Submission + - The White House's Zero Day Sleight of Hand
Trailrunner7 writes: The White House wants you to know that it did not know about the OpenSSL Heartbleed vulnerability before you did. The White House also wants you to know that administration officials don’t think stockpiling zero days isn’t necessarily good for national security. That’s all well and good, except that it mostly doesn’t matter.
“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run.”
Here’s the problem, though: The government doesn’t necessarily need to stockpile zero days, because it has a cadre of contractors doing that job in its stead. One of the conundrums of vulnerability research is that there’s no way to know whether the bug you just discovered is in fact new. The population of skilled researchers around the world is sufficiently large that it’s possible, if not probable, that someone else has found the same bug and is already using it. It’s tempting to think that you’ve discovered a special snowflake, but there’s a good chance someone on the other side of the Web has found the same snowflake. So the fact that the White House has a “disciplined, rigorous and high-level decision-making process for vulnerability disclosure” sounds nice, but it’s not enough.
“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run.”
Here’s the problem, though: The government doesn’t necessarily need to stockpile zero days, because it has a cadre of contractors doing that job in its stead. One of the conundrums of vulnerability research is that there’s no way to know whether the bug you just discovered is in fact new. The population of skilled researchers around the world is sufficiently large that it’s possible, if not probable, that someone else has found the same bug and is already using it. It’s tempting to think that you’ve discovered a special snowflake, but there’s a good chance someone on the other side of the Web has found the same snowflake. So the fact that the White House has a “disciplined, rigorous and high-level decision-making process for vulnerability disclosure” sounds nice, but it’s not enough.