Saturday, November 5, 2016

It's Raining VEP!

This is the technical community's feeling on these papers, summed up in a tweet.

And this is it summed up in...another tweet.


There's this weird trend in the policy world to have a group of law students get together, read a bunch of Wired and NYT articles on all things cyber, quote a few of their own papers on the subject and call it "research". That's like doing lemur research by looking at the drawings a first grade class does after they watch Madagascar. If they really wanted to do research on the 0day market, they should find some 0day, then sell them on the "market"! Can't? Then STFU about all things vuln markets!

But let's get more substantive with a critique of the latest Pro-VEP paper (this time by @jason_healey and co), starting with the most ridiculous recommendation in any VEP paper so far!
Yes, because opportunities just wait around for the VEP process to complete.

Just to revisit how hacking works: your shock troops are small teams building and deploying exploits faster than their hard targets can adjust. Custom-built is what works best for both return on investment and OPSEC. Policies that apply to "every vulnerability" ignore the vast differences in how the Government finds and uses vulnerabilities across its entire mission set. Do we have an entire-Government-wide policy on shovels?

Aside from the data being of "who the fuck knows" in terms of accuracy, and the contents of the table being entirely conjecture by law students who've never touched a vulnerability, I can't imagine the purchasing officer who is going to spend 4.4M USD on things they don't get to use. In what world do people think that's how the system works? SEQUESTRATION IS A REAL THING, THIS TABLE IS NOT.

Look, not for nothing, but you need lots more bugs than 45 to get the job done, and beyond that, to get the job done safely. Your instinct should tell you that a team with 8 Solaris implants (c.f. EQGRP latest leak) has more than 15 bugs a year? THINK ABOUT IT: 8 DIFFERENT SOLARIS IMPLANTS. IMAGINE THE REASONS WHY.


THIS is just a description of the ethical argument in favor of unilaterally deciding not to do SIGINT. Not one I think we should use when designing government policy.
Here's what it comes down to: Unrealistic expectations of some sort of ethical purity argument as applied to SIGINT policy. The icing on the cake is the below feeling of betrayal when reality steps in.


I guarantee you that Obama, who is involved in our offensive operations more than any previous President, does not intend what VEP supporters think he intended. The key is the phrase "or the technology sector expects". That's what this is about. The Tech Sector has expectations. They are not being met, nor should they be.
