You can say that the VEP process has flaws - but you can't blame the NSA for not following it in this case.
Replying to @VessOnSecurity
Respectfully, I disagree. That policy permits a thing does not by itself establish its propriety. NSA willfully concealed a catastrophic vulnerability for *years* -- in a manner demonstrably harmful to general welfare. They focused on what they *could* do rather than *should* do.
3 replies 9 retweets 41 likes -
Replying to @Snowden @VessOnSecurity
You may be misreading my contention as "NSA doesn't comply with the VEP." My argument (see original tweets) is that the VEP is broken.
1 reply 6 retweets 19 likes -
Replying to @Snowden
I see; that's a valid point and I don't disagree with it. I'm not saying "I agree", either, because, honestly, I don't see how it can be improved. We can't know in advance which vulns will be stolen and published, and we can't realistically expect powerful vulns not to be kept.
2 replies 2 retweets 7 likes -
Replying to @VessOnSecurity
The most conservative solution is a strict limit on length of retention: if it's older than 90 days (some argue 180), it's time to roll over to a new vuln and patch the previous. When replacements can no longer be produced, that's not a loss; it means defense has finally matured.
1 reply 11 retweets 21 likes -
Replying to @Snowden @VessOnSecurity
So NSA would mass exploit all of their targets within 90 days and then "throw" away the vulnerability? That would encourage them to massively infect targets, which isn't a good option either. What do you think about that?
3 replies 2 retweets 15 likes -
Replying to @x0rz @VessOnSecurity
Exploits aren't necessary for every target every 90 days, only for installing the original implant. Implants survive long after the exploit is dead. And don't forget NSA has far more than 1 exploit at any given time.
3 replies 11 retweets 27 likes -
+1 whenever we're on a gig and we breach the perimeter, at some point we steal creds, and we end up moving around with stolen creds and exploits/hacks/etc aren't needed anymore. I can't imagine similar tradecraft isn't employed.
3 replies 0 retweets 2 likes -
I can see why: 1) Initial access is hard; 2) Some operators may be lazy/unskilled. Of course they will do whatever they can to use *anything* but a 0day, so low risk techniques are employed (credential reuse, etc.), but if you want to go fast and deep, 0day is def your friend :-)
1 reply 2 retweets 3 likes -
No doubt! All I'm saying is that once you're in, you're in. The 0day has done its duty.
2 replies 1 retweet 4 likes
Yeah, can't speak for ROC, but NTOC had entire internal sites exclusively dedicated to storing notes on ops, tokens, credentials, etc we stole from our actors over time. For better or worse, NSA never forgets.
yeah - so it's reasonable to accept that you don't have to sit on a 10 year old 0day, especially if it's already served its purpose :D
0 replies 0 retweets 2 likes