Journalists writing up the VEP plan today: most important revelation was enormous loophole permitting digital arms brokers to exempt (via routine NDAs used when proliferating bugs to >1 buyer) critical flaws in US infrastructure from disclosure no matter the cost to our security.
The percentage of vulnerabilities the government discloses to vendors is largely PR: The public harm of maintaining 10 high severity flaws far outweighs the benefit of disclosing 90 low severity ones. We need to know the severity of disclosed vulnerabilities, not just the number.
That government is finally opening up about the Vulnerabilities Equities Process is positive, but Joyce's refusal to acknowledge, confront, and discuss remediating the problems highlighted by NSA's ETERNAL suite knocking out US & UK hospitals shows we have a long way to go.
Replying to @Snowden
Uhm, by the time these hospitals were hit, the NSA had (allegedly) informed Microsoft about the vulnerabilities and Microsoft had (definitely) issued patches for them.
Replying to @VessOnSecurity @Snowden
You can blame the NSA for letting their shit get stolen, or The Shadowbrokers for releasing it to the public, or the hospitals for not patching - but not the NSA for not disclosing responsibly.
Replying to @VessOnSecurity
Be serious. That's only true if you presume the only appropriate time for disclosure is when your bugs are literally advertised on the internet by the Shadowbrokers. Take a look at the age of the exploits, then contrast it to the age of the disclosure.
Replying to @Snowden
I understand your point, and I agree that this would be a preferable scenario. But what I am saying is that as soon as the vulnerability was known to have been leaked, the NSA disclosed it responsibly - exactly according to the VEP process.
Replying to @VessOnSecurity @Snowden
You can say that the VEP process has flaws - but you can't blame the NSA for not following it in this case.
Replying to @VessOnSecurity
Respectfully, I disagree. That policy permits a thing does not by itself establish its propriety. NSA willfully concealed a catastrophic vulnerability for *years* -- in a manner demonstrably harmful to general welfare. They focused on what they *could* do rather than *should* do.
Replying to @Snowden
Again, I agree with you on these points. But the vulnerability was very powerful, so they retained it - exactly according to what VEP permits. And once it was out, they disclosed it - again following VEP. They couldn't know in advance that it would be stolen and published.
See https://twitter.com/Snowden/status/930850061256359936. I don't think we have a disagreement; what you're saying is what I'm arguing is *exactly the problem.* The problem isn't the X weeks of warning. That's great. The problem was the Y years of silence.