the weekends.

dcode • August 26, 2016 9:16 AM

Bruce,

There’s a significant problem in your dream to split up the NSA. Namely, you’re making some assumptions that you hold to be gospel. Your argument, as I read it, is that if we split the agency into something like NSA-D (Defense) and NSA-I (Intelligence) that the NSA-D wouldn’t be compelled to keep its vulnerabilities secret. I think that would be true. However, I will tell you that NSA-I finds and discloses far more vulnerabilities that NSA-D. By splitting the equities, you would lose out on all the NSA-I vulnerabilities that would be solely dedicated to intelligence gathering. Under the current arrangement, there is at least a pressure applied to disclose.

I agree that the argument of NOBUS is also a bit optimistic and probably more of a function of time than anything else. Perhaps a constraint could be applied that NOBUS 0days could be held for a specific amount of time, after which they must be retired for responsible disclosure. In the event of something that is particularly important or difficult, perhaps an extension could be filed, with term limits.

Just my 2 cents.

Wagu • August 26, 2016 9:17 AM

@Roger

How in the world did you interpret “break up the NSA” as “abolish the NSA”?

henry • August 26, 2016 9:19 AM

Under TTIP, would technology vendors be able to sue various US TLAs for actions which harm their customer base and thus profitability?

https://en.wikipedia.org/wiki/Transatlantic_Trade_and_Investment_Partnership#Democracy_and_national_sovereignty.2C_foreign_investor_protection

Wael • August 26, 2016 9:22 AM

@Roger,

it’s a freaking SIGINT agency

Call it FSA then. There! Everybody happy.

Thomas • August 26, 2016 9:23 AM

@Roger:

The aim of the NSA is ultimately to defend the interests of its people, not to break thinks for the sake of breaking them. If their “frigging SIGINT,” as you put it, does more harm than good in the broader scheme, the obvious conclusion is that someone is putting the cart in front of the horse (at a huge cost).

They Stooge to Conga • August 26, 2016 9:38 AM

What we’re talking about, in stilted thought-stopping official jargon, is sabotage, a type of illegal warfare. It was considered in the travaux préparatoires of the Geneva Conventions and treated as an activity prejudicial to state security, of sufficient gravity to suspend certain prisoner protections. Depending on the circumstances it may constitute illegal use of force or it may be a breach of the non-intervention principle. In both cases sabotage is a breach of peremptory norms of international law and a violation of state sovereignty. That means the entire international community shares the responsibility for stopping the criminal state. The victims of US sabotage are legally entitled to impose countermeasures, or to take the US to the World Court or arbitral panels, which would fix responsibility for reparations, restitution, compensation, or satisfaction including prosecution of offenders.

That’s how NSA saboteurs will be curbed. The civilized world will housebreak the Pentagon cavemen by rubbing their nose in their shit. The US government is unable to reform. Tinkering with org charts would just hide the crime and impunity someplace else. Congress will do nothing to get NSA saboteurs under control. Eunuch legislators will ask meek questions and get blown off with appropriate contempt.

Or maybe the CSO will sort it out in the war crimes tribunal after the USG loses their illegal undeclared war. Bunk Alexander with Lindsay Graham in Чёрный дельфин, let em play Kiss of the Spider Woman for ten years. He has evident J. Edgar Hoover type issues.

Allen • August 26, 2016 9:56 AM

I’m less worried that the NSA had zero days in 2013, and more concerned that those zero days still work in 2016. I’ve always been on the full disclosure side of “responsible” disclosure argument because I believe that “responsible” disclosure builds a walled garden around active vulnerabilities and takes a lot of social pressure off vendors to be proactive about vulnerability identification and remediation. (Yes, that social pressure comes in the form of angry customers and incident responders who just had a terrible overnight fire drill rushing to patch or reimage a hacked machine. But look at the progress that has been made when companies like Apple or Microsoft get enough pie on their face to make a commitment to improved security!).

“Responsible” disclosure has created a very stable market place for some vulnerabilities researchers to weaponize their findings and sell to the highest bidder. And now we’re surprised that spy agencies are stockpiling the weaponized vulnerabilities in support of their mission? As a defender of critical infrastructure I agree with your sentiments about these clandestine purchases making/keeping us more vulnerable, but I don’t think the security community should be shocked by the ecosystem we’ve created. Can we realistically expect an org like the NSA/MI6/MSS/FIS to sacrifice their strategic offensive capabilities in the name of defense?

We’re not going to be able to tame our offensive agencies, maybe the answer is to just equally fund a transparent vulnerability mitigation initiative.

Roger • August 26, 2016 9:59 AM

@Wagu Accurate determination in a difference of language. I was cross-pollinating another talking point about abolishing the NSA from a few weeks ago that stuck with me as particularly awful critical thinking. You are correct in asserting the differences there – my fault. Lack of coffee:)

@Wael That was good for a laugh.

@Thomas Of course. Again, I’m playing the advocate here – as a normal joe I have the same vested interest in privacy equally as much as anyone else (being ‘its people’ in this context!). Their mission is to collect and monitor data – I fault them not at all for doing that to the greatest extent operationally possible. To satisfy both parties, because TLAs/NSA do have a very serious and critical function, I don’t think anyone sanely denies this in most cases, there’s probably some discussion that needs to occur to define the very difficult grey area they operate in. Or, if such definition exists unknown to the common public, allow some modicum of understanding in to that process for further scrutiny. It’s a tough spot – they do their jobs exceptionally well, they are blasted. They do their jobs poorly or too constrained, their people can die in worst case (depending on who you ask).

Newfienet • August 26, 2016 10:02 AM

@Henry, come to think of it, Nortel would have a great case in FTAA dispute settlement. Despite Canada’s servile status as a US backwater NSA cutouts subjected Nortel to comically blatant industrial espionage and subversion.

Roger • August 26, 2016 10:03 AM

As an additional talking point, can anyone provide evidence of another major intelligence player providing this type of benevolent exposure with sufficient consistency to this context while still remaining an effective player in the SIGINT IC?

Dennis • August 26, 2016 10:18 AM

@Roger
As an additional talking point, can you explain why the NSA and the government keep denying that they stockpile toxic vulnerabilities if it is in fact such a central aspect of their role? Can you see any problems when it comes to checks and balances here?

@Thomas
“The aim of the NSA is ultimately to defend the interests of its people”
I guess the problem is that the NSA has spent too long “defending the interests of its people” instead of defending the interests of its people.

Who? • August 26, 2016 10:46 AM

@Roger

Ok, the NSA is a SIGINT agency. Fixing bugs is not their goal. That’s perfect to me.

What about the backdoor in ScreenOS? Is it ok for a U.S.-based SIGINT agency to break the product of a north-american corporation like Juniper Networks? Is it ok subverting standards? Weakening cryptography? Backdooring hardware and software? Are NSLs acceptable?

This one is another step to achieve a “clear advantage” for the United States. Let me outlike this advantage:

Some day we may found the United States banned from technical committees, as there is a risk of subverting standards for “technical advantage.” Don’t worry about current standards, they will be banned too and replaced by fresh ones developed without collaboration from the FVEY.
Some day, non-U.S. corporations may develop products competing with U.S. ones. No one will ask which product is better (the basis of our current market rules) if U.S. ones are at just a NSL from being backdoored. U.S. corporations will have no chance to sell their products.
Some day, non-U.S. corporations will stop sharing source code and knowledge with the United States. No development will take place in the United States, as there is a risk of code being analyzed looking for bugs that will be used to achieve that “advantage”.
Some corporations may even opt to leave the United States, forever.
Even open source and free source projects may leave the United States, as OpenBSD currently does prohibiting any U.S. citizen to work on cryptography for the project.

The cold war ended years ago. It is time for the United States to stop being so paranoid and behave as a team player again.

I feel ashamed each time I think we are at the beginning of a new Renaissance, a period where universal access to culture is a reality, where knowledge and technology evolve faster than ever, while states only think on ways to subvert security and do industrial espionage, people in ways to share child pornography and criminals in ways to make fraud.

We are in a world were we have access to the most impressive knowledge and resources known by human beings since Library of Alexandria from our handhelds while we only think on ways to subvert it. Isn’t it a shame?

ab praeceptis • August 26, 2016 10:46 AM

With all due respect for the author – and I do have lots of well earned respect for Bruce Schneier:

While I would, of course, like to hit on the nsa, some basic laws of logic dictate that I employ some minimal reasoning first.

So, that material had something like “(c) nsa, conceived, designed and implemented by nsa. Don’t your dare to steal it” in it? If not, what makes us so certain that we don’t fall for a ruse (not necessarily by the nsa) or are simply a victim of a misunderstanding?

(unless there is “a clear national security or law enforcement” use)
This must be a joke, right? Isn’t that very phrasing used for pretty everything? Isn’t that phrase what “allows” them to shoot innocent civilians, to brawl, to threaten, and to throw bombs at the other side of the globe (“national security”) and a lot more?

I take obamas statement to mean “There was a hiccup and I have to say something nice without actually giving in a micrometer”. What he said comes down to “we shall not anymore … unless we please to do it anyway”.

Also, could we please stop to just accept any stage setting they serve? For a starter: Why am I to assume that the “victims” really are victims rather than a common player with nsa & accomplices?

Or: What convinces us that it’s not the ever usefully “evil chinese” or “evil russian hackers” who created that stuff and made it look like nsa stuff. Yes, that’s unlikely but a) are we secret intelligence experts? What makes us think we can judge that? and b) Oh, come on, we have other standard bullsh*t patterns that we just blindly believe, no matter how ridiculous. Example? “Russian hackers”. Probably clinton could walk around and shoot people in downtown new york and could get away with it uttering about “evil russian hackers”.

Yes, nsa – seen from some perspective – is often evil. They, for instance, tainted major nist standards. But in the end, a) it’s their bloody job to do (much of) what they do and b) they are a state agency and I do not see any reason to assume that nsa is different from other state agencies; their ranks are not filled only with classy professionals but also with losers, bureaucrats, and idiots and chances are that, like any other state agency, if nsa happens to do something right it’s probably not the result of professional work but of happy coincidence.

Which brings us to what imo is the real take away here: playing those games and playing with the safety of your citizens and companies is a necessary consequence of ineptitude.
Would Bruce schneier visit people and basically hold a gun at their head so as to not spill out his secrets? No, of course not. But then, Bruce Schneier actually masters security and crpyto – he doesn’t need to blackmail and shackle people. He can simply properly encrypt sensitive stuff.

But the nsa needs to. That should make us think.

Sasparilla • August 26, 2016 10:50 AM

I’ve often wondered if there is a different calculation going on in the surveillance leadership with regards to vulnerabilities and the cyber-security of their local country overall – and that is if the NSA etc. can do their spying, they don’t care if the Russians or anyone else can also spy on us – as long as they (the people making the decisions) have back doors, everything is good. The security of the country is secondary (which really means its much less than that), since attack / surveillance is the primary concern of our cyber operations. Like the prime mortgage industry driving itself toward the cliff a decade ago, its a self serving bankrupt strategy, but one that looks good, right now to the people inside making these decisions.

This also divides the world into the surveillors and the surveiled – and there isn’t a place for making everyone secure in that by the surveillance organizations (as we’ve seen here).

Baghdad Rog • August 26, 2016 10:51 AM

Roger’s here with the NSA sockpuppet propaganda line! Set up, as always, with fake objectivity, ‘To play the devil’s advocate…’ and posing as a ‘normal Joe’ except for all the little verbal tics that ass-kissing government office drones pick up from one another (cross-pollinating. coffee jokes. Mission.) We get the whole bag of tricks. Unsubstantiated slogans for morons to parrot: Abolishing the NSA is not a viable solution. They have a very serious and critical function (like spying on diplomats instead of just asking them what they think when it’s their frickin job to tell you.) They do their jobs exceptionally well (nice work cleaning up that staging server, ace!) If they do their jobs poorly, people can die (like when you [profanity deleted by moderator] bricked critical communications infrastructure in Syria, compounding a humanitarian crisis.)

Roger shakes his sock around to try to slip some indoctrination in, providing good indications of how they brainwashed him. Pay lip service to privacy but stay ignorant of its legal content, which states surveillance of correspondence should be prohibited. Talk about data instead. Wave your hands about ‘some discussion,’ emote about a ‘very difficult gray area’ that isn’t difficult at all, you just obey the [profanity deleted by moderator] law, or in your case not. Patronize the ‘common public.’ This is some of the stupidest propaganda ever. No wonder the SCO pwns you tools with epic luls.

NSA’s a cancer like the Stasi, a big pointless suck on our taxes. No one needs you.

ab praeceptis • August 26, 2016 10:53 AM

Who?

About standards bodies I don’t know and I doubt. But I do know that there are companies which – with their (nato) state agencies knowing and benevolently looking the other way – are creating security related products expressely and vigorously excluding any and everything from across the ocean.

In one concrete case I happen to know about (not hearsay but knowing) any and everything even vaguely from across the ocean is considered tainted and untouchable.

For what it’s worth, I consider that a promising and sound approach.

Today all that happens quite silently. Soon, however, that may be the basis of de jure or de facto standards.

nsa- and/or nist-free is taken as a sign of quality by increasingly many.

Sasparilla • August 26, 2016 11:08 AM

@Jonathan Wilson

Or do the tech companies actually LIKE the fact that the US government knows about bugs in their code and wont tell them? (i.e. they are OK with it because “national security”) <<

I think another way to look at this is to put the question this way. If you are a worldwide vendor of software / hardware etc., which is a more profitable / less risky strategy – Work with the security agencies of every country and give them back doors (which is kept secret for the most part) and not have your market access (and orders) threatened or give them all the finger and go for security while risking market access and orders?

Obviously the least risky choice and probably most profitable is to be in bed with the different country’s intelligence agencies – this is the choice nearly all U.S. software / hardware companies have made (as well as most foreign vendors), Microsoft is the headliner for the group. Apple is a single outlier in the world and nobody is moving to follow them on their privacy / security strategy (at top level hardware / software vendor level). This is a bad thing long term, but completely logical from a corporation (profit matters most) point of view. JMHO…

Roger • August 26, 2016 11:16 AM

When my offspring’s offspring are asking what it was like in my day, I will say my favorite part of the internet was being accused of being a shill for/working at the NSA on a blog post about the NSA for discussing the NSA.
Yeah, that was me in that chair in Switzerland just hacking away at the world’s firewalls while frequenting unimportant comments on blogs in my RSS feed. Aggressive posturing is a waste of everyone’s time, go sit somewhere and be disgruntled, quietly.

@ Who?

You provided the best talking points on this page thus far. Your concerns about long term global repercussions are the kind of definitions I referred to earlier. How they should go about doing their job, while also expanding what I guess could be called proper diplomacy in this context. I would read your blog too ha..

Baghdad Rog • August 26, 2016 11:43 AM

A new cheap JTRIG trick from our sockpuppet: sucking up to particular commenters! And more government verbal tics, disgruntled. And feckless paramilitary imperatives, beloved by grunts who take lots of orders.

No Rog, it’s blindingly obvious you’re not cut out to be a 1337 TAO cyber warrior, you’re just some wannabe. Still, you clearly yearn to vicariously experience the thrill of Cyber. So, Rog, what was your proudest moment, in your NSA daydreams? Letting China swipe 20 million sensitive adjudication files from OPM? Destroying 12B in JSI market cap? Letting 9/11 happen? Randomly directing the botched extrajudicial killing of this guy because some poor bastard borrowed a phone? Blowing Shakira’s little button nose off? Pitching in to target innocent mooks for systematic and widespread torture?

Let’s bear in mind why NSA went to the trouble of wrecking critical infrastructure: ‘We track em, you whack em.’ They did it to help US death squads murder and torture at random to justify the highest crime, aggression. Sure, you’re clowns, but John Wayne Gacy was one too.

Who? • August 26, 2016 11:43 AM

@ab praeceptis

It all looks promising.

I am an OpenBSD user since 2003. Security is important to me, of course, but as I wrote some years ago to Theo de Raadt I do not like OpenBSD because it is secure, I like it because it is the best written and documented operating system I know (and it remains being the best for my goals yet!). The United States have decades of experience developing hardware and software, but other countries have comparable experience and quality standards and are more ethical.

The NSA should act responsibly now and close the bugs exploited by the tools stolen to them. They must accept the tools being auctioned are not under their control anymore and will be used soon (apart of the “free” tarball being used right now by not-so-cute script kitties –yeah, script kitties, but armed with government-grade tools now–). It is just a matter of time. Now the NSA must demonstrate they really understand what “national security” means, closing these bugs so they cannot be exploited in the United States or other countries anymore.

One can be in the intelligence business and fair play at same time.

It is nice that you know some changes are happening. I hope these changes described in your post become a reality very soon.

Liam • August 26, 2016 11:45 AM

@Roger:
“As an additional talking point, can anyone provide evidence of another major intelligence player providing this type of benevolent exposure with sufficient consistency to this context while still remaining an effective player in the SIGINT IC?”

Maintaining a position of dominance in an area that makes us more vulnerable every time we exercise our dominance is no dominance at all. In other words, we’re patting ourselves on the back over how well we shoot ourselves on our own foot.

Moderator • August 26, 2016 11:51 AM

@Baghdad Rog, please curb the hostility, profanity, and speculative accusations of shilling and sockpuppetry.

Roger • August 26, 2016 11:58 AM

@Baghdad

Lot of very angry babbling from someone with no alternative solutions presented anywhere at all here. Honestly, you’re all bark man, in the worst way. I am discussing the issues, you’re simply …intensely complaining…maybe whining?…, while tossing around random intelligence slang not coming off as learned or capable but really more pedantic. Again…way too hostile to have a practical discussion with. It’s blog dude, not a war room. Lastly, speaking of those breaches and attacks, some of the events mentioned directly affected myself and probably others here personally. Assuming I had a hand in dumping my own information is fairly absurd if not outright manic. You’re of course free to determine your own opinions even if outwardly aggressive, but my line of rational discussion is a few steps back from where you’re treading. Glad you can articulate your distrust/distaste in the USG, but focusing that on an individual is frankly ignorant for logical reasons and practical applicability reasons. Enjoy your social disfunction.

Roger • August 26, 2016 12:04 PM

Appreciate the moderation. Feel free to remove my previous comment if necessary as it adds nothing of substance to the conversation Mod.

ab praeceptis • August 26, 2016 12:07 PM

Who?

I think, we are risking to get stuck in perception and premisse error.

Security isn’t something to consume. If we, for instance, do non neglegible communication over facebool assuming that security is somehow taken care of, we risk to make a grave error. One important aspect is that security is developped with interests in mind and incurring often considerable cost. Security, for instance, in the eyes of facebook (I use that just as a variable. Insert anything similar …) might be very diiferent from we users define. Who is paying for it? facebook and possibly advertisers – hence it will be their definition of security (and implementation of their interest which might be very different from ours).

Yet major political and social movements (at least in europe) basically run exclusively via facebook. Meanwhile some have learned the bloody way that their operation can simply be muted or even de facto shut down. Similarly, I expect, many many people will very bloodily learn that “security” != “my security”. (I keep telling people for a reason that they might as well ask nsa to provide service to them or to CC any communication directly which would have the advantage that they at least know and understand that they and their communication are not at all protected.)

I hope these changes described in your post become a reality very soon.

I’m very much limited to talk about that more specifically. But I think I might be able to report more quite soon, maybe even a concrete product (some of the stuff is absolutely not built for public use, but some is).

Who? • August 26, 2016 12:12 PM

@Roger

Sorry I have no blog, Gmail account (I had one years ago but closed it soon), Twitter, Facebook, Whatsapp (no instant messaging at all) or even mobile phone. In fact, never owned a mobile phone. Nothing related to the NSA, I just do not like the loss of privacy and control over our own data related to these tools.

I am not in the intelligence business either, but if you ask me how should the NSA do their job I would say that:

Programs like PRISM look acceptable to me. If you read Google’s terms of service you understand that Google reads our email (they did when offered me a job in 2006 because an employee read my email and considered my work valuable). Giving access to these resources to the NSA is a natural step. Not very different to found something worrying about a terrorist threat and contact the NSA.
The NSA should be able to do some domestic work monitoring networks to find (and fix) vulnerabilities on critical infrastructures, stopping cyberattacks against the United States, and so on.
The NSA should develop secure software and (why not?) fix bugs in both commercial and open/free source tools. It is a way to improve not only national security, but also security in general.
The NSA should improve information flow between government agencies, train government staff and provide advice to government agencies. It can run too some centralized databases shared by agencies to avoid duplication of information and minimize the risk of data being stolen.

However The NSA should not weaken security. It is against common sense and ethics.

Developing attack tools based on zero days that remain open is like running a centralized temporary storage facility to store high level radioactive waste. It may sound ok, but time will demonstrate it is a bad idea that has bad consequences.

Quentin Coldwater • August 26, 2016 12:13 PM

So, now we know that the NSA hoards 0days, and surveillance is more important to them than securing our national infrastructure.

To those that will get legalistic about it, sure it’s not NSA’s job to secure the national infrastructure, but they still have some ethical responsibility to do that, and as a rising tide lifts all boats, the DoD would be more secure if enterprises are more secure. So don’t bother with that line of thought.

The question left unanswered is why is surveillance so dreadfully important? They have to classify the results of the surveillance and limit their output to specific people so that sources and methods aren’t revealed. Information from surveillance has limited use.

We also know that the NSA is dragnet surveilling pretty much the entire US populace. Don’t get legalistic about this either, friends, it’s almost certainly true.

That only makes the “why is surveillance so important” question even more important. Is someone profiting from this? Is someone or some group using it to win friends, influence enemies and get the girl? I wouldn’t want to be caught short in a grey flannel suit, a buzzcut and an NSA badge when the lid blows off this.

Roger • August 26, 2016 12:18 PM

Liam
ab praeceptis

I think both you’re close to hitting the nail on the head – the question should be publicly asked that if communications are being intercepted en masse or, more examining with more granularity, that the exploits that have recently gone public the question is do the ends justify the means? Is the mission so critical and the fruits of which so bountiful that incurring more weakness and more surveillance is really warranted.

If they’re dragging in world landscape altering information – potentially keep on rocking on. If not, the ends are not justifying the means and weakening both privacy and the integrity of various softwares/hardware/etc could actively be doing damage now and later (as per the global repercussions discussed above a few posts).

Douglas • August 26, 2016 12:46 PM

@Roger: Is SIGINT the entire mission of the NSA, or does the NSA also have other obligations?

Don • August 26, 2016 1:01 PM

@Roger:
“If they’re dragging in world landscape altering information – potentially keep on rocking on. If not, the ends are not justifying the means”

The premise behind this statement is Machiavellian and untenable. I refuse to accept that, as long as the NSA leads the world in exfiltration and NITs, it’s OK to throw >$400 billion a year down the drain, risk cyberattacks against systems that are made vulnerable by design, mess up the lives of thousands of people who lose their jobs and income as a result of these attacks, undermine the credibility and growth of American businesses, hinder technological advancement, and erode the usefulness of one of the most awe-inspiring inventions of humanity, ie the internet. The end does _not justify the means.

Baghdad Rog • August 26, 2016 1:10 PM

Ah so. Claiming International Man of Mystery mystique now, are we? Personal involvement, being vaguely ‘affected.’ So much for normal Joe. Actually what you’re shilling for was clear when you avoided (and continue to avoid) the questions of NSA’s catastrophic ineptitude and crime for ‘issues,’ whatever they are.

So Rog Q. Public, what is your totally independent man-on-the-street opinion on NSA officials suspected of crimes in universal jurisdiction? Prosecution or extradition? As you know, as a fellow who sticks purely to The Issues, those are the only two options.

Rog is trying to to make you treat your privacy rights and corporations’ property rights as cost/benefit problems. If it’s worth it to him to stomp on your rights, he’ll try to do it. Government drones are brainwashed to think that’s how rights work. That’s why your constitution’s down the toilet, because of apparatchiks like Rog betraying their country and their oath.

clint • August 26, 2016 1:16 PM

Saying a nation’s SIGINT agency should give up its offensive weapons is like saying it should give up its offensive military capabilities. It is not how the real world works.

Clive Robinson • August 26, 2016 1:20 PM

@ Roger,

It’s a SIGINT intelligence agency that collects and processes information ….what did you even think they did?

Err there’s one thing for certain, you are either playing dum or you are not aware that they have TWO roles. Which are to put it bluntly conflicting in this day and age, and why the NSA appears schizophrenic quite often.

Oh as for disbanding the NSA, it took only a couple of seconds for a president to ink the bottom of the letter that gave rise to their charter, it therefore would only take the same length of time to ink a paper of abolition…

As for effecting the IC, not realy even the neo liberals know that their maxim about reducing Government does not apply to either the military or Intelligence organisations of which there are many. All that would happen would be a bidding war between the remaining agencies.

Like a hydra, you have to cut lower and deeper than giving the NSA a hair cut. But watch out for the dragons teeth effect the army of the dead will rise and march again in different bodies or agencies…

J • August 26, 2016 2:06 PM

What’s the big issue here?
Is it that the NSA occasionally lies to the American people. Is that really a surprise?
Or is it that the NSA would rather Americans be exposed to spying by our enemies if they (and others) can also be exposed to spying by the NSA? That is a calculated decision made by the NSA weighing the pros and cons as it affects their mission. Many people — especially those reading Bruce, including myself — will take the side of closing the vulnerabilities. But can we all agree that there’s clearly a trade-off to be weighed – that there are some ‘pros’ here? So they made what amounts to a business decision. The NSA’s decision would be different if it had the same mission as the EFF, but it doesn’t.

jK • August 26, 2016 2:23 PM

Haha, you sound like J.F. Kennedy clamoring to break up the CIA… but nothing is going to happen to you, of course. The NSA being very different from the CIA, I would guess you wouldn’t be assassinated if you ran for public office.

We just would suddenly find a lot of dirt on you and find that in fact, all along, Schneier belonged to an evil secret society 🙂

I very much doubt there’s a lot of use going on regarding these 0days (by the NSA). The NSA could theoretically use them to penetrate airgaps. But to penetrate public networks wired to the Net and not behind a steel fence(and copper :), there’s just no incentive.

There are many other more quiet methods the agency can use on high value targets that will leave less of a trace.

So it boils down to this: the NSA wants to corner the exploit black market. They must have an alchemist’s mill capable of producing gold, or oil. Or maybe their budget for cornering operations just doesn’t dry up considering the amount of dirt they must have on Senators, etc.

Why “corner”? Because they don’t actually actively exploit these vulnerabilities in day-to-day operations. It’s hoarding in the hoarding sense. A stockpile of cyberweapons they rarely ever use.

Could they prove to those in charge of oversight that their automated systems can detect these vulnerabilities being exploited in the wild? If they can prove to their oversight that their automated systems can detect these stockpiled vulnerabilities being exploited in the wild, raise a flag and THEN they disclose it… well, basically it covers their ass.

If they prove they have very good monitoring systems in place, all these arguments break down and this will be all swept under the rug.

I guess you just can’t expect transparency and full disclosure from the NSA. They are actively playing war games and monitoring for when a vulnerability they know of becomes active in the wild. That’s their excuse. They’re studying hackers in the wild.

You MUST call that Intelligence Gathering, you know, as much as you hate the practice.

The Snowden show is just a big PR thing for the NSA. Makes them look stupid when in fact they are 70 years ahead of present technology.

jK • August 26, 2016 2:30 PM

J, no, because the NSA doesn’t really need to actually exploit these vulnerabilities except VERY, VERY, rarely. And when they absolutely NEED TO, it’s for airgapped networks, NOT public networks connected to the ‘Net.

So it is obvious they use these as a pattern to track talented hackers exploiting 0days and study them. That’s the CATCH. It’s their RADAR for talented hackers.

But we can’t rule out the possibility that said hacked server was a honeypot.

soulman • August 26, 2016 2:32 PM

Not to mention the question of what “finds” means. Does it refer to “discovers through its own research capabilities”, or the broader definition to include “purchases” or “acquires via other means”?

yup • August 26, 2016 2:33 PM

Programs like PRISM look acceptable to me. If you read Google’s terms of service you understand that…
- Regardless of the ELUA you’ve accepted, CISA ensures that your (meta)data can ‘selectively’ be shared amongst any third parties, with legal impunity (and could also have been for quite some time in the retrospective)
The NSA should be able to do some domestic work monitoring networks to find (and fix) vulnerabilities…
- Be careful with the lingo there – (and fix) could have multiple meanings

Some corporations may even opt to leave the United States, forever.
- All part of the plan! Most of these companies already stash their cash oversees – why not their valuable keys too? Arms length away from the NSA, but the backchannels don’t go right away…

jK • August 26, 2016 2:36 PM

Clive, not schizophrenic. Well, maybe they appear schizophrenic some TIMES (HA,HA,HA!) but in fact what you are referring to is that the agency looks like it has DID (Dissociative Identity Disorder). That’s the correct diagnostic.

And in fact, all intelligence agencies have some lighter form of DID at least from the perspective of those not on top of the Organizational Pyramid. Just because of all the Chinese Walling and Compartmentalization. The NSA is of course just extra Dr. Jekyll and Mr. Hyde.

yup • August 26, 2016 2:46 PM

I guess you just can’t expect transparency and full disclosure from the NSA. They are actively playing war games and monitoring for when a vulnerability they know of becomes active in the wild. That’s their excuse. They’re studying hackers in the wild.

(emphasis added)

You MUST call that Intelligence Gathering, you know, as much as you hate the practice.

No, I MUSTn’t. That sounds a lot more like picking off a bunch of kids, rather than gathering intelligence from the fearsome ‘hackers’ that nobody could ever plausibly and publicly identify

jK • August 26, 2016 2:59 PM

yup,

You call it whatever you want, call it bullshit if you must, I’m just speculating on what kind of defense the NSA would give to e.g. the Senate.

But it is smart to study hackers. You get to know whether they are kids, Military Intelligence for other countries, or whatever.

Dirk Praet • August 26, 2016 3:44 PM

Security researcher Mustafa al-Bassam found an attack tool codenamed BENIGHCERTAIN…

Now here’s a really cool kid from Iraqi descent. 21 years old. Stuck it to HBGary Federal and some other high-profile outfits at 16, when he was better known under his handle TFlow, core member of a band of merry man called LulzSec. Kind of a short-lived hacker version of the Ramones.

They lie all the time. Is there even one person in the whole of infosec who still believes a single word of what these people are saying ?

Ross Snider • August 26, 2016 4:01 PM

@Bruce

You use the term “security” very differently than the NSA, DoD, etc do though. Take the US definition of National Security (as outlined by National Security Presidential Directive 1): their term means something along the lines of “winning” or “competitiveness” whereas yours means something along the line of “defensibility”.

For the US military, the term security inherently means attacking at least as much – if not more than – defending, as the widespread understanding in military is that if you disrupt, destroy, discredit and demoralize adversaries before they can become enemies – you’ve prevented the United States from ever having to face a peer competitor. Such a competition would not only be uncertain, but also extremely costly.

This is WHY there is different terminology for Homeland Defense and National Security. Homeland Defense means protection. National Security means anything to take an advantage and prevent future disadvantages – including persistent attack.

wayne • August 26, 2016 4:14 PM

@Clint
“Saying a nation’s SIGINT agency should give up its offensive weapons is like saying it should give up its offensive military capabilities.”

Your analogy is wrong. You talk about 0-days as if they were sniper rifles, providing highly selective, surgical precision. The use of 0-days is closer to spraying anthrax in a closed room to spite the guy sat opposite you. You’re all f*cked and you can’t even be sure whether it’s hit you yet.

Not a Gullible Fatman • August 26, 2016 5:52 PM

Sad how many comments still fall into the patriotic charade. Security is a worldwide issue. If you live in the biggest IT nation, you’re not part of the elitist group that wants to oen whole internet communications, you’re just another victim…

Also, recent CISCO Vulns have been modified to work on current verisons of ASA.

Skeptical • August 26, 2016 6:24 PM

The evidence you cite is insufficient to sustain your two key conclusions – that the NSA is “hoarding” vulnerabilities, and that the VEP isn’t working.

First, if you want to show that the USG has been “hoarding” exploitable vulnerabilities, more numbers are needed.

How many exploited vulnerabilities were actually disclosed by SD’s curious dump? How many of those have either been patched or are applicable only to products which have not been supported in years? At least one appears to have been remedied by Cisco in 2011.

The Cisco PIX not only hasn’t been sold since 2009, it hasn’t been supported by Cisco in three years. Jumping ahead to the VEP question, if you have to prioritize a queue of vulnerabilities to be considered for disclosure, then this one must be placed fairly far back.

There are others of greater contemporary relevance, but a handful does not “hoarding” make.

Second, without knowing the costs of non-disclosure versus the benefits, we cannot ascertain whether the VEP is working or not.

At best, all that seems to be known at present is that some number of exploits that seem to be derived from data pilfered in 2013 and that seem to have been in use by the NSA were disclosed.

In other words, we learned a few specifics – actual vulnerabilities and exploits – but little about the bigger picture.

Which is strikingly similar to some of the disclosures made by another collector of classified information in 2013.

As to the Russian Government as Shadow Brokers thesis… my skepticism on this point abounds, but if so, that tends to tilt the scales in the direction of these particular vulnerabilities NOT being very important to adversaries – which means, had any weighing of the equities occurred in these instances, that the cost of non-disclosure may have been judged to be quite low. And we do not know what the benefits were.

Organization Names Matter • August 26, 2016 6:46 PM

It’s a SIGINT intelligence agency that collects and processes information ….what did you even think they did?
[…]
Again, it’s a freaking SIGINT agency, not a vulnerability patching workshop guys run on the weekends.

Hmm, let’s try and spell it out- N for National, S for Security, and A for Agency. It sounds a little to me like a government department (agency), whose purpose is to secure the nation. Every attitude from Schneier and commenters that you are dissing, is merely about thinking that maybe, just possibly, the NSA could make it its business to like- provide an environment the size of a nation, where it’s citizens feel they have security. All these attitudes are based in the post-Snowden observation that the actual NSA seems to be taking the steps and strategy to do exactly 180 degrees the opposite. Their tactics have in effect woven insecure-by-design into the mass communication tools of the nation they allegedly serve to secure.

FEARSOMEBOZO • August 26, 2016 8:44 PM

In which Skeptical sets the remnants of his cred on fire to convince you that the teaser dump is useless old crap. Delightfully, Skeptical does not know that you can get EXTRABACON working on any ASA out there in two minutes with nano. I just did it! It’s so simple, even Skeptical could do it!! Imagine a breach of such catastrophic import that it could transform Skeptical from a cruel joke to a cyber-threat. NSA’s public humiliation just gets funnier and funnier.

nigel portent • August 26, 2016 8:47 PM

Since US CyberCommand is, in reality, a subordinate element of NSA at Fort Meade, you are slightly inaccurate in your list of choices for Utopia.

I find it particularly humorous how individuals and governments either want to “break everything up” or “throw more money at it”. Black or white solutions, when there are so many more shadows of gray to delve into, parse, and use.

jK • August 26, 2016 9:10 PM

Interesting counterpoint, Skeptic.

But the bigger issue is the NSA does not NEED exploits, or needs them very rarely, as I said, for penetrating airgaps.

It’s third world nations who still rely on exploits as their main penetration tools… I should know.

They are just cornering the exploit black market. But then why not patch, if they’re just cornering? As I posited, they may be studying the use of exactly the exploits they know of, putting exploit use under their microscope so to say

That’s the worst part of the Snowden show: it makes the NSA looks average when in fact they are light years ahead of the competition.

Just listen: https://www.youtube.com/watch?v=VRU6Io8NA8k

And for those who like John Carpenter, his Apocalypse Trilogy is a study on epidemics. You have The Thing (the lost continent of Antarctica), the Green Cilinder who eats bad boys who don’t believe in God and the Bad Book and Bad Movie (In the Mouth of Madness) which makes people kill…

John Carpenter was a master memeticist.

gordo • August 26, 2016 9:13 PM

NSA Looks to IT Industry to Harden Vulnerable U.S. Nets
July 6, 2016 by George Leopold

The spy agency has traditionally built and certified government systems according to strict design and implementation criteria to protect sensitive and classified data. That process remains time-consuming and unable to keep up with evolving cyber threats.

http://www.enterprisetech.com/2016/07/06/nsa-looks-industry-harden-vulnerable-u-s-nets/

Articles and an org chart on the NSA’s reorganization:

http://fedscoop.com/nsa-reorganization-nsa21-august-2016

https://www.nsa.gov/news-features/initiatives/nsa21/assets/files/nsa21-org-chart.pdf

http://fortune.com/2016/02/03/nsa-reorg-combine-offense-defense/

https://fcw.com/Articles/2016/01/26/nsa-iad-lyngaas.aspx?p=1

nigel portent • August 26, 2016 9:25 PM

NSA has multiple elements, yet it is most easily defined as the National Security Agency/Central Security Service, or NSA/CSS. It is a branch subordinate element of the Department of Defense.

NSA is intelligence (NSA), and CSS is protection. They both work hand-in-hand for the U.S. government and for the citizens of the United States, regardless of what you read in the press in the past several years.

A secure country cannot exist in the 21st century digital world without a robust SIGINT collection effort to defend it, and a robust cryptologic information assurance system to protect it.

It seems that many posts talk about individual or corporate concerns. Without a larger (and silent) umbrella, your corporate entities would not exist. Chatting about personal interests and surfing concerns is very egocentric, when a democratic nation has bigger fish to fry, so you can eat your picnic in peace.

jK • August 26, 2016 9:38 PM

This is ridiculous nigel.

This post isn’t about the NSA prying open your privacy and checking out what kind of porn you’re into. It’s about the NSA making EVERYONE ELSE insecure when they hoard into exploits they don’t even use that much nowadays. If they do in fact hoard.

Nobody is questioning whether the work NSA does is essential. Schneier is just poiting out that EVERYONE ELSE is insecure when NSA hangs onto exploit. Considering they have more advanced ways to hack than ye olde school exploits… it begs the question… why the fuck would they make EVERYONE ELSE including ESSENTIAL INFRASTRUCTURE vulnerable?

Unless they were studying the wild?

But regardless your comment looks like PR drone, nigel.

Apuzzle • August 26, 2016 9:47 PM

Jesus and his Decyphers, all ate from the same table as Judas Iscariot.

We all eat from the same tables, it’s time to examine the wine we are all drunk on.

Surface Tension • August 26, 2016 10:51 PM

https://medium.com/@jeffreycarr/nsa-unit-8200-and-malware-proliferation-dd6e075ce26e

More background on various proliferation.

Clive Robinson • August 27, 2016 1:38 AM

@ Who?,

We are in a world were we have access to the most impressive knowledge and resources known by human beings since Library of Alexandria from our handhelds while we only think on ways to subvert it. Isn’t it a shame?

Yes it is, but it is also very very human. In that there will always be a few who will selfishly ruin, corrupt, and destroy things “because they can”. Some because they are compleatly stupid and any excuse will do, others not quite as stupid because they find someone to pay them to be that way, then there are those that pay others to do the destruction because they see profit in it, and have no morals or scruples about what they do. Be they politicians, bankers, MIC, IC or corporate raiders, they prey on society just like any other criminal.

Real Hacker • August 27, 2016 2:23 AM

@Allen

Hah, i know you. Havent seen you in awhile… I recommend dave gourmet scorpion hot sauce, and frequent reading of ARS. Sucks in Israel since hamas took over, i watched it unfold in a hotel bar in dc….

@above

hah, amusing to see some posters as crazy as me and know their shit, lol.

But no, the cia did not kill jfk, lol…

@topic

I say as much and have for years. Here. But… I also would point out, they have to stockpile to do their job.

So, I mean, sure, discuss, but reality is, this behavior is mandatory.

….

Clive Robinson • August 27, 2016 2:34 AM

@ Bruce,

There are probably some overly pedantic word games going on.

Yes, it would be easy to argue, that these vulnerabilities are “in active use” –or were at the time– thus they were not “stockpiled”.

Thus that 91% release/advise industry figure suddenly becomes very much smaller, under the “use it or lose it” principle.

The logic is simple, and typicaly politically weasely. You find or aquire a new “zero day”, whilst you “evaluate it” it’s not “stockpiled”, thus you eventually decide if it is of use of not. If not it becomes a disclosure candidate and still not stockpiled, whilst that process continues.

If however the zero day is of potential use, whilst you weaponise it, it is still not “stockpiled”. Once weaponised it goes into “field testing” it’s still not “stockpiled”.

You then have other decisions to make, but if you put the weapon into service it’s still not “stockpiled” because it’s “deployed”. Likewsise if you look into developing internal defenses for it, it’s back under “research” not “stockpiled”.

Thus as long as the zero day can be said to be in some program in some way no matter how slow or drawn out, that zero day is “in active use” and thus it is not “stockpiled”.

Thus I suspect the only stockpile of cyber weapons the NSA have are those so usless as not to be worth drawing anybodies attention to. Because as such even some one who was not sufficiently clever to be a “script kiddy” would call them lame…

But as we know politicians, especialy those in “oversight” are not where they are because of their technical abilities. So even the totally useless and “sub-lame” zero days have value if you give them “sexy names” like oh “Terminate Stalker” because you can tell the sworn to secrecy politicos you do have this “to dangerous to use” cyber-weapon stockpiled (neglecting to mention that the reason it’s “to dangerous to use” is it will get anyone who uses it caught quickly).

It is almost as though the standard reading material in the NSA TAO managment is not “The Art of War” but “Our Man in Havana”,

https://en.m.wikipedia.org/wiki/Our_Man_in_Havana

Who? • August 27, 2016 5:18 AM

@Roger

On the NSA offensive branch.

There is no need to use dangerous zero days. Most networks have weaknesses that can be exploited (unwanted ports open, old software releases, wrong configuration settings on firewalls, weak encryption…). There is no need for the NSA to store a collection of zero days. I am sure, TAO staff is clever. They are able to find ways into remote systems without NSA weakening standards, operating systems or tools. Rob Joyce, NAS’s TAO chief, gave an excellent talk at USENIX Enigma 2016. I agree with his points on this talk.

There are few networks really secure. This is the way to go for TAO.

V • August 27, 2016 7:57 AM

Given the data was stored by the US Government and released as a result of Government negligence (de facto) the answer to what the NSA is legally obliged to do may come in the courts.
Let’s take a simplistic view:
Person made copies of my house keys without my knowledge/permission (having conducted research into my locks intrinsic weaknesses);
person stores keys (insecurely);
thief steals keys and
a) breaks into my house or
b) knowing my locks are now worthless I buy new locks before I’m broken into.

Do I have a case against the person who made the keys?
Does the company that made the locks?

Skeptical • August 27, 2016 8:43 AM

@Fearsome: Yes, which is why I said that some have more contemporary relevance.

And as I also said, holding knowledge of a vulnerability, or a handful, is as consistent with the NSA NOT “hoarding” vulnerabilities and with the proper functioning of the VEP as it is with the negation of those claims.

@jK: I agree, but it’s difficult to weigh the value – intelligence, counterintelligence, or otherwise – of non-disclosure (I have no idea, but it seems plausible that non-disclosure could be combined with selective advisories of required practices or configurations that would mitigate risk for certain assets) against the cost without knowing a lot of information that, for obvious reasons, no government could responsibly release.

I’ve yet to see any analysis showing the number of vulnerabilities described or utilized in SB’s dump that were not public knowledge in 2013, or the number of those that have been discovered or otherwise mitigated since then.

Even that would not allow us to make a reasonable guess at questions of hoarding or whether the VEP is working well, but we’d be somewhat closer to doing so.

If the actor were the Russian Government, perhaps the dump was an attempt to complicate and thereby blunt discussion of a US response to Russian interference in the American presidential election. Such discussion in the US, which was strongly unified in theme, necessarily cast the NSA – whether intended or not – and the offensive capabilities of the USG in a positive light. As such, it was directly contrary to the objectives pursued for years by the Russian Government via various but rather similar information operations. It also provided the USG with the political cover and thereby perhaps newly viable options to seize the initiative in various ways, which the Russian Government may regard as a weakness that it is seeking to remedy.

Normally I would expect to see more such efforts as the election approaches, particularly if Clinton is perceived as especially hostile to Russian interests. But they’re in danger of being thrown if they push too hard – judo isn’t an unknown art in the US.

FEARSOMEBOZO • August 27, 2016 11:08 AM

Our own dear slow child Skeppy hastens to affirm that he did know about that gaping security breach in critical communications infrastructure, he just mendaciously tried to elide it in one of his eye-glazing generalities. And anyway, the point is, Skeppy’s down with NSA sitting on critical communications vulnerabilities until they need them for bureaucratic brownie points (like when Hillary needed to assess the strategic threat of UNICEF.)

And why not? Skeppy also thinks it’s fine that NSA sat on intercepted communications between official-cover Saudi spooks Fahad al-Thumairy and Omar al-Bayoumi; chained calls linking Saudi NOC Abdulazzi al-Hiijjii, Mohammed Atta, and Saudi princeling Esam Ghazzawi; and call chains linking, inter alia, Israeli NOCs Menachem Atzmon, Yaron Schmuel, Dominic Suter, Daniel Lewin, Dahan Eldad, and Ophir Baer.

r • August 27, 2016 6:23 PM

@Clive,

Why not? 🙂

Truth IS stranger THAN fiction, right?

Scott "SFITCS" Ferguson • August 28, 2016 8:08 AM

nigel portent

NSA has multiple elements, yet it is most easily defined as the National Security Agency/Central Security Service, or NSA/CSS. It is a branch subordinate element of the Department of Defense.

NSA is intelligence (NSA), and CSS is protection. They both work hand-in-hand for the U.S. government and for the citizens of the United States, regardless of what you read in the press in the past several years.

A secure country cannot exist in the 21st century digital world without a robust SIGINT collection effort to defend it, and a robust cryptologic information assurance system to protect it.

It seems that many posts talk about individual or corporate concerns. Without a larger (and silent) umbrella, your corporate entities would not exist. Chatting about personal interests and surfing concerns is very egocentric, when a democratic nation has bigger fish to fry, so you can eat your picnic in peace.

Even if I was a resident of the USA I’d be dangerously naive to believe your opinion is completely truthful – and anything less than the complete truth is not the truth. As a citizen of a so-called ally country (keep the USA close) I have every reason to consider the mission of the NSA is a threat to any non-USA business that competes with a USA based business.

Your biggest mendacity if forgetting to mention how much of the data processing done by the NSA is outsourced to private companies (as with the rest of Five Eyes). If you have some defence for that please present it along with some academic evidence that there is a mechanism that would prevent a company, e.g. Dell, from using that “critical national security” information to further the interests of the their share holders.

I very much doubt you convince me that private security tender information would not be of interest to senator representing, say, Blackwater, and that those senators who have influence with the NSA would not seek to exert it.

P.S. you seem to have the precedence of national security and business interests inverted, but perhaps I’ve failed to sufficiently factor in your outstanding ability to let patriotism triumph over history.

Joshua • August 28, 2016 8:12 AM

@ Sam wrote, “If all private systems in use in the States were secured from virtually all known vulnerabilitis, that would provide America a clear advantage.”

What if those “private systems” in the States were used by foreign entities who operate in the States?

I’m sorry but I just don’t buy the teaching that Americans are always looking out for other Americans, when in real life most would screw the next for menial monetary or personal gains.

Joshua • August 28, 2016 8:20 AM

@ r wrote, “Truth IS stranger THAN fiction, right?”

If by fiction you meant Lies then you are probably correct.

That, and a lot of people confuse public announcements as Truths.

Randy • August 28, 2016 10:15 AM

Wait, you still have a PIX and you are concerned about security? And you think it’s a government responsibility to find and patch the bugs in a product that hasn’t been sold in roughly 7 years? How about some responsible behavior by operators to do some basic HW lifecycle management?

r • August 28, 2016 6:03 PM

@Randy,

Just putting this out there:

Recycle what? old hardware with old software to be replaced with new hardware with legacy code running inside of it?

🙂

yoshi • August 29, 2016 10:57 AM

Interesting topic.

The article seemed alright but I think it’s a bad idea to insinuate blame regardless of whether or not having technical discusssions or ethical discussions. Insinuating blame makes it harder for people to think intellectually and interact without hostility or tension or confusion.

None of these forum discussions are occurring in a vacuum. It’s best not to exaccerbate tensions nor cause misunderstandings.

While it might not be practical to communicate in E-Prime, it might be valuable to consider thinking in E-Prime to reduce the amount of logical fallacies and assumptions. An exception to the English dialect known as E-Prime is that it is actually EXTREMELY IMPORTANT to think about EXISTENCE and to have actions that assure mutually assured SURVIVALS of multiple relationships. But one of the values of E-Prime is that it encourages thinking in ways that discourage casual assumptions.

No group is unanimous. These are my opinions of course, but I was lucky enough to have had some education and luckily I’m not 100% a fool.

Thanks for the enlightenment. This message was not written in E-Prime. Peace is not an afterthought.

Clive Robinson • August 29, 2016 11:42 AM

@ yoshi,

None of these forum discussions are occurring in a vacuum. It’s best not to exaccerbate tensions nor cause misunderstandings.

Hopefully you are being silly, because that translates to “Put your head in the sand and keep it there whilst the man gives it to you from behind…”.

Wael • August 29, 2016 11:49 AM

@Clive Robinson,

Put your head in the sand […] from behind…

Lol:) Ouch! Another expression to add to my collection. I hoard expressions 🙂

WhiskersInMenlo • August 29, 2016 2:32 PM

@Who?
@Roger

Ok, the NSA is a SIGINT agency. Fixing bugs is not their goal. That’s perfect to me.

Historically SIGINT did close flaws or deprecate codes and
ciphers.

Signal intelligence listens to both friend & foe.
Their allegiance is obviously friend.

However today we have a vast global interconnect of nations,
corporations and individuals all using virtually the
same methods.

The historic cracks in Fish, Purple and Enigma were one sided.
i.e. the US did not use these methods.

Today the internet uses a short list of methods
that inter-operate and put all at equal risk.
Not just a double edged knife but a double edge blade
where the sharp bits extend deep under the fragile(?) handle.

This global difference may be the flaw in splitting the NSA
and the source of foolish policies.

And yes all US .gov to .gov traffic should use an undisclosed
TCP/IP secured stack set Gateways would allow citizen interaction.

Arnold • August 29, 2016 8:12 PM

GOOD GOD STOP CALLING BUGS WEAPONS!!!!

It means it will become illegal to report bugs and get them fixed, due to weapons trafficking bans…

r • August 30, 2016 2:32 PM

A couple weeks ago, I saw a recent article claiming there were 4~ dozen vulnerabilities in their possession.

Maybe 1-2 months back, I haven’t been able to find out again. The gist was that 4 dozen “isn’t that much”.

Dennis • August 30, 2016 8:01 PM

@ yoshi,

While it might not be practical to communicate in E-Prime, it might be valuable to consider thinking in E-Prime to reduce the amount of logical fallacies and assumptions.

You must really hate reading newspapers and anything spouted by the AP, then.

Have fun navigating their altered reality… may the E-Prime be with you. 🙂

ab praeceptis • September 2, 2016 10:46 AM

FiguresEh

You must be uninformed. At any given point in time there is an official definition of the source of any attacks. After China it is now since quite a while Russia. (They did get one point wrong, though. It is not “some russian hackers” but it is Putin himself doing the hacking or, more precisely, some of his many clones (all of them billionaires)).

That, btw, also helps to explain why the us-american media didn’t fall for the trap to report unimportant details like the whole system and the elections being rigged but wisely focussed on the really important issue, namely that Russia has hacked the email servers. In fact, I’m certain that all those emails were, in fact, written by Putin himself but super-serious and professional as the media are, they didn’t tell us that yet because they still lack some evidence (some brain-dead lobotomized “witness” for example). Probably evil Putin used an oldstyle typewriter for those email so as to thwart the nsa defense systems.

agent rng • September 2, 2016 2:44 PM

@FiguesAte

IllumiNazi*

agent rng • September 2, 2016 11:29 PM

@FiguresAye?

I’m not big on anonymous particularly, anyways more to the point:

Since when is ignorance and complicity equivalent to innocense?

Also, links please.

agent rng • September 2, 2016 11:33 PM

@FigureEights

Also, I believe you just flattened the device tree a smidge, unless you’re considering google some sort of international hosting backbone for kernel.org you have linux and android confused.

agent rng • September 3, 2016 12:25 AM

@FiguresAye

Sometimes, but everything does happen for a reason.

agent rng • September 3, 2016 12:42 AM

@Figures,

I have a couple chrome books, nothing spectacular but I feel you mine boots off of an sdcard – that was a pain in the S.

Why /dev/random? you like depleting your entropy like your gene pool?

agent rng • September 3, 2016 12:58 AM

@FiguresOi!

The next thing I would ask myself, IF I was in your situation of course is: did you compile the replacement boot loader yourself? did you simply download it? did you confirm the source? the binary? your compiler? YOUR MEDIA?

It’s the whole chicken and the egghead problem, it’ll make your head -n 5 spin like top.

agent rng • September 3, 2016 1:24 AM

@FiguresOi!

Maybe I’m about to take a drastic step and assume that I’m 2x more secure than you being within the states, at least vs the NSA. Assuming you’re not in the United States then I suppose you don’t realize how saturated our market is with both retired and modern low end hardware like chromebooks and p3’s. Maybe you don’t realize I can just pop onto craigslist in any number of 1000 cities and pick up a foogle device for ~$50 bucks from someone hard pressed for afghani tar. Easy Peazy. You on the other hand? Do you have the luxury of sourcing cheap devices outside of western europe or china? When’s the last time a major company outside of western europe, south korea or the united states contributed back source code to the branch you’re finessing? Who’s in better shape for evasion electronically? You or me?

I might be assuming ALOT, but it’s still f00d 4 thought.

Clive Robinson • September 3, 2016 9:46 AM

@ FiguresEh,

If the rest of these guys want to sit there peddling flaws and bugs thats there prerogative and they end up making themselves look like a complete arsehole for doing it!

The reason there is quite a difference in market take up between the lesser known OS’s and the non comercial *nixs is one that is going to realy wake a few people up in the very near future.

And that is hardware support, from the CPU guts downwards. If you have a look around Micro$haft has anounced in it’s mealy mouthed way, that from now onwards they will only support CPUs and other hardware current with the latest rolling release of Win10.

Thus when the hardware you use Win8 or less on dies you will have to switch to Win10 or die yourself.

The way Micro$haft have worded it you would believe that both Intel and AMD were going to make it a Win10 only world.

Whilst that is not entirely true, there were wispers going around a little while ago that the “secret sauce” microcode and other hardware go faster info/code the likes of Intel and AMD have will only be available under “bigish money payed for” NDA. Thus any FOSS OS or Driver code will automaticaly be “crippleware”.

Oh and the idea about this Intel / AMD pay for NDA apparently surfaced at the same time as Micro$haft started it’s latest “Embrace and propriety extend” with the idea Micro$haft will “share the love of Linux”.

The best conclusion you can draw from all of this is Win10 upgrading is still going not at all well for Micro$haft, thus “balls need to be twisted” and “eyes gouged” till people become as crippled as Micro$haft wants it’s mortal enemy of *nix in any form that they do not get revenue from obliterated from the face of the earth or so marginalised it is only used in backend Industrial Control Systems.

Oh and I would expect IoT announcments soon from Micro$haft as they work out a way to “Embrace and extend with pay through the nose proprietary patented extensions”.

I guess we are heading back to the days of “What ever the question Micro$haft is in no way the answer” and “Micro$haft purveyor of the worlds worst malware” with the new “Micro$haft is the FBI Front Door, no keys golden or otherwise needed”.

Which makes me wonder when Micro$haft will make Win10 home SaS or equivalent so you have to go online every few days to download “extended telemetry” or it will grind to a halt. Also when they will make Win10 “semi-suspend” only, such that you don’t have the option of realy turning it’s snooping off.

ab praeceptis • September 3, 2016 9:52 AM

FiguresEh

Bluebottle is not written in Pascal and Pascal is not derived from Oberon.

Oberon (the language) is derived from Pascal (via Modula) and Bluebottle is an incarnation of Oberon (the OS) written in Oberon (the language).

Moreover, some of of your posts seem to follow a tendency to consider not widely used processors and OSs as more secure. That is only partly true; mostly for cost/value issues, namely the fact that it’s (usually) more attractive for attackers to study and work on attacks against widely used OSs. Should a highly attractive target become known as using, say Oberon, in production that advantage would quickly be considerably minimized.

And: while, for instance, Oberon (due to its design and properties) is indeed inherently more safe than, say, linux it is not a secure OS per se.

Somewhat similar, to show another problem class, Limbo (of Plan 9) is a language that might justifiably be considered to be an evolution of C/C++ and offers some quite interesting features, it is also an interpreted language and one that has been designed and implemented at a time when some of todays problems were not yet known.

Finally, attacks can be considered to be just attempts in the wild that should have been considered in the lab in the first place. In other words, while painful they also have a useful side. To name a concrete example, microsoft has been driven and pushed towards proper design and engineering in large part due to plenty attacks. Today microsoft throws very considerable resources at the problems beneath and revealed by the attacks.

Yes, ultracapitalism is certainly a major culprit but so is plain stupidity and carelessness both in the labs and out there at user desks. And, I’d like to add, arrogance, for instance the arrogance to think that having millions and lots of PHDs somehow magically created quality software.

There are no magic bullets. There’s just math (in all its incarnations incl. proper reasoning) hand in hand with proper engineering, and there’s crap (possibly very nicely painted crap with cute blinkenlights but still crap).

agent rng • September 3, 2016 2:25 PM

@Figures,

Maybe this is an idealistic stance to be making, you’re right about the 1970’s structural developments of 9p and plan9 I’m not refuting that. What I am refuting is that anyone developing a homogenous exa scale cluster is going to be using OpenSSL for the interconnects. What you are simplifying is both the kernel and the interconnect, why do you think microkernels have been studied and fleshed out for so long? Yes large super computers some of them have a unix front end amid others, some of them are also running close to the metal work loads that preclude monolithic exercises in futility. If you want non-homogenous workloads go setup a botnet and worry about your SSL interconnect or run SETI@HOME.

There’s no reason large clusters are as dangerously reliant on that technology as you paint them. If properly interfaced and networked you can remove whole chunks of problematic slime trails left by interference. Now, as for the rest of us? Yes reliance on other’s codebases is dangerous, have you even tried developing your own OS or your own stdlib replacement? You’re still parroting other people’s code, as much are alot of us.

agent rng • September 3, 2016 2:32 PM

@Figures,

Is that an exact qoute?

If it is you should really look at it, if all you heard was blah blah blah you’re a fool. It proves coercion, it proves complicity (or a lack there-of depending on how it’s painted). You want us (the west) to give you a replacement to our own Operating Systems and Open Source constructs? Something that we haven’t touched? Something you can trust? WTF are you smoking? GET CODING WANKER, and don’t forget to build and test your a) own compiler, b) OS, c) stdlib, d) hardware, e) manuals & documentation

You’re complaining about the color of the rug you stand on in someone elses house, if our dogs are your problem GET OUT. 🙂

agent rng • September 3, 2016 2:43 PM

@Figures,

Here, I’ll offer my apologies for calling you a wanker wanker. Don’t you think that we’re upset too? The people on this site discuss the problems at hand, operating systems, encryption, implementation, secure coding, proofs and proof-ability. Clive talks about keeping magnetic media around so he can dd per sector output for differential comparison. We’re all concerned, you’re just mad you don’t have an environment you can trust – none of us do. I understand that, do you? This is the human rights aspect of it. You can’t however expect anyone to sell you a gun and them ask or expect you not to shoot them with it. If the internet didn’t lower the bar for terrorists and doomcoughs then maybe we’d have those secure solutions. You should thank god banks can make mistakes, if you have a problem with them go put their nose to the grindstone on swift and pray you’re far enough ahead of the curve to not get hidentified or phingered. But, maybe that’s the proof – maybe you’re here for humanity and not for yourself. I didn’t trust Ma Bell in the 80’s why the hell should the rest of us? You speak of plan9 but haven’t mentioned inferno. Are you a parrot who’s been spooked or someone with an arms to raise in class out of concern?

agent rng • September 3, 2016 2:44 PM

Magnetic media connected to an ISA bus*

agent rng • September 3, 2016 2:56 PM

@FiguresEh,

Alright then, I’ll make one final point.

Anyone anywhere with any sense isn’t going to trust (knowing the current environment) any developments at or near the public space. In my opinion, even developments like whonix (which are done partly in the dark) there exist questions of trust. But we have to factor in the dangers of development in the light in light of current not-so-best practices.

ab praeceptis • September 3, 2016 3:07 PM

FiguresEh

To make it short (and, yes, bloody): One may lament all day long but one should know well, what one is lamenting about and one should recognize that only working enhances the situation, not lamenting.

Yes, we need new OS’s – plus – a reasonable set of libraries along. To build that we need better tools. And a solid understanding of what we want to build, why we want to build it and how to build it, using which carefully chosen algorithms. Which translates to lots of knowledge of the theoretical underpinnings plus lots of hands on experience.

What do you bring to the table?

Talking about how languages, OSs, and compilers are so bad only goes so far. Do you know how to build a compiler? or even a good parser? Do you know how to wisely choose from all the variants and features? Classes, yes or no? And if yes, how? Maybe functional? If so, why and how? Or let’s look at “simple” things like control structures; is “for e in s” a good thing to have or not? And then the ugly and dark corners like memory; how to actually construct a mechanism that allows to really seperate and control access? Or formal spec; which tool do you suggest and why? And how to bring some of that work into the code to allow the compiler to make use of all that information? How to analyze, let alone formally check the code? Any sensible and well informed suggestions?

That’s not weirdo experts stuff. That’s the bloody innards of how to answer questions like how to actually build more safe, reliable and secure systems.

A handful of people capable to work on those answers weighs a lot more than a thousand “oh, everything is so bad and evil, too!” lamenters.

agent rng • September 3, 2016 4:05 PM

@Figures,

IF you can reverse engineer you can do whatever the hell you want to whatever you want, alot people get all bent out of shape when you eyeball their stuff – but it’s no different than a Mason walking into a house seeing that something’s off with the floor and realizing the entire western wall is caving in. Most people don’t think anything at all about that tree or gutter right outside their basement window pushing that wall in over 20 years time. Not a single thought, those same people when something breaks will toss out completely workable components and go out and immediately buy new. It’s a sad state of affairs but vultures stand to do very well with all of these carcasses thrown to the curb (gpl,bsd,mit,etc). We reverse engineer eveything with our eyes, we reverse engineer each other with our ears. I can’t implement quality cryptography myself, but I can splendidly walk through somebody elses and maybe pad an sbox here or there… Does that make it more secure? Likely not as I don’t fully comprehend what I’m modifying, cryptographers are the ultimate in the r/e field. They’re like a sniper on a foggy morning shooting you with a 1940’s rifle at 1000meters. I listen to their recommendations, or try to. I try to listen to every argument of computing and maybe I’m (more than) a little irritating but there’s “a reason for everything” like you said. We just have to keep our &10i up and listening to discern the signal to noise @ratio.

There’s good even in bad, we learn what not to do.

agent rng • September 3, 2016 4:09 PM

Did you try to figure out 1×0123’s twitter post[s]?

agent rng • September 3, 2016 4:17 PM

@Figures,

Yet your gentle push could lead someone down the problematic route of the (big smile, wait for it) the notoriously backdoored stunnel.

I’ll ask you the same thing I asked someone else: are you trying to cause a stampede?

agent rng • September 3, 2016 4:27 PM

@ShadowyFiguresEh,

What are you on Shore Leave?

agent rng • September 3, 2016 4:29 PM

Maybe you’re on Shore’s leaf, hrm?

agent rng • September 3, 2016 4:42 PM

@ShadowyFigure,

Please remember, if you have a security clearance I don’t believe you’re technically allowed to look at the contents if you actually gain possession of the zip.

Otherwise, enjoy and glad to be of minor fun/service.

Gerard van Vooren • September 3, 2016 4:51 PM

@ ab praeceptis,

“Talking about how languages, OSs, and compilers are so bad only goes so far. Do you know how to build a compiler? or even a good parser? Do you know how to wisely choose from all the variants and features? Classes, yes or no? And if yes, how? Maybe functional? If so, why and how? Or let’s look at “simple” things like control structures; is “for e in s” a good thing to have or not? And then the ugly and dark corners like memory; how to actually construct a mechanism that allows to really seperate and control access? Or formal spec; which tool do you suggest and why? And how to bring some of that work into the code to allow the compiler to make use of all that information? How to analyze, let alone formally check the code? Any sensible and well informed suggestions?”

What are your own answers to your questions? I think you have thought about these for a long time. And let me introduce some questions of my own. How do you make sure your own ideas don’t end up being “the next dead PL” and “the next dead OS”? Besides proper tools you need finance, advocates, papers, university support, cooperation, opinionated leaders with experience. I think that with a proper business case you can get a proper grant from the EU or EU nation states but you really need to have a serious case (think about the pqcrypto eu project for instance) but for developing a general purpose OS you need a lot more (think about compatibility, drivers, the networking stack).

Gerard van Vooren • September 3, 2016 5:21 PM

@ ab praeceptis,

I forgot 2 things: GUI (probably THE hardest thing to do) and how do you prevent corporate and political influence? Cory Doctorow wrote about this and that is, I am quite sure, very important when a project matures.

ab praeceptis • September 3, 2016 6:10 PM

Gerard van Vooren

Intelligent and knowledgeable questions and ones that point at a very major problem I like to call the frame problem.

Besides proper tools you need finance, advocates, papers, university support, cooperation, opinionated leaders with experience [+ the grants issue]

With all due respect I think, that this point of view is actually part of the problem. I know, those are important points to consider when going the usual routes. At the same time though they create trouble. Short version: Too many people, too many interests, too many compromises, too many wrong perspectives.
Btw: The “fun” perspective also doesn#t carry far.

Moreover, god didn’t create the world in one day and certainly humans must not create a proper IT universe in a day. Extending somewhat what I daid to FigureEh, 1 single existing good tool is gigantically better than none.

Having, for instance, a good language and compiler allowing to properly design and create software (and a good toolchain) is a step that then allows to create more (libs, OS, …).

Also: A PL is dead if noone uses it and if noone builds non-trivial programs with it. “dead” is not gefined by “not having a million users” or by “not being widely known all over the planet”.

As for the gui, yuck, there you put your finger into another wound. I personally think that that would be very desirable but at the same time I don’t care about it. First we need a solid basis, namely a language that a) forces one and b) makes it comfortable to write good code. Next come libs and an OS, maybe even “just” a reimplementation.

As for the answers to my questions … patience, sir, patience. Currently my professional workload is too big, so I’m limited to reasoning, tinkering, occasional model spec and verification and putting the outcome into paper drafts and formal specs. Quite soon though, I’ll be in an easier position.

Know what I find amazing again and again? 95% of what’s needed (in terms of knowledge, math, mechanisms) is out there since many, many years and the people having produce it usually have white hair.

Nick P • September 3, 2016 7:28 PM

@ ab praeceptis

“What are your own answers to your questions?” (Gerard van Vooren)

“As for the answers to my questions … patience, sir, patience. Currently my professional workload is too big, so I’m limited to reasoning, tinkering, occasional model spec and verification and putting the outcome into paper drafts and formal specs. Quite soon though, I’ll be in an easier position.” (ab praeceptis)

Oh, I disagree. Your comment size was over 300 words. Typical of many you’ve written here that collectively could fill a book. I’ve seen books and articles teaching how to use formal methods for compilers, the B method for railways, optimized SQL, secure-coded C, etc that are shorter than your total here. I’m sure you could answer specific questions like Gerard or I have with the amount of time you put in here. I also know that it takes little time to summarize and explain something if it’s something you understand well. That’s a huge chunk of my own posts here and on Hacker News. It would be well-spent if you’re an experienced engineer in development and formal verification. Instead, you put that time into a bunch of common statements about the industry and dismissals of other comments’ points. You did that in our conversation, too, with the main, actionable thing you said being a B tool you used.

It’s strange to me that you have no time to give brief, specific answers to questions you yourself ask other commenters but can write volumes on generalities about software and other comments you don’t agree with. Here, readers give most respect to those offering specific information that improves our knowledge of security, software, law, etc. Or tools that similarly benefit them. As with Gerard, I’m interested in knowing your answers to and justifications for those questions if you’re a professional, systems engineer. Rather than spending more time, I suggest just using the copious time you have been spending for those recommendations or lessons instead of dismissals or common knowledge. The impact of your comments on readers will increase if you do.

ab praeceptis • September 3, 2016 8:47 PM

Nick P

You obviously didn’t get me. My “patience” remark was hinting to something much better and more tangible as a verbal response.

…summarize and explain something if it’s something you understand well. That’s a huge chunk of my own posts here…

If that is how you perceive yourself, great.

It would be well-spent … … according to Nick P’s judgement. Which is fine as long as he judges himself or maybe subalternates. As for myself I don’t need your rules or criteria, thank you.

Instead, you put that time into a bunch of common statements about the industry and dismissals of other comments’ points.

That may indeed be one way to see it – among others. Else, you see, different people, different preferences. You like to mention 1.000 papers about 100 things while I have different preferences (said neutrally).

…main, actionable thing you said being a B tool you used

a) that’s not true (1 counter example: I also mentioned promela)
b) “actionable items” are 1 measure – among others. And you are certainly not setting my measures.
c) That’s unfair. Given the massive experience your posts seem to suggest you should know well that not everyone is free to speak about concrete items as he pleases.

I’m interested in knowing your answers to and justifications for those questions

Your post strongly suggests otherwise (and certainly doesn’t invite me to generously share).

The impact of your comments on readers will increase if you do.

… says Nick P (and again assumes that his criteria are the relevant ones for all professionals (and blabberers like myself as you seem to see me)).

Btw: My series of questions wasn’t meant to be answered (by the addressed person) but to make clear how difficult and complex it is to create what he postulated (albeit indirectly) and to help understand some of the questions and problems involved. Concrete example: I spent weaks to reason about control structures. Looks so simple but isn’t with a set of partly complex and sometimes even constradicting criteria (not exactly funny creating something that feels useable, even convenient yet has solid mathematical underpinnings and rigorousness)

Finally, just in case you happened to actually have any interest in the thinking and perspectives of others. You are someone who seems to read 1.000 papers (said neutrally, without any negative undertones) and who like to share some (or many) of them along with some remarks. I’m someone who has been focussed largely on one area for years and years and has put lots of efforts into it. That’s a major difference that naturally brings different attitudes with it.

layer7limit • September 3, 2016 9:10 PM

Assume for a moment that 100% assurance is possible at the 0th layer (I know, I know, it’s a hypothetical). Then, ignore layers 8+ and what do you have left?

@ab praeceptis

I offer a simple rhetorical question to you:

How do you define politics?

Nick P • September 3, 2016 9:18 PM

@ ab

“You obviously didn’t get me. My “patience” remark was hinting to something much better and more tangible as a verbal response.”

I read it. It was unclear if you intended that or were just avoiding specific answers again. We may see them eventually with your clarification. Meanwhile, I’m betting on more posts like I responded to.

“I’m someone who has been focussed largely on one area for years and years and has put lots of efforts into it. That’s a major difference that naturally brings different attitudes with it. ”

I run into such people all the time here, on HN, on SO, and so on. They usually answer questions like Gerard asked off the top of their head. Many of their posts have similar information content when they reference specifics due to the fact that they spend so much time working with them. They also almost always elaborate on request even time-constrained because it’s so easy given their years of specialization. You repeatedly avoid such answers despite quite a few asking from many different backgrounds. You also write volumes indicating you had the time and energy for the answers. What’s left is a personal preference to write a whole lot, including critiques of all kinds of things, without answering resulting questions relating to what you’re critiquing or claiming to know.

And, no, I don’t expect you to share confidential information when asked basic questions about languages or formal methods. It wasn’t necessary for most academics or industry professionals writing on these subjects even in brief posts. They were still more specific or addressed what they could in a given time frame. They didn’t create a thread then dodge or sweep away almost everything in it using similar time as providing some answers. That negates ability of a discussion to teach people things.

ab praeceptis • September 3, 2016 9:58 PM

Funny, I knew that my politeness to answer your post would be wasted and that you would simply ignore and pass over anything showing you wrong.

Whatever. Feel by all means free to consider me an incompetent blabberer. One thing, however, you should have learned by now: I don’t care about your rank here, and you will not impose any rules or criteria on me.

ab praeceptis • September 3, 2016 10:43 PM

layer7limit

How do you define politics?

In which context?

AP-PR • September 3, 2016 11:43 PM

In the context of:

Feel free to talk about whatever you like. I, however, take this to be an IT/security related place and intend to stay away from politics here.

Again, I'm not here for politics.

Due to my self-imposed rule of avoiding politics as far as any possible, I can't respond to all of your (not consistently fair) statements.

and the rest of your words

ab praeceptis • September 4, 2016 12:10 AM

AP-PR

Well, in that context there are/have been plenty posts here in this thread that have at least considerable political connotations.

While I’m personally not disturbed by them, posts, for instance, about low payment work are of a political nature in my mind.

Eliza • September 4, 2016 12:38 AM

Hmmm, that is interesting.

So you would like to know more in regards to the personal distancing of yourself from payment for policy?

Please tell me more about that which disturbs your slumber!

r / agent rng • September 4, 2016 12:58 PM

@Moderator,

I made another transitive(?) slip in the 2nd to last sentance.

It should read ‘your’ instead of ‘his’.

r / agent rng • September 4, 2016 1:13 PM

@FiguresEh,

Trolls have a right to an opinion also, they do not however have the right to violate potentially unprepared members of society and the public’s privacy and solace in their identities surreptitiously.

I summarized to avoid that specific scenario, and I informed you of recent events involving me. I have no doubt that just adding water to your remains will spout another replacement, I was merely being friendly.

ab praeceptis • September 4, 2016 2:51 PM

r / agent rng (and some others, it seems)

I don’t know what drives you and what this is all about. But I can see that you create considerable harm and damage.

I, for instance, don’t like the withhunt against Russia and so I occasionally mention it or make a joke about it. – which, so it seems, made some people think that I’m a part of some kind of troll operation.

Thanks to your gross disrespect for the rules and the people here now the waters are poisoned. And there are people (e.g. myself) on some kind of black list and stigmatized on pastebin. Unless you are the KKK or alike that can hardly have been your intention.

I’m particularly angry because I do not play name games. Which means that I have to either leave or to continue with a tarnished reputation and mistrust against myself.

I hope you are happy with what you’ve created. And it should be lots of happiness to balance all the problems you’ve created.

Moderator • September 5, 2016 8:32 AM

User FiguresEh/UnixSysOp are permanently banned, and all of his/her comments have been deleted.

Nick P • September 5, 2016 9:18 AM

@ Moderator

Appreciate the intervention. Place is looking so much better already. 🙂

Schneier on Security

The NSA Is Hoarding Vulnerabilities

Comments

Leave a comment Cancel reply