Archive for November, 2015

The NSA has a public relations problem, to put it lightly. The revelations released by Edward Snowden, the Electronic Frontier Foundation, and several other government watchdogs have cast an eerie light on one of the government’s most poorly understood agencies.

Not that the NSA has generally tried to be well understood. If anything, the agency has earned its serpentine reputation by constantly dodging attempts to pry loose information about what it has been doing.

Just last year the EFF filed suit to force the federal government to disclose the actual procedure behind the Vulnerabilities Equities Process, which the FBI, NSA and other agencies use to decide whether to disclose a vulnerability to the affected software developer or vendor, or to withhold it and use it in their own operations.

The suit was prompted by the discovery of the Heartbleed bug in the OpenSSL software library. The flaw, a buffer over-read in OpenSSL’s TLS heartbeat extension, let a remote attacker read server memory and so exposed the personal information of millions of users, including their private communications. Edward Snowden and the EFF suspected that the NSA had known about the bug for two years and exploited it instead of disclosing it so it could be fixed.

Now the NSA says it has disclosed 91 percent of all security vulnerabilities that have passed through its internal review process. Despite this step in the direction of greater “transparency,” privacy advocates remain worried about the remaining 9 percent.

The NSA claims that it has historically leaned in favor of disclosure, and withholds a vulnerability only when it may be needed to collect crucial foreign intelligence: to stop a terrorist attack, prevent the theft of intellectual property, or uncover further vulnerabilities.

Jennifer Stisa Granick, director of civil liberties at the Stanford Center for the Internet and Society, is not satisfied:

“By withholding information about the remaining 9 percent, the NSA has chosen not to notify the party best situated to fix the security flaw,” she objected. “They do this to enable intelligence agents to exploit these flaws for surveillance or to use them as weapons, as with Stuxnet. As for the remaining 91 percent, it is not clear whether the NSA uses a subset of those vulnerabilities before it discloses them.”

Stuxnet was a piece of malware widely reported to have been built jointly by the United States and Israel. Neither government has confirmed its involvement, but anonymous sources have claimed that the worm was developed during the Obama administration to sabotage Iran’s nuclear program with what would look like a long series of unfortunate accidents.

Not everyone in the security community shares the sinister portrayal of a snooping NSA. GreatHorn CEO Kevin O’Brien said, “The NSA has in recent years struggled from a public relations perspective; one can imagine that they would prefer that the discussion be focused on the 90 percent of exploits that they do report, and the (perhaps unexpected) indication that they adhere to the principle of sunlight being the most efficient disinfectant.”

“Software exploits of this kind (unintentional issues that are researched and reported on) are a different kind from the more sophisticated types of cyberattack that lead to large breaches,” he continued. “As a security professional, having the NSA allocating resources to finding these kinds of issues is comforting. They’re a resource that, on many levels, has the best interests of the United States and its national security in mind. Bluntly put, someone will find these exploits; I’d rather it be an agency which is aligned with our national security.”