Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Thursday May 01 2014, @10:42PM   Printer-friendly [Skip to comment(s)]
from the who's-henhouse-is-being-guarded? dept.

The US National Security Agency (NSA) will not always disclose security vulnerabilities, such as Heartbleed, and said it assesses each case individually, according to a blog post on the White House website.

"Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation's intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks," government cyber security co-ordinator Michael Daniel explained. "We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This inter-agency process helps ensure that all of the pros and cons are properly considered and weighed."

The article continues with a list of factors used to assess disclosure:

  • How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
  • Does the vulnerability, if left unpatched, impose significant risk?
  • How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
  • How likely is it that we would know if someone else was exploiting it?
  • How badly do we need the intelligence we think we can get from exploiting the vulnerability?
  • Are there other ways we can get it?
  • Could we utilize the vulnerability for a short period of time before we disclose it?
  • How likely is it that someone else will discover the vulnerability?
  • Can the vulnerability be patched or otherwise mitigated?

Assuming these are the only factors they use, how reasonable do you think they are? What, if anything, would you change and why?

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by Angry Jesus on Thursday May 01 2014, @10:47PM

    by Angry Jesus (182) on Thursday May 01 2014, @10:47PM (#38670)

    Does anyone have a list of vulnerabilities that the NSA has disclosed before anyone else?

    Of course I expect the list to be tiny... So small that I couldn't easily find it in google.

  • (Score: 3, Insightful) by cnst on Thursday May 01 2014, @10:55PM

    by cnst (4275) on Thursday May 01 2014, @10:55PM (#38673)

    There you go, if anyone had any doubts on whether the OpenSSL team had acted responsibly by disclosing the heatbleed to the public on such a short notice as it did.

  • (Score: 4, Insightful) by frojack on Thursday May 01 2014, @10:55PM

    by frojack (1554) Subscriber Badge on Thursday May 01 2014, @10:55PM (#38674) Journal

    Sure, drive the last few customers that still buy American products elsewhere. Nice job guys.

    How long till they force Microsoft to only push patches to some people, and leave the rest of us twisting in the wind?

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 1) by albert on Friday May 02 2014, @05:31AM

      by albert (276) on Friday May 02 2014, @05:31AM (#38760)

      Other than pure spite, I don't see the point. You write as if you think the USA only finds holes in domestic software.

  • (Score: 5, Insightful) by Lagg on Thursday May 01 2014, @11:26PM

    by Lagg (105) on Thursday May 01 2014, @11:26PM (#38683) Homepage Journal

    "Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack [or] stop the theft of our nation's intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks," government cyber security co-ordinator Michael Daniel explained. "We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This inter-agency process helps ensure that all of the pros and cons are properly considered and weighed."

    It really shows how disgustingly arrogant they are now when they don't even try to hide this stuff. In order of emphasis: "an opportunity to crack someone who we deem a terrorist", "it's only 'industrial espionage' when other people do it", "security researchers or some random guy who ran across it", "we carefully decide what will be easy or hard to spin off as 'but teh terrorists!'".

    The unfortunate thing is that this quote will fool the majority of people. Too bad.

    --
    http://lagg.me [lagg.me] 🗿
    • (Score: 2) by LookIntoTheFuture on Thursday May 01 2014, @11:47PM

      by LookIntoTheFuture (462) on Thursday May 01 2014, @11:47PM (#38692)
      "The unfortunate thing is that this quote will fool the majority of people. Too bad."

      That's sad but true. When I RTBP, it came out as: "When President Truman created the National Security Agency in 1952, its very existence was not publicly disclosed. Earlier this month, the NSA sent out a Tweet making clear that it did not know about the [PR RECOVERY MODE ACTIVATED] lies, lies, lies, lies, lies, lies, lies, lies."
    • (Score: 3, Insightful) by mth on Friday May 02 2014, @12:25AM

      by mth (2848) on Friday May 02 2014, @12:25AM (#38698) Homepage

      The argument doesn't even make sense in the defensive case: if they don't disclose, the vulnerability won't get patched and it's only a matter of time before the bad guys find the same flaw, assuming they haven't found it already. Keeping a vulnerability secret is only useful if you plan to use it offensively; it's counter-productive for keeping friendly computers safe.

      • (Score: 3, Funny) by FatPhil on Friday May 02 2014, @09:16PM

        by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Friday May 02 2014, @09:16PM (#39084) Homepage
        It's an arrogance thing - them darn russkies aren't as smart as our guys!
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 1) by gidds on Friday May 02 2014, @12:53PM

      by gidds (589) on Friday May 02 2014, @12:53PM (#38882)

      How long will it be before we start assuming that anyone invoking the bogeyman of terrorism has automatically lost the argument?

      --
      [sig redacted]
      • (Score: 0) by Anonymous Coward on Friday May 02 2014, @07:33PM

        by Anonymous Coward on Friday May 02 2014, @07:33PM (#39052)

        s/Godwin's Law/Gidd's law

      • (Score: 2) by FatPhil on Friday May 02 2014, @09:14PM

        by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Friday May 02 2014, @09:14PM (#39083) Homepage
        In about -12 years.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 5, Insightful) by LookIntoTheFuture on Thursday May 01 2014, @11:36PM

    by LookIntoTheFuture (462) on Thursday May 01 2014, @11:36PM (#38687)
    Trust is a fragile thing. Once lost, it can be extremely difficult to get back. In the case of the NSA, where they have abused secrecy laws and LIED about spying on their own innocent people, trust in them will never return.

    We need protection online. But, it is a complete conflict of interest to have our protection come from the same people trying to undermine it. We need a separate group of people defending us from those that wish to cause us harm (harm that includes killing our privacy). A group that has the authority to even deny "lawful intercept".

    But, that is a utopia that will never happen the way things are.
    • (Score: 2) by FakeBeldin on Friday May 02 2014, @09:17AM

      by FakeBeldin (3360) on Friday May 02 2014, @09:17AM (#38815) Journal

      "Trust is a fragile thing. Once lost, it can be extremely difficult to get back."
      The lesson one can learn from politics (and corporate politics) in the US seems to be:
      "The object of this game is not to not lose trust. The object of this game is to make sure the public loses more trust in the other poor bastard."
      </Patton-Paraphrased>

  • (Score: 2) by Dunbal on Friday May 02 2014, @12:53AM

    by Dunbal (3515) on Friday May 02 2014, @12:53AM (#38705)

    "his inter-agency process helps ensure that all of the pros and cons are properly considered and weighed."

    Have faith in bureaucracy. It has never failed before in the entire history of the human race. Right? Right???

  • (Score: 2, Interesting) by Anonymous Coward on Friday May 02 2014, @01:11AM

    by Anonymous Coward on Friday May 02 2014, @01:11AM (#38710)

    If that's the case, how different are they from malicious groups which do the same thing? Don't we have laws in place for stuff like that?

    It seems the NSA wants to get branded as a criminal organization.

  • (Score: 3, Insightful) by kevinl on Friday May 02 2014, @01:13AM

    by kevinl (3951) on Friday May 02 2014, @01:13AM (#38711)

    "Using" a vulnerability is just another way of saying "knowingly exercising unauthorized access to a computer or network", which in many states is a felony.

  • (Score: 3, Funny) by redneckmother on Friday May 02 2014, @02:51AM

    by redneckmother (3597) on Friday May 02 2014, @02:51AM (#38728)

    Bullshit alert! Bullshit alert! Grab yer boots and put 'em on now!

    --
    Mas cerveza por favor.
  • (Score: 1) by GoonDu on Friday May 02 2014, @04:34PM

    by GoonDu (2623) on Friday May 02 2014, @04:34PM (#38955)

    Then again, I shouldn't have eaten the burrito. That aside, what the fuck? Isn't the NSA's job securing communication lines of the US? When will they realise the technology we use is ultimately used to drive USA's company?

  • (Score: 0) by Anonymous Coward on Saturday May 03 2014, @12:51AM

    by Anonymous Coward on Saturday May 03 2014, @12:51AM (#39135)

    seems in our parallel reality universe HYDRA won.
    If you know where Captain America is hidding .. don't tell!