A signals intelligence agency, holding on to undisclosed bugs that let it gather signals intelligence? Inconceivable.
This is nuanced. The NSA intends to gather intelligence, but also to prevent the gathering of intelligence by other intelligence agencies. It sounds like there’s a tension between leaving yourself at risk and keeping your enemies at risk. The question becomes whether the NSA does its job better when it gathers almost no intelligence with these kinds of exploits but also protects America from them by disclosing them, or by gathering lots of intelligence but leaving America at risk by not disclosing them, or through a mix of disclosure and non-disclosure. A mix is probably going to be the right answer, but negotiating where that line in the sand should be is a potentially scary matter to leave in the hands of the NSA, but also must necessarily be left there, since disclosing which zero-days it has would itself be a tool for both folks to protect themselves against, or for other actors to use against it.
I don’t know if there’s a good solution here. I guess we have to really hope that we’ve set up incentives correctly for the NSA.
Makes me wonder - what do the NSA do when they have a zero day that affects their own infrastructure? They want to hoard it for their own purposes but at the same time they leave themselves vulnerable because they don’t share with the vendor. Or do they have deals with vendors that give them source access (a lot of vendors will do that for government contracts - eg, it used to be possible to get access to the Windows source like that), allowing them to develop their own patches? Just a thought…
Patching at the binary level is an option. It may not be “easy” but the NSA presumably has plenty of people who would be more than good enough at the requisite skills, given that they exploit memory corruptions and drop altered firmware, etc.
DARPA’s “cyber challenges” have involved giving teams a bunch of vulnerable binaries and a period of time to study them for exploits + patch those exploits, then a period of time where teams do live offense and defense, each running their patched binaries on machines on a network, each trying to break into the machines.
I thought of that, but then they’re running the risk of breaking key infrastructure if the patch introduces further bugs (not to mention they won’t get vendor support with custom firmware and if they can’t rely on vendor support they might as well roll their own from commodity hardware and open source they support themselves?).
A silly question perhaps, but I’m curious about the practical aspects of how they manage their infrastructure.
If you’d like to get a tiny little flavor for what exploiting memory corruption bugs is like and thus some feel for what might be involved in patching one, microcorruption.com is fun.
I doubt any NSA employees will be doing a reddit AMA about their infrastructure management any time soon. :)
That is hard/impossible for hardware that has signed firmware. No idea what sort of percentage of business networking hardware that would be or what percentage of the NSA/government’s hardware that includes.
Avoid exposing vulnerable systems? If it’s something like the Cisco bug, it shouldn’t be exposed to a public net. Or monitor carefully? A lot of their toolbox seems to revolve around persistence (apt get pwn). Perhaps there’s a different disclosure timeline there. If it’s the break in exploit, use it and disclose. If it’s the persistence exploit, keep it forever.
I think a grace period could work well, compulsory disclosure of all bugs to the companies after a set period of say 3-6 months. It may be tricky to find a grace period that the NSA, Cisco and customers are happy with though.
In particular, you’ve got one Cisco exploit. It “expires” after six months and you disclose it. Now what do you do?
You could cry, wail, and wallow in despair for a while. You could attempt to find another Cisco exploit. You might just opt to try to find another way in, and perhaps Cisco isn’t that vital to you at this time (why did you have only one exploit anyway?). You could attempt to purchase another exploit if somebody is offering one. You might start a smear campaign against Cisco, get people to stop using what actually works well. Or you could put in an exception, if you only have less than n exploits, they don’t expire until you up your exploit numbers to what’s considered to be a “reasonable amount”.
Guessing they prefer options closer to the end of the list.
You pat yourself on the back for hacking into a few overseas government agencies to spy on their citizens (legally and for both government’s benefit you then exchange data later if within the five eyes), and for disclosing a bug within a reasonable timeframe to protect your citizens :)