by rossdavidh 1879 days ago
Prediction: at some point (if it isn't already happening as we speak), the government insistence on "we need to be able to hack into any software if it's important" will collide with "we need to be able to keep foreign powers out of our software", and there will be bitter internal fights about it, both sides claiming national security interests.
9 comments

Bruce Schneier has been complaining about this tradeoff for more than a decade: https://www.schneier.com/blog/archives/2014/05/disclosing_vs...

>The NSA can play either defense or offense. It can either alert the vendor and get a still-secret vulnerability fixed, or it can hold on to it and use it to eavesdrop on foreign computer systems. Both are important US policy goals, but the NSA has to choose which one to pursue. By fixing the vulnerability, it strengthens the security of the Internet against all attackers: other countries, criminals, hackers. By leaving the vulnerability open, it is better able to attack others on the Internet. But each use runs the risk of the target government learning of, and using for itself, the vulnerability — or of the vulnerability becoming public and criminals starting to use it.

Unsurprisingly, the NSA often chooses to keep zero-days for its own use.

I know this would be hard to keep under wraps, and extremely difficult for closed source software, but it seems like the right answer here would be for the NSA to create patches for government use.

If the government only used open-source software, the NSA could create patches that only the government would use, while keeping zero days that can be used against everyone else.

If the government started requiring all/most software to be open-source, it would create a market. There's no way big government vendors would refuse to create open source software. They would just shift to monetizing more heavily using consulting services, or support, or something.

I think this would be even worse. The number of people that would need to have access to the patched versions would be too large to effectively secure and the patch would deliver knowledge about the vulnerability to any potential attacker. Government computers would be protected, but contractors and other businesses placed at higher risk.
Doesn't SELinux provide some of that?

Tightly enclose all running software with a beyond-root, kernel-level authority/sandbox, so even vulnerabilities only we know can't harm us if they're discovered?

If only it was just one agency from one country plinking holes in things...
Makes me wonder if we should have a white-hat government org that notifies big corporations or software projects about critical vulnerabilities in their code.
That was the point of the NSA, but the war on terror has corrupted that mission to the core.
The attack vector makes more sense. Your enemies will always have new backdoors they don't report, so you need as many as you can get. Closing loopholes isn't super effective because there will always be a new bug or exploit.
There's another perspective on this that's often cited and, if I remember correctly, was used to argue against the release of Stuxnet. Who has the most to lose if there are widespread cyber attacks? Given the related attacks so far, I'd say it's probably the US, where most people are connected and everyone either wants to spy on or attack. But then again, attacking sounds so much cooler, which is why I guess we still do it.
The Crypto AG revelations --- a Swiss-based firm selling Telex encoding equipment revealed to be a CIA front --- strongly suggest to me that the principal (though not only) strength of the US intelligence agencies has been based on backdoors. As software-based encryption became more prevalent, they sought to either discourage effective crypto, or impose mandatory back-doors.

The downside of having generally-known weaknesses seems to have been largely deprecated.

Rather than "security by obscurity", the operational status has been "insecurity by obscurity". Unknown to users, systems are largely wholly insecure, and it's only ignorance that gives the illusion that they are secure.

I wrote on this recently: https://joindiaspora.com/posts/b596219086b1013991d8002590d8e...

In practice, the "everyone anywhere can attack any online system" status of the Internet, and the porosity of most LANs and even nominally airgapped / detached systems (see the Stuxnet attack on Iran's centrifuge systems) means that virtually all systems are vulnerable.

I suspect that the debate is quite live within government, particularly as the US itself is repeatedly the victim of such attacks.

Here's a good discussion of that very same debate that is happening right now.

https://www.lawfareblog.com/lawfare-podcast-nicole-perlroth-...

The only reason people use garbage like Pulse is compliance with stupid federal bullshit like FIPS 140.
> at some point

Hasn't this been the debate since encryption came around? I thought we've been having this debate for at least 50 years.

Encryption is a bit of a different debate with different tradeoffs. With encryption, the government can try to use different encryption than everyone else, and many sectors of industry don't rely on encryption. But vulnerabilities in common software apply to everyone; there are pretty much the same pieces of software and electronics (e.g. mobile phones) used by every country, by civilians and businesses and governments alike.
I'm sorry, but what industry doesn't rely on encryption? Every financial service relies pretty heavily on encryption.

As an aside, I personally would argue that in the age of big data/information, your populace having security is extremely important. Modern warfare (or all warfare) depends highly on information. TOR only works if average people use it. The military suggests soldiers use Signal because many times they've gotten in trouble because adversaries intercepted SMS messages to loved ones (or just someone getting some strange).

There is of course a question of balance, but personally I don't see one. Safer to encrypt everything imo.

For sure, my point was that the debate, instead of being between government figures who are in favor of keeping the right to listen in vs. non-government figures who want to keep them out, will shift (has shifted?) to a within-government debate. In the days after 9/11, I don't get the impression there was much of an intra-government debate at all.
By intra-government you mean like US vs China? (or any other competitors? We could say Israel and Germany) I think this has always existed though the information age has swung the balance to there being more importance for average citizens to have encrypted data in a more general sense and not just finance.
"Intra" here means inside the same government (you're thinking of "inter"). The hypothesis is that there will be parts of the US government (like perhaps the FBI) that will advocate for government-controlled backdoors into all encryption, while other parts (like perhaps the NSA) will argue for the strongest, backdoor-free encryption possible.

I think it's an interesting hypothesis, but one weakness is that the government can have its cake and eat it too: they can mandate that all encryption have backdoors, except that the government is exempt from that requirement.

Of course, then it just becomes the usual "if you outlaw strong encryption, then only outlaws will have strong encryption". As long as backdoor-free encryption merely exists, the "bad guys" will get their hands on it and use it. So you haven't fixed the problem of being unable to prosecute crimes due to encryption, and at the same time you've weakened everyone's security. This state of affairs is still beneficial to the government, as it makes dragnet surveillance a lot easier, and your average citizen with "nothing to hide" won't seek out the (illegal) strong encryption.

...until the higher ups learn that, yet again, China or Russia or Iran or somebody got their hands on a lot of sensitive data, and they start pressuring the NSA to get a handle on this. I don't know if it's happening yet, but if it hasn't it will.
It probably already happened.

In the defensive world, success is abstract, failure is concrete, and there are always going to be bugs, accidents, lapses, etc. In the offensive world, you demonstrate success by providing actual intel; you can demonstrate value. I've worked on security products for most of my career, and there is a point in the lifecycle, before your product is just a requirement, where customers will ask "how do I know I need this? Or that it's working?" It can be more challenging to answer that than if your product failed and they got popped; at least you can help and provide information if they got popped.

I know who I think would climb the ranks. Long term strategy wise, if they split it up and aggressively worked with industry to patch holes and fix things, encouraging best practices, it would probably save the nation trillions but we would have to use other techniques to get some of our intel.

Yeah, this was a problem back when NSA's directorate went from Defensive to Offensive. We would like to patch issues that are zero days but they are just so damn fruitful when attacking enemies of the state... the battle lines are already drawn on this.
Trolling prediction: all U.S. agencies will switch to open-source software on top of Gentoo Linux as a way to more easily patch whatever vulnerabilities the NSA finds and does not disclose.

:)

Some version of that debate has been going on since Roman days.