I’ve made the statement before that the US government is not merely a victim of cyber attacks but a perpetrator (to be fair, it isn’t just the US, but this post is about the US). I went further and pointed out that they provoke other nations. I seem to recall that I at one point wrote about how they participate in a black market, and how that does not help the situation at all. Even if I haven’t discussed the latter, I have discussed the others. So it is most unfortunate that there is solid evidence (I know I’ve seen other evidence, though) of them wanting to buy 0-days. It isn’t even hearsay. No, not at all; it is a statement directly from the United States Navy.
The Electronic Frontier Foundation has a mirror of the document, taken from Google’s cache. This, I might add, is another thing I believe I’ve written about, and if I haven’t, I know I meant to at one point. I’ll just give a quick summary here: you don’t simply erase something from the Internet. The people who believe Snapchat is a brilliant way to keep things safe are very ignorant, very ignorant indeed. It isn’t brilliant at all (in any way), and there has been more than one incident where many of these supposedly very temporary photos were archived elsewhere (that is not one link but FOUR unique links, two of which include a list of different exploits and results... and there certainly are others out there). Then there is the Internet as a whole, which is even more extreme here. That is another topic entirely, however, so I will refrain from going there. I’ll return to the issue of persistence again, but for the moment all you need to know is that the Navy has since removed their copy of the document. But it isn’t gone.
I’m going to highlight some points from the document, comment on them and bring them all together.
– This is a requirement to have access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied on commercial software.
From the very mouth of the US Navy: they require binaries to exploit widely used and relied-on commercial software. Software they almost assuredly use themselves. It gets better, though; I’ll return to the issue of who uses what in a bit.
– These include but are not limited to Microsoft, Adobe, JAVA, EMC, Novell, IBM, Android, Apple, CISCO IOS, Linksys WRT, and Linux, and all others. [sic]
While there are other things I could label with [sic], I won’t, because I’m not trying to be critical here (I won’t at all suggest I don’t make mistakes in writing… I do. Often). However, I do want to point out that Linux isn’t commercial software (commercial distributions of it exist, but the kernel itself is free software, and the list just says ‘Linux’). In addition, they want exploits for these products ‘and all others’ (is there a reason to list any at all, then? If there is, why ‘and Linux, and all others’?). But the important point here is that they don’t actually care what it is; if it is used, they want exploits for it. Not just any exploits, though: they want 0-days, and also technical support, instructions and everything else you would expect a legitimate vendor to provide. I’ll return to this again, too.
– The vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). This list should be updated quarterly and include intelligence and exploits affecting widely used software. The government will select from the supplied list and direct development of exploit binaries.
Interesting bit here: they will select from the list and direct development of the exploit binaries. Why then, pray tell, don’t they just go to a CVE website, where they can find it all for free? You know, those exist for a reason, a good reason. But here they’re being used for anything but good. It isn’t bad enough that many home users have unpatched (or otherwise insecure) systems (often unknowingly) that are already infected by more viruses and worms (etc.) than a human body would likely experience in a lifetime (certainly in the number of years computers are ‘alive’). No, of course not; but governments to the rescue! Yes, it will affect others: even systems that aren’t vulnerable can be affected indirectly. People are also affected. Including our saviours in the Navy. That’s the best part. This also goes for governments wanting to get rid of encryption; it’ll affect them, their family, their friends, the nation they say they are protecting (that’s why they need to get rid of encryption, see? It is a lie, however, that smells nearly as bad as a septic tank... which is to say it can easily be sniffed out, even by those without a strong sense of smell). It is also a risk to themselves. It has the potential to affect every device. And the more exposure a device has, the more risks can affect it. This is sort of like the immune system: the common cold is nothing for those with a healthy immune system, but to those with a poor immune system it can be very serious.
– Completed products will be delivered to the government via secured electronic means. Over a one year period, a minimum of 10 unique reports with corresponding exploit binaries will be provided periodically (no less than 2 per quarter) and designed to be operationally deployable upon delivery.
It is rather amusing, isn’t it, that they want it delivered in a secured manner. I suppose they hope no one else will have access to these exploits (which I have alluded to already and will get to further) and that somehow it will be safer for everyone. Safer for themselves, actually, and that is incredibly naive: if the US government accidentally ships live anthrax to laboratories across the US and even in other countries (all of which has been reported recently... and other similar incidents have happened), who is to think they could keep computer exploits under their control? Reality: malware tends to spread; there is a reason the words ‘virus’, ‘worm’ and ‘trojan horse’ are used to name those types of malware. Even if an exploit isn’t malware itself, it is incredibly stupid to believe it can’t directly affect the buyer (themselves). You don’t control exploits in the wild like that – you don’t nicely tell one that you are its master so that it suddenly obeys your every command. Even then you have the reality of bugs in software: humans aren’t perfect (irony: because I thought I saw it earlier, and because I should rest my eyes soon, I checked spelling, and what did I do but spell perfect as ‘prefect’… a great example, and I wouldn’t be surprised if more exist in this write-up), programmers are human, therefore programmers aren’t perfect: this leads to errors in software (commonly called ‘bugs’). I won’t even get into simulators.
– Based on Government’s direction, the vendor will develop exploits for future released Common Vulnerabilities and Exposures (CVE’s).
This extreme naivety, bordering on delusion (and using that word is painful… I readily admit I have been delusional in the past, and much of their problem is extreme foolishness), that they are in control is rather scary. Unsurprising, but scary nonetheless.
– Once a product is transferred from the vendor to the government, the government maintains a perpetual license to use, modify or share at the buyer’s discretion.
Obviously. After all, Microsoft and all these other vendors you name (with the exception of the open source software, of which you don’t name much) sell their software and openly allow it to be modified and shared with others. The license also works for an infinite number of devices. So of course you would have this right! Too bad you’re dealing with a black market, isn’t it? Governments create black markets. Stupidly, I might add. Yet in this case there is nothing else: this is to break the security of others, something governments outlawed years ago. Creating black markets is also another example of not learning a bloody thing from history. Yet in this case it isn’t the same thing, is it? Not exactly. If a company hires (or, better yet, has on staff all the time) others to audit its security (to maintain it), that’s fine. But if a company were to pay another company (or other third party) to break the security of another corporation – or of states! – it would be in a lot of legal trouble. This is a triple standard: whine about being victims; pay others to help you do to others what you would whine about if others did it to you; and if anyone else were to do it to others, whine also. Global police.
– The vendor shall accept vulnerability data to include patch code, proof of concept code, or analytical white papers from the government to assist with product development. Products developed under these conditions will not be available to any other customer and will remain exclusively licensed to the government.
Gullibility to the extreme! To think that anyone would believe that an entity selling exploit code is going to refrain from profiting from others who would also be willing to pay is amusing, very amusing indeed (especially since in the past, and likely still, much exploit code is released for free... but it doesn’t take much thought to figure out that some would have no problem profiting from it; can you blame them? Do corporations sell to only one customer?). I’ll also point out there is a hypocrisy here: you have the right to do whatever the hell you want with the software, something that corporate vendors wouldn’t allow with their software (and some free software doesn’t allow it either!). At the same time, though, you have the boldness to state that you maintain the license here, and not only do you state the licensing terms, you also state that the vendor can’t do what they wish with their own work! Licenses are only acceptable if you’re the one stating the terms, yes?
– All delivered products will be accompanied by documentation to include exploit description, concept of operation and operator instructions.
Pathetic. And that’s being incredibly nice; that is the brutally honest truth. You really need documentation of how it works as well as how to use it? Weren’t you also the one wanting to direct the development? Usually the developers write the documentation (at least when they do document it, which isn’t always)! Script kiddies demanding documentation. Highly impressive. I know, I know… you bought it all on your terms, and since you state the terms, you can also demand the documentation. No dignity, no pride, no honour whatsoever.
– Technical support shall be provided by the vendor to the government for purposes of integrating, troubleshooting, bug fixes, feature enhancements, and OS and third party software compatibility testing. These services must be available Monday through Friday during normal working hours (0730 EST through 1630 EST).
You demand technical support... on your own hours?! The amount of arrogance there is unfathomable.
Indeed: no pride, no honour, no respect for others (including themselves, actually), no dignity. None at all. I’ve made clear that governments participating in cyber attacks are not just victims but perpetrators (and consequently provokers). Well, here is solid proof that they really are doing exactly that. With no shame on their part (meanwhile everyone else will see their actions as only shameful). I’d like to lastly say this: they deleted it from their website for a reason. They finally realised the implications. If they didn’t mean harm they wouldn’t have removed it. But they did. There is only one reason for it. The tragedy here is that they could do things to make things better. But instead they make things worse, worse for everyone. It is a cyclical process too. Indeed, just like mirroring, this will continue more and more.