Inferring the NSA's MO from a short clip of Joel Brenner on BBC
I want to preface this message with a disclaimer: I am in no way defending the actions of the NSA. I am merely attempting analysis of their motivations and their MO.

https://www.youtube.com/watch?v=H33r2weM6Zc

Joel Brenner says, "There is in all the intelligence agencies a tension between doing offense better and doing defense better" ...and, "but unless you think 0days are finite"

Ok let's talk about this issue for a moment.

- In the CTF world, it has been widely accepted that given a red team and a blue team of equal abilities, the red team always wins.
- Academics say there is no way to create provably secure software.
- Developers have a phrase, "there is no such thing as bug free software."
- CISOs are using the term "risk" to describe pen test findings: a recognition that pen tests have become a measure of the risk that someone will find an exploitable flaw.

Suppose that the NSA gave up on securing software because they view it as impossible. In fact, we know they view it as impossible because they have called it a Sisyphean Task. If there are diminishing returns from reporting software vulnerabilities to the vendor, then doing so is a losing battle. I hear people say that the NSA undermines the security of software by not releasing the vulnerabilities, but we know that historically companies have been very bad at actually fixing the vulnerabilities they are given. In some cases, a new product is released before a vulnerability is even looked into, thus rendering the effort useless.

So, is defense dead? Is that an accepted fact these days? If offense is a type of defense, is the NSA perhaps aiming to use 0day for their offensive capabilities to effect a kind of defense? How would they accomplish this?

Have any of you been to the Berlin Unterwelten? It is a tour of revision after revision of nuclear bomb shelters that could never possibly save the population they are tasked with saving.

We are living in an age where there is an entire set of strategies that deal with war in a world with weapons so strong that no walls can possibly defend against them. Although the reach of nuclear weapons historically has been further reaching than so-called "cyber" weapons, that is changing. Despite the very many warnings from the infosec industry, that is changing. (Sometimes I think my Home Invasion 2.0 talk fell on deaf ears because smart home appliances are proliferating.) And in the future of smart homes, smart cities, even smart bodies, when everything is internet connected: everyone is vulnerable. Imagine cities that can be invaded without physical armies.

If you were the NSA, and you believed these things to be true, what would you be doing?

-Jen
Jen,

I don't see anyone answering, so I will try a bit with the disclaimer, if one need be given, that Joel Brenner is a friend of mine. His book, _America the Vulnerable_, is worth reading, and his blog entry on the subject you are raising, an entry crossposted on Lawfare, is germane to this discussion. See http://joelbrenner.com/n-s-a-not-so-secret-anymore/

If I may synthesize from the material you posted, in the digital world we are growing the attack surface faster than we can grow our defensive capacity. That being the fundamental dynamic, there are, as both you and Joel imply, a set of choices that might be properly called Hobbesian. Hobbes himself argued that "the only way to secure civil society is through universal submission to the absolute authority of a sovereign." What Hobbes could not envision is a sovereign that was a machine.

I'm on the record in proposing to deliver a shock to the entire system of software vendors by using the Treasury of the United States to simply corner the world market in vulnerabilities and exploits and to concomitantly release them to the public -- the moral equivalent of administering an unproven chemotherapy for an otherwise terminal cancer. That proposal originally appeared in an article that I did for CNAS (www.cnas.org/cyber) but my presumption is that there will always be ready buyers (which there are), so the question is whether the buying and selling is to be a black market or a white. In truth, I was focusing on a side effect of the USG having an unassailable presence in a white market -- that there is some chance that we could collapse the black market, not by outbidding it but by implying that we had motivated the finding of vulnerabilities to such a level that even if one searcher was able to find a vulnerability it would not be long before some other searcher found it, too. By cutting the shelf-life of an unused but known vulnerability down to near zero, we would cripple the stockpiling of weapons.

All of which, to repeat, comes with my ironclad requirement that vulns found be made public. Otherwise, and as one would certainly imagine, buying a lot of them at high prices only makes more get found such that in a black-only market those vulns will presumably be both sold and re-sold to self-compartmentalized buyers. ["We" learned only this past week that the FBI is now buying for offensive purposes (www.securityweek.com/fbi-looking-buy-malware-security-vendors).]

I am also on the record that Stuxnet was a Godsend insofar as it proved by demonstration that mutual assured destruction is possible, though one must quickly acknowledge that, unlike a missile with the Kremlin's name on it, cyberweapons with understood-in-advance collateral damage do not grow on trees. (Website on which it originally appeared has disappeared; a mirror is at geer.tinho.net/geer.dsbox.18xi10.txt)

In October, 2012, I spoke with a recently retired gentleman who had been at the top of NSA's threat evaluation wing. I asked him then what he would be worrying about if he were still on the job. He said "Today I'd be worrying about the maker community and especially the drone crowd. Tomorrow I'd worry about do-it-yourself bio." These are by no means crazy answers.

All of which comes back to your Home Invasion 2.0 work (I broke discipline and turned on JavaScript just to get it). There is an enormous attack surface growing there, just as you say. Electric meters that report back everything are quintessentially privacy destroying even if they are being mandated for "green" reasons. And so forth -- I'll restrain myself from enumerating all the things of that sort, though a cpunks dictionary of such would be a useful thing jointly to build.

Which brings us back to the NSA. Their job description is to never miss a needle in any haystack. Haystacks are bigger than ever, and those who control the needles are ever more powerful -- both being side effects of the growth in power that is buried in cyberspace. If you are obliged to miss nothing while the cardinality of the things you might miss is growing at an accelerating rate, your only choice is to capture everything. Only when you have total surveillance is it possible to say that the absence of evidence is the evidence of absence.

What "we" need to do is tell our leaders that we do not want their protections, that we will bloody well take care of ourselves even if down that path lies the occasional loss of a major city. One is again reminded of Dostoyevsky's Grand Inquisitor, is one not?

--dan
dan you're my favorite source of signal on this list.

On Fri, Feb 14, 2014 at 10:37 AM, <dan@geer.org> wrote:
> ... If I may synthesize from the material you posted, in the digital world we are growing the attack surface faster than we can grow our defensive capacity.
o/~ ... your attack surface is a wonderland, ... o/~ [to the tune of J. Mayer]
> I'm on the record in proposing to deliver a shock to the entire system of software vendors by using the Treasury of the United States to simply corner the world market in vulnerabilities and exploits and to concommitantly release them to the public -- the moral equivalent of administering an unproven chemotherapy for an otherwise terminal cancer.
good first step! then provide blanket legal immunity to security activities. then provide educational support for vulnerability discovery and remediation. then provide material assistance in terms of compute, storage, bandwidth toward security efforts. ... why don't people like this idea? i love it! ;)