EFF Uncovers New Details of U.S. Zero-Day Vulnerability Offensive Use

Accepted submission by takyon at 2016-01-19 18:48:27
Digital Liberty

+Security

The Electronic Frontier Foundation has discovered more information about the U.S. government's policy on zero-day vulnerabilities [eff.org], known as the Vulnerabilities Equities Process:

Until just last week, the U.S. government kept up the charade that its use of a stockpile of security vulnerabilities for hacking was a closely held secret. In fact, in response to EFF's FOIA suit [eff.org] to get access to the official U.S. policy on zero days, the government redacted every single reference to "offensive" use of vulnerabilities [eff.org]. To add insult to injury, the government's claim was that even admitting to offensive use would cause damage to national security. Now, in the face of EFF's brief marshaling overwhelming evidence [eff.org] to the contrary, the charade is over.

In response to EFF's motion for summary judgment, the government has disclosed a new version of the Vulnerabilities Equities Process, minus many of the worst redactions [eff.org]. First and foremost, it now admits that the "discovery of vulnerabilities in commercial information technology may present competing 'equities' for the [government's] offensive and defensive mission." That might seem painfully obvious—a flaw or backdoor in a Juniper router is dangerous for anyone running a network, whether that network is in the U.S. or Iran. But the government's failure to adequately weigh these "competing equities" was so severe that in 2013 a group of experts appointed by President Obama recommended that the policy favor disclosure "in almost all instances for widely used code." [whitehouse.gov] [.pdf].

The newly disclosed version of the Vulnerabilities Equities Process (VEP) also officially confirms what everyone already knew: the use of zero days isn't confined to the spies. Rather, the policy states that the "law enforcement community may want to use information pertaining to a vulnerability for similar offensive or defensive purposes but for the ultimate end of law enforcement."
