NSA Pats Self On Back For Disclosing Vulnerabilities '90% Of The Time,' Doesn't Specify How Long It Uses Them Before Doing So

from the honest.-you'll-be-the-first-to-know-when-we're-finished-with-them. dept

The NSA likes its software vulnerabilities. There are those it discovers on its own and others it purchases from "weaponized software" dealers. There are also certain tech companies that hand over exploits to the NSA first before working on a patch for the rest of us.

Up until now, the NSA really hasn't discussed its policies regarding software vulnerabilities and exploits. A few months after the Snowden leaks began, the White House told the NSA to start informing software companies of any exploits/vulnerabilities it had discovered. The quasi-directive set no deadline for disclosure and allowed the agency to withhold discovered exploits whenever there was a "clear national security or law enforcement" reason to do so.

While other parties have discussed the NSA's hoarding of software exploits, the agency itself hasn't. All information gathered to date has come from outside sources. Snowden provided some of the documents. The EFF knocked a couple more loose with an FOIA lawsuit against James Clapper's office.

The NSA has finally chosen to speak for itself. Its reassurances are far from reassuring.

The U.S. National Security Agency, seeking to rebut accusations that it hoards information about vulnerabilities in computer software, thereby leaving U.S. companies open to cyber attacks, said last week that it tells U.S. technology firms about the most serious flaws it finds more than 90 percent of the time.

Disclosing nine out of ten exploits sounds good, but these disclosures are likely only occurring after the vulnerability or exploit is no longer useful to the agency.

The re-assurances may be misleading, because the NSA often uses the vulnerabilities to make its own cyber-attacks first, according to current and former U.S. government officials. Only then does NSA disclose them to technology vendors so that they can fix the problems and ship updated programs to customers, the officials said.

Status remains quo. National security interests still override the security interests of millions of affected users. The NSA can't keep criminals from using the same security holes it's discovered. The only way to prevent a vulnerability from being exploited by malicious parties or unfriendly state actors is to disclose it. Eventual disclosure is better than no disclosure, but it's not nearly as altruistic as the NSA's 90% disclosure rate would make it appear.


Reader Comments


  • Yerble, 11 Nov 2015 @ 10:47am

    Tim,

    You misread the NSA statement. They disclose vulnerabilities 90% of the time that they go through their vulnerability disclosure program. It's not clear what the criteria are for vulnerabilities to go through that program.

    • Anonymous Coward, 11 Nov 2015 @ 8:09pm

      Re:

      Of course it is clear what the criteria are:
      "about the most serious flaws it finds"

      My guess is they wait till they have a 3rd way to pwn something, then report the oldest 0day for that scenario.

  • Anonymous Coward, 11 Nov 2015 @ 12:37pm

    I wonder if most of them were already reported by someone else. That would kind of make this whole reporting of theirs pointless.

  • Pixelation, 11 Nov 2015 @ 12:50pm

    We should pay all NSA employees more than 90% of the time. Let's see if it is sufficient.

  • tqk (profile), 11 Nov 2015 @ 2:13pm

    Weasels.

    As everyone knows, there's exploits, and then there's exploits. An exploit that causes a Windows box to BSOD is one thing. An exploit that quietly gives an attacker remote root (admin) access is another thing entirely. If that 90% they disclose is the former and the remaining 10% is the latter, yeah, I can see they're being perfectly truthful here.

    Thanks to Snowden, nobody in their right mind who knows anything believes a word they say anymore. I can't imagine who they think they're fooling other than mainstream media types who'll swallow anything to get the next highly placed administration source leak.

  • Mark Wing, 11 Nov 2015 @ 2:39pm

    So, the NSA doesn't hoard software exploits, but if it did, it only hoards 10% of them?

  • Anonymous Coward, 11 Nov 2015 @ 4:13pm

    So what I'm hearing is that 10% of the vulnerabilities that the NSA knows about were never discovered by anyone outside of military organizations, and thus were never disclosed.

  • Anonymous Coward, 11 Nov 2015 @ 8:16pm

    "it tells U.S. technology firms about the most serious flaws it finds more than 90 percent of the time"

    Yeah... sure... *wink* let's say the NSA found those and forget about the "on the market".

  • Yes, I know I'm commenting anonymously, 12 Nov 2015 @ 4:12am

    90% of the time?

    Do they really spend 54 seconds out of every minute disclosing software vulnerabilities (as they claim)?
    It would put them in a much better light, but I had not imagined our software that bad.

  • nasch (profile), 12 Nov 2015 @ 8:37am

    status quo

    "Status remains quo."

    Off topic, but I think "status quo remains as ante" would better match the meaning of the phrase. "Status remains quo" means something like "the state remains in which".

    https://en.wikipedia.org/wiki/Status_quo

  • GEMont (profile), 13 Nov 2015 @ 12:18pm

    Bafflegab at its finest.

    "...that it tells U.S. technology firms about the most serious flaws it finds more than 90 percent of the time."

    Just a note.

    This statement does not actually mean that 90% of exploits found are reported.

    It merely states instead that 90% of "the most serious flaws" it finds are being reported.

    Depending on their criteria for "seriousness", this could easily mean that only 1 of every 1000 exploits it finds is actually considered to be "serious", and that only 1% of those "serious flaws" are actually considered to be "most serious", turning that 90% into actual reporting of found flaws of anywhere from .01% to .0001%, very quickly.

    They are masters of speaking without saying anything.

