Tuesday, August 16, 2016

Should NSA disclose Zero Day security bugs?

Interesting analysis says "no":
The point is that no sane person can argue that it's worth it for the government to spend $1 million per iOS 0day in order to disclose/fix. If it were in the national interest, we'd already have federal bug bounties of that order, for all sorts of products. Long before the EFF argues that it's in the national interest that purchased bugs should be disclosed rather than exploited, the EFF needs to first show that it's in the national interest to have a federal bug bounty program at all.

Conversely, it's insane to argue it's not worth $1 million to hack into terrorist iPhones. Assuming the rumors are true, the NSA has been incredibly effective at disrupting terrorist networks, reducing the collateral damage of drone strikes and such. Seriously, I know lots of people in government, and they have stories. Even if you discount the value of taking out terrorists, 0days have been hugely effective at preventing "collateral damage" -- i.e. the deaths of innocents.
iOS zero-day bugs (ones for which no patch exists yet, so the target has no fix to apply) reportedly sell for around a million dollars.  Less for Windows, maybe about the same for Android.  A federal bug bounty program buying bugs at those prices across the major platforms could run to a billion dollars a year.  So it is doable - pricy, but probably not much in the grand scheme of NSA's budget.

Or you can keep them secret and use them to attack high-value targets.

The worry, of course, is whether you can trust NSA to attack legitimate targets and not everybody else.  The author shares those concerns:
The NSA/DoD/FBI buying and using 0days is here to stay. Nothing the EFF does or says will ever change that. Given this constant, the only question is how We The People get more visibility into what's going on, that our representatives get more oversight, that the courts have clearer and more consistent rules. I'm the first to stand up and express my worry that the NSA might unleash a worm that takes down the Internet, or the FBI secretly hacks into my home devices. Policy makers need to address these issues, not the nonsense issues promoted by the EFF.
The EFF is, of course, the Electronic Frontier Foundation.  This is pretty interesting stuff, so if you're a security nerd you should RTWT (read the whole thing).