by electic 3551 days ago
No one will be safe until governments stop hoarding 0-days. Until we all realize we live in a glass house, the hacks will continue. The best solution is to split the NSA and similar agencies into two. One for developing new tools that produces safer code and finding flaws and reporting them to companies so they get patched. The second for offense.
7 comments

I'm not sure how splitting up the NSA fixes anything. Wouldn't the new offensive organization still be compelled to seek out zero-day exploits as well for their mission? What happens when they find one that the defensive organization hasn't found yet?
Better than the current setup. The defensive side's sole responsibility is to find critical flaws and report them. This would also include investigating breaches in US infra and making sure things get patched. Right now, you don't even have the defensive side.
Splitting IAD off from SIGINT wouldn't reduce the number of zero-days the government collected, but it would:

* Ensure that the advice IAD was generating was untainted by SIGINT influence

* Enable IAD to independently collect vulnerability intelligence and disseminate it (most importantly, to vendors) without having to endure a bogus equities process to ensure they weren't blowing a SIGINT operation.

Of course, this only works if IAD is stripped completely out of the NSA, and perhaps out of the DoD entirely. IAD probably belongs under DHS.

When a government researcher (or government-funded researcher) discovers a new Flash vulnerability, the government hasn't created the vulnerability, nor have they prevented anyone else from discovering that same vulnerability.

Lobbying against SIGINT vulnerability collection doesn't actually make us materially safer --- even if things like the "Shadow Brokers" became routine (rather than the unprecedented shitstorm it actually was), the number and caliber of the vulnerabilities we're talking about are a tiny fraction of the threat we face.

Thankfully those who shut down biological weapons development in the DoD didn't follow the same logic. Purely from a strategic perspective: defense costs much more than offense; it doesn't make sense for a superpower to spend more on offense than defense when their potential adversaries can't afford to defend themselves against low cost attacks.
As regards software security vulnerabilities, defensive spending in the USG utterly and completely dwarfs offensive spending.

The median venture capitalist in the valley could outspend the US --- actually, probably the world --- on vulnerability acquisition. But there probably isn't an investor and there may not be a single tech company that outspends the USG on defensive security acquisitions.

I'd really love to know how you know this. I can think of a handful of very public DARPA, NIST, USN and NSA programs that are dedicated to hardening (most are little more than academic curiosities, measured in millions) - whereas the NSA's black budget (measured in billions) easily dwarfs those. Are you saying that the NSA is secretly spending large sums of money on hardening software outside of their black cube?

I don't disagree on the lack of private hardening spending, which is really beside the point, because obviously there is very little incentive for a company when all they have to do is budget for useless CYA lifelock service.

And? What do you think they're spending those billions on? Giant computing centers in Utah and all the signals intelligence the entire country does --- all the satellites, all the underseas cable taps, all the deployments of hardware implants on Chinese military computers.

Exploit development is a rounding error in that budget.

Satellites and undersea cable taps fall to the NRO and the USN, though I'm sure the NSA pays for some of it. That is beside the point, though; the issue is the exploit to hardening ratio - not the exploit to everything-else ratio.
Why do you think it matters if NSA stops hoarding 0-days? Let's put that into perspective - the iPhone jailbreaking community hacks every new release in days/weeks. And that's just a few people doing it for fun and not getting paid. Companies like Cellebrite have more people paid good money to do the same thing, so they're likely to have an even bigger stash of working exploits. And that's for a locked down device which has all the incentives of being a closed platform.

There's nothing special about NSA or 0-days here. We're using very generic platforms. Lots of organisations have exploits. We're still in a situation where you can point a fuzzer for a few hours at any popular app and get yourself a new 0-day. The only thing that will help you is getting rid of the possibility of exploitation, and limiting the scope when it happens.

It is special because it is government. We have taxpayer money going to support thousands of people finding 0-days. What I am proposing is to move some of those funds to be defensive, and since it is government, the intention and motivation is to make more secure software. It also forces companies and the industry in general to pay more attention to this stuff.

Right now, government doesn't care. Right now, it is cheaper to get hacked, spew all your information, and then say, "sorry". Not right.

We probably do not support "thousands of people" finding zero-days. We might not even support 100 effective researchers.
See budget report.
Doesn't answer that question.
So you would like the federal government to effectively subsidize large technology companies by providing free QA for commercial products?
We don't make every building a blast shelter and everyone wear body armor. People who walk through the steps of attacking the US physically are going to succeed.

Our security strategy is to:

A) surveil, infiltrate, and block conspiracies to do so before they happen, and

B) identify, track, and punish our attackers after the fact.

I don't think (and "cyber" policy makers don't seem to think) that making every piece of software free of vulnerabilities is realistic. Sabotaging hacking groups, and building sufficiently scary capabilities for retaliation against nation-states that might attack us, seems much more attainable.

The NSA is already partly split like this. There are parts that work to improve security.
Sadly, there are other parts that do things like pay RSA $10 million to INTENTIONALLY make their security products easier to hack.

Actively harming the security of Americans is extremely wrong.

Being secure and having privacy is for the privileged. To actually have the same amount of security and privacy as before the internet and device boom is prohibitively expensive for over 90% of the citizens.

They've made absolutely certain of it.