[asher]

I used to think like that. But consider two things. The capabilities of the state actors are high. They cooperate with chipmakers and OS makers (or subvert or hack them). They compromise routers and hard drive firmware. Second, Kaplan's book documents multiple waves of cyber-fear in the US government; multiple US presidents starting with Reagan have tried and failed to secure our vulnerable systems. Simply put, corporations are not going to let NSA dictate security practices to them, because they need to make money and can't spend all day on security. Similar problems occur in military/government.

Remember how cannons made castles obsolete? We're in a similar era, where offense is outstripping defense.

Consider stuxnet. You have to assume Iran, which is smart enough to make nuclear weapons, took its best shot at securing that air-gapped network.

I think you have to accept that hoarding vulns is the international reality and difficult to change. Maybe a cyber-SALT treaty could change it.

[AnthonyMouse]

It doesn't matter whether offense is stronger than defense because this is not a mutually assured destruction scenario. Having offensive capabilities doesn't prevent an attack because we already have offensive capabilities -- sanctions and missiles. The problem isn't an inability to strike back, it's attribution. A hoard of vulnerabilities does nothing to solve that.

What governments actually use vulnerabilities for isn't deterrence, it's espionage and sabotage. But those goals can't justify knowingly leaving critical infrastructure vulnerable to criminals and terrorists.

> I think you have to accept that hoarding vulns is the international reality and difficult to change.

It doesn't really matter whether other people are doing it. The solution is to keep the espionage agencies on the hunt for vulnerabilities but require them to be disclosed within e.g. four weeks.

If it really is so easy for entities with state-level resources to find vulnerabilities then they'll be able to find a new one every month and continue to use it for their espionage, and at least the low-hanging fruit will be eliminated which makes it harder for criminals without state-level resources.

If there is not an endless supply of vulnerabilities then soon enough they'll have reported every existing vulnerability in commonly used software, they'll all be patched and there will be nothing for other states to hoard regardless of whether they have the same policy or not.

[freeflight]

> The capabilities of the state actors are high.

Not just of state actors, we are not talking about aircraft carriers or nuclear missiles here, things that need a massive infrastructure behind them, we are talking about tools pretty much anybody with the right knowledge can apply once they get access.

That's the thing barely anybody wants to acknowledge with this situation because it's way more convenient to attribute everything to state actors, it's become the new get-out-of-jail card for shoddy security practices. "Nothing we could do to prevent that, adversary was a mighty state actor ¯\_(ツ)_/¯"

It's also convenient for pointing fingers at the usual suspects and start the war drums (Russia, China, NK) without admitting that attribution pretty much boils down to a guessing game with no guarantees.

In that regard the "who" is pretty much meaningless to the problem, it's all about the "how" and as Wannacry has shown the "how" quite often boils down to "Abused a vuln. that has been known, but hoarded in secret".

> They cooperate with chipmakers and OS makers (or subvert or hack them). They compromise routers and hard drive firmware. Second, Kaplan's book documents multiple waves of cyber-fear in the US government; multiple US presidents starting with Reagan have tried and failed to secure our vulnerable systems.

That's a bit contradictory, why would manufacturers be willing to let themselves get subverted to make less-secure products, but not to make more secure products? Especially considering how security is a big part of the business for quite a few of these companies, like CISCO's firewalls. For that very same reason, MS did act rather quickly and pushed out a fix when NSA informed them about EternalBlue.

> Remember how cannons made castles obsolete? We're in a similar era, where offense is outstripping defense.

That comparison doesn't really hold up. Cannons didn't work because of some obscure vulnerability in castle walls that only cannon makers knew about and which could have been fixed by wall-makers once they knew about it. Cannons simply overpowered walls.

One could argue that offense is outstripping defense due to the simple fact that "state actors" mostly focus on offense, while barely ever bothering with defense because that would also hamper their own offensive capabilities.

IT security always boils down to how much effort an attacker is willing to invest. If government agencies focus most of their efforts (backed by massive resources) on offense then the natural outcome will be that defense (mostly driven by private entities) always lacks behind, because we end up spending more time poking new holes than actually plugging them.

> Consider stuxnet. You have to assume Iran, which is smart enough to make nuclear weapons, took its best shot at securing that air-gapped network.

Their best shot was air-gapping the network, that's about it. To get trough that Stuxnet went wide and deep: https://www.scmagazineuk.com/chevron-confirms-that-it-was-hi...

> I think you have to accept that hoarding vulns is the international reality and difficult to change.

Sure I have to accept that, can't force anybody to do anything. That reasoning still reminds me way too much of the reasoning for selling weapons to questionable nation states, "If we don't do it somebody else is gonna do it", the kind of reasoning that doesn't get us anywhere and only makes the problem worse.

[qb45]

> That's a bit contradictory, why would manufacturers be willing to let themselves get subverted to make less-secure products, but not to make more secure products?

I know that's not exactly what you meant, but allegedly China requires some Western products sold there to have backdoors. I heard reasonably reliable rumors about one specific case, here's some general article to prove I'm not completely talking out of my ass:

http://www.networkworld.com/article/2331257/lan-wan/encrypti...

> Especially considering how security is a big part of the business for quite a few of these companies, like CISCO's firewalls.

Funny that you mention firewalls, a year ago it was discovered that some Juniper firewalls and VPN gateways had a covert master password and an advanced crypto backdoor allowing decryption of the VPN traffic IIRC.

Juniper denied knowledge of this backdoor and it's possible that this wasn't NSA's job at all because it involved the Dual_EC_DRBG algorithm to which they are believed to have a backdoor baked in the standard. But this means that somebody managed to hack them (and specifically their precious security products).