[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Inferring the NSA's MO from a short clip of Joel Brenner on BBC

I want to preface this message with a disclaimer: I am in no way defending
the actions of the NSA. I am merely attempting analysis of their
motivations and their MO.


Joel Brenner says,
"There is in all the intelligence agencies a tension between doing offense
better and doing defense better" ...and, "but unless you think 0days are

Ok let's talk about this issue for a moment.

- In the CTF world, it has been widely accepted that given a red team and a
blue team of equal abilities, the red team always wins.
- Academics say there is no way to create provably secure software.
- Developers have a phrase, "there is no such thing as bug free software."
- CISOs are using the term "risk" to describe pen test findings: a
recognition that pen tests have become a measure of the risk that someone
will find an exploitable flaw.

Suppose that the NSA gave up on securing software because they view it as
impossible. In fact, we know they view it as impossible because they have
called it a Sisyphean Task.

If there are diminishing returns from reporting software vulnerabilities to
the vendor, then doing so is a losing battle. I hear people say that the
NSA undermines the security of software by not releasing the
vulnerabilities, but we know that historically companies have been very bad
at actually fixing the vulnerabilities they are given. In some cases, a new
product is released before a vulnerability is even looked into, thus
rendering the effort useless.

So, is defense dead? Is that an accepted fact these days? If offense is a
type of defense, is the NSA perhaps aiming to use 0day for their offensive
capabilities to effect a kind of defense? How would they accomplish this?

Have any of you been to the Berlin Unterwelten? It is a tour of revision
after revision of nuclear bomb shelters that could never possibly save the
population they are tasked with saving.  We are living in an age where
there is an entire set of strategies that deal with war in a world with
weapons so strong that no walls can possibly defend against them.

Although the reach of nuclear weapons historically has been further
reaching than so-called "cyber" weapons, that is changing. Despite the very
many warnings from the infosec industry, that is changing. (Sometimes I
think my Home Invasion 2.0 talk fell on deaf ears because smart home
appliances are proliferating.) And in the future of smart homes, smart
cities, even smart bodies, when everything is internet connected: everyone
is vulnerable. Imagine cities that can be invaded without physical armies.

If you were the NSA, and you believed these things to be true, what would
you be doing?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cpunks.org/pipermail/cypherpunks/attachments/20140203/cd592728/attachment.html>