German Spy Agency Wants To Buy Zero-Day Vulnerabilities In Order To Undermine SSL Security
from the is-that-really-a-good-idea? dept
The newspaper Süddeutsche Zeitung reports that the German spy agency BND will spend €28 million on what it calls its 'Strategic Technical Initiative' (SIT) next year, and that it has asked the German government for a further €300 million (original in German). The German edition of the English-language site "The Local" explains how the money will be used:
The aim of the programme is to penetrate foreign social networks and create an early warning system for cyber attacks.
Techdirt has written about Vupen a couple of times recently, and emphasized why buying such zero-day vulnerabilities to use for surveillance purposes without passing them on to be fixed makes the Internet much less safe for everyone. According to a related story in Der Spiegel (original in German), the BND hopes to apply zero-days to undermine the main encryption technology used to protect online communications, the Secure Sockets Layer (SSL) protocol. As The Local writes:
Government spokesman Steffen Seibert confirmed to dpa on Monday that the BND had worked with French computer security firm Vupen, which is known to sell details of security holes to governments, in the past.
The programme to penetrate SSL, codenamed Nitidezza, would also target the HTTPS protocol which is the standard for many banks, online shops, webmail providers and social networks.
SIT means that not only will the privacy of millions of people be at risk, but so will their economic activities and that of all the companies that use SSL to carry out online transactions.
"Holes in SSL need to be patched [fixed] because it is ubiquitous and everyone depends on it for their security," said Jim Killock of London-based digital rights NGO Open Rights Group.
"There is a real risk that failing to fix problems means criminal gangs will seek to obtain the same data using the same defects."
The BND's move is particularly worrying, since it could well encourage spy agencies in other nations to follow suit, thus starting a bidding war for serious software flaws. That, in its turn, will encourage even more people to find and sell zero-days, rather than report them, reducing security online. It's probably too much to hope that government agencies would ever agree to give up acquiring and using software bugs in this way, but they should at least be required to limit their use so as to minimize the serious harm they could wreak across the entire Internet.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: bnd, germany, security, spy agency, ssl, surveillance, zero days
Companies: vupen
Reader Comments
At the rate things are going
[ link to this | view in thread ]
Back to the 90s
(disclosure: I work in information security at a major bank, so it could be bad for me if trust in being able to securely conduct financial dealings online was significantly disrupted)
This article is timed pretty well. Microsoft just 2 days ago issued a critical patch for vulnerabilities in their version of TLS (schannel or secure channel - update now if you haven't yet, this one is important). And within the last year, every major implementation of TLS has had serious vulnerabilities - OpenSSL (Heartbleed), Apple's SecureTransport, and GNUTLS.
[ link to this | view in thread ]
Who's paying for it.
[ link to this | view in thread ]
Bidding war? Oh, heavens no
How? Well, for starters, consider that not everyone who has their paycheck signed by spy agency X is working for spy agency X. There are, no doubt, British in the Kremlin, and Japanese in the CIA, and Iranians in GCHQ, and so on. Of course there are: it's what they do. And some of them are very good at it.
So if I were running the Elbonian spy agency, I wouldn't bother bidding on these: instead, I'd work on placing my people inside the agencies which are likely to be the winning bidders most of the time, let them fork over the cash, and then just lift it from them. Failing that -- which I might, given limited budget and personnel -- there are always the old ways: bribery and seduction, extortion and blackmail, and so on -- all the things that have a long history of yielding successful results in the world of secrets.
So let the Americans and the Brits and the Germans knock themselves out competing for exploits: I'll just sit back, watch, and wait for my chance to pick the pocket of the winner.
[ link to this | view in thread ]
That very trust is what is being undermined in these efforts to round up zero days for spying uses. It is not by accident that people are distrustful and don't want to have anything to do with US businesses. They are losing the faith of their customers unless they do something to counteract these attempts at government meddling. The cost is hidden but it is meaningful and present none the less.
I personally refuse to do banking by the internet. Any exposure of my data won't come from me. But I can not control these banks and their security. That is completely out of my hands. This news does not inspire me with trust to do internet business but rather encourages me not to put my info out in any manner. There are enough out there between the government and these various corporations wanting to know everything for the purpose of targeted ads. While I may not prevent them from knowing everything I do all I can to prevent my data from being out there.
You will not find financial info on my computer. If it isn't there it can't be hacked to find it out from my side. I'm already paranoid enough when it comes to finances. This will only make it worse.
[ link to this | view in thread ]
SSL?
[ link to this | view in thread ]
Government agencies: Protecting you by making you less safe
As such, when you've got agencies who claim to be doing what they are to protect the public... yeah, it's pretty clear that they're lying through their teeth. They are intentionally doing something that makes everyone less secure, that is the direct opposite of their claimed justification for their actions.
[ link to this | view in thread ]
Re: Bidding war? Oh, heavens no
[ link to this | view in thread ]
Re: Re: Bidding war? Oh, heavens no
But the problem is that once it's detected, the unhappy purchasers -- who are, let's remember, governments who possess enormous weapons stocks of all descriptions as well as military forces and clandestine assassins -- may choose to express their dissatisfaction in ways that are very unpleasant. So yes, it might be tempting to make, let's say, $2.5M three times instead of once...but it's probably not good for one's health.
[ link to this | view in thread ]
That's not the worst of it.
It will also provide a way for software developers to get rich by purposely including security weaknesses that they can then legally and secretly sell to the highest government bidder (and maybe a few others on the side). Governments will be effectively secretly paying software developers to compromise their products and there will be no practical way to know which ones have been compromised. Way to go!
[ link to this | view in thread ]
Re: Re: Re: Bidding war? Oh, heavens no
Oh yeah, because spy agencies always keep each other fully informed of everything they're doing. Just out of professional courtesy, you see.
I don't think so.
[ link to this | view in thread ]
Re: Re: Re: Bidding war? Oh, heavens no
[ link to this | view in thread ]
Credit cards? Never use 'em.
The bad old days? You HAVE been paying attention to the news, haven't you?
"Why this is hell, nor am I out of it."
[ link to this | view in thread ]
Re: Re: Re: Re: Bidding war? Oh, heavens no
But -- as I pointed out -- not everyone working at spy agency X is working FOR spy agency X. Thus when zero-day exploit #1234 is sold to X and to Y, it's possible that one of the agents of Y -- working inside X -- will relay this interesting tidbit back to Y.
There's precedent for this, you know -- a LOT of precedent, as spy agencies are not only extremely interested in knowing things, but also extremely interested in knowing how much their counterparts know. So while the seller of #1234 might escape detection this time -- because it turns out that Y doesn't have an agent inside X, or the agent they do have isn't positioned to find out about it -- every time they pull this stunt, they're spinning the roulette wheel.
There's another way as well: these agencies intend to use these zero-days, and well, they will. Eventually that will come out: see, for example, "Stuxnet". It took a while. I'm sure we don't know the whole story. But it did come out and so will some/most/all other similar exploits. So when X uses exploit #5678 against country A, and Y uses exploit #5678 against country B, it's probably only a matter of time until someone, somewhere in the world, puts the pieces together and deduces that the attacks have an awful lot in common.
There's more, but I think this will suffice to illustrate the point, and that is, the double- or triple-dipping at the expense of multiple intelligence agencies is likely a good way to get them to momentarily put aside their mutual dislike and distrust of one another and divert some of their energy in your direction. Kinetic energy, perhaps.
[ link to this | view in thread ]
Re: Re: Re: Re: Bidding war? Oh, heavens no
[ link to this | view in thread ]
Re: At the rate things are going
Given the way DMCA violators are pursued, it's not a very big step from there to terrorists.
[ link to this | view in thread ]
Re: Bidding war? Oh, heavens no
[ link to this | view in thread ]
Re: Re: Bidding war? Oh, heavens no
[ link to this | view in thread ]
So instead of the direction to improve the internet's security, the direction is to keep it perpetually insecure, WHY, to SPY on people
Fckng idiots, in my book, up there ^, that makes YOU the bad guy........that means, any actions reported I pay attention, your words untrusted, and your motives suspected.........and once it's at this point, weak action/lipservice is so FARRRRRRR, too far from being enough to trust these folks again, barely scratches the surface.........once you fck up this spectacularly.
idiots for either not realising how far across the line they've gone, or tyrants for knowing, not caring, and forcing without consent...........free western governments.....my ass.......more like "civilized" tyrants.
"Without leaders"
[ link to this | view in thread ]
Re: Who's paying for it.
When you put it that way, it makes a fairly compelling case in favor of encryption, and darknet/undernet/... instead of doing things out in the open. Anyone doing anything the way Theresa May suggests it be done is just setting themselves up to be roadkill. When you can't trust the authorities and you can't find any functional difference between cops and thugs, we're back in the jungle. Everything you see is a potential predator whether it's carrying a badge or not.
Welcome to the jungle. Be careful what you wish for, Theresa.
[ link to this | view in thread ]
Modern Day German Stasi Seek to Buy Exploits from French Black Hat Hackers to Reduce Trust in E-commerce Worldwide
[ link to this | view in thread ]