Be serious. That's only true if you presume the only appropriate time for disclosure is when your bugs are literally advertised on the internet by the Shadowbrokers. Take a look at the age of the exploits, then contrast it to the age of the disclosure.
Replying to @Snowden
I understand your point, and I agree that this would be a preferable scenario. But what I am saying is that as soon as the vulnerability was known to have been leaked, the NSA disclosed it responsibly - exactly according to the VEP process.
1 reply 1 retweet 8 likes
Replying to @VessOnSecurity @Snowden
You can say that the VEP process has flaws - but you can't blame the NSA for not following it in this case.
9 replies 1 retweet 6 likes
Replying to @VessOnSecurity
Respectfully, I disagree. That a policy permits a thing does not by itself establish its propriety. NSA willfully concealed a catastrophic vulnerability for *years* -- in a manner demonstrably harmful to general welfare. They focused on what they *could* do rather than *should* do.
3 replies 9 retweets 41 likes
Replying to @Snowden @VessOnSecurity
You may be misreading my contention as "NSA doesn't comply with the VEP." My argument (see original tweets) is that the VEP is broken.
1 reply 6 retweets 19 likes
Replying to @Snowden
I see; that's a valid point and I don't disagree with it. I'm not saying "I agree", either, because, honestly, I don't see how it can be improved. We can't know in advance which vulns will be stolen and published, and we can't realistically expect powerful vulns not to be kept.
2 replies 2 retweets 7 likes
Replying to @VessOnSecurity
The most conservative solution is a strict limit on length of retention: if it's older than 90 days (some argue 180), it's time to roll over to a new vuln and patch the previous. When replacements can no longer be produced, that's not a loss; it means defense has finally matured.
1 reply 11 retweets 21 likes
Replying to @Snowden @VessOnSecurity
So NSA would mass exploit all of their targets within 90 days and then "throw" away the vulnerability? That would encourage them to massively infect targets, which isn't a good option either. What do you think about that?
3 replies 2 retweets 15 likes
Replying to @x0rz @VessOnSecurity
Exploits aren't necessary for every target every 90 days, only for installing the original implant. Implants survive long after the exploit is dead. And don't forget NSA has far more than 1 exploit at any given time.
3 replies 11 retweets 27 likes
Everybody, even the exploit brokers (who get to sell more bugs), benefits from a faster turnover. When lazy RCEs become too hard, offense simply returns to traditional mechanisms (social, proximity, supply chain, human compromise) that never stopped working.
3 replies 10 retweets 24 likes
And the idea that NSA judiciously limits the scope of targets is simply not persuasive on the evidence: we had something close to 200,000 implants active on just the systems I could see. FBI routinely does 8000+ in one go: https://motherboard.vice.com/en_us/article/53d4n8/fbi-hacked-over-8000-computers-in-120-countries-based-on-one-warrant
Fascinating discussion.
0 replies 0 retweets 0 likes