Journalists writing up the VEP plan today: the most important revelation was an enormous loophole permitting digital arms brokers to exempt (via routine NDAs used when proliferating bugs to >1 buyer) critical flaws in US infrastructure from disclosure, no matter the cost to our security.
-
You may be misreading my contention as "NSA doesn't comply with the VEP." My argument (see original tweets) is that the VEP is broken.
-
I see; that's a valid point and I don't disagree with it. I'm not saying "I agree", either, because, honestly, I don't see how it can be improved. We can't know in advance which vulns will be stolen and published, and we can't realistically expect powerful vulns not to be kept.
-
The most conservative solution is a strict limit on length of retention: if it's older than 90 days (some argue 180), it's time to roll over to a new vuln and patch the previous. When replacements can no longer be produced, that's not a loss; it means defense has finally matured.
-
So NSA would mass exploit all of their targets within 90 days and then "throw away" the vulnerability? That would encourage them to infect targets massively, which isn't a good option either. What do you think about that?
-
Exploits aren't necessary for every target every 90 days, only for installing the original implant. Implants survive long after the exploit is dead. And don't forget NSA has far more than 1 exploit at any given time.
-
Everybody, even the exploit broker (who gets to sell more bugs), benefits from a faster turnover. When lazy RCEs become too hard, offense simply returns to traditional mechanisms (social, proximity, supply chain, human compromise) that never stopped working.
-
And the idea that NSA judiciously limits the scope of targets is simply not persuasive on the evidence: we had something close to 200,000 implants active on just the systems I could see. FBI routinely does 8000+ in one go: https://motherboard.vice.com/en_us/article/53d4n8/fbi-hacked-over-8000-computers-in-120-countries-based-on-one-warrant
New conversation
-
Again, I agree with you on these points. But the vulnerability was very powerful, so they retained it - exactly according to what VEP permits. And once it was out, they disclosed it - again following VEP. They couldn't know in advance that it would be stolen and published.
-
See https://twitter.com/Snowden/status/930850061256359936. I don't think we have a disagreement; what you're saying is what I'm arguing is *exactly the problem.* The problem isn't the X weeks of warning. That's great. The problem was the Y years of silence.
End of conversation
New conversation
-
Uncle Sam only cares about profits nowadays I guess in Amerika.