Tuesday04 October 2022

Keeping the Backdoor open... how the NSA's collection of 0-day exploits hurts us all

Reading time is around minutes.

The world lives in fear of zero-day exploits although the average person does not even know it. A zero-day exploit is a bug or a flaw that has not been discovered by the developers yet, but is known to someone outside. This can be good guys, bad guys or other, but it is still a flaw that can be used to do harm to a computer system and no one has a patch for it yet. When the good guys (security researchers) know about them they work with companies to patch them. When the bad guys know about these things get very ugly indeed. But what happens if someone knows about one (or a bunch of them) and does not tell anyone at all?

This is the boat the world is in when surveillance agencies or law enforcement find flaws. If someone like the NSA or FBI discover an exploit in a piece of software or firmware they can (and do) keep that flaw a secret in order to ensure they can have it for their use later. Until recently agencies in the US had no compulsion to turn over flaws discovered in the course of their surveillance. However, starting in 2010 a law was made that sets the default response to include notifying the software or hardware developer so they can patch the flaw… well that is unless the agency in question feels it is important for ongoing surveillance. Then they can keep it hidden as long as they want.

This has many people wondering just how many flaws might be known, but undisclosed by the US government and that NSA in particular. The US government is not saying all that much about it except they disclose more than they keep. We know that the NSA was involved in introducing flaws in the encryption standards along with more than a few communications standards so they could keep tabs on encrypted communication. Recently, with the number of announced bugs in encryption stacks, many people feel that these are slowly getting fixed, but you can guarantee that there are more out there. The NSA is not about to give up all their ammo and they (apparently) have no problems with leaving many, many systems exposed just to make sure they can get back in later if they need to.

As the curtain is peeled back on what the NSA and others have been doing this will slowly change simply because consumers (and voters) are going to react to the companies that have not only allowed, but in some ways supported this pattern of behavior. Even now smartphone makers are working on systems that allow the user to encrypt their phone without ever having an encryption key. This means that law enforcement agencies will not be able subpoena carriers to get information on a subscriber. It also limits the usefulness of the blanket sweeps that have been done in the past. Of course they will complain that this is playing into criminal’s hands, but in the end the NSA has many tools that will get them into your phone if they need to. All local encryption does is prevent sweeps and indirect information gathering from happening in the manner is has been.

So the tables are turning on blanket surveillance and the people in power are not all that happy about it. The surveillance candy store they have been in is going close and they will have to start playing by the rules that were intended to protect innocent people from being caught up with the bad. Sadly, this means that we are more likely to see the NSA and others hang on to zero-day flaws so they can keep their current lazy and invasive methods in place. This means that everything from your home to your money is at risk, just so the NSA can continue to spy on people…

Tell us what you think in our Forum

Last modified on Friday, 21 November 2014 09:43

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.