These numbers are insane. It should be the other way around!
I firmly believe we need to start calling NSAs and GCHQs of this world out on their bullshit. If you have ~$10bln annual budget and you leak a weaponized exploit, which then gets used in *malware*, you should be liable for damages.
WannaCry alone caused estimated $4bn of damage. Why should the victims pay for it?
@rysiek This might have something to do with it: https://medicalxpress.com/news/2018-06-iq-scores-1970s.html
In no small part this is on us -- the #InfoSec community.
We need to keep calling three-letter-agencies out on their bullshit.
I appreciate Defensive Security very much, it's a great podcast.
But I find it at least a bit disturbing that EternalBlue and NSA were not mentioned at all while discussing WannaCry, and that the perverse way three-letter-agencies are set up in relation to #InfoSec was not pointed out as an important part of the problem.
/rant
@rysiek because it's good for them if they remain unfixed?
@a_breakin_glass sure, but what I'm saying is: people created the incentives this way, people can change them. And they should!
It perhaps made sense during the Cold War, when each side used their own tech, to focus on weaponizing bugs in "enemy's" tech.
Today we are all using the same tech. A bug in your browser is a bug in mine. The whole mission of NSA's TAO simply does not make a lot of sense anymore.
If they are supposed to keep us secure, they should help secure the tools.
Reminds me of this. The institutional distrust of the NSA is so strong that every move by them is viewed with suspicion. People are even thinking they are playing 4D chess and wanting a rejection!
Even worse, gaining the trust requires the NSA to drop at least half its mission (aka budget). Which means it will never happen.
@SlightDashOfColour @a_breakin_glass they brought it onto themselves.
If I see NSA designing an encryption scheme, I am suspicious too.
But they could start by finding vulnerabilities and reporting them to vendors. That's something that is verifiable, and could be a good starting point for them to clear their reputation a bit.
And nothing says their mission cannot be modified. Or, you know, we could fund the CERT instead. ;)
Yeah they hoard vulnerabilities until they leak, then we're fubared.
The monitoring arm of the NSA is now cancerous and has overwhelmed their entire structure. It's like you said: post-Cold War there's no reason why an international effort couldn't be centred around CERT-style agencies. But "protect EVERYONE (instead of the US)" doesn't do much to inflate the organization's budget. Post-9/11, running a surveillance state ensures they stay deeply funded.
@SlightDashOfColour @a_breakin_glass thing is, they can't even protect the US.
WannaCry hit US companies too.
@rysiek @SlightDashOfColour the point is to protect the US *state* and its interests
@a_breakin_glass @SlightDashOfColour defined how, exactly?
Any such definition must include economic interests. In fact, NSA is known to have spied to protect just that (Petrobras case, for instance).
And if so, the whole WannaCry thing is clearly a failure in that regard. And so is the general state of information security in US companies -- which I understand is not... great.
Judging by discussions on this topic recently:
1) NSA rank and file are suffering from low morale due to the PR beating they've taken in lay populace (how much sympathy you have depends on how much taxpayer dollars they're drawing sitting on those jobs they're not quitting)
2) they know both mission arms of the NSA are working at cross purposes. Success in one area means setback in the other
@SlightDashOfColour @a_breakin_glass
1. Ah, good to know! Also, negative sympathy, at the moment, sorry.
2. Yeah, that's part of the problem.
@rysiek TLAs only want security for THEMSELVES. They want to spy on US, but they don't want us imposing oversight on THEM.
They are tyrants and servants of tyrants, hypocrites who demand the right to keep secrets for themselves but would deny it to everybody else.
But also: if a ~$10bln/yr agency that *specializes* in CyberCyberCyber cannot keep their shit together, what does it say about the broader information security landscape?
Humans are failing, we completely suck at information security. Partially because the incentives are so perverse. Because US CERT gets ~107 times *less* money than NSA.
How the hell does it all make sense? Why don't three-letter-agencies put their resources into discovering bugs and helping vendors fix them?
#InfoSec