I want to preface this message with a disclaimer: I am in no way defending the actions of the NSA. I am merely attempting an analysis of their motivations and their MO.

In [1], Joel Brenner says, "There is in all the intelligence agencies a tension between doing offense better and doing defense better" ...and, "but unless you think 0days are finite".

OK, let's talk about this issue for a moment.

- In the CTF world, it has been widely accepted that given a red team and a blue team of equal abilities, the red team always wins.
- Academics say there is no way to create provably secure software.
- Developers have a phrase: "there is no such thing as bug-free software."
- CISOs are using the term "risk" to describe pen test findings: a recognition that pen tests have become a measure of the risk that someone will find an exploitable flaw.

Suppose that the NSA gave up on securing software because they view it as impossible. In fact, we know they view it as impossible because they have called it a Sisyphean task. If there are diminishing returns from reporting software vulnerabilities to the vendor, then doing so is a losing battle.

I hear people say that the NSA undermines the security of software by not releasing the vulnerabilities, but we know that historically companies have been very bad at actually fixing the vulnerabilities they are given. In some cases, a new product is released before a vulnerability is even looked into, thus rendering the effort useless.

So, is defense dead? Is that an accepted fact these days? If offense is a type of defense, is the NSA perhaps aiming to use 0day for their offensive capabilities to effect a kind of defense? How would they accomplish this?

Have any of you been to the Berlin Unterwelten? It is a tour of revision after revision of nuclear bomb shelters that could never possibly save the population they were tasked with saving. We are living in an age where there is an entire set of strategies that deal with war in a world with weapons so strong that no walls can possibly defend against them.

Although the reach of nuclear weapons has historically been greater than that of so-called "cyber" weapons, that is changing. Despite the very many warnings from the infosec industry, that is changing. (Sometimes I think my Home Invasion 2.0 talk fell on deaf ears, because smart home appliances are proliferating.) And in the future of smart homes, smart cities, even smart bodies, when everything is internet-connected, everyone is vulnerable. Imagine cities that can be invaded without physical armies.

If you were the NSA, and you believed these things to be true, what would you be doing?

-Jen

References

1. https://www.youtube.com/watch?v=H33r2weM6Zc