by cyphunk 3364 days ago
A good time to remember the official US Intelligence Community statement and policy/lie on 0days, as given post-heartbleed:

    When Federal agencies discover a new vulnerability in commercial 
    and open source software – a so-called “Zero day” vulnerability
    because the developers of the vulnerable software have had zero days
    to fix it –  it is in the national interest to responsibly
    disclose the vulnerability rather than to hold it for an investigative
    or intelligence purpose.
https://icontherecord.tumblr.com/post/82416436703/statement-...

https://news.ycombinator.com/item?id=7575802

4 comments

A nice "gotcha" but probably more fair to include this portion:

> Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.

...due to the fact that most of the EQG vulnerabilities appear to be crafted for specific collection targets, not stumbled upon and held onto for fun.

Could this problem be fixed by splitting the NSA into two competing agencies, one handling offensive signals intelligence, and one handling cryptography research and disclosures?

Intuitively it seems when the same agency performs both roles it creates a conflict of interest and bias against disclosure.

But then your second branch ends up looking (to the government at least) a lot like a research program instead of anything meaningful in terms of intelligence.
Research can be counter-intelligence, and thus intelligence.
How about a third agency that focuses on securing our digital infrastructure?
Then we'd need a fourth agency to coordinate between them, and don't forget the fifth agency in charge of oversight.
And don't forget to give all the money and power to the offensive agency, while keeping the oversight agency to an intern in a broom closet somewhere.
I actually approve of your plans to keep the oversight agency really minimal.

That government is best which governs least.

Sounds good to me
How about NSA just does this, per its name, and the offensive signals intelligence gets handled by the CIA?
CIA is primarily HUMINT (and intel triage, covert operations, etc.), so their focus is going to be on the endpoints for individual targets. SIGINT is a gigantic field, and a shift like this would essentially just be a merger of NSA's SID into CIA while leaving NSA with just IAD.

Genuinely curious, what would be the gain in doing that?

I've wondered how "zero day" mutated from its original meaning of "pirated software cracked and released on the day of its commercial release" to "a software vulnerability of which the software's maintainers are not yet aware". There doesn't seem to be any connection aside from illicit cracking.
This is part of the evolution of w0rdz. Now, it just means "fresh". The l33t-speak mutated once it went from warez to expl0itz. This should be obvious. If not, I'm pretty sure they teach this in l33t 101 or even l33t 95.
Zero day has been used in this context for at least 15 years and means that the vulnerability has been publicly known for zero days, or rather it is an undisclosed vulnerability.
The nomenclature of pirated "zero day" cracked (or usually just copied) software releases is at least twenty five years old, but likely older.
Wish "1day" would somehow make a comeback. "0day" sounds cooler, of course, but it was a lot easier to find 1day FTP warez sites in the wild than 0day sites.
Around the time of the end of my swapping of floppies back in the day, it was getting frustrating as none of the "cool" swappers accepted anything but 0day, and most would be annoyed if you couldn't regularly supply -7 to -14 day releases so they had a week or two to spread things to their downstream contacts before it'd be too stale. In other words a lot of them depended to a large extent on internal leaks... I remember receiving the occasional C64 game that was not even finished by the time it was spread.
That's pretty hilarious that they were doing that even before widespread internet. I think a lot of crackers got so caught up in building and maintaining face in their tiny community that they forgot the actual reason they were doing it, i.e. "people want to play video games without paying for them".
I did some minor research in the past...

The origin of 0-day (zero-day) in hacking (etymology of zero-day): http://bjorn.kuiper.nu/tag/zero-day/

A good time to remember the actual policy of the US government on 0-days (the so-called VEP), which is more nuanced than the tinfoil hat crowd is willing to understand. https://epic.org/privacy/cybersecurity/vep/
Interesting read. Anyone know where the vulns disclosed under the so-called VEP are listed? The effectiveness of the VEP policy, which the FBI director calls "informal", would be measurable now by comparing what was disclosed via VEP against what was undisclosed or disclosed via leak.