Probably because "your" enemies use "your" software as well. If it makes you feel any better it looks like the NSA shared the vulnerabilities with Microsoft a month before they were leaked.
But the U.S. still has the most to suffer from them (as a country). But from NSA's point of view, even if the U.S. still has to suffer from those exploits, it's "worth it" because for every American that is getting harmed by those exploits, they can spy on 10 other foreigners. So it's not really a matter of "defending the country" but of "value of exploit".
Kind of how in WW2 they used to allow one or two or five of their own ships to be sunk by the enemy just so they didn't reveal that they had intercepted their communications (which I guess the argument was the intelligence would've been more useful against more of the enemies' ships).
Also, this was a large batch of exploits, and the NSA knew eventually they would get released. So they might as well be the "heroes of the day" and get companies to fix them, especially if they can get the publicity for it. But for every one of these they fix there are probably dozens of others they don't want fixed, like for instance all the vulnerabilities in Chinese routers and smartphones and smart TVs and other electronics.
It's not that hard to verify that this is their logic. Look how they want to push backdoors and how they fight encryption, just to catch a few people, even if that harms everyone else. From their point of view "more security" is a bad thing. And I'm not even sure you can expect much else from a spy agency. When you have a hammer, you want every problem to be a nail. It should be up to everyone else to push back on that logic.
> If it makes you feel any better it looks like the NSA shared the vulnerabilities with Microsoft a month before they were leaked.
Do you have a source for that claim? Because I've now seen multiple people indicate that.
From what I can see Microsoft hasn't said where they got the info from. They gave a statement to The Intercept that indicates it wasn't NSA, but the statement isn't entirely clear; it may be up for misinterpretation.
I think it'd be really good if someone would shed light on how things unfolded here, but from what I can see right now we don't know where Microsoft got the info about these vulns - and probably only Microsoft can clarify.
I agree with that assessment: TSB were blackmailing the NSA 'We bees having windows vulns'. NSA told MS - red faces all round but then we're pros right?,..move on. Now TSB have nothing except maybe some doco and every USGA after them LOL! Anything else is stretching it. How these idiots came upon EQTN - maybe other people know, I don't. As broker of 0day exploits, they suck. As to what the NSA should be doing with 'your taxes' - erm, what do you people think the NSA do or to rephrase what do you think they should be doing? USGA have layers of expertise available to them and some punkery may have had to have been tolerated at some field level because y'know these skills are in demand and private sector pays more and when a kid has a secret some kids just can't help themselves - they are by definition immature. There is the possibility that NSA work with MS but given the emergency nature of the patch it appears not so, which is disappointing because as a federal employee you do not want to be breaking innocent people's stuff.
> How these idiots came upon EQTN - maybe other people know, I don't.
That's the bit that should really worry you. After all, if the NSA can't keep its goodies under lock and key then that means that others, possibly including your enemies have those goodies too.
It's one thing to be active in the weapons research domain, it's another to give that research away.
'Give' is harsh if you understand the operational constraints people on government salaries and budgets had to work under. USGAs collected/acquired/amassed rather than developed these and packaged them into a field kit - they were in the dark domain (for $$$), then meh punkery. Sure we'd all love to be chillin' with JMac shootin' up the neighbors porch. Not just NSA either... just sayin'. Even GCHQ have warez :O TSB are the curly, moe and larry of this sorry affair. they got lucky, now they gonna bees unlucky lol!
So, if the NSA becomes aware of an exploit that they are able to procure for $ and they really have the security of the United States at heart don't you think the proper course of action would be to alert the vendor rather than to leave their own people just as wide open to attack as their enemies?
I could understand them hoarding their own research but this essentially confirms that the NSA doesn't care about the security of the home country as much as they care about being able to infiltrate elsewhere and to me that seems to be a badly chosen priority.
After all they can't know for sure who also has access to that vulnerability.
In this circumstance, the NSA's two missions come into conflict - to spy on foreign targets, and to protect American targets. From the perspective of that institutional mission, it's not clear which motive should win out.
Do you really think that Microsoft are unaware of the limburger that lurks within their codebase to allow subtee, image hijinx, and the rest? cpls and pifs were in windows 3.1!
I don't know who the "us" and "them" are here, but fact is the NSA is into global spying and mostly does industrial spying and "business intelligence" so the USA gets and maintains an edge over the rest of the world.
But it also spies on US citizens to be sure to control dissent and shut people down.
> it also spies on US citizens to be sure to control dissent and shut people down.
Yups. Shut dissents down, in an undemocratic way, to keep an undemocratic gov't from receiving public scrutiny. In the meantime keep up the appearance you're fighting (inter)national terrorism. Yeah for "National Security".
By the very nature of the agency's remit their focus will be more in a domestic say than a foreign theater of operations, so 'yes' but 'unfair!' (the bad guys walk amongst you).
Because, cynical as this may sound to some people, that's what government does, in the name of national security. The argument that we keep zero-day exploits secret is basically security by obfuscation. That will only last until another smart person discovers it and sells that to the highest bidder. But the interest of national security in modern cyber warfare is about gathering intel. Otherwise, we wouldn't be looking at this news right now; we wouldn't have government websites hacked or classified documents stolen or government officials using their personal mail servers, if we were serious about the safety of our national computer infrastructure.
I'm pretty sure that they buy a lot of these exploits as well. If you can trust the NSA, I don't think that keeping the exploits secret is such a big deal. There are other damaging vulnerabilities that even the state actors don't know about and that are being exploited by organized crime. It's a cat and mouse game.
...and a very distasteful business; many of these developers live in SE Asia for dubious reasons and peddle their warez to support their sickening lifestyles. I would be OK with certain CIA/SIS proffered solutions in these cases. There is no current shortage of Windows 0days that I know of.
Because you have no say in how tax monies are spent, that's how taxes work. Then there is the rule for rulers[1], then because that's how USA rolls (have a look at the history of the country and you'll see that this is not an isolated event), also amusing ourselves to death[2], politics as usual, business as usual, capitalism, unsustainable economy based on growth and a bunch of other reasons, but mostly the great USA land of free yay!
What I feel is awful is the lack of information stored against each update.
It's all just "security" or "reliability" and possibly a link to a KB which says the same.
Some large organisations still have stalwart IT managers who insist on not applying updates unless they know it affects a specific issue that they have. And now that this information is unpublished they apply nothing. It's lost on me how they keep their jobs.
Why is that necessary? I've run Windows on the desktop for probably 10 years and I have never had an update break anything. Seems like people just trying to make themselves useful if you ask me.
What if you are a bank, an airline or a hospital, with thousands of networked Windows machines, and one update breaks a specific networking feature (remember [1]) and that crashes your most vital piece of software?
That Quora post is pretty bad. Actual evidence is requested, but the top answer is a list of wild conjecture.
The responder prefaces most of their comment with "it is widely believed that" and "it is likely that", states without any explanation that the Malicious Software Removal Tool is somehow a backdoor, and that "everyone who knows about [the backdoors] is under NDA", with no evidence to support that statement either.
Undisclosed "1-day" is real and has gone on forever. A popular set of tools is binary diff tools such as the now-defunct Zynamics, acquired by Google. There is evidence. The amount of tooling around examining MS patches should convince most.
With so many eyeballs on release diffs, undisclosed vulnerabilities were often discovered (and still are). With the number of experts on file observing this it should not be controversial at all.
Got it. The Quora post is suspicious. That said, Windows is a lot of machine code. It is more than plausible. NSA is known to have an active relationship with Microsoft.
If 9/11 == inside job is, say, 2/10 plausible, this Quora speculation is like 7/10 plausible IMO.
The second paragraph trying to class source code disclosure programs intended to find backdoors as proof of their existence was amazing, too.
The fact that it got 1.5k upvotes is a great reminder that voting systems aren't a magic wand for solving quality issues. People just love conspiracy theories too much to think critically…