German Spy Agency Wants To Buy Zero-Day Vulnerabilities In Order To Undermine SSL Security

from the is-that-really-a-good-idea? dept

The newspaper Süddeutsche Zeitung reports that the German spy agency BND will spend €28 million on what it calls its 'Strategic Technical Initiative' (SIT) next year, and that it has asked the German government for a further €300 million (original in German). The German edition of the English-language site "The Local" explains how the money will be used:
The aim of the programme is to penetrate foreign social networks and create an early warning system for cyber attacks.

Government spokesman Steffen Seibert confirmed to dpa on Monday that the BND had worked with French computer security firm Vupen, which is known to sell details of security holes to governments, in the past.
Techdirt has written about Vupen a couple of times recently, and emphasized why buying such zero-day vulnerabilities to use for surveillance purposes without passing them on to be fixed makes the Internet much less safe for everyone. According to a related story in Der Spiegel (original in German), the BND hopes to apply zero-days to undermine the main encryption technology used to protect online communications, the Secure Sockets Layer (SSL) protocol. As The Local writes:
The programme to penetrate SSL, codenamed Nitidezza, would also target the HTTPS protocol which is the standard for many banks, online shops, webmail providers and social networks.

"Holes in SSL need to be patched [fixed] because it is ubiquitous and everyone depends on it for their security," said Jim Killock of London-based digital rights NGO Open Rights Group.

"There is a real risk that failing to fix problems means criminal gangs will seek to obtain the same data using the same defects."
SIT means that not only will the privacy of millions of people be at risk, but so will their economic activities and that of all the companies that use SSL to carry out online transactions.

The BND's move is particularly worrying, since it could well encourage spy agencies in other nations to follow suit, thus starting a bidding war for serious software flaws. That, in its turn, will encourage even more people to find and sell zero-days, rather than report them, reducing security online. It's probably too much to hope that government agencies would ever agree to give up acquiring and using software bugs in this way, but they should at least be required to limit their use so as to minimize the serious harm they could wreak across the entire Internet.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 13 Nov 2014 @ 11:30am

    Well at the very least, in a world where nobody trusts anybody because of moves like this, encryption research and development should accelerate.

    reply to this | link to this | view in chronology ]

    • icon
      Digitalme (profile), 13 Nov 2014 @ 11:36am

      At the rate things are going

      At the rate things are going, encryption research and development will be deemed a national security risk and anybody other than state-approved research will be deemed a terrorist threat.

      reply to this | link to this | view in chronology ]

      • icon
        Bergman (profile), 13 Nov 2014 @ 7:26pm

        Re: At the rate things are going

        In a way they already do -- under copyright law, it's not just one-sided with the rights owners having rights and no one else, consumers have statutory rights too. But DRM frequently prevents the exercise of those rights, and it's illegal to circumvent DRM.

        Given the way DMCA violators are pursued, it's not a very big step from there to terrorists.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Nov 2014 @ 11:40am

    when you get some organisations, especially ones with paranoid and over the top beliefs, they are gonna try to do whatever they want, whatever they can to satisfy their particular issue(s). they do not think about the catastrophic damage that would come along with what they want and the way they want to do it. their 'problem', their 'aim' is the most important in the world and having medical and banking information running rampant, unchecked, all offer the internet means nothing to them, as long as they can SAY they stopped another terrorist plot! the real truth is that these people are creating more terrorist plots than the terrorists planned, so playing right into their hands. how ridiculous!!

    reply to this | link to this | view in chronology ]

  • icon
    Josh in CharlotteNC (profile), 13 Nov 2014 @ 12:03pm

    Back to the 90s

    Does anyone remember what e-commerce was like in the 1990s? Basically it was little to none. Because no one trusted putting their credit cards into some form on a computer. Do we really want to head back to the bad old days?

    (disclosure: I work in information security at a major bank, so it could be bad for me if trust in being able to securely conduct financial dealings online was significantly disrupted)

    This article is timed pretty well. Microsoft just 2 days ago issued a critical patch for vulnerabilities in their version of TLS (schannel or secure channel - update now if you haven't yet, this one is important). And within the last year, every major implementation of TLS has had serious vulnerabilities - OpenSSL (Heartbleed), Apple's SecureTransport, and GNUTLS.

    reply to this | link to this | view in chronology ]

  • identicon
    Applesauce, 13 Nov 2014 @ 12:18pm

    Who's paying for it.

    All the world's governments are spending enormous sums to attack the cyber security of their own (and others) citizenry. Firstly, the citizens themselves are funding the attacks on themselves. Secondly, we are now beginning to see the additional costs to the citizens.

    reply to this | link to this | view in chronology ]

    • icon
      tqk (profile), 14 Nov 2014 @ 6:57am

      Re: Who's paying for it.

      All the world's governments are spending enormous sums to attack the cyber security of their own (and others) citizenry.

      When you put it that way, it makes a fairly compelling case in favor of encryption, and darknet/undernet/... instead of doing things out in the open. Anyone doing anything the way Teresa May suggests it be done is just setting themselves up to be roadkill. When you can't trust the authorities and you can't find any functional difference between cops and thugs, we're back in the jungle. Everything you see is a potential predator whether it's carrying a badge or not.

      Welcome to the jungle. Be careful what you wish for, Teresa.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Nov 2014 @ 12:44pm

    Bidding war? Oh, heavens no

    Bidding is tedious, potentially quite expensive, and well, you might lose. If you're a spy agency, there are better ways.

    How? Well, for starters, consider that not everyone who has their paycheck signed by spy agency X is working for spy agency X. There are, no doubt, British in the Kremlin, and Japanese in the CIA, and Iranians in GCHQ, and so on. Of course there are: it's what they do. And some of them are very good at it.

    So if I were running the Elbonian spy agency, I wouldn't bother bidding on these: instead, I'd work on placing my people inside the agencies which are likely to be the winning bidders most of the time, let them fork over the cash, and then just lift it from them. Failing that -- which I might, given limited budget and personnel -- there are always the old ways: bribery and seduction, extortion and blackmail, and so on -- all the things that have a long history of yielding successful results in the world of secrets.

    So let the Americans and the Brits and the Germans knock themselves out competing for exploits: I'll just sit back, watch, and wait for my chance to pick the pocket of the winner.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Nov 2014 @ 1:23pm

      Re: Bidding war? Oh, heavens no

      The other problem, what is to stop the seller selling to other spy agencies, especially as this activity is largely carried out in secret.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 13 Nov 2014 @ 1:39pm

        Re: Re: Bidding war? Oh, heavens no

        The seller might get away with this duplicitous tactic...for a while.

        But the problem is that once it's detected, the unhappy purchasers -- who are, let's remember, governments who possess enormous weapons stocks of all descriptions as well as military forces and clandestine assassins -- may choose to express their dissatisfaction in ways that are very unpleasant. So yes, it might be tempting to make, let's say, $2.5M three times instead of once...but it's probably not good for one's health.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 13 Nov 2014 @ 1:57pm

          Re: Re: Re: Bidding war? Oh, heavens no

          "The seller might get away with this duplicitous tactic...for a while."

          Oh yeah, because spy agencies always keep each other fully informed of everything they're doing. Just out of professional courtesy, you see.

          I don't think so.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 13 Nov 2014 @ 2:58pm

            Re: Re: Re: Re: Bidding war? Oh, heavens no

            You do not understand. Of course the spy agencies won't explicitly inform each other. (Unless they're allies, but of course we can presume that anyone trying to scam intelligence services is bright enough to work out who's working with who.)

            But -- as I pointed out -- not everyone working at spy agency X is working FOR spy agency X. Thus when zero-day exploit #1234 is sold to X and to Y, it's possible that one of the agents of Y -- working inside X -- will this relay this interesting tidbit back to Y.

            There's precedent for this, you know -- a LOT of precedent, as spy agencies are not only extremely interested in knowing things, but also extremely interested in knowing how much their counterparts know. So while the seller of #1234 might escape detection this time -- because it turns out that Y doesn't have an agent inside X, or the agent they do have isn't positioned to find about it -- every time they pull this stunt, they're spinning the roulette wheel.

            There's another way as well: these agencies intend to use these zero-days, and well, they will. Eventually that will come out: see, for example, "Stuxnet". It took a while. I'm sure we don't know the whole story. But it did come out and so will some/most/all other similar exploits will too. So when X uses exploit #5678 against country A, and Y uses exploit #5678 against country B, it's probably only a matter of time until someone, somewhere in the world, puts the pieces together and deduces that the attacks have an awful lot in common.

            There's more, but I think this will suffice to illustrate the point, and that is, the double- or triple-dipping at the expense of multiple intelligence agencies is likely a good way to get them to momentarily put aside their mutual dislike and distrust of one another and divert some of their energy in your direction. Kinetic energy, perhaps.

            reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 13 Nov 2014 @ 2:02pm

          Re: Re: Re: Bidding war? Oh, heavens no

          There is always the excuse that we do not keep records, and I forgot to tell the person who sold it to the other agency that I had sold it to you.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 13 Nov 2014 @ 3:45pm

            Re: Re: Re: Re: Bidding war? Oh, heavens no

            Yes, yes, I'm sure that "we don't keep records of our high-priced secret transactions with government intelligence agencies" will work perfectly as an excuse.

            reply to this | link to this | view in chronology ]

    • icon
      Bergman (profile), 13 Nov 2014 @ 7:29pm

      Re: Bidding war? Oh, heavens no

      Consider as well that multinational corporations and organized criminal organizations often have budgets that rival small nations -- It's not just foreign espionage to consider when spy agencies are buying back doors and zero-day exploits, it's the big time criminals as well.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 14 Nov 2014 @ 2:30am

        Re: Re: Bidding war? Oh, heavens no

        An excellent point. And of course many of the big-time criminals you mention have people on their payrolls in law enforcement agencies, intelligence agencies, regulatory agencies, etc. It's just good business.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Nov 2014 @ 12:46pm

    It has been the stance of the NSA as well that what they do has little effect on other businesses. Yet the financial business being conducted on the internet revolves around trust. Trust that your data is safe to be used.

    That very trust is what is being undermined in these efforts to round up zero days for spying uses. It is not by accident that people are distrustful and don't want to have anything to do with US businesses. They are losing the faith of their customers unless they do something to counteract these attempts at government meddling. The cost is hidden but it is meaningful and present none the less.

    I personally refuse to do banking by the internet. Any exposure of my data won't come from me. But I can not control these banks and their security. That is completely out of my hands. This news does not inspire me with trust to do internet business but rather encourages me not to put my info out in any manner. There are enough out there between the government and these various corporations wanting to know everything for the purpose of targeted ads. While I may not prevent them from knowing everything I do all I can to prevent my data from being out there.

    You will not find financial info on my computer. If it isn't there it can't be hacked to find it out from my side. I'm already paranoid enough when it comes to finances. This will only make it worse.

    reply to this | link to this | view in chronology ]

  • icon
    Rabbit80 (profile), 13 Nov 2014 @ 1:01pm

    SSL?

    I thought we were all supposed to be phasing out SSL in favour of TLS after the POODLE attack proved SSL to be insecure.

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 13 Nov 2014 @ 1:03pm

    Government agencies: Protecting you by making you less safe

    Actions like this provide monetary incentive, large monetary incentive, for companies to not fix critical security issues, but instead sell information on them to everyone they can.

    As such, when you've got agencies who claim to be doing what they are to protect the public... yeah, it's pretty clear that they're lying through their teeth. They are intentionally doing something that makes everyone less secure, that is the direct opposite of their claimed justification for their actions.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Nov 2014 @ 1:54pm

    That's not the worst of it.

    "That, in its turn, will encourage even more people to find and sell zero-days..."

    It will also provide a way for software developers to get rich by purposely including security weaknesses that they can then legally and secretly sell to the highest government bidder (and maybe a few others on the side). Governments will be effectively secretly paying software developers to compromise their products and there will be no practical way to know which ones have been compromised. Way to go!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Nov 2014 @ 2:03pm

    Credit cards? Never use 'em.

    >... Because no one trusted putting their credit cards into some form on a computer. Do we really want to head back to the bad old days?

    The bad old days? You HAVE been paying attention to the news, haven't you?
    "Why this is hell, nor am I out of it."

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Nov 2014 @ 6:16pm

    Meanwhile Chinese hackers put NOAA to bed and don't bother to tuck them in. I see the NSA is hard at work protecting us from the bad guys, so I can sleep better at night.

    reply to this | link to this | view in chronology ]

  • icon
    Ninja (profile), 14 Nov 2014 @ 1:50am

    At some point such behavior is bound to cause massive financial damages. When it happens money will make it stop. Much like losses attributed to climate change will make some quite stubborn countries go green.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Nov 2014 @ 2:51am

    Why throw "criminal gangs"?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Nov 2014 @ 3:36am

    Fckng idiots

    So instead of the direction to improve the internets security, the direction is to keep it perpetually insecure, WHY, to SPY on people

    Fckng idiots, in my book, up there ^, that makes YOU the bad guy........that means, any actions reported i pay attention, , your words untrusted, and your motives suspected.........and once its at this point, weak action/lipservice is so FARRRRRRR, to far from being enough to trust these folks again, barely scratches the surface.........once you fck up this spectacularly.

    idiots for either not realising how far accross the line they've gone, or tyrants for knowing, not caring, and forcing without consent...........free western governments.....my ass.......more like "civilized" tyrants.

    "Without leaders"

    reply to this | link to this | view in chronology ]

  • icon
    Nick (profile), 14 Nov 2014 @ 9:49am

    A more cynical headline might be:
    Modern Day German Stasi Seek to Buy Exploits from French Black Hat Hackers to Reduce Trust in E-commerce Worlwide

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Nov 2014 @ 9:04am

    Seems like Stasi is still alive.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.