The Ineffectiveness of the Vulnerabilities Equities Process

Originally published at: News - Whonix Forum

There was a very interesting debate about the Vulnerabilities Equity Process (VEP) going on between ex-NSA employees (Dave Aitel and Matt Tait) now private security industry entrepreneurs and a Harvard fellow civil liberties supporter. The VEP process can be summarized as the USG playing hot potato with vulnerability disclosure vs NOBUS.

Its an interesting conversation because it provides an insight into the logic of the NSA and essentially what state-level computer crackers on the front lines think.

It boils down to the idea that the VEP is placing heavy restrictions that will affect SIGINT collection and that disclosing bugs will do little to improve things without a strategic assessment that requires heavy resource investment - so why bother.

You should read it for yourself. I think many points it brings up deserve commenting. While I don’t agree on many things I still have much respect for Dave Aitel and what he’s written. Check out his mail list.

"The vulnerability equities process (VEP) is broken. While it is designed to ensure the satisfaction of many equities, in reality it satisfies none—or at least, none visible to those beyond the participants of the insular process. Instead of meaningfully shaping best outcomes, the VEP provides thin public relations cover when the US government is questioned on its strategy around vulnerabilities."

I agree with this but for the reason that the process is an opaque process aimed at window-dressing and shielding the status-quo from criticism not because it has made (or will make) the job of the IC any harder as the post claims. How effective has self-regulation ever been in enforcing checks and balances? Since assessing what to disclose is not based on any objective or technical framework and relies on many unknown variables - it becomes very easy to always land on the side of not fixing much of anything that’s found. Also the idea that you have complete knowledge of what 0day cards the Russians, Chinese and North Koreans hold is a little arrogant and will get you burned.

"Law enforcement use of hacking as an investigative technique is an inevitable consequences of increased use of end-to-end encryption, device encryption and anonymity programs such as Tor browser. Want to open a locked iPhone? Well, you need a zero-day. Want to see what’s being said in that end-to-end encrypted message? Need a zero-day. Want to know where that Tor user is actually browsing from? Zero-day."

This is why many civil liberties group are concerned. The revolving door between military use of 0day and LE has spun off the hinges and there is no longer any meaningful difference. Now civilians and petty criminals have to contend with the most powerful signals intelligence agencies in history. Once this distinction disappears, we are looking at a police state and so the concerns of groups like the ACLU have merit and should be taken seriously even if the VEP process is a farce. Many recent court cases leave a lot of doubt about the effectiveness of protections given to citizens.

"The process of properly understanding the operational security and technical details of hundreds of vulnerabilities a year would require an expert staff of thousands. Undertaking the effort while failing to make the required investments puts strategic cyber security goals on a roulette wheel."

Assuming good faith and the will to reform, isn’t it a worthy goal despite costs?

"Many commercial entities embrace some future VEP as a kind of universal government bug bounty program. That’s a nicer way of saying that (lots and lots) of US tax dollars will be used to subsidize the security of some of the biggest companies in the world."

Just as governments should not be required to do companies’ jobs for them, then by the same token, neither should they require companies disclose private information to “help cyber-security” as CISA claims to do. That is to say non-intervention should be upheld in both cases of when it gives the government a offensive advantage or disadvantage.

"Individual exploitable software vulnerabilities are difficult to find in the first place."

OK then how do you explain the waterfall of new bugs every day? This is contradicted by another statement where you claim there is enough of them that there is no overlap between other countries’ stockpiles. Constantly referring to “stockpiles” implies there is quite few more of them.

"The prevailing expert opinion is that there is no clear evidence that Russian and Chinese operational zero days overlap with those of the US IC."

How can you really know?

"Also note that when the USG reports vulnerabilities to, say, Microsoft, the company then sends the information to a team in India for remediation. It is not all that difficult for the governments of India or China to penetrate those teams. It’s what the NSA and GCHQ would do, probably together."

Very ironic example since Microsoft goes above and beyond the call of duty and consults NSA before patching vulnerabilities they find themselves and as of late they are developing their OSes to cater to the IC needs.

"And as we’ve seen this week with the EQGRP release, you never know when you might need a whole new batch of tested and working exploits. Sometimes, in order to avoid attribution, it is necessary to use a completely new toolchain on just a single target!"

What we’ve seen is that the 0days that the USG supposedly thought it had exclusive knowledge of was also possessed by another hostile agency for years and might have also used them in the mean time. So we end up with the US, Russians and Chinese having this knowledge while everyone else including the citizens you claim to protect are left defenseless.

"Public information about the vulnerability marketplace is littered with claims that vulnerabilities are sold on a “grey market,” portrayed as a shadowy, quasi-criminal underworld. In reality, like any important supply chain, the vulnerability marketplace is a valuable part of our strategic national mission in cyber. "

Arguably the existence of a whole security “industry” is a result of a collective failure and selling out by the hacker community at large. They figured its easier and more financially beneficial to keep up the vulnerability discovery treadmill running instead of developing any serious exploit mitigation technologies that puts an end to this charade.

"If collectively we decide that the intelligence community should do more to help defend America online, they should be charged with helping companies develop systemic improvements against phishing or research anti-exploit techniques for major software. "

But if they do the latter in any serious effort, then logically their collection capabilities will suffer. I don’t think there is any real incentive for the government or private sector to do this and so we won’t see any large scale adoption of mitigation beyond Anti-Virus right now :wink:

"The vast majority of vendors are closely aligned with the mission. Efforts to restrict the US Government ability to license or purchase vulnerabilities drives the marketplace to buyers who can transact under less onerous conditions or exponentially increases the prices. "

Then why do you oppose the Wassenaar Arrangement? Isn’t it to ensure that 0day firms cannot sell outside a countries jurisdiction and keep 0day prices low for the USG? You oppose it because it hurts your bottom line and allows the government to corner the market. I oppose it because it the moment you start applying export controls to programming code it looms dangerously close to the export munitions bullshit crypto writers had to fight two decades ago. The EFF is unfortunately supporting it in a bid to outlaw the exploit sale industry to protect activists but everyone knows that is doomed to fail. As long as there is demand, a government will always circumvent its own laws and legalize criminal actions for itself.

I wanted to point out the flawed logic behind the core assumptions they make but I am inclined to agree with the finders keepers mentality in that its “fair enough” but the scope of their argument leaves out a lot of messed up actions the IC has clearly been engaged in. Going all out and rigging standards, which are basically scientific facts about crypto communication protocols is outrageous so is actively introducing security vulnerabilities in products and not just merely finding them as they claim (hello Juniper Netscreen). NSA still maintaining a mandatory advisory role in NIST despite officially being an offensive IC agency is unsettling and shows a complete defiance to calls for reform (Around February COMSEC was disbanded or “merged” with the SIGINT department). So please don’t claim you are hamstrung by the VEP straw-man and “going dark”. We know its not true and the fact that millions of PCs still run Windows and Flash makes these cries all the more absurd.