>> now it's time to kick off our first talk and this is a talk that i'm very excited about, uhm, i actually, uhm, kicked jay's, uh, talk of a couple of years ago. [laughter] you guys are in for a real treat! uhm, jay healey is, uhm, not only has, has quite an interesting resume and i'm sure he's gonna apple equity, go through some of that but he's going to talk about feds and 0days and stuff [coughing] that. cause it's been kinda a wild year for things like law and policy and security. uhm, so, this is going to be a good one... let's give our first speaker a big round of applause! [applause] [cheering] [background noise] [ahem]
>> great, thanks very much! my name's jay healey, i teach at columbia university. and i wanna kick off with this for a second because i don't teach computer science at columbia, i teach in the international affairs and public policy school and that's kinda been my resume up to this point. uhm, uhm, that just got mentioned, i've spent, i started coming to defcon 9, i've been part of this community. a few years ago jeff moss put me on the, uh, uh, dark tangent put me
on the review board to, uh, to look at, so that i could review the talks to be, to be even more part of the community. but i've also been part of the policy community for that time, so one foot in defcon, and, and, with all of you guys but also very much within that policy audience - the very deep washington dc crowd. and that's what i teach now, is trying to, trying to go back and forth so that the policy folks can understand what you do and also transit for you guys at policy so that we can figure out. are, are the things being done at washington dc and other capitals in our interest? and also try to get through some of the bs so that you can better understand.
so in today's talk we're gonna look at these four areas. and want you to come away from this especially [coughing] understanding the government's process for looking at 0days, how did they decide what to disclose to the vendor and what they're going to retain for their own use. second, the real meat of this is how many 0days does the government keep to itself per year? is it hundreds, is it thousands, is it more than that, is it less than that? so, just by a show of hands, who, who imagine that the government keeps, keeps hundreds of vulnerabilities? [pause] okay, uh, uh, alright. decent maybe, a quarter of you. thousands? [pause] wow! a lot more! who thinks it's maybe more than thousands? [pause] great! anyone less than anything i've listed there? [pause] okay, uhm, i'm gonna, i'm gonna cut to the end of the talk - it looks like from every piece of evidence that we can find that it is much less than that. [audience noise] uhm, now i know you're not gonna believe that. [chuckle] [laughter]
so, we're going, i'm gonna go through every line of evidence that we've gone through to try and prove it and disprove it. and let you make up your own minds. last, so if every year they have got some, how big is that overall arsenal of retained vulnerabilities that they, that they're keeping for themselves? so if the, how many does it keep every year? is about the flow, how many, how many do they have in the arsenal? then what we don't know, there's still some, some big re- open research questions and then some recommendations for governments
as well as recommendations for the rest of us. this is work that was done by, uhm, kicked off from a team of students from columbia university, school of international and public affairs. [cough] so we had five different teams that were, uh, looking across all different aspects of this. so the student research teams, uh, one of the students is here. we had folks looking at everything from, uhm, the 0day market and can we find what activity the government and 0day market, what about the government and, uh, uh, role in vulnerability disclosure programs? uhm, uh, diving right in and trying to figure out the vep process. we had some folks that, you know, had some statistical background. they try and look at it from statistics, we tried to see, alright, what's the use of actual 0days, uhm, in the wild and what do we know about other government programs? [pause]
so, i'm not in a, i'm not gonna reference this slide other than to say they put in a lot of work, we've put in a lot of work up to this point, uhm, i'm gonna keep saying this again and again - i don't know if we got the right answer but we've tried to run down every line of evidence that we can. and we put together, as you can see from this timeline of the government process - we've gotten to get a lot of information on this. this should be coming out in a report, hopefully in the, hopefully in the fall. so, whenever i can't, whenever i've tried to make a judgement i've listed "what's my level of confidence" based on, uhm, based on my judging of that evidence. as someone that understands both the technology side as well, as well as the policy side. as i've said i've tried to go through every line of evidence that i can, uh, we've hunted down as far as we can. i'll present all of that to you. [pause] [cough]
uhm, you're still gonna, uhm, [pause] there's a, there's reasons why we're really suspicious about government on this. uhm, they've given us a lot of reasons to be suspicious about this and suspect the number is far higher. i'm probably not gonna convince all of you. i had a great talk last night, uhm, at the speaker, at the speaker's lounge with don, don i don't know if you're here, i couldn't convince don.
[laughter] [audience noise] and, uhm, uh, no matter, no matter the amount of evidence, uhm, don wasn't going to be convinced. and that's okay! [pause] uhm, i'm not gonna convince, i'm not gonna convince a lot of you about the answers that we come up with. what i prefer you be convinced about is that we did do the best job we could to try and come up with those correct answers. and, if we did get it wrong, that someone else can come in and try and get a better answer.
so, last, when it comes to credibility, uhm, as i said, i've been coming since, uh, i started coming at defcon 9, i'm on the defcon review board. uhm, i've gone to the folks that you might consider credible on this, i've talked to this about dark tangent, to, to dark tangent, to the eff, to a lot of journalists on, that have written on this. and the names that you would know. uhm, i've also done this to be try to, to try to be credible, credible in the policy audience. [coughing] uhm, i came out of this in, in military, uhm, doing, uhm, doing mostly defensive cyber stuff, i had time at the pentagon, i had time at the white house - i've talked to that crowd. and tried, and the journalists that are, that, uhm, have written the stories and i've gone to all these groups. from eff to former white house and current government officials to say "where am i right? where are we wrong? what has our, has our research, uh, seem to be, uhm, seem to be off?" i've said, "can we prove that we're wrong? is there any way that we can try and, any evidence to disprove this?". and this is what we've come up with so far. so, at least you'll hopefully be convinced with what we've done. okay, way too much preface...
uhm, so the government has two main roles when you're talking about the vulns - and there is strong tension and often bureaucratic infighting within these two communities. you've got the, the agencies that love to use the 0days - they want to keep the 0days, generally, this is really simplified. so you get dod, the intelligence community and law enforcement agencies. uhm, that will likely keep these open as we saw on apple fbi so that they can collect intelligence. so they can, they can, uhm, do their, do their job as they see
it. there's others that, whose, whose, whose equity is say now "we want these to be pretty much all closed down". so for example the department of commerce [cough] has been, they've been running a vuln, vulner, vulnerability disclosure dialogue, alan freedman there. uh, the, uh, the, uh, the agencies that represent the specific sector of critical infrastructure like the treasury department or the energy depart, department have equities where they want things disclosed back to vendors. uhm, and the dhs - uhm, which, for the most part want some defensive. there are law enforcement parts of dhs, uhm, on the uh, but for the most part the critical infrastructure protection and cyber security folks overwhelmingly want the, want these closed down. and this is important cause you see this tension between these agencies, the government is certainly not of one mind on this. and this does come in when we're thinking of evidence later on.
i also wanna point out. there's three different main kinds of vulnerabilities, uhm, when you're thinking of this from the government's perspective. first is the battlefield systems, right? this talk isn't going to deal with a russian surface-to-air missile vulnerability, right? that is not a commercial system that would go into the program that we're talking about here. second are closed and proprietary but still commercial systems - so, like, this is the things like siemens, you know, the industrial control systems, you know, the more internet of thi, internet of things, uhm, devices that are coming online. last, the one that we tend to think about when we're thinking about vulns is the open internet, you know, the microsofts, the ciscos, the apple, the apple vulnerabilities. but keep in mind we do have these three sets and we're not going to be talking about the closed battlefield one. [pause]
so, we're gonna start the story. uhm, i know that the government has been, uhm, using and sharing vulnerabilities for at least 15, probably more like 20, 20 years going, going back to the '90s. uhm, some of you might have, uh, seen comments from richard bejtlich, he's now at fireeye mandiant, and he had been in the
air force in the '90s. and he gave this quote uhm, he was on the defensive side of air force cirt and they discovered a cisco vulnerability and they said "great, let's tell cisco.". they didn't have any type of process, they said that's the right thing to do. and the offensive part of the air force at that time, in san antonio, [coughing], uhm, said "what are you doing? let us know about that first, you can't just tell the vendor.". so you know, at least at this point in the air force you had this, at least there was no set policy and you had this default to the offense, right? they said "we'll decide", and it looked like they were keeping it for offensive purposes. also, we know from this time that, uh, the military and the other agencies did really hoard it, right? if you were air force and you had a cisco vulnerability, you didn't tell the navy about that. you didn't tell the nsa, you didn't tell the army, uhm, everyone kept that capability themselves because it was something that you, you could have and once you share it to the navy they might use it and then you can't use it any, you can't use it yourself within the air force. so, really looked like it was quite a bit hoarded.
to try and fix this the nsa started "information operations technology center", probably around '97, '98, it looks like, to try and share capabilities. now they're talking about this toolkit that probably was more about exploits than vulnerabilities, but of course i'm, i'm sure it would have included both. [pause] so there's nothing from the white house on this point up until about two thou, well until july 2002. when they came out with a classified national security policy directive, nspd, nspd 16. still classified, and it asser, it asserted the presidential authority to get involved in this process. so, if you hear of someone that says the government doesn't know what they're doing on offensive, there's no policy to coordinate this - no, it's actually quite a known policy, it's almost, it's almost 15 years old. uhm, and i've talked to some of the folks involved, they didn't say, they don't remember it really dealing with vulnerabilities. i don't think vulnerabilities featured much in
that, it was more about, it seems like it was more about coordinating operations. and again, prior to 2010 there's, it doesn't seem like there's any us government wide policy or process to handle this. [cough] uhm, so even if there wasn't anything government wide there definitely was within nsa. uhm, they, they call it their "equities process" was based on their intel' gain-loss assessment. if any, if any of you know intelligence, you know, the us interest can be better served if we get this to the vendor, than if we keep this to ourselves but the decision was entirely up to the director of nsa. he didn't have to ask anyone else in the us government, he didn't have to get advice from what we, from what we know of it. uhm, doesn't seem like there was any, anyone outside of nsa that was part of this. there was no way to get anything in.
uhm, they're more likely to keep it, this phrase kept coming up a lot on the research of nobus, more likely to keep it if "no one but us" is able to use this vulnerability. if it is so obscure, so, so my favorite example of nobus - since we're in vegas - is, uhm, what was it? ocean's 13, you know, when brad pitt, they, they, hack the, uhm, uh, the jackpot machine and you have to drop the coins in a certain manner to make, to make the thing jackpot, right? that's no one but us, no one but the ocean's 11 gang would have known that you had to drop the tokens into this machine in a certain way. that's kinda what we mean by nobus - difficult to access, it's really obscure, i mean, it's going to take some, uh, difficult to discover, really difficult to try and exploit. now i assume but i don't know, that the other agencies that tried, that like to keep vulnerabilities had their own internal process, uhm, i assume cia and justice did but, uhm, we haven't been able to discover that yet.
so where things really kick off is in 2010 and we know this now because of, uh, documents from the eff, and by the way you'll see a bit fn2 up there... [laughter] i added all the footnotes at the very end of the talk, uhm, i'm gonna leave my references up there so you can take a photo of it if you're interested in following up on
the ref, following up on the references. so now you finally had this document that came out in 2010, uhm, from the office of the director of national intelligence i believe. that laid out here's the process that's going to come out. uhm, nsa can still run it but you've now got a formal process in washington c, dc, they call it the "interagency" process. by which others need to be brought in if they're going to have an equity in this issue. [pause] so this is what that process looked like... this is what was in place from 2010 to 2014. so note, at the top, the government or its contractors and i think that's a, that's a nice loophole that they were taking out there to include contractors. find something that's newly discovered and not publicly known. so all of these, these are key phrases in there. nsa is the executive severe, secretariat, this is good for us because if nsa iad which is the defensive side of nsa, it wasn't being run by tao, which was the offence, espionage part of the nsa. so it was being run by the defenders is actually a good sign, uhm, that things were going in the right direction. uhm, it would go to an equities review board which would have the senior people on it and they would be the ones, the ones that would make the final, uhm, decision based on the recommendations from the subject matter expert. uhm, there was, and they would make the decision whether to disclose to the vendor or retain for their own purposes. now this is, uhm, it, there was an appeals process but it was redacted. so it's tough to know exactly what the appeals process was going, going to be. [pause]
so as much as i like this, this is, this is a decent process, right. if you were going to implement this in your organisation it's not a bad way to do it. at least it's relatively well laid out, you can in fact flowchart it [chuckle] and it does include people outside of the agency in question. so, as a policy guide, this is, this is, okay. uh, it turns out that it wasn't really ever fully implemented. so this came out in 2010, uhm, footnote three there is from one of my, uhm, uh, former colleagues that had been at the white house during this time. that he said
it became "dormant", that nsa ran their own internal process, didn't formally include the outside agencies as much as we would have wanted. uhm, footnote four is from the current head of the cyber direct, directorate at the nsa. so, mi, a guy named michael daniel, so he's the president's top cyber advisor. and he looks at both defence and some offence, uhm, and he said, uhm, "this policy at this time wasn't fully implemented". so they reinvigorated it in 2014 and i'll talk about that reinvigoration in a second here. and it looks like this decision to reinvigorate was in part, might have been in part driven by stuxnet. by the discovery that stuxnet used so many microsoft, uhm, 0days as well as siemens' vulnerabilities as well. so, if you remember, i talked about that tension between the bureaucracies, uhm, if this is true then, this might have been one of those places where you were seeing this tension between, in the bureaucracy. so that when the way i imagine, and again, i haven't found evidence on this, this is just in my mind, you could, you could imagine seeing these defensive bureaucracies, like dhs, or treasury, or energy, or commerce, saying "holy cr*p! we just did what with stuxnet? we didn't know about that? you were keeping all of these and now our agencies are having to deal with this? we need to try and fix this!". and so this tension within the bureaucracy is an important point, uh, i think might have been an important point here, but i'm also going to bring it up later on because, what we don't see on it, we don't see that tension today. we don't see this disagreement and i think that that lack of evidence is very interesting to me.
okay, uhm, [coughing] so, after the snowden revelations the president obama puts together a senior review group, including people like dick clark and others i understand are, are, feel somewhat well. uhm, to say "what are the recommendations that we can do to look at, uhm, intelligence and other way based on, uhm, the snowden revelations?". one of those recommendations, recommendation number 30, was we need a default disclosure policy and we need a better process. [coughing]
obama, ob, accepts those recommendations january 2014, saying one "disclosed by default". so the president signed off on this piece of paper that said "the us government policy is that when we get a vulnerability my intent is that that will be disclosed to the vendor, and if you don't wanna disclose that, you want to retain that, then it's up to you to prove why that's a good idea." such public policy defaults are really important. cause now you know the president's intent and it's up to the other agencies, right? you can't say "well, we didn't know what the president wanted." it well, you can but it becomes a lot, lot tougher. also, what the president did was saying this stuff is too damn important to leave at any one agency. [pause] so, we're gonna bring it into the white house. this can't be decided at just nsa anymore, this now has to run out of the nsc - the president's national security council. we learned a little bit more about this and i'll go through that process and i'll put a slide up that has that flowchart in a second.
uhm, we learned a little bit more about this in congressional testimony from admiral rogers, when, uhm, when he was up to be the, uhm, uh, i think it was confirmation for cyber com commander, march 2014. this is the first time we really learn about this default, uh, default, disclose by default policy, was in his testimony. we didn't, we didn't know in the community about obama's decision until he talked about it here. i also thought that it was interesting, you can see the bits i highlighted subtly there. "nsa always employed that principle", he said. he talked about, he did a decent job of talking a little bit about that process in highlighting it's not just software vulnerabilities but hardware vulnerabilities as well. and that if they do decide to retain it they attempt to find other ways to mitigate the risks. so, for example, if you were gonna, if you were gonna try and retain it, uhm, maybe you try and you use, uhm, a more significant collection to see if anyone else is finding this bug. and if someone else finds the bugs then you'll, then you'll decide to tell the vendor. uhm, and so this was really trusting
for us, and it helped, on a, a pol, as a policy guy, what people tell congress usually matters. uhm, usually if a staffer thinks a person is full of it, the congressional staffer thinks the person's full of it they'll go through and they'll, they'll leak in saying "look they testified this but we know the truth, we know that the truth is different" and we didn't find any of, we didn't get any of that out of this kind of testimony. so i wanna really repeat on this - cause as a policy guy this was incredibly important to me [coughing] the white house policy is to disclose to vendors. and you can scoff, and i'm okay with that, but for a policy guy that's about as strong as it gets. the president himself made this decision and then he didn't just make the decision he said "i will have my personal people that are beholden to me as the national security council staff, review this." [pause] uhm, and so that, and again, it can get stronger but this is really strong in washington, in washington dc terms.
but when this was coming out it was pretty, [chuckle] there were some exceptions that struck us and it's people like kim z and others saying that "well, yeah, the default policy is to disclose but if you carve out exceptions for national security and law enforcement, what the hell have you done?!" right? those are exceptions you can drive a truck through, uhm, so, so really i was extremely skeptical at this stage. cause we know, i mean, all of us have seen what happens when you have that kind of exception, what the intelligence community can do with it, right? they're go [chuckle] they're gonna play it to the edge... [laughter]
but we did get three more breakthroughs that really made a significant difference in understanding those exceptions. one, heartbleed. [pause] [background noise] so, uhm, bloomberg reporter wrote a story that said "nsa knew...", he had some confidential sources that said "nsa knew about heartbleed" and that story came out. [cough] couple days later the new york times, uhm, david sanger [cough] [pause] reacted to that story and he was able to get the white house, sorry, to get the nsa to publicly deny the bloomberg
story. this was unprecedented to get an intelligence community agency to talk on the record about their intelligence collection ability. they would always sit back and say "we will not confirm or deny", cause they don't wanna get in this place. it was stunning that nsa came out and said, "look, we had no idea about this" [cough] and i, i suspected that they would keep this one for reasons we'll talk about in a second. they came out and said "we didn't know about this", uhm, you see, the, the uh, the ic on the record to the office of the director of national intelligence came out and said "we didn't know about this - the bloomberg story is false!". uhm, or they didn't get, you know, they didn't talk to the right folks.
17 days after that bloomberg story breaks we really get a fantastic set of information - this white house cyber guy, the president's cyber advisor, uhm, publishes a blog, uhm, on "white house dot gov", that says we didn't know, and moreover he really gives us a sign in on what they do and how they operate within the white house. he lays out these decision criteria [pause] - how much is it used? how bad is the vulnerability if it's not patched? how much harm could they do to us? uhm, if someone was using this vuln against us, how likely is it that we would know ourselves? uhm, if we really need this vulnerability for intelligence, i mean, is this something that, uhm, you know, we need to know if russia's planning a secret nuclear strike on us? or is this just a kind of a routine kind of bug that might not be that useful? uhm, this number 6 is really important for reasons i'll come back, could we use it for a short period before we disclose it? and to me, that's that's an important one we'll come back, we'll come back to... uhm, and can be, you know, has anyone else found it and can this, can this get patched? now, that strikes me as a pretty decent way of going about this. it's not a bad analytical way ask, of saying "what are the important questions that we need to answer? what's the process by which we're gonna try and get ans, answers to these?" so, again, as a policy guy i read this, i was floored that, that
the white house was willing to talk about this, this much depth at it and i was really pleased, that i, i couldn't think of any additional questions to add in here. so it seemed to me to be a decent way of going about it.
uhm, the second breakthrough, uhm, i dunno if ef, eff is here but thank you... [chuckle] eff did a fantastic job, uhm, doing a foia request and follow up lawsuits for some, for some of these key documents on the vulnerabilities equities process. uhm, and so, uh, this footnote two, you can go look, you can go look at these documents again, maybe you come to different conclusions than we did. uhm, you, you can see from that, from that one, it's, it's decently well redacted but still we were able to get a lot of details out of the process thanks to eff. [cough]
breakthrough number three, uhm, the nsa came out with some more information, uhm, on 30 october and they said "91% of vulnerabilities that went through the internal nsa process over the history of the nsa process were disclosed to the vendor. and out of the 9% that's the remainder that includes at least some that the vendor discovered before nsa had a chance to disclose". uhm, now, i'm sorry, that's historically including all vulns at least back to 2010, not, not 2020. [laughter] uh, the, uhm, and now this is only nsa, this isn't all the us government vulnerabilities, this is, this is just within the nsa process. but again, we are starting to really see a lot of transparency that was coming out of the government and the government on this. and, but i know a lot of you are saying 91% [tlrrp] "how can you say 91%, how can you know any of this is true?". so in the next part we'll start getting into, uhm, uh, these assessments and can we really know if the, if, uhm, any of this is true, can we prove what they're saying? can we disprove what they're saying?
so from 2014 to present, this is what it looks like. on the, the parts highlighted are the parts that have changed since the previous version of the slide. so the, the top yellow one, uhm, now the equities review board is run by the white house, uhm, also [pause] the, the way to appeal is much clearer because once it's in the white house,
once it's in the nsc, everybody understands the rule of appeal then. if you don't like what happened at, at this level it can go to something called, uhm, it can go up to the next big level would be a deputies committee. so that would be the deputy secretary of the treasury, deputy secretary of defense, deputy secretary dhs, uhm... and this deputies committee's where the real decisions get made. and so if you don't like, and if you think the decision went against you and the erb either way you can say "i'm gonna take it to the deputy". and that's the same way you appeal anything that's a national security or a homeland security decision. so all of a sudden it became a lot clearer on what that appeals process was gonna be. [clicking noise]
so what we've learnt applies to all and contractors, all vulns whether discovered or bought. this does not apply to vulnerabilities that were known prior to the policy coming out. so that, that's an interesting loophole. a new process is owned by the white house and then, and then, uh, again, uh, a subtle inside the beltway point, uhm, i was pleased that this was being run by the cyber directorate because they are predominantly a defensive shop, uhm, this wasn't being run, for example by the intelligence part of the nsc or the defence part of the nsc. if it were either of those, then they would probably have a little bit more bias to wanna, do wanna retain those things for government use. because it was cyber, we're gonna see much more of a balance.
so what don't we know? and i'm gonna cover all 5 of these, what didn't we know from the breakthrough, the breakthrough? so i'm gonna touch all 5 of these. [pause] [thump] fbi versus apple by my reading of the policy as a former white house guy fbi shouldn't have had to submit the iphone if, iphone 5 vulnerability. uhm, based on that, that, michael daniel criteria that we talked about, those, those, 8 or 9, those 8 or 9 elements - it certainly seems to fit. it's certainly widespread, uhm, we can certainly imagine others using these, uhm, fbi ended up claiming contractual ip restrictions. officially fbi only bought the use of the tool for, what, a million- or -ish
dollars the reporter said? uhm, they don't, because they don't actually know what the vulnerability is they therefore can not submit. cause they don't know... whomp, whomp.... [laughter] uhm, to me it seems to contravene pretty direct presidential guidance, uhm, so i'm gonna be very curious to see if the white house is gonna revamp the process to try and say that "you can't do this kind of exception, you can't do this kind of end-around." uhm, just one side note, a few months ago the fbi did inform apple of an, another vulnerability and they used this entire vep process, uh, to go about and do it. i've gotta, i've gotta bet, uhm, with a, with a buddy, uhm, he put it up on lawfare that uhm, i, i said that apple would know within a year about the vulnerability. uhm, my buddy said no way apple's gonna know about this vulnerability in a year - so we've got a dinner riding on that.
okay, the big question! the moment you've all been waiting for....! how many do they actually retain? [laughter] and this was the real thing that, i think, got my students involved, uh, excited about doing this was to answer this question. this is what you have waited for! [laughter] not hundreds or thousands, uhm, this is prior to the invig, the invigorated policy. i've got moderate confidence that, uhm, in the period up to 2014 they were probably keeping dozens. not hundreds, not thousands, not more than that. [cough] so, here's the evidence, here's how we get that - but i've only got moderate confidence. [sigh]
to me, one of the most important things in this was, uhm, the revelation that we found out that nsa keeps 20, that had a budget of 25 point 1 million for covert purchases of software vulnerabilities. to me, that was a, uhm, and i'll walk through, i'll walk through this 25 point 1 and what that, what that meant for me. uhm, and, so, let's unpack that, what does, what does 25 point 1 maybe buy you? so i did some assumptions... i, i don't think that, uhm, if i had a budget like that, for finding vulnerabilities, i don't think that i would buy a bucket of bugs... [laughter] right... i'm not just gonna go out there and find simple ones that i can kinda discover myself. uhm, i
assume that there's probablygoing to be some purchase for non-commercial bugs, i'll talkabout that in a second. i would suspect that they would tendtowards higher-value vulnerabilities rather than,rather than less expensive ones. and, that 91% the nsa numbercame out with was roughly accurate. and,and, and i'll talkabout that right here. so can we believe 91%? uhm, dickie georgewho is the former, uhm, technical director of thedefensive side of nsa, uhm, info, [audience noise]information assurance
directorate, uh, gave aninterview and he said "retaining was very rare" during his time,and he's been doing it for over 15 years. uhm, i showed theseslides to the former director of nsa - general hayden, uhm hecame in and saying "yes this all seems consistent with my timethere. seems consistent with my experience that we took defensevery seriously". uhm, but keep in mind this only applies to thensa, uhm, to really try and prove or disprove this you'dhave to go out and try and talk to vendors and find out how manyvulnerabilities nsa actually
tells them. and that was well out of scope of what we could do here, if you really wanna go after it, i think you've gotta try and go to the vendors and get the actual numbers. so for right now, i'm gonna take 91% as accurate-ish and, uhm, it's tough for me to get anything real tight on it to prove it, i can't yet, i can't yet disprove it either. so, here's two examples of what you might do with 25 point 1 - uh you might buy 250 important commercial vul, vulnerabilities at a hundred-k each; uhm, if you assume 91% you end up with about
25 of those if you assume that maybe cia and justice were getting similar numbers, you discover about similar number, you end up with 75... uhm, even, if we're off by a factor of 3 on this then you end up in the low hundreds, with 125 ret, retained. so it puts us into hundreds but i can't, i couldn't get to that, i couldn't get to thousands of vulnerabilities doing this. i think, and, based on this dozens seems okay, maybe low hundreds. but to me this is a little bit too simplistic version of what you might do with 25 point 1 million dollars
to buy bugs. so example number two, imagine we buy 12 critical commercial vulnerabilities for a million; 5 critical non-commercial for a million, right? if nsa could buy access to a russian air defense system for a million dollars - good luck on 'em! [laughter] i, i, i hope they don't do that [chuckle]. uhm, other major vulnerabilities for 250k, if we assume 91% that leaves us with 5, 5 retained. uhm, assume other agencies vulns that they discover, we end up with 15, again, even if we're off by a factor of 3 we are in this
middle dozens kind, kind of area on how many before the new policy. so you can see why i'm only moderate-confidence on this, uhm, there's not that much to go on. on one hand we've got people who say that "this is very rare, we default it towards the defense 91%", on the other hand we've got some evidence like this 25 point 1, uhm, 25 point 1 million. [coughing] so that was prior to 2014, we've got much stronger evidence today on how many they retain. right now, it looks like single digits. [pause] i couldn't believe this - everyone talked
to imagined that it was far higher than that. people that have been white house, people that have been de, uh, department of defense, and pentagon officials all assumed like you did - that it was hundreds, if not thousands. and i actually had pretty, pretty high confidence in that assessment. [coughing] uh, press reported earlier this year that the government, that the white house reviewed about a hundred and only kept two. one of my colleagues that was formerly white house during this time, in his blog on apple fbi referenced
this - that matters to someone, right? if someone that probably know that, that knew the process proved it to someone else that referenced it in another, in another news source. to me, that's a good sign that we're on about the right track. that an insider was referencing this. uhm, dickie george, this guy that was the nsa official responsible said it was about 3 or 4 per year. uhm, i was at nsa in august, 2014. i had the ns, uh, tao and the iad tech director in the room and they said "up to this point, this year we have retained none."
now, that was about 9 months, 8 or 9 months into the new policy. uh, and i get told to my face it was none. [pause] so, that's interesting [coughing] but, we wanted to say can we prove or disprove that? so this is what journalists say, and this is what others say; this is what executives in it said, uhm, but can we prove, can we prove it or even better can we disprove it? so, one, i'm not seeing that tension between bureaucracies here, no one is coming out and saying, "no, this is bs, uhm, the intelligence community is going around the vulnerabilities
equities process.". we're notseeing that type of evidence, right now. uhm, that it seemshas happened in the past. two, it looks like there's only about50 total 0days last year. so to me a number from us governmentthat's in single digits or maybe low double digits that seemsreasonable to me. if nsa is keeping hundreds or thousands,it doesn't seem right that we would only be discovering 50 peryear when we've got so many people looking. and that's fromevery source! you know, from what rush, all these russiangroups are keeping, all these
china groups are keeping, from what all the red team users are using, uhm, so to me, if they're only finding, we've only found about 50 in the wild - single digits sounds about right. again, uh, we tried to go into the national vulnerability database and see if we could see any statistical anom, anomalies of this, uhm, of the government starting to release more vulnerabilities into the system, the nvd was terrible. we couldn't, we couldn't figure out anything at this point if possible. uhm, again, we didn't see any, uhm, uh, we just could,
we tried to find conflicting evidence, we tried to say "prove us wrong", you know, we sent it to the eff, we sent it to others, no one came back with anything that was significant other than, other than, uhm, modest changes to the slide. uhm, the last one went in was, was a little, a little more worrying. uh, we said "can we figure out the total of us, of government vulnerabilities as disclo, disclosed?". uh, dickie george said they discovered about 15-hundred a year. if you apply the 91% to that, uhm, that gets you to the, that probably
puts you in the dozens-space. but he might have been talking about the process before it was reinvigorated in 2014. so to me, that's probably supporting evidence for the, uh, for the dozens. he also said that they only retained about 3 or 4 a year. and again, we tried to go in and disprove, how large is the arsenal? [pause] moderate confidence that we're, that we're talking about dozens [cough], uh, we haven't done this fully, we haven't really had the time to really do this but you can do a drake's equation, right? if you're gonna
say how big is the arsenal, these are the kinds of equations you'd want and these are the, these are factors that you would have in that equation, right? how many did they keep? how long have they been keeping? how many did they burn per year? how many got discovered by vendors or by, uhm, or by, or by other bad guys? what's the shelf life of a, of a bug? we went through, when i went through this, i got somewhere in around 50 or 60, when i did this... uhm, again, if we really tried to do this in depth you might come up with a different answer. the quote at
the bottom is from michael daniel, the president's cyber advisor, uhm, i, i was talking about this talk yesterday with dark tangent and he said, and he gave me an idea that we haven't even thought before. we actually kinda know, there had been a, a revelation about what tao capabilities were, and, so i, added this last night. "it looks like the nsa book of capabilities had 50 pages that each had one capability in it". so, i thought that revelation would be something that would disprove that it was in the dozens and it ended up being
right smack in the middle of where our guess was! now, again, that was a book about capabilities and not exploits but to me that was, that was really fascinating that it ended up exactly the same place. i thought that it was gonna have hundreds. okay, other nations have about 30, have about, 30 other nations that have this, uhm, the uk is the only one that's even talked a little bit. so love or hate us government - we're the only ones that have been anywhere near this transparent. [audience noise] okay, other research questions -
so as others, others get involved in this. can we know, how can we know our agency's really submitting all their vulnerabilities? uhm, can agencies use a vulnerability while it goes through the process? for that criteria, for michael daniel, said, he's asked "can we use this, uhm, for a little bit?". that leads me to believe that they might not be doing that, but i haven't, we haven't found a great answer for that. uh, can we find any more direct measurement? and, most importantly, what is the next president gonna do? [audience
noise] cause this is just done but this president, and the next president can come in there with their own... [laughter] okay, recommendations, uhm, [cough] two former white house officials - rob knake and ari schwartz - uhm, did a fantastic set of recommendations. they did a report on this process and that was very helpful for us. right now, there's no room for congress in this, right now this is just a policy, that can be stronger. it can be an executive order or presidential directive. right now, once it goes through the process it never gets
reviewed again, uhm, and these guys said, you know, let's take a look at that, let's look at what the watchdogs can do - like the inspector general, or the privacy and civil liberties oversight board. i would add to that mandating no use of this vulnerability until it's gone through the process. [cough] and that's, it doesn't seem like it's specific, we need to add that. uhm, and i just think we need other countries, especially other democracies, like great britain to get involved and, and give their process as well. but also countries like, uhm, like
the netherlands, australia, uhm, there are great democracies that aren't picking - recommendations for the rest of us. [pause] normally in warfare if one side disarms themselves then all they've done is disarm themselves, right? if the us said we're not gonna have nuclear weapons everyone else has nuclear weapons and we haven't changed. this is the one area where you dis, you can disarm governments. because once that information goes to a vendor - everybody is disarmed. so if you are out discovering vulnerabilities and you wanna
disarm governments around the world - make sure you're telling the vendor. follow up if they're not, not listening to you. i think we need more attention on this question amongst, amongst the researchers and more foyer. so we covered these four, we covered these four areas, uhm, i think it's a pretty decent process on disclosing and retaining but there's definitely some improvements that we can come up with. the number that they keep every year seems to be much smaller than what i would have ever guessed coming into this. i was shocked, i assumed
it was in the hundreds, and it looks like it used to be dozens and now into the single digits. the full arsenal seems to be in the dozens but only moderate conf, confidence in that, and then a few areas for us to talk about. okay, here's the references. i'll leave that up for a little bit. i don't think, we're not gonna have time for questions, uhm, but, uhm, i'll stick around afterwards and i'll, i'll see you around here - out in the hallway afterwards. [audience noise] so, i know i might not have convinced you... [applause]
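The "drake's equation" for arsenal size that the speaker sketches (how many are kept per year, for how long, how many are burned per year, how many are rediscovered by vendors or others, and a bug's shelf life) worked through as an added example. This is not the speaker's model or code and does not reproduce his 50-60 figure; the 91% disclosure share is the only number taken from the talk, and every other parameter value (`acquired_per_year`, `burn_rate`, `rediscovery_rate`, `shelf_life_years`) is a constructed assumption used only to show how the factors interact and how sensitive the stock is to them.

```python
"""Stock-and-flow estimate of a retained 0-day arsenal.

Added example built from the factors the talk lists for a 'Drake's
equation' of arsenal size. It is not the speaker's model or code;
every parameter value below is a constructed assumption, except the
~91% disclosure share the talk cites.
"""
from dataclasses import dataclass


@dataclass
class ArsenalAssumptions:
    acquired_per_year: float   # vulns found or bought per year (constructed)
    disclosure_rate: float     # share passed to vendors; the talk cites ~91%
    years: int                 # how long the stockpile has been accumulating
    burn_rate: float           # share of live stock used up ("burned") per year
    rediscovery_rate: float    # share independently found by vendors/others per year
    shelf_life_years: int      # a bug older than this is assumed dead (patched, obsolete)


def retained_per_year(a: ArsenalAssumptions) -> float:
    """Inflow to the arsenal: whatever is not handed to vendors."""
    return a.acquired_per_year * (1.0 - a.disclosure_rate)


def yearly_survival(a: ArsenalAssumptions) -> float:
    """Fraction of a cohort still usable after one more year."""
    return (1.0 - a.burn_rate) * (1.0 - a.rediscovery_rate)


def simulate_arsenal(a: ArsenalAssumptions) -> list[float]:
    """Cohort simulation; returns the live stock at the end of each year."""
    cohorts: list[list[float]] = []   # each entry is [age_in_years, count]
    history = []
    for _ in range(a.years):
        survivors = []
        for age, count in cohorts:
            age += 1
            if age < a.shelf_life_years:   # drop cohorts past their shelf life
                survivors.append([age, count * yearly_survival(a)])
        cohorts = survivors + [[0, retained_per_year(a)]]  # this year's intake
        history.append(sum(c for _, c in cohorts))
    return history


def steady_state(a: ArsenalAssumptions) -> float:
    """Closed form the simulation settles at once years >= shelf life:
    a geometric series over cohorts aged 0 .. shelf_life-1."""
    r, s, n = retained_per_year(a), yearly_survival(a), a.shelf_life_years
    if s == 1.0:              # no attrition at all: every cohort survives until expiry
        return r * n
    return r * (1.0 - s ** n) / (1.0 - s)


def sensitivity(base: ArsenalAssumptions, burn_rates) -> dict[float, float]:
    """Steady-state arsenal for several burn rates, other factors held fixed."""
    out = {}
    for b in burn_rates:
        a = ArsenalAssumptions(**{**base.__dict__, "burn_rate": b})
        out[b] = round(steady_state(a), 1)
    return out


if __name__ == "__main__":
    # Constructed baseline: 100 acquired/year, 91% disclosed -> 9 retained/year
    base = ArsenalAssumptions(acquired_per_year=100, disclosure_rate=0.91, years=10,
                              burn_rate=0.10, rediscovery_rate=0.10, shelf_life_years=5)
    for yr, stock in enumerate(simulate_arsenal(base), start=1):
        print(f"year {yr:2d}: {stock:6.1f} live bugs")
    print("steady state:", round(steady_state(base), 1))
    print("burn-rate sweep:", sensitivity(base, [0.0, 0.1, 0.25, 0.5]))
```

The point of the closed form is that, once the programme has run longer than a bug's shelf life, the arsenal stops growing: it is the yearly retained count times a geometric factor set by burn and rediscovery rates. Under the constructed baseline the stock levels off in the low dozens, and the sweep shows that the assumed burn rate moves the answer by a factor of two or more, which is why a number in this range deserves only moderate confidence without better inputs.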