Journalists writing up the VEP plan today: most important revelation was enormous loophole permitting digital arms brokers to exempt (via routine NDAs used when proliferating bugs to >1 buyer) critical flaws in US infrastructure from disclosure no matter the cost to our security.
-
-
I understand your point, and I agree that this would be a preferable scenario. But what I am saying is that as soon as the vulnerability was known to have been leaked, the NSA disclosed it responsibly - exactly according to the VEP process.
-
You can say that the VEP process has flaws - but you can't blame the NSA for not following it in this case.
-
Respectfully, I disagree. That policy permits a thing does not by itself establish its propriety. NSA willfully concealed a catastrophic vulnerability for *years* -- in a manner demonstrably harmful to general welfare. They focused on what they *could* do rather than *should* do.
-
You may be misreading my contention as "NSA doesn't comply with the VEP." My argument (see original tweets) is that the VEP is broken.
-
I see; that's a valid point and I don't disagree with it. I'm not saying "I agree", either, because, honestly, I don't see how it can be improved. We can't know in advance which vulns will be stolen and published, and we can't realistically expect powerful vulns not to be kept.
-
The most conservative solution is a strict limit on length of retention: if it's older than 90 days (some argue 180), it's time to roll over to a new vuln and patch the previous. When replacements can no longer be produced, that's not a loss; it means defense has finally matured.
-
So NSA would mass exploit all of their targets within 90 days and then "throw" away the vulnerability? That would encourage them to massively infect targets, which isn't a good option either. What do you think about that?
-
Exploits aren't necessary for every target every 90 days, only for installing the original implant. Implants survive long after the exploit is dead. And don't forget NSA has far more than 1 exploit at any given time.