Mind-blowing secrets of NSA's security exploit stockpile revealed at last

Incredible document has to be seen to be believed


The NSA has revealed for the first time in public how it handles and reports critical unpatched security flaws its snoopers discover in software.

It is generally accepted the US taxpayer-funded spy agency has a private stash of exploitable programming blunders that it uses to infect and monitor its intelligence targets' computers and phones.

Alerting app makers and IT giants to these holes, and getting them patched, could cost Uncle Sam some valuable information. It's possible the agency tips off companies about the vulnerabilities once they've been successfully used against a target. The tech security world has been pressing to get some insight into the US government's zero-day policy.

On Friday, we found out thanks to a successful Freedom of Information Act request from the Electronic Frontier Foundation (EFF).

The obtained NSA document [full PDF] issued by the ████████ ███████████████████ ████ ███████ ████████████████ advises government agencies on how to handle and report vulnerabilities in software used by agencies or the contracting companies they work with.

The dossier, marked secret, explains how agencies can accomplish the US Department of Homeland Security-mandated cybersecurity task of ██████████████ █████████████ ███████ within the Joint Plan for the Coordination and Application of ███████ ███████ █████████████ ████ ███████████.

Among the processes explained is the government's Vulnerability Equities Process (VEP), a bunch of rules that covers ███████████████ ████████ █████████████ ██████ █████████████████████ when ████████████████ ██████ ███████ █████ ███████ and ████████ ██████ ███████ with ███████████ ██████████████████████ █████████ ████████████ ████████████ ████████ ██████████.

The document – some parts marked as US-only, others for America's Five Eyes partners – also says that government agencies and contractors should not immediately take their vulnerability discoveries to vendors, but instead notify █████ ████████████ ██████ █████████████ ████████ ███ ██ █████ ███████████████ █████ ████ ██████ and consider the risks for ███████ ███████████ ███ and ████ █████████████████.

Crucially, ████████ ██████ █████████████ ████████ ███ ██ █████ ████████████ ██████ █████████████ ████████ ███ ██ █████ ████████████ ██████ █████████████ ████████ ███ ██ █████ ████████████ ██████ █████████████ ████████ ███ ██ █████ ████████████ ██████ █████████████ ████████ ███ ██ █████ ████████████ ██████ █████████████ ████████ ███ ██ █████ ████.

Meanwhile, flaws in NSA-certified hardware, software, and encryption algorithms should be reported to the NSA, which will handle things from there.

Infosec bods were quick to share their thoughts on the newly unearthed government policies.

EFF staff attorney Andrew Crocker noted that in-between discussing ███████ █████████ ████████████ █████████████████ ██████ and explaining ████████████ ████████ ███████████████, the document does provide some interesting clues on government security policy in regards to security vulnerabilities.

"If the government chooses to keep a vulnerability secret for intelligence purposes, for example, it does not notify the developer, which would likely otherwise issue a patch and protect users from online adversaries such as identity thieves or foreign governments who may also be aware of the zero-day," Crocker wrote.

"That’s why the US government’s written policy on what to do with zero-days is so important."

There is no word on whether further reports on the NSA's █████████ ██████████████ █████████████████████ ██████████ will be forthcoming.

Agency spokesperson ████████████ ███████████████ told El Reg: "███████ ████ █████████████ ████████ █████████████████████████ █████████ ████████████ ██████. ████ ██████████████████████████████ ████████ ████ ██████.████ █████████ █████ ███████ ██████." ®
