Should the NSA be held responsible for the Wannacry ransomware attack?

It seems the NSA knew of a security hole in Windows. The NSA apparently wrote the code that the current Wannacry is based on, and didn’t inform Microsoft of this vulnerability until after they found out the code was stolen. If the NSA had informed Microsoft, the existing security patch for this hole would probably have been more widely acknowledged, and hopefully more computers would have applied the security patch.

Personally, I have very little confidence in governments to keep secret things like this. I think it is inevitable that hackers will get hold of at least some cyberweapons or lists of vulnerabilities held by governments. It’s like having heavy duty locks on a shed, and not expecting thieves to notice and wonder what is inside.

Should the NSA be held responsible for trying to keep this security weakness a secret, so that they might be able to exploit it to their own benefit? Is it ok for a government to potentially expose not just their citizens, but people and companies all over the world, on the chance that the government might want to exploit the weakness themselves?

So far, I haven’t really heard anyone screaming that the NSA did wrong. This part of the story always seems to be buried 10 paragraphs into any news stories. What would the response be if it was some other country that had held this secret, and if it was the US taking the brunt of the damage?

Why would the NSA have a duty to inform the public, or Microsoft?

What aspect of their job or mission or charter would compel this duty?

I was about to look up the NSA’s mission statement to refute this (I am pretty sure their mission covers ensuring that US communications are protected from other nations, as well as SIGINT against other nations):

But their values page is down…
https://www.nsa.gov/about/values/

Not sure what to make of that :slight_smile:

Maybe they were hacked and all their files encrypted. :cool:

I guess it depends on whether you believe that the obligation to not be an unethical asshole is something that must be written into the mission statement of every public agency. I would think that an obligation to conform to ethical standards and support of the public interest would be implicit in the obligations of any institution that is funded by public money.

Well by some definition of “unethical asshole” (i.e. killing lots of people as efficiently as possible) you could claim that is built into the mission of the DoD.

The complaint about the NSA in this regard is that the NSA has a dual mission: both to carry out SIGINT on other nations, and to protect US communications from other nations.

IMO by keeping these exploits secret they clearly failed the second part of that mission.

When I heard that the ransomware behind last week’s entertainment was partly brought to us by leaked NSA code, I wondered if anyone would think to hold them liable. I’m wondering also what the response would be based on the source (US citizen/company, foreign company, or government).

I found a sketchy cache that seems to show that their values (used to?) be

which seems like a failure on points 1 and 2 at the very least, given that a large number of hospitals were crippled by it. I did find this working page, a brief reading of which seems to have

as the most relevant line. Arguably nothing of a national nature was disrupted (that we’ve heard of), so maybe nbd? Although if CSEC had lost their toolbox and not warned anyone, I’d be giving any employees I knew some side-eye. :dubious:

Firstly, protecting national security is not just the DoD; the US infrastructure, in all its forms, counts as national security.

Secondly, even if there is nothing in this particular attack that counts as “national security” (you could definitely make the argument that FedEx counts), as a general point keeping these exploits secret, when they ARE going to be used by foreign actors against the US sooner or later, is still clearly going against their stated aim of protecting US “national security”.

If it can’t even protect its own hacking code, what chance the country? Pathetic.

Based on what I did find on their webpage, they violated three of their four core principles in this:

The problem with the first one is that the hack shows they were not deserving of trust, since they didn’t keep things properly secured. This also applies with the second, but also includes the fact that, if they were under public scrutiny, the correct thing in the software world is to report on vulnerabilities, specifically because something like this could happen. And the problem with the third is that this lack of transparency and security harmed the safety and security of American citizens.

Maybe they can justify holding onto the info if it’s not been seen out in the wild yet, and if they keep all the information secure. And maybe if they’d already worked on a way to patch it so that, if it was found in the wild or leaked, a patch could be rolled out right away to mitigate the damage.

All this said, I don’t at all believe anything will come of this. They already violated this with the spying on citizens. They did not behave like they had intense public scrutiny. They were not as transparent as possible. They could at least reveal they were doing it, even if not what data they collected. Any terrorists already suspected they did it, so would encrypt anyways. They could have even controlled how it came out, and played it better, while working for a compromise solution if people were upset. But they didn’t.

And, frankly, now we’ve got bigger fish to fry. Either they focus on Trump and deal with him, or they’re in his pocket and his side is the side that doesn’t care about any of this. The NSA can do whatever they want, because “terrorism.” (That’s not to say that covers all Republicans, but it definitely fits Trump’s followers’ strongman wheelhouse.)

Either way, there’s no way this works out. They play the victim card due to the hacking, and they win.

And who gets to define what constitutes ethical?

Seems to me that this is little different than the theft of a loaded gun. There’s a good reason for the government to possess dangerous objects, and to the extent that one is stolen, it is not evidence one way or another that the owner was negligent in protecting it.

I think that Harold Martin, the guy accused of stealing that material, may be looking at another 20 years on his sentence.

For those who assert the NSA is negligent, let me ask a serious question. Do you think it should be government policy not to possess any zero-day exploits at all, for any reason? Like if we know that the Russian nuclear weapons system has a vulnerability in a commercial system that we could exploit to ensure they could never launch a nuclear war, we should tell Microsoft (or whomever) to issue a patch?

If not a total prohibition on the government holding zero-days, then in what cases could it hold them?

Wait. That’s not deliberate behavior – they didn’t WANT to be hacked. Are you arguing that they were hacked because of negligent security on their end?

An athlete can strive to be the best; you wouldn’t say he was a liar if he lost to another athlete.

Many people believe that, but others do not. What law of nature makes it “the correct thing to do?” Perhaps they weighed the value of having this hack that only they knew about and decided it was worth the risk. What makes them wrong, as a matter of objective fact?

Maybe they did!

Correct, and they never promised to be. In fact, on their behalf let me promise you this: tomorrow, next week, next month, and next year they will continue to NOT be as transparent as possible.

As others have pointed out, there are other aspects of National Security at risk here. Sure, keeping this secret for a period of time might allow them to gain access to certain systems they might not were the security vulnerability revealed to the public and/or Microsoft. However, considering that Windows is what the majority of government networks run on, not to mention countless private businesses and citizens, failure to inform Microsoft or even other branches of government potentially leaves all of these vulnerable.

The fundamental debate here is nearly identical to the one raised with the request to build a back door into the iPhone, that it seems some people think the government can be trusted with this sort of information. But unlike that one, where there would be some sort of encryption involved that could at least give some semblance of the government maintaining sole control of the backdoor, actual unintended vulnerabilities can be discovered by the “bad guys” just as well as the “good guys”. That is, even if there is absolutely no leak of information, it’s only a matter of time before unwanted entities find vulnerabilities after we’ve found them if, in fact, they didn’t already know about them beforehand.

As such, I would argue that in the vast majority of cases, knowledge of a vulnerability should be raised to the attention of a vendor immediately. Maybe if there’s a critical investigation that might be compromised, I could potentially see some sort of a delay. But even then, I’d think it’d still make sense to at least notify the vendor and ask them to start development on the patch so it can be released immediately after the critical stage of whatever investigation they’re on.

This isn’t some obscure notion that the NSA has never considered, though. Much like the allies famously allowed civilian deaths during WWII in order to conceal the fact that they had cracked German encryption, so too does the NSA allow government systems to remain vulnerable to preserve the power of its exploits. Whether or not to disclose a vulnerability is a decision they probably make thousands of times a year, and they know full well what the ramifications of not disclosing it are.

Unless additional information comes out that suggests the NSA was particularly foolish in not disclosing this vulnerability, or particularly negligent in safeguarding it, I’m willing to give them the benefit of the doubt here. I want my government to be able to exploit our adversaries’ systems, and our adversaries are not going to be voluntarily disclosing vulnerabilities they find so that we can helpfully patch them.

Do you know what “NSA” stands for? This was a matter of national security, and they dropped the ball. They did not secure the nation, even though they had the information that it was necessary and the means to do so.

And sometimes the DEA elects not to enforce drug policy because they’ve got their eye on a bigger picture.

Is there a timeline of when the NSA discovered this and when it was stolen? My understanding is that Microsoft patched this in Windows 7 a couple months ago, but the systems affected were either not updated or still running XP which hasn’t been supported in years.

Correct. Both of these organizations would rather cultivate their own power than actually serve the interests of the American people. That’s bureaucracy for you.

How can people bear to write guff like that?

No, but I might condemn him for tripping over loose bootlaces if there was an enormous flashing sign over the ground shouting: ‘CHECK YOUR LACES!’

Anyway, I’m amazed no-one has yet confidently declared Mr. Trump is going to be impeached for this.

What metric are you using to decide that they did not improve the nation’s security by failing to reveal the exploit?