from the the-best-offense-is-not-giving-a-fuck-about-playing-defense dept
There are still people out there who think it's a good idea for the government -- whether it's the FBI, NSA, or other agency -- to hoover up exploits and hoard vulnerabilities. This activity is still being defended despite recent events, in which an NSA operative apparently left a hard drive full of exploits in a compromised computer. These exploits are now in the hands of the hacking group that took them… and, consequently, also in the hands of people who aren't nearly as interested in keeping nations secure.
The problem is you can't possibly keep every secret a secret forever. Edward Snowden proved that in 2013. The hacking group known as the Shadow Brokers are proving it again. The secrets are out and those who wish to use exploits the NSA never disclosed to affected developers are free to wreak havoc. Lily Hay Newman of Wired examines the aftermath of the TAO tools hacking.
Whoever they are, the Shadow Brokers say they still have more data to dump. But the preview has already unleashed some notable vulnerabilities, complete with tips for how to use them.
All of which means anyone—curious kids, petty criminals, trolls—can now start hacking like a spy. And it looks like they are.
Curious to learn if anyone was indeed trying to take advantage of the leak, Brendan Dolan-Gavitt—a security researcher at NYU—set up a honeypot. On August 18 he tossed out a digital lure that masqueraded as a system containing one of the vulnerabilities.
Dolan-Gavitt used the Cisco zero-day -- one which the company is still unable to completely thwart -- for his honeypot. This exploit was in the hands of the NSA for at least three years and was never disclosed to Cisco. The security researcher saw one attack in the first 24 hours. Since then, there have been a handful of attacks mounted every day.
This is the end result of someone hacking the hackers. The Shadow Brokers have turned the agency's exploit toolkit into NSA Everywhere!™ -- the NSA's new "Inadvertent Disclosure" project. The hackers have divulged far more exploits than the NSA ever has, even with the (severely loopholed) "presumption of disclosure" mandate handed down by the Obama Administration.
The NSA -- and its defenders -- remain mostly unworried about this collateral damage. Presumably the nation is still secure, even if its companies and their customers aren't. I guess that's supposed to be good enough. Every war inflicts a toll on non-combatants, and the neverending War on Terror will be no different than the neverending War on Drugs in this respect.
But those at the top of the IC heap -- and those who work closely with them, like the FBI -- need to stop pretending the government can be trusted with keeping its most secret secrets secure. And officials need to stop applying pressure on lawmakers to craft encryption backdoor legislation, because this debacle should make it clear -- even to true believers like FBI director James Comey -- that any hole labeled "GOVERNMENT USE ONLY" isn't going to keep bad guys out forever.