German Spy Agency Wants To Buy Zero-Day Vulnerabilities In Order To Undermine SSL Security

from the is-that-really-a-good-idea? dept

The newspaper Süddeutsche Zeitung reports that the German spy agency BND will spend €28 million on what it calls its ‘Strategic Technical Initiative’ (SIT) next year, and that it has asked the German government for a further €300 million (original in German). The German edition of the English-language site “The Local” explains how the money will be used:

The aim of the programme is to penetrate foreign social networks and create an early warning system for cyber attacks.

Government spokesman Steffen Seibert confirmed to dpa on Monday that the BND had worked with French computer security firm Vupen, which is known to sell details of security holes to governments, in the past.

Techdirt has written about Vupen a couple of times recently, and emphasized why buying such zero-day vulnerabilities to use for surveillance purposes without passing them on to be fixed makes the Internet much less safe for everyone. According to a related story in Der Spiegel (original in German), the BND hopes to apply zero-days to undermine the main encryption technology used to protect online communications, the Secure Sockets Layer (SSL) protocol. As The Local writes:

The programme to penetrate SSL, codenamed Nitidezza, would also target the HTTPS protocol which is the standard for many banks, online shops, webmail providers and social networks.

“Holes in SSL need to be patched [fixed] because it is ubiquitous and everyone depends on it for their security,” said Jim Killock of London-based digital rights NGO Open Rights Group.

“There is a real risk that failing to fix problems means criminal gangs will seek to obtain the same data using the same defects.”

SIT means that not only will the privacy of millions of people be at risk, but so will their economic activities and that of all the companies that use SSL to carry out online transactions.

The BND’s move is particularly worrying, since it could well encourage spy agencies in other nations to follow suit, thus starting a bidding war for serious software flaws. That, in its turn, will encourage even more people to find and sell zero-days, rather than report them, reducing security online. It’s probably too much to hope that government agencies would ever agree to give up acquiring and using software bugs in this way, but they should at least be required to limit their use so as to minimize the serious harm they could wreak across the entire Internet.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: , , , , , ,
Companies: vupen

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “German Spy Agency Wants To Buy Zero-Day Vulnerabilities In Order To Undermine SSL Security”

Subscribe: RSS Leave a comment
27 Comments
Bergman (profile) says:

Re: Re: At the rate things are going

In a way they already do — under copyright law, it’s not just one-sided with the rights owners having rights and no one else, consumers have statutory rights too. But DRM frequently prevents the exercise of those rights, and it’s illegal to circumvent DRM.

Given the way DMCA violators are pursued, it’s not a very big step from there to terrorists.

Anonymous Coward says:

when you get some organisations, especially ones with paranoid and over the top beliefs, they are gonna try to do whatever they want, whatever they can to satisfy their particular issue(s). they do not think about the catastrophic damage that would come along with what they want and the way they want to do it. their ‘problem’, their ‘aim’ is the most important in the world and having medical and banking information running rampant, unchecked, all offer the internet means nothing to them, as long as they can SAY they stopped another terrorist plot! the real truth is that these people are creating more terrorist plots than the terrorists planned, so playing right into their hands. how ridiculous!!

Josh in CharlotteNC (profile) says:

Back to the 90s

Does anyone remember what e-commerce was like in the 1990s? Basically it was little to none. Because no one trusted putting their credit cards into some form on a computer. Do we really want to head back to the bad old days?

(disclosure: I work in information security at a major bank, so it could be bad for me if trust in being able to securely conduct financial dealings online was significantly disrupted)

This article is timed pretty well. Microsoft just 2 days ago issued a critical patch for vulnerabilities in their version of TLS (schannel or secure channel – update now if you haven’t yet, this one is important). And within the last year, every major implementation of TLS has had serious vulnerabilities – OpenSSL (Heartbleed), Apple’s SecureTransport, and GNUTLS.

tqk (profile) says:

Re: Who's paying for it.

All the world’s governments are spending enormous sums to attack the cyber security of their own (and others) citizenry.

When you put it that way, it makes a fairly compelling case in favor of encryption, and darknet/undernet/… instead of doing things out in the open. Anyone doing anything the way Teresa May suggests it be done is just setting themselves up to be roadkill. When you can’t trust the authorities and you can’t find any functional difference between cops and thugs, we’re back in the jungle. Everything you see is a potential predator whether it’s carrying a badge or not.

Welcome to the jungle. Be careful what you wish for, Teresa.

Anonymous Coward says:

Bidding war? Oh, heavens no

Bidding is tedious, potentially quite expensive, and well, you might lose. If you’re a spy agency, there are better ways.

How? Well, for starters, consider that not everyone who has their paycheck signed by spy agency X is working for spy agency X. There are, no doubt, British in the Kremlin, and Japanese in the CIA, and Iranians in GCHQ, and so on. Of course there are: it’s what they do. And some of them are very good at it.

So if I were running the Elbonian spy agency, I wouldn’t bother bidding on these: instead, I’d work on placing my people inside the agencies which are likely to be the winning bidders most of the time, let them fork over the cash, and then just lift it from them. Failing that — which I might, given limited budget and personnel — there are always the old ways: bribery and seduction, extortion and blackmail, and so on — all the things that have a long history of yielding successful results in the world of secrets.

So let the Americans and the Brits and the Germans knock themselves out competing for exploits: I’ll just sit back, watch, and wait for my chance to pick the pocket of the winner.

Anonymous Coward says:

Re: Re: Bidding war? Oh, heavens no

The seller might get away with this duplicitous tactic…for a while.

But the problem is that once it’s detected, the unhappy purchasers — who are, let’s remember, governments who possess enormous weapons stocks of all descriptions as well as military forces and clandestine assassins — may choose to express their dissatisfaction in ways that are very unpleasant. So yes, it might be tempting to make, let’s say, $2.5M three times instead of once…but it’s probably not good for one’s health.

Anonymous Coward says:

Re: Re: Re:2 Bidding war? Oh, heavens no

You do not understand. Of course the spy agencies won’t explicitly inform each other. (Unless they’re allies, but of course we can presume that anyone trying to scam intelligence services is bright enough to work out who’s working with who.)

But — as I pointed out — not everyone working at spy agency X is working FOR spy agency X. Thus when zero-day exploit #1234 is sold to X and to Y, it’s possible that one of the agents of Y — working inside X — will this relay this interesting tidbit back to Y.

There’s precedent for this, you know — a LOT of precedent, as spy agencies are not only extremely interested in knowing things, but also extremely interested in knowing how much their counterparts know. So while the seller of #1234 might escape detection this time — because it turns out that Y doesn’t have an agent inside X, or the agent they do have isn’t positioned to find about it — every time they pull this stunt, they’re spinning the roulette wheel.

There’s another way as well: these agencies intend to use these zero-days, and well, they will. Eventually that will come out: see, for example, “Stuxnet”. It took a while. I’m sure we don’t know the whole story. But it did come out and so will some/most/all other similar exploits will too. So when X uses exploit #5678 against country A, and Y uses exploit #5678 against country B, it’s probably only a matter of time until someone, somewhere in the world, puts the pieces together and deduces that the attacks have an awful lot in common.

There’s more, but I think this will suffice to illustrate the point, and that is, the double- or triple-dipping at the expense of multiple intelligence agencies is likely a good way to get them to momentarily put aside their mutual dislike and distrust of one another and divert some of their energy in your direction. Kinetic energy, perhaps.

Anonymous Coward says:

It has been the stance of the NSA as well that what they do has little effect on other businesses. Yet the financial business being conducted on the internet revolves around trust. Trust that your data is safe to be used.

That very trust is what is being undermined in these efforts to round up zero days for spying uses. It is not by accident that people are distrustful and don’t want to have anything to do with US businesses. They are losing the faith of their customers unless they do something to counteract these attempts at government meddling. The cost is hidden but it is meaningful and present none the less.

I personally refuse to do banking by the internet. Any exposure of my data won’t come from me. But I can not control these banks and their security. That is completely out of my hands. This news does not inspire me with trust to do internet business but rather encourages me not to put my info out in any manner. There are enough out there between the government and these various corporations wanting to know everything for the purpose of targeted ads. While I may not prevent them from knowing everything I do all I can to prevent my data from being out there.

You will not find financial info on my computer. If it isn’t there it can’t be hacked to find it out from my side. I’m already paranoid enough when it comes to finances. This will only make it worse.

That One Guy (profile) says:

Government agencies: Protecting you by making you less safe

Actions like this provide monetary incentive, large monetary incentive, for companies to not fix critical security issues, but instead sell information on them to everyone they can.

As such, when you’ve got agencies who claim to be doing what they are to protect the public… yeah, it’s pretty clear that they’re lying through their teeth. They are intentionally doing something that makes everyone less secure, that is the direct opposite of their claimed justification for their actions.

Anonymous Coward says:

That's not the worst of it.

“That, in its turn, will encourage even more people to find and sell zero-days…”

It will also provide a way for software developers to get rich by purposely including security weaknesses that they can then legally and secretly sell to the highest government bidder (and maybe a few others on the side). Governments will be effectively secretly paying software developers to compromise their products and there will be no practical way to know which ones have been compromised. Way to go!

Anonymous Coward says:

Fckng idiots

So instead of the direction to improve the internets security, the direction is to keep it perpetually insecure, WHY, to SPY on people

Fckng idiots, in my book, up there ^, that makes YOU the bad guy……..that means, any actions reported i pay attention, , your words untrusted, and your motives suspected………and once its at this point, weak action/lipservice is so FARRRRRRR, to far from being enough to trust these folks again, barely scratches the surface………once you fck up this spectacularly.

idiots for either not realising how far accross the line they’ve gone, or tyrants for knowing, not caring, and forcing without consent………..free western governments…..my ass…….more like “civilized” tyrants.

“Without leaders”

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...