Wednesday, November 23, 2016

CIS VEP Panel Commentary


You can be super smart and not understand CNO operational issues because of a lack of experience in the area. And you can be smart and have ethical issues with the very idea of doing CNO. Above is a link to the CIS panel released last week on "Government Hacking" that discusses the VEP where both are on display.

It's hard to address the "ethical" issues around SIGINT collection that make people unhappy. I find it disturbing (as should you) that Ari Schwartz and Rob Knake and the Obama White House decided to do what they did with the VEP, sacrificing years of effort to maintain operational advantage by our IC, because of vague ethical issues with something they don't even understand fully. In the video, you can see Ari's face panic when the question comes in about what a vulnerability "Class" is, something we've written about on this blog. Sinan Eren answers it, much to Ari's relief, because Ari has no idea what a vulnerability class is except in the most general sense. He couldn't name them if his life depended on it. AND LIVES DO DEPEND ON IT.

It's also funny in the video to see Ari's look of surprise when he hears Sinan say "Vulnerabilities don't matter from a defensive perspective - focusing on mitigating factors is what makes the difference from a software security perspective". You can see an epiphany almost start to form in his head, then fade away as he returns to his blind ideology.

Inexperience with operational matters is something we can point out clearly though. You can always tell someone is inexperienced when they say things like "How long should we hold a vulnerability for?" or "You don't even need 0days to attack things!" That second one is true, except against hard targets, or when you cannot afford to get caught. Does that sound like the exact position the IC is in? Yes, yes it does.

This is the probabilistic game every good operator has in their heads. This is why it's not simple. Like a scuba operator measuring their outgassing a good CNO OPSEC person is also measuring their exposure to other operations across their entire toolchain at all times.
The reason hackers love 0day is not always the high success levels. It's the protection against detection by intermediaries or the target themselves. Likewise, it takes a very long time - sometimes years - to properly test an exploit in the wild. When people say "How long have you had this bug?" the answer from a properly trained operator is always "Not long enough to be comfortable with it".

The saddest part of the VEP video was when Ari says "Just because we've given it to a vendor doesn't mean it's blown!" Everyone in the IC was headslapping as he said that. It demonstrates a complete lack of understanding of how operations are protected that should not be the case in someone making policy that affects the IC.

But it comes out, during the video, that Ari believes we should control the whole vulnerability "market". That was his real goal with the VEP. And that means everyone. It means Ari thinks the entire research community should follow some disclosure law he and his friends think up and ram through Congress, without any understanding of the impact of his "Ethics" on the rest of us. It's the same as the Wassenaar Agreement. And yet the EFF is still trying to support him on this one. And that too, is baffling.


No comments:

Post a Comment