NSA Was Concerned About Power Of Windows Exploit Long Before It Was Leaked
from the and-still-nothing-until-the-last-minute dept
The NSA's exploit toolkit has been weaponized to target critical systems all over the world. So much for the debate over the theoretical downside of undisclosed vulnerabilities. (It also inadvertently provided the perfect argument against encryption backdoors.) The real world has provided all the case study that's needed.
It appears the NSA finally engaged in the Vulnerabilities Equity Process -- not when it discovered the vulnerability, but rather when it became apparent the agency wouldn't be able to prevent it from being released to the public. What's happened recently has been devastating and Microsoft -- whose software was targeted -- has expressed its displeasure at the agency's inaction.
Maybe the agency will be a bit more forthcoming in the future. Ellen Nakashima and Craig Timberg of the Washington Post report former NSA employees and officials had concerns about the undisclosed exploit long before the Shadow Brokers gave it to the world.
When the National Security Agency began using a new hacking tool called EternalBlue, those entrusted with deploying it marveled at both its uncommon power and the widespread havoc it could wreak if it ever got loose.
Some officials even discussed whether the flaw was so dangerous they should reveal it to Microsoft, the company whose software the government was exploiting, according to former NSA employees who spoke on the condition of anonymity given the sensitivity of the issue.
Officials called it "fishing with dynamite." The exploit gave the NSA access to so much on compromised computers, the agency obviously couldn't bear the thought of voluntarily giving up such a useful hacking tool. But when it was first deployed, some inside the agency felt the vulnerability might be too powerful to be left undisclosed.
But there were plenty of others who viewed disclosure as "disarmament." Somehow, despite three straight years of leaked documents, the NSA still felt it had everything under control. The Shadow Brokers NSA exploit auction made it clear the NSA was no better at securing its software stash than it was at keeping thousands of internal documents from wandering out the door.
The only upshot is the NSA has now witnessed what kind of damage its exploits can do in the wrong hands. Since the agency cannot possibly ensure this sort of thing won't happen again, the question now is how much of other people's security is the agency willing to sacrifice in the name of national security?
The NSA appears to believe it handled this as well as it could given the circumstances, but the outcome could have been so much worse. The chain of events leading to the NSA's eventual disclosure helped minimize the collateral damage. It has very little to do with the steps the NSA took (or, more accurately, didn't take).
What if the Shadow Brokers had dumped the exploits in 2014, before the [US] government had begun to upgrade software on its computers? What if they had released them and Microsoft had no ready patch?
There's your intelligence community nightmare fuel. Had the vulnerability managed to take down US government hardware and software, the NSA would be facing even more criticism and scrutiny than it already is.
The NSA appears to only disclose vulnerabilities when forced to. It may possibly hand over those it finds to be of limited use. Former NSA head Keith Alexander says the agency turns over "90%" of the vulnerabilities it discovers, but that percentage seems inflated. The NSA spent years as "No Such Agency." It's only been the last four years that it's been forced to engage in more transparency and accountability, so it's tough to believe it's spent years proactively informing affected companies about the flaws in their products.
In any event, the NSA's second-guesswork will have to do for now. Some legislators are hoping to shore up the vulnerabilities reporting process, but it's likely by the time it heads for the Oval Office desk, it will be riddled with enough national security exceptions to make it useless. With the Shadow Brokers hinting they still have more dangerous exploits to release (including one affecting Windows 10), the decision to disclose these vulnerabilities will once again be informed by the NSA's inability to keep its hacking tools secure, rather than any internal examination of its hoarder mentality.
Filed Under: exploits, leaks, nsa, vep, vulnerabilities, vulnerabilities equities program, wannacry
Reader Comments
No. It's not.
[ link to this | view in chronology ]
Re:
Going by their track record, I don't think they'll give two thoughts to doing something similar in the future. They're more than likely doing it now.
[ link to this | view in chronology ]
Re:
"All of it"
[ link to this | view in chronology ]
Re: Re:
Exactly. The NSA has made it abundantly clear that it will always prioritize its ability to do something over public security, because as Good Guys they seem to operate under the dangerous idea that if it helps them then it helps the public, and any 'collateral damage' is an acceptable price (for the public) to pay.
[ link to this | view in chronology ]
i was given a back door
5 of us in certain nations with these kinda kits
and yes I'm at actual risk telling you this, I've decided I don't care, and they know it and yes I'm armed you bastards (not you Techdirt peeps, this is directed at them)
they are spying on me and find me in my games and start saying shit only people involved can and boy are they sore I'm not playing their ...game no more
and yes I've leaked shit they can't do nothing about no more
one example is the millions of honeypot IPs the FBI uses
the other was knowledge that the so called Sony root kit existed in source and binary for years before Sony got its part (binary, which is why they had a hard time fixing it lol) ....one day these yahoos will get what they got coming to them....
[ link to this | view in chronology ]
Re: i was given a back door
The US government takes the view that it does not matter what your intent was, only the end result... right up until it would have to prosecute itself for treason, then intent is all that matters.
[ link to this | view in chronology ]
Re:
Somewhere along the way, the government has forgotten that fact. They exist to protect us, yet the ease with which they will sacrifice us and our interests for at best nebulous gains is horrifying.
What is even worse though, is how many government officials consider the general public to be their enemies -- which means they meet the mens rea definition of treason, even if they haven't gotten around to the actus reus portion yet.
[ link to this | view in chronology ]
Re: Re:
It would also require that someone trust Microsoft. How many users turned off Updates due to the forced 'upgrade' to Windows 10? None of those people would get the update.
On the other hand, Microsoft put the update to fix WannaCry into the Windows Defender stream. Even though I am one of those who turned off Windows Update, I still update and use Defender weekly.
While it probably won't surprise many, check out the Twitter feed in this comment
[ link to this | view in chronology ]
Re:
The Vulnerabilities Equity Process is supposed to be used by the NSA to disclose vulnerabilities to technology companies. The technology companies are supposed to work with them to close the vulnerabilities in an appropriate manner.
[ link to this | view in chronology ]
Re:
It would make Microsoft an accomplice to the backdoors. MS has a lot of explaining to do when that leaks out.
[ link to this | view in chronology ]
I don't know, it seems reasonable to me. 90% of everything is crap, so the NSA just turns over the crappy exploits (don't give much access, are easily detected, only affect a small number of machines, etc), and keeps the remaining 10% of really good and powerful exploits for itself.
[ link to this | view in chronology ]
That they couldn't keep it from being stolen by hackers and those hackers used it to spread ransomware on such a massive scale ...
It's not a good thing when our government is more paranoid of the people than the people are paranoid of it.
[ link to this | view in chronology ]
Watch
"What's that - that one of ours?"
"Yep that's for Tehran University - that's OK."
[ link to this | view in chronology ]
Once it was out there
(I think they ought to be held liable for the ransoms that people paid.)
[ link to this | view in chronology ]
Re: Once it was out there
Telling Microsoft about the exploitable bugs after the tools to exploit them were on the verge of leaking is the NSA's idea of trying to clean up their mess.
[ link to this | view in chronology ]
So?
So? It already knew but doesn't care.
[ link to this | view in chronology ]
NSA is Concerned with CYA
The only upshot is the NSA has now witnessed what kind of damage its exploits can do in the wrong hands.
wrong hands?
You write as if NSA's motives were pure as the driven snow.
They are not.
Remember NSA surveillance isn't about catching terrorists but keeping tabs on 330 million American citizens, corporate espionage and political blackmail.
Surveilling terrorists is simply the specious rationale that is paraded about in public to make NSA's unconstitutional actions seem more palatable to Americans living under the US government's omnipresent stare.
Any well trained terrorist is quite aware of NSA's electronic surveillance and would more than likely practice good operational security and forgo cell phones, email, satellite communications gear, etc.
[ link to this | view in chronology ]
But if we had encryption backdoors, then the government would be able to help all those hit with the ransomware decrypt their files...
[ link to this | view in chronology ]