As a security professional, one of my greatest threats is the Exploit Marketplace. You can fight mistakes. You can fight attackers. But it is almost impossible to fight economics. The exploit market is creating an economy that creates and enables exploit. It is the greatest driving force optimizing the Internet for Attack, instead of Defense. Now, it looks like the Exploit Marketplace was justified, founded and sustained by the NSA. We have learned that the NSA has enormous budgets devoted to purchasing exploits. Today we learn:
"The NSA spends $250m a year on a program which, among other goals, works with technology companies to 'covertly influence' their product designs."
So, the NSA creates exploit in everything they can influence. And they can influence almost everything. The NSA purchases exploit. Many times, they must be purchasing info on the exploits that they created. They preserve exploit. They mask everything in secrecy. And it all enhances the exploit marketplace.
If we could just get the NSA out of the exploit market, the whole thing would probably collapse like a real-estate broker's wet dream.
The other chilling revelation is the names of these programs:
"The NSA's codeword for its decryption program, Bullrun, is taken from a major battle of the American civil war. Its British counterpart, Edgehill, is named after the first major engagement of the English civil war, more than 200 years earlier."
The NSA has crappy internal discipline. Instead of using meaningless codewords for project names, their codewords frequently describe the project. PRISM described how the NSA collects info. These project names shout that the NSA is fomenting civil war. They are at war with the rest of the country.
- * The NSA must be stripped of it's ability to create exploit.
- * The NSA must be stripped of it's ability to purchase exploit.
If we survive as a nation of liberty, the NSA must serve us, not attack us.