Leaked NSA Zero Days Already Being Exploited By Whoever Thinks They Can Manipulate Them
from the the-best-offense-is-not-giving-a-fuck-about-playing-defense dept
There are still people out there who think it's a good idea for the government -- whether it's the FBI, NSA, or other agency -- to hoover up exploits and hoard vulnerabilities. This activity is still being defended despite recent events, in which an NSA operative apparently left a hard drive full of exploits in a compromised computer. These exploits are now in the hands of the hacking group that took them… and, consequently, also in the hands of people who aren't nearly as interested in keeping nations secure.
The problem is you can't possibly keep every secret a secret forever. Edward Snowden proved that in 2013. The hacking group known as the Shadow Brokers are proving it again. The secrets are out and those who wish to use exploits the NSA never disclosed to affected developers are free to wreak havoc. Lily Hay Newman of Wired examines the aftermath of the TAO tools hacking.
Whoever they are, the Shadow Brokers say they still have more data to dump. But the preview has already unleashed some notable vulnerabilities, complete with tips for how to use them.
All of which means anyone—curious kids, petty criminals, trolls—can now start hacking like a spy. And it looks like they are.
Curious to learn if anyone was indeed trying to take advantage of the leak, Brendan Dolan-Gavitt—a security researcher at NYU—set up a honeypot. On August 18 he tossed out a digital lure that masqueraded as a system containing one of the vulnerabilities.
Dolan-Gavitt used the Cisco zero-day -- one which the company is still unable to completely thwart -- for his honeypot. This exploit was in the hands of the NSA for at least three years and was never disclosed to Cisco. The security researcher saw one attack in the first 24 hours. Since then, there have been a handful of attacks mounted every day.
This is the end result of someone hacking the hackers. The Shadow Brokers have turned the agency's exploit toolkit into NSA Everywhere!™ -- the NSA's new "Inadvertent Disclosure" project. The hackers have divulged far more exploits than the NSA ever has, even with the (severely loopholed) "presumption of disclosure" mandate handed down by the Obama Administration.
The NSA -- and its defenders -- remain mostly unworried about this collateral damage. Presumably the nation is still secure, even if its companies and their customers aren't. I guess that's supposed to be good enough. Every war inflicts a toll on non-combatants, and the neverending War on Terror will be no different than the neverending War on Drugs in this respect.
But those at the top of the IC heap -- and those who work closely with them, like the FBI -- need to stop pretending the government can be trusted with keeping its most secret secrets secure. And officials need to stop applying pressure on lawmakers to craft encryption backdoor legislation, because this debacle should make it clear -- even to true believers like FBI director James Comey -- that any hole labeled "GOVERNMENT USE ONLY" isn't going to keep bad guys out forever.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
Whoever it was that said that two people can keep a secret if one of them is dead, was an optimist.
[ link to this | view in thread ]
It just goes to show
[ link to this | view in thread ]
what about liability?
[ link to this | view in thread ]
Their take on it is obviously clear. They'd rather keep the exploits and put the nation(s) at risk so they can keep on being supah dupah cool hacking guys. Go Merika!!!
[ link to this | view in thread ]
Re: NSA secrets
[ link to this | view in thread ]
Re: It just goes to show
[ link to this | view in thread ]
Re: what about liability?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
We must not forget that this is the same government that previously used the American civilian population as (non-consenting) human guinea pigs to test all kinds of chemical, biological, and nuclear weapons.
http://www.rense.com/general36/history.htm
[ link to this | view in thread ]
To paraphrase
[ link to this | view in thread ]
National Anti-Security Agency
Wonder how well thats working out for them.
[ link to this | view in thread ]
Re: To paraphrase
[ link to this | view in thread ]
Re: Re: It just goes to show
[ link to this | view in thread ]
Re: National Anti-Security Agency
Wonder how well thats working out for them."
Just fine. Best job creation scheme and budget multiplier they've thought up so far.
[ link to this | view in thread ]
Re: Re: Re: It just goes to show
https://www.youtube.com/watch?v=e8TUwHTfOOU
[ link to this | view in thread ]
"Our (job) security IS national Security!"
The NSA cares about their privacy and security, they couldn't care less about the privacy and security of anyone else, and if anything they tend to actively works against the privacy and security of others so that they can scoop up more personal data easier.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
Using that method of sorting it's pretty clear that the NSA and the other government agencies are not the 'good guys', as they demonstrate time and time again that they don't care about the public and will even actively work against the best interests of the public as they only care about their own power and are willing to do whatever it takes to protect it, even at the public's expense.
[ link to this | view in thread ]
Government of what?
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Government of what?
Typically the government is just in the business of bustin' whistle blowers, and takin' money from the populace to fund their pet projects and pad their pockets.
In fact of all the government employees that I got to work with and know personally the ones who only had the authority to govern themselves and no one else are some of the hardest working people I know. Honestly those people make all of our lives better.
[ link to this | view in thread ]
Golden Key
[ link to this | view in thread ]
Re: Re: Re: It just goes to show
[ link to this | view in thread ]