Jon Evans
More posts from Jon Evans
Did you know that the US government is sitting on its own Strategic Zero-Day Reserve? A “zero-day” is a software vulnerability that allows adversaries to bypass or reduce security restrictions; lets them hack systems which use that software, basically. These are not restricted to shady criminal hackers. They are strategic weapons in the hands of nation-states, including America. This is morally complex.
To a certain extent makes sense. Say what you like about the NSA, and I’ve said a lot of unflattering things, but stockpiling zero-days is at least arguably part of their job. The FBI, though — isn’t the primary job of the FBI to protect the American people?
Because make no mistake, every zero-day that exists, in anyone’s hands, makes everyone marginally less safe.Their undisclosed existence makes everybody who uses the hardware or software in question more vulnerable — and the number of such innocents is almost always vastly, vastly, vastly greater than the number of criminal suspects.
How did the FBI hack into the Tor network last February? They won’t say, but it seems extremely likely that they used a zero-day in the Tor Browser, which runs on the same fundamental codebase as Firefox … which is used by hundreds of millions of people who are less safe because that zero-day has not been reported and patched.
As it turns out, the FBI’s activity subsequent to their Tor hack has been ruled an illegal search by a federal judge:
https://twitter.com/csoghoian/status/722914804118065152
skewing the risk/reward ratio of hoarding their (presumed) zero-day—and keeping, again, hundreds of millions of Firefox users that much more unsafe—even further.
Consider the famous iPhone 5c found in San Bernardino that the FBI tried to compel Apple to unlock. The unlocking method will likely remain secret, because the FBI bought it from a third party without insisting on on getting the rights to it . It was good of them to give us all an extremely blatant object example of how zero-days can be used by other parties as well.
To quote Bruce Schneier:
This is how vulnerability research is supposed to work. Vulnerabilities are found, fixed, then published. The entire security community is able to learn from the research, and — more important — everyone is more secure as a result of the work. The FBI is doing the exact opposite.
What’s more, the FBI spent more than a million dollars to get nothing out of that phone. One can’t help but wonder if that money could have been better spent elsewhere, rather than hunting mythical “cyber pathogens” that don’t exist.
These aren’t recent developments. The FBI has been trying to hack their way around encryption for more than a decade. (Although they’ve only just gotten the OK to routinely use NSA data in the course of investigations. What could possibly go wrong?)
To the government’s credit, the decision to retain or report an exploit is not made in ad-hoc manner by whoever happens to have their mitts on it. (And there’s plenty of precedents for reporting; the UK’s GCHQ, for instance, has an admirable history of reporting Firefox vulnerabilities.) There is an official procedure, known as the “Vulnerability Equities Process,” which is used to make that determination.
And of course that process is open, transparent, aboveboard, with active advocates for both sides, and in no way a rubber stamp, right? Judge for yourself, to the extent that you can from the redacted documents behind that link, and be unsurprised.
(One interesting bit in there: vulnerabilities in systems certified by the NSA are to be passed on to the NSA to deal with as they feel is appropriate, presumably in case the NSA introduced that vulnerability.)
Anybody with power, and zero-days are power, is naturally disinclined to give it up for some sort of abstract marginal benefit spread across millions of other people, even if that benefit is cumulatively massive. It’s hard to see how a star-chamber FISA-like review board can effectively advocate for stripping government agencies of that power — even if that would make the public more safe. Expect more of the same; and expect criminals to use exploits that the US government could have closed long ago.
Comment