00:00:00.067,00:00:03.337 >> Now it's time to kick off our first talk and this is a talk 00:00:03.337,00:00:06.540 that I'm very excited about, uhm, I actually, uhm, kicked 00:00:06.540,00:00:10.277 Jay's, uh, talk of a couple of years ago. [laughter] You guys 00:00:10.277,00:00:14.882 are in for a real treat! Uhm, Jay Healey is, uhm, not only 00:00:14.882,00:00:18.952 has,has a quite a interesting resume and I'm sure he's gonna 00:00:18.952,00:00:23.957 go through some of that but he's going to talk about Feds and 00:00:23.957,00:00:29.696 0days and stuff [coughing] that. Cause it's been kinda a wild 00:00:29.696,00:00:35.435 year for things like law and policy and security. Uhm, so, 00:00:35.435,00:00:41.675 this is going to be a good one... Let's give our first 00:00:41.675,00:00:45.245 speaker a big round of applause! [applause] [cheering] 00:00:45.245,00:00:46.613 [background noise] [ahem] >> Great, thanks very much! My 00:00:46.613,00:00:50.183 name's Jay Healey, I teach at Columbia University. And I wanna 00:00:50.183,00:00:52.452 kick off with this for a second because I don't teach Computer 00:00:52.452,00:00:55.989 Science at Columbia I teach in the International Affairs and 00:00:55.989,00:01:00.661 Public Policy school and that's kinda been my resume up to this 00:01:00.661,00:01:04.731 point. Uhm, uhm, that just got mentioned, I've spent, I started 00:01:04.731,00:01:07.901 coming to DefCon 9, I've been part of this community. A few 00:01:07.901,00:01:10.871 years ago Jeff Moss put me on the, uh, uh, Dark Tangent put me 00:01:10.871,00:01:13.307 on the review board to, uh, to look at, so that I could review 00:01:13.307,00:01:16.143 the talks to be, to be even more part of the community. 
But I've 00:01:16.143,00:01:19.546 also been part of the policy community for that time, so one 00:01:19.546,00:01:24.885 foot in DefCon, and, and, with all of you guys but also very 00:01:24.885,00:01:28.121 much within that policy audience - the very deep Washington DC 00:01:28.121,00:01:30.924 crowd. And that's what I teach now, is trying to, trying to go 00:01:30.924,00:01:34.361 back and forth so that the policy folks can understand what 00:01:34.361,00:01:39.333 you do and also transit for you guys at policy so that we can 00:01:39.333,00:01:42.703 figure out. Are, are the things being done at Washington DC and 00:01:42.703,00:01:46.406 other capitals in our interest? And also try get through some of 00:01:46.406,00:01:50.110 the BS so that you can better understand. So in today's talk 00:01:50.110,00:01:53.413 we're gonna look at these four areas. And want you to come away 00:01:53.413,00:01:56.350 from this especially [coughing] understanding the government's 00:01:56.350,00:02:00.520 process for looking at 0days, how did they decide what to 00:02:00.520,00:02:04.057 disclose to the vendor and what they're going to retain for 00:02:04.057,00:02:10.097 their own use. Second, the real meat of this is how many 0days 00:02:10.097,00:02:13.700 does the government keep to itself per year? Is it hundreds, 00:02:13.700,00:02:16.703 is it thousands, is it more than that, is it less than that? So, 00:02:16.703,00:02:19.506 just bby a show of hands, who, who imagine that the government 00:02:19.506,00:02:23.410 keeps, keeps hundreds of vulnerabilities? [pause] Okay, 00:02:23.410,00:02:27.047 uh, uh, alright. Decent maybe, a quarter of you. Thousands? 00:02:27.047,00:02:29.016 [pause] Wow! A lot more! Who thinks it's maybe more than 00:02:29.016,00:02:32.853 thousands? [Pause] Great! Anyone less than anything I've listed 00:02:32.853,00:02:36.390 there? 
[pause] Okay, uhm, I'm gonna, I'm gonna cut to the end 00:02:36.390,00:02:39.760 of the talk - it looks like from every piece of evidence that we 00:02:39.760,00:02:43.263 can find that it is much more less than that. [audience noise] 00:02:43.263,00:02:48.135 Uhm, now I know you're not gonna believe that. [chuckle] 00:02:48.135,00:02:50.771 [laughter] So, we're going, I'm gonna go through every line of 00:02:50.771,00:02:53.206 evidence that we've gone through to try and prove it and disprove 00:02:53.206,00:02:57.811 it. And let you make up your own minds. Last, so if every year 00:02:57.811,00:03:00.380 they have got some how big is that overall arsenal of retained 00:03:00.380,00:03:03.750 vulnerabilities that they, that they're keeping for themselves? 00:03:03.750,00:03:07.387 So if the, how many does it keep every year? Is about the flow, 00:03:07.387,00:03:10.957 how many, how many do they have in the arsenal? Then what we 00:03:10.957,00:03:13.894 don't know, there's still some, some big re- open research 00:03:13.894,00:03:16.630 questions and then some recommendations for governments 00:03:16.630,00:03:19.666 as well as recommendations for the rest of us. This is work 00:03:19.666,00:03:23.603 that was done by, uhm, kicked off from a team of students from 00:03:23.603,00:03:26.139 Columbia University, School of International and Public 00:03:26.139,00:03:29.476 Affairs. [cough] So we had five different teams that were' uh, 00:03:29.476,00:03:34.548 looking across all different aspects of this. So the student 00:03:34.548,00:03:38.318 research teams, uh, one of the student's is here. We had folks 00:03:38.318,00:03:43.457 looking at everything from, uhm, the 0Day market and can we find 00:03:43.457,00:03:46.726 what activity the government and 0day market, what about the 00:03:46.726,00:03:49.096 government and, uh, uh, role in vulnerability disclosure 00:03:49.096,00:03:53.133 programs? 
Uhm, uh, diving right in and trying to figure out the 00:03:53.133,00:03:56.136 VEP process. We had some folks that, you know, had some 00:03:56.136,00:03:58.872 statistical background. They try and look at it from statistics, 00:03:58.872,00:04:01.508 we tried to see, alright, what's the use of actual 0days, uhm, in 00:04:01.508,00:04:06.646 the wild and what do we know about other government programs? 00:04:06.646,00:04:09.549 [pause] So, I'm not in a, I'm not gonna reference this slide 00:04:09.549,00:04:12.853 other than to say they put in a lot of work, we've put in a lot 00:04:12.853,00:04:16.490 of work up to this point, uhm, I'm gonna keep saying this again 00:04:16.490,00:04:20.060 and again - I don't know if we got the right answer but we've 00:04:20.060,00:04:23.697 tried to run down every line of evidence that we can. And we put 00:04:23.697,00:04:25.999 together, as you can see from this timeline of the government 00:04:25.999,00:04:29.469 process - we've gotten to get a lot of information on this. This 00:04:29.469,00:04:31.972 should be coming out in a report, hopefully in the, 00:04:31.972,00:04:35.208 hopefully in the Fall. So, whenever I can't, whenever I've 00:04:35.208,00:04:37.644 tried to make a judgement I've listed "What's my level of 00:04:37.644,00:04:42.449 confidence" based on, uhm, based on my judging of that evidence. 00:04:42.449,00:04:45.819 As someone that understands both the technology side as well, as 00:04:45.819,00:04:48.922 well as the policy side. As I've said I've tried to go through 00:04:48.922,00:04:53.160 every line of evidence that I can, uh, we've hunted down as 00:04:53.160,00:04:56.696 far as we can. I'll present all of that to you. [pause] [cough] 00:04:56.696,00:05:02.035 Uhm, you're still gonna, uhm, [pause] There's a, there's 00:05:02.035,00:05:04.804 reasons why we're really suspicious about government on 00:05:04.804,00:05:10.277 this. 
Uhm, they've given us a lot of reasons to be suspicious 00:05:10.277,00:05:13.980 about this and suspect the number is far higher. I'm 00:05:13.980,00:05:16.583 probably not gonna convince all of you. I had a great talk last 00:05:16.583,00:05:19.686 night, uhm, at the speaker, at the speaker's lounge with Don, 00:05:19.686,00:05:23.190 Don I don't know if you're here, I couldn't convince Don. 00:05:23.190,00:05:25.292 [laughter] [audience noise] And, uhm, uh, no matter, no matter 00:05:25.292,00:05:28.428 the amount of evidence, uhm, Don wasn't going to be convinced. 00:05:28.428,00:05:31.464 And that's okay! [pause] Uhm, I'm not gonna convince, I'm not 00:05:31.464,00:05:34.734 gonna convince a lot of you about the answers that we come 00:05:34.734,00:05:37.704 up with. What I prefer you be convinced about is that we did 00:05:37.704,00:05:40.674 do the best job we could to try and come up with those correct 00:05:40.674,00:05:45.445 answers. And, if we did get it wrong, that someone else can 00:05:45.445,00:05:48.982 come in and try and get a better answer. So, last, when it comes 00:05:48.982,00:05:53.520 to credibility, uhm, as I said, I've been coming since, uh, I 00:05:53.520,00:05:57.257 started coming at DefCon 9, I'm on the DEfCon review board. Uhm, 00:05:57.257,00:06:00.193 I've gone to the folks that you might consider credible on this, 00:06:00.193,00:06:02.796 I've talked to this about Dark Tangent, to, to Dark Tangent, to 00:06:02.796,00:06:06.499 the EFF, to a lot of journalists on, that have written on this. 00:06:06.499,00:06:10.237 And the names that you would know. Uhm, I've also done this 00:06:10.237,00:06:13.273 to be try to, to try to be credible, credible in the policy 00:06:13.273,00:06:16.943 audience. 
[coughing] Uhm, I came out of this in, in military, 00:06:16.943,00:06:21.248 uhm, doing, uhm, doing mostly defensive cyber stuff, I had 00:06:21.248,00:06:24.217 time at the Pentagon, I had time at the White House - I've talked 00:06:24.217,00:06:28.355 to that crowd. And tried, and the journalists that are, that, 00:06:28.355,00:06:31.157 uhm, have written the stories and I've gone to all these 00:06:31.157,00:06:36.229 groups. From EFF to former White House and current government 00:06:36.229,00:06:40.400 officials to say "Where am I right? Where are we wrong? What 00:06:40.400,00:06:43.303 has our, has our research, uh, seem to be, uhm, seem to be 00:06:43.303,00:06:48.808 off?" I've said, "Can we prove that we're wrong? Is there any 00:06:48.808,00:06:52.212 way that we can try and, any evidence to disprove this?". And 00:06:52.212,00:06:55.448 this is what we've come up with so far. So, at least you'll 00:06:55.448,00:07:00.186 hopefully be convinced with what we've done. Okay, way too much 00:07:00.186,00:07:02.789 preface... Uhm, so the government has two main roles 00:07:02.789,00:07:05.458 when you're talking about the vulns - and there are strong 00:07:05.458,00:07:08.228 tension and often bureaucratic infighting within these two 00:07:08.228,00:07:13.066 communities. You've got the, the agencies that love to use the 00:07:13.066,00:07:16.403 0days - they want to keep the 0days, generally, this is really 00:07:16.403,00:07:19.773 simplified. So you get DOD, the intelligence community and law 00:07:19.773,00:07:23.610 enforcement agencies. Uhm, that will likely keep these open as 00:07:23.610,00:07:27.714 we saw on Apple FBI so that they can collect intelligence. So 00:07:27.714,00:07:31.618 they can, they can, uhm, do their, do their job as they see 00:07:31.618,00:07:35.789 it. There's others that, who's, who's, who's equity is say now 00:07:35.789,00:07:40.393 "We want these to be pretty much all closed down". 
So for example 00:07:40.393,00:07:42.996 the department of commerce [cough] has been, they've been 00:07:42.996,00:07:45.198 running a vuln, vulner, vulnerability disclosure 00:07:45.198,00:07:50.403 dialogue, Alan Freedman there. Uh, the, uh, the, uh, the 00:07:50.403,00:07:53.606 agencies that represent the specific sector of critical 00:07:53.606,00:07:57.043 infrastructure like the treasury department or the energy depart, 00:07:57.043,00:07:59.612 department have equities where they want things disclosed back 00:07:59.612,00:08:05.151 to vendors. Uhm, and the DHS - uhm, which, for the most part 00:08:05.151,00:08:09.322 want some defensive. There law enforcement parts of DHS, uhm, 00:08:09.322,00:08:11.991 on the uh, but for the most part the critical infrastructure 00:08:11.991,00:08:14.494 protection and cyber security folks overwhelmingly want the, 00:08:14.494,00:08:18.164 want these closed down. And this is important cause you see this 00:08:18.164,00:08:21.434 tension between these agencies, the government is certainly not 00:08:21.434,00:08:24.871 of one mind on this. And this does come in when we're thinking 00:08:24.871,00:08:28.608 of evidence later on. I also wanna point out. There's three 00:08:28.608,00:08:31.144 different main kinds of vulnerabilities, uhm, when 00:08:31.144,00:08:33.480 you're thinking of this from the government's perspective. First 00:08:33.480,00:08:37.217 is the battlefield systems, right? This talk isn't going to 00:08:37.217,00:08:41.388 deal with a Russian surface-to-air missile 00:08:41.388,00:08:44.958 vulnerability, right? That is not a commercial system that 00:08:44.958,00:08:50.163 would go into the program that we're talking about here. 
Second 00:08:50.163,00:08:54.300 our closed and proprietary but still commercial systems - so, 00:08:54.300,00:08:56.102 like, this is the things like Siemens, you know, the 00:08:56.102,00:08:59.606 industrial control systems, you know, the more internet of thi, 00:08:59.606,00:09:03.977 internet of things, uhm, devices that are coming online. Last, 00:09:03.977,00:09:06.346 the one that we tend to think about when we're thinking about 00:09:06.346,00:09:11.684 vulns is the open internet, you know, the Microsofts, the 00:09:11.684,00:09:14.554 Ciscos, the Apple, the Apple vulnerabilities. But keep in 00:09:14.554,00:09:16.923 mind we do have these three sets and we're not going to be 00:09:16.923,00:09:21.694 talking about the closed battlefield one. [pause] So, 00:09:21.694,00:09:24.397 we're gonna start the story. Uhm, I know that the government 00:09:24.397,00:09:29.536 has been, uhm, using and sharing vulnerabilities for at least 15, 00:09:29.536,00:09:33.339 probably more like 20, 20 years going, going back to the '90s. 00:09:33.339,00:09:37.677 Uhm, some of you might have, uh, seen comments from Richard 00:09:37.677,00:09:41.514 Bejtlich, he's now at FireEye Mandiant, and he had been in the 00:09:41.514,00:09:45.618 air force in the '90s. And he he gave this quote uhm, he was on 00:09:45.618,00:09:50.423 the defensive side of Air force CIRT and they discovered a Cisco 00:09:50.423,00:09:54.894 vulnerability and they said "Great, let's tell CISCO.". They 00:09:54.894,00:09:57.163 didn't have any type of process, they said that's the right thing 00:09:57.163,00:10:02.435 to do. And the offensive part of the air force at that time, in 00:10:02.435,00:10:06.172 San Antonio, [coughing], uhm, said "What are you doing? Let us 00:10:06.172,00:10:09.909 know about that first, you can't just tell the vendor.". 
So you 00:10:09.909,00:10:11.978 know, at least at this point in the air force you had this, at 00:10:11.978,00:10:15.915 least there was no set policy and you this default to the 00:10:15.915,00:10:19.886 offense, right? They said "We'll decide", and it looked like they 00:10:19.886,00:10:23.623 were keeping it for offensive purposes. Also, we know from 00:10:23.623,00:10:27.827 this time that, uh, the military and the other agencies did 00:10:27.827,00:10:30.096 really horded it, right? If you were air force and you had a 00:10:30.096,00:10:33.333 CISCO vulnerability, you didn't tell the NAVY about that. You 00:10:33.333,00:10:36.736 didn't tell the NSA, you didn't tell the ARMY, uhm, everyone 00:10:36.736,00:10:40.640 kept that capability himself because it was something that 00:10:40.640,00:10:43.409 you, you could have and once you share it to the NAVY they might 00:10:43.409,00:10:46.246 use it and then you can;t use it any, you can't use it yourself 00:10:46.246,00:10:48.715 within in the air force. So, really looked like it was quite 00:10:48.715,00:10:51.451 a bit hoarded. To try and fix this the NSA started 00:10:51.451,00:10:54.854 ìInformation Operations Technology Centerî, probably 00:10:54.854,00:10:59.158 around '97, '98, it looks like, to try and share capabilities. 00:10:59.158,00:11:02.362 Now they're talking about this toolkit that probably was more 00:11:02.362,00:11:05.164 about exploits than vulnerabilities, but of course 00:11:05.164,00:11:09.335 I'm, I'm sure it would have included both. [pause] So 00:11:09.335,00:11:12.105 there's nothing from the White House on this point up until 00:11:12.105,00:11:18.511 about two thou, well until July 2002. When they came out with a 00:11:18.511,00:11:23.917 classified National Security Policy Directive, NSPD, NSPD 16. 00:11:23.917,00:11:27.387 Still classified, and it asser, it asserted the presidential 00:11:27.387,00:11:30.590 authority to get involved in this process. 
So, if you hear of 00:11:30.590,00:11:32.725 someone that says the government doesn't know what they're doing 00:11:32.725,00:11:35.695 on offensive, there's no policy to coordinate this - no, it's 00:11:35.695,00:11:37.931 actually quite a known policy, it's almost, it's almost 15 00:11:37.931,00:11:41.668 years old. Uhm, and i've talked to some of the folks involved, 00:11:41.668,00:11:44.237 they didn't say, they don't remember it really dealing with 00:11:44.237,00:11:47.240 vulnerabilities. I don't think vulnerabilities featured much in 00:11:47.240,00:11:49.876 that, it was more about, it seems like it was more about 00:11:49.876,00:11:55.415 coordinating operations. And again, prior to 2010 there's, it 00:11:55.415,00:12:00.987 doesn't seem like there's any US government wide policy or 00:12:00.987,00:12:07.594 process to handle this. [cough] Uhm, so even if there wasn't 00:12:07.594,00:12:10.964 anything government wide there definitely was within NSA. Uhm, 00:12:10.964,00:12:14.567 they, they call it their "Equities Process" was based on 00:12:14.567,00:12:16.869 their intel' gain-loss assessment. If any, if any of 00:12:16.869,00:12:19.906 you know intelligence, you know, the US interest can be better 00:12:19.906,00:12:22.008 served if we get this to the vendor, than if we keep this to 00:12:22.008,00:12:26.179 ourselves but the decision was entirely up to the director of 00:12:26.179,00:12:29.616 NSA. He didn't have to ask anyone else in the US 00:12:29.616,00:12:33.620 government, he didn't have to get advice from what we, from 00:12:33.620,00:12:37.790 what we know of it. Uhm, doesn't seem like there was any, anyone 00:12:37.790,00:12:41.361 outside of NSA that was part of this. There's was no way to get 00:12:41.361,00:12:44.497 anything in. 
Uhm, they're more likely to keep it, this phrase 00:12:44.497,00:12:47.934 kept coming up a lot on the research of NOBUS, more likely 00:12:47.934,00:12:52.305 to keep it if "no one but us" is able to use this vulnerability. 00:12:52.305,00:12:56.409 If it is so obscure, so, so my favorite example of NOBUS- since 00:12:56.409,00:13:00.580 we're in Vegas - is, uhm, what was it? Ocean's 13, you know, 00:13:00.580,00:13:05.251 when Brad Pitt, they, they, hack the, uhm, uh, the jackpot 00:13:05.251,00:13:09.022 machine and you have to drop the coins in a certain manner to 00:13:09.022,00:13:11.991 make, to make the thing jackpot, right? That's no one but us, no 00:13:11.991,00:13:14.427 one but the Ocean's 11 gang would have know that you had to 00:13:14.427,00:13:16.929 drop the tokens into this machine in a certain way. That's 00:13:16.929,00:13:21.200 kinda what we mean by NOBUS - difficult to access, it's really 00:13:21.200,00:13:24.537 obscure, I mean, it's going to take some, uh, difficult to 00:13:24.537,00:13:28.741 discover, really difficult to try and exploit. Now I assume 00:13:28.741,00:13:32.311 but I don't know, that the other agencies that tried, that like 00:13:32.311,00:13:35.381 to keep vulnerabilities had their own internal process, uhm, 00:13:35.381,00:13:38.751 I assume CIA and justice did but, uhm, we haven't been able 00:13:38.751,00:13:44.023 to discover that yet. So where things really kick off is in 00:13:44.023,00:13:47.527 2010 and we know this now because of, uh, documents from 00:13:47.527,00:13:50.063 the EFF, and by the way you'll see a bit FN2 up 00:13:50.063,00:13:53.332 there...[laughter] I added all the footnotes at the very end of 00:13:53.332,00:13:56.703 the talk, uhm, I'm gonna leave my references up there so you 00:13:56.703,00:13:59.138 can take a photo of it if you're interested in following up on 00:13:59.138,00:14:03.176 the ref, following up on the references. 
So now you finally 00:14:03.176,00:14:08.514 had this document that came out in 2010, uhm, form the offices 00:14:08.514,00:14:11.250 director of national intelligence I believe. That 00:14:11.250,00:14:15.555 laid out here's the process that's going to come out. Uhm, 00:14:15.555,00:14:19.792 NSA can still run it but you've now got a formal process in 00:14:19.792,00:14:23.362 Washington C, DC, they call it the "interagency" process. by 00:14:23.362,00:14:26.365 which others need to be brought in if they're going to have an 00:14:26.365,00:14:31.370 equity in this issue. [pause] So this is what that process looked 00:14:33.506,00:14:38.811 like... This is what was in place from 2010 to 2014. So 00:14:38.811,00:14:42.982 note, at the top, the government or it's contractors and I think 00:14:42.982,00:14:45.451 that's a, that's a nice loophole that they were taking out there 00:14:45.451,00:14:48.187 to include contractors. Find something that's newly 00:14:48.187,00:14:52.725 discovered and not publicly known. So all of these, these 00:14:52.725,00:14:56.496 are key phrases in there. NSA is the executive severe, 00:14:56.496,00:15:01.134 secretariat, this is good for us because if NSA IAD which is the 00:15:01.134,00:15:06.906 defensive side of NSA, it wasn't being run by TAO, which was the 00:15:06.906,00:15:10.910 offence, espionage part of the NSA. So it was being run by the 00:15:10.910,00:15:14.013 defenders is actually a good sign, uhm, that things were 00:15:14.013,00:15:18.251 going in the right direction. Uhm, it would go to an equities 00:15:18.251,00:15:22.088 review board which would have the senior people on it and they 00:15:22.088,00:15:24.957 would be the ones, the ones that would make the final, uhm, 00:15:24.957,00:15:26.926 decision based on the recommendations from the subject 00:15:26.926,00:15:30.897 matter expert. 
Uhm, there was, and they would make the decision 00:15:30.897,00:15:34.367 whether to disclose to the vendor or retain for their own 00:15:34.367,00:15:39.806 purposes. Now this is, uhm, it, there was an appeals process but 00:15:39.806,00:15:42.842 it was retracted. So it's tough to know exactly what the appeals 00:15:42.842,00:15:48.181 process was going, going to be. [pause] So as much as I like 00:15:48.181,00:15:52.251 this, this is, this is a decent process, right. If you were 00:15:52.251,00:15:56.322 going to implement this in your organisation it's not a bad way 00:15:56.322,00:15:57.657 to do it. At least it's relatively well laid out, you 00:15:57.657,00:16:01.127 can in fact flowchart it [chuckle] and it does include 00:16:01.127,00:16:05.364 people outside of the agency in question. So, as a policy guide, 00:16:05.364,00:16:09.635 this is, this is, okay. Uh, it turns out that it wasn't really 00:16:09.635,00:16:15.441 ever fully implemented. So this came out in 2010, uhm, footnote 00:16:15.441,00:16:20.413 three there is from one of my, uhm,uh, former colleagues that 00:16:20.413,00:16:24.083 had been at the White House during this time. THat he said 00:16:24.083,00:16:27.787 it became "dormant", that NSA ran their own internal process, 00:16:27.787,00:16:30.756 didn't formally include the outside agencies as much as we 00:16:30.756,00:16:35.828 would have wanted. Uhm, footnote four is from the current head of 00:16:35.828,00:16:39.265 the cyber direct, directorate at the NSA. So, Mi, a guy named 00:16:39.265,00:16:42.635 Michael Daniel, so he's the president's top cyber advisor. 00:16:42.635,00:16:47.039 And he looks at both defence and some offence, uhm, and he said, 00:16:47.039,00:16:52.211 uhm, "This policy at this time wasn't fully implemented". So 00:16:52.211,00:16:54.847 they reinvigorated it in 2014 and I'll talk about that 00:16:54.847,00:16:59.118 reinvigoration in a second here. 
And it looks like this decision 00:16:59.118,00:17:03.856 to reinvigorate was in part, might have been in part driven 00:17:03.856,00:17:07.660 by Stuxnet. By the discovery that Stuxnet used so many 00:17:07.660,00:17:12.899 Microsoft, uhm, 0days as well as Siemens' vulnerabilities as 00:17:12.899,00:17:15.201 well. So, if you remember, I talked about that tension 00:17:15.201,00:17:20.706 between the bureaucracies, uhm, if this is true then, this might 00:17:20.706,00:17:22.308 have been one of those places where you were seeing this 00:17:22.308,00:17:26.245 tension between, in the bureaucracy. So that when the 00:17:26.245,00:17:28.681 way I imagine, and again, I haven't found evidence on this, 00:17:28.681,00:17:32.885 this is just in my mind, you could, you could imagine seeing 00:17:32.885,00:17:38.991 these defensive bureaucracies, like DHS, or treasury, or 00:17:38.991,00:17:43.195 energy, or commerce, saying "Holy cr*p! We just did what 00:17:43.195,00:17:46.766 with Stuxnet? We didn't know about that? You were keeping all 00:17:46.766,00:17:49.769 of these and now our agencies are having to deal with this? We 00:17:49.769,00:17:52.939 need to try and fix this!". And so this tension within the 00:17:52.939,00:17:56.742 bureaucracy is an important point, uh, I think might have 00:17:56.742,00:17:59.278 been an important point here, but I'm also going to bring it 00:17:59.278,00:18:02.648 up later on because, what we don't see on it, we don't see 00:18:02.648,00:18:05.785 that tension today. We don't see this disagreement and I think 00:18:05.785,00:18:08.521 that that lack of evidence is very interesting to me. Okay, 00:18:08.521,00:18:14.694 uhm, [coughing] So, after the Snowden revelations the 00:18:14.694,00:18:18.497 president Obama puts together a senior review group, including 00:18:18.497,00:18:20.967 people like Dick Clark and others I understand are, are, 00:18:20.967,00:18:25.204 feel somewhat well. 
Uhm, to say "What are the recommendations 00:18:25.204,00:18:29.842 that we can do to look at, uhm, intelligence and other way based 00:18:29.842,00:18:33.045 on, uhm, the snowden revelations?". One of those 00:18:33.045,00:18:36.716 recommendations, recommendation number 30, was we need a default 00:18:36.716,00:18:41.087 disclosure policy and we need a better process. [coughing] 00:18:41.087,00:18:46.692 Obama, ob, accepts those recommendations January 2014, 00:18:46.692,00:18:51.197 saying one "Disclosed by default". So the president 00:18:51.197,00:18:56.102 signed off on this piece of paper that said "The US 00:18:56.102,00:19:02.141 government policy is that when we get a vulnerability my intent 00:19:02.141,00:19:05.845 is that that will be disclosed to the vendor, and if you don't 00:19:05.845,00:19:09.415 wanna disclose that, you want to retain that, then it's up to you 00:19:09.415,00:19:14.220 to prove why that's a good idea." Such public policy 00:19:14.220,00:19:16.822 defaults are really important. Cause now you know the 00:19:16.822,00:19:21.127 president's intent and it's up to the other agencies, right? 00:19:21.127,00:19:23.329 You can't say "Well, we didn't know what the president wanted." 00:19:23.329,00:19:29.035 It well, you can but it becomes a lot, lot tougher. Also, what 00:19:29.035,00:19:32.772 the president did was saying this stuff is too damn important 00:19:32.772,00:19:38.077 to leave at any one agency. [pause] So, we're gonna bring it 00:19:38.077,00:19:43.683 into the White House. This can't be decided at just NSA anymore, 00:19:43.683,00:19:47.353 this now has to run out of the NSC - the president's National 00:19:47.353,00:19:52.658 Security Council. We learned a little bit more about this and 00:19:52.658,00:19:54.960 I'll go through that process and I'll put a slide up that has 00:19:54.960,00:19:58.764 that flowchart in a second. 
Uhm, we learned a little bit more 00:19:58.764,00:20:01.434 about this in congressional testimony from Admiral Rogers, 00:20:01.434,00:20:06.338 when, uhm, when he was up to be the, uhm, uh, I think it was 00:20:06.338,00:20:10.710 confirmation for cyber com commander, March 2014. This is 00:20:10.710,00:20:13.312 the first time we really learn about this default, uh, default, 00:20:13.312,00:20:18.317 disclose by default policy, was in his testimony. We didn't, we 00:20:18.317,00:20:21.020 didn't know in the community about Obama's decision until he 00:20:21.020,00:20:23.522 talked about it here. I also thought that it was interesting, 00:20:23.522,00:20:26.092 you can see the bits I highlighted subtly there. "NSA 00:20:26.092,00:20:30.362 always employed that principal", he said. He talked about, he did 00:20:30.362,00:20:33.532 a decent job of talking a little bit about that process in 00:20:33.532,00:20:36.102 highlighting it's not just software vulnerabilities but 00:20:36.102,00:20:40.473 hardware vulnerabilities as well. And that if they do decide 00:20:40.473,00:20:43.609 to retain it they attempt to find other ways to mitigate the 00:20:43.609,00:20:46.612 risks. So, for example, if you were gonna, if you were gonna 00:20:46.612,00:20:50.483 try and retain it, uhm, maybe you try and you use, uhm, a more 00:20:50.483,00:20:53.252 significant collection to see if anyone else is finding this bug. 00:20:53.252,00:20:55.221 And if someone else finds the bugs then you'll, then you'll 00:20:55.221,00:20:59.692 decide to tell the vendor. Uhm, and so this was really trusting 00:20:59.692,00:21:03.062 for us, and it helped, on a, a pol, as a policy guy, what 00:21:03.062,00:21:06.765 people tell congress usually matter. 
Uhm, usually if a 00:21:06.765,00:21:10.870 staffer thinks a person is full of it, the congressional staffer 00:21:10.870,00:21:13.772 thinks the person's full of it they'll go through and they'll, 00:21:13.772,00:21:17.076 they'll leak in saying "Look they testified this but we know 00:21:17.076,00:21:19.178 the truth, we know that the truth is different" and we 00:21:19.178,00:21:22.348 didn't find any of, we didn't get any of that out of this kind 00:21:22.348,00:21:26.085 of testimony. So I wanna really repeat on this - cause as a 00:21:26.085,00:21:28.821 policy guy this was incredibly important to me [coughing] The 00:21:28.821,00:21:32.858 White House policy is to disclose to vendors. And you can 00:21:32.858,00:21:36.729 scoff, and I'm okay with that, but for policy guy that's about 00:21:36.729,00:21:40.232 as strong as it gets. The president himself made this 00:21:40.232,00:21:44.703 decision and then he didn't just make the decision he said "I 00:21:44.703,00:21:47.940 will have my personal people that are beholden to me as the 00:21:47.940,00:21:54.914 national security council staff, review this." [pause] Uhm, and 00:21:54.914,00:21:58.284 so that, and again, it can get stronger but this is really 00:21:58.284,00:22:02.388 strong in Washington, in Washington DC terms. But when 00:22:02.388,00:22:05.825 this was coming out it was pretty, [chuckle] there were 00:22:05.825,00:22:08.928 some exceptions that struck us and it's people like Kim Z and 00:22:08.928,00:22:12.998 others saying that "Well, yeq, the default policy is to 00:22:12.998,00:22:16.702 disclose but if you carve out exceptions for national security 00:22:16.702,00:22:19.438 and law enforcement, what the hell have you done?!" Right? 00:22:19.438,00:22:25.444 Those are exception you can drive a truck through, uhm, so, 00:22:25.444,00:22:29.048 so really I was extremely skeptical at this stage. 
Cause 00:22:29.048,00:22:32.084 we know, I mean, all of us have seen what happens when you have 00:22:32.084,00:22:35.287 that kind of exception, what the intelligence community can do 00:22:35.287,00:22:36.989 with it,right? They're go [chuckle] they're gonna play it 00:22:36.989,00:22:41.493 to the edge... [laughter] But we did get three more breakthroughs 00:22:41.493,00:22:44.330 that really made a significant difference in understanding 00:22:44.330,00:22:49.902 those exceptions. One, heartbleed. [pause] [background 00:22:49.902,00:22:54.773 noise] So, uhm, Bloomberg reporter wrote a story that said 00:22:54.773,00:22:59.578 "NSA knew...", he had some confidential sources that said 00:22:59.578,00:23:04.650 "NSA knew about heartbleed" and that story came out. [cough] 00:23:04.650,00:23:11.557 Couple days later the New York Times, uhm, David Sanger [cough] 00:23:11.557,00:23:15.394 [pause] reacted to that story and he was able to get the White 00:23:15.394,00:23:20.633 House, sorry, to get the NSA to publicly deny the Bloomberg 00:23:20.633,00:23:24.603 story. This was unprecedented to get an intelligence community 00:23:24.603,00:23:26.605 agency to talk on the record about the about their 00:23:26.605,00:23:30.109 intelligence collection ability. They would always sit back and 00:23:30.109,00:23:32.077 say "We will not confirm or deny", cause they don't wanna 00:23:32.077,00:23:35.748 get in this place. It was stunning that NSA came out and 00:23:35.748,00:23:40.653 said, "Look, we had no idea about this" [cough] and I, I 00:23:40.653,00:23:43.055 suspected that they would keep this one for reasons we'll talk 00:23:43.055,00:23:45.291 about in a second. They came out and said "We didn't know about 00:23:45.291,00:23:48.227 this", uhm, you see, the, the uh, the IC on the record to the 00:23:48.227,00:23:50.996 officer director of national intelligence came out and said 00:23:50.996,00:23:54.333 "We didn't know about this - the Bloomberg story is false!". 
Uhm, 00:23:54.333,00:23:58.103 or they didn't get, you know, they didn't talk to the right 00:23:58.103,00:24:03.275 folks. 17 days after that Bloomberg story breaks we really 00:24:03.275,00:24:07.479 get a fantastic set of information - this White House 00:24:07.479,00:24:11.750 cyber guy, the president's cyber advisor, uhm, publishes a blog, 00:24:11.750,00:24:18.223 uhm, on "White House dot gov", that says we didn't know, and 00:24:18.223,00:24:22.027 moreover he really gives us an insight on what they do and how 00:24:22.027,00:24:26.131 they operate within the White House. He lays out these 00:24:26.131,00:24:31.337 decision criteria [pause] - how much is it used? How bad is the 00:24:31.337,00:24:34.540 vulnerability if it's not patched? How much harm could 00:24:34.540,00:24:38.143 they do to us? Uhm, if someone was using this vuln against us, 00:24:38.143,00:24:41.447 how likely is it that we would know ourselves? Uhm, if we 00:24:41.447,00:24:43.882 really need this vulnerability for intelligence, I mean, is 00:24:43.882,00:24:47.353 this something that, uhm, you know, we need to know if 00:24:47.353,00:24:50.322 Russia's planning a secret nuclear strike on us? Or is this 00:24:50.322,00:24:53.292 just a kind of a routine kind of bug that might not be that 00:24:53.292,00:24:56.328 useful? Uhm, this number 6 is really important for reasons 00:24:56.328,00:25:00.165 I'll come back to, could we use it for a short period before we 00:25:00.165,00:25:02.735 disclose it? And to me, that's, that's an important one we'll 00:25:02.735,00:25:05.938 come back, we'll come back to... Uhm, and can be, you know, has 00:25:05.938,00:25:10.909 anyone else found it and can this, can this get patched? Now, 00:25:10.909,00:25:15.214 that strikes me as a pretty decent way of going about this. It's 00:25:15.214,00:25:20.052 not a bad analytical way to ask, of saying "What are the important 00:25:20.052,00:25:23.155 questions that we need to answer?
What's the process by 00:25:23.155,00:25:25.824 which we're gonna try and get ans, answers to these?" So, 00:25:25.824,00:25:29.294 again, as a policy guy I read this, I was floored that, that 00:25:29.294,00:25:31.730 the White House was willing to talk about this, this much depth 00:25:31.730,00:25:34.633 at it and I was really pleased, that I, I couldn't think of any 00:25:34.633,00:25:37.503 additional questions to add in here. So it seemed to me to be a 00:25:37.503,00:25:41.640 decent way of going about it. Uhm, the second breakthrough, 00:25:41.640,00:25:46.378 uhm, I dunno if EF, EFF is here but thank you ... [chuckle] EFF 00:25:46.378,00:25:50.482 did a fantastic job, uhm, doing a FOIA request and follow up 00:25:50.482,00:25:53.085 lawsuits for some, for some of these key documents on the 00:25:53.085,00:25:58.090 vulnerabilities equities process. Uhm, and so, uh, this 00:26:03.629,00:26:04.963 footnote two, you can go look, you can go look at these 00:26:04.963,00:26:06.965 documents again, maybe you come to different conclusions than we 00:26:06.965,00:26:08.333 did. Uhm, you, you can see from that, from that one, it's, it's 00:26:08.333,00:26:09.668 decently well redacted but still we were able to get a lot of 00:26:09.668,00:26:12.538 details out of the process thanks to EFF. [cough] 00:26:12.538,00:26:15.140 Breakthrough number three, uhm, the NSA came out with some more 00:26:15.140,00:26:20.145 information, uhm, on 30 October and they said "91% of 00:26:22.548,00:26:27.286 vulnerabilities that went through the internal NSA process over the 00:26:27.286,00:26:32.791 history of the NSA process were disclosed to the vendor. And out 00:26:32.791,00:26:37.429 of the 9% that's the remainder, that includes at least some that 00:26:37.429,00:26:42.768 the vendor discovered before NSA had a chance to disclose". 00:26:42.768,00:26:49.141 Uhm, now, I'm sorry, that's historically including all vulns 00:26:49.141,00:26:54.146 at least back to 2010, not, not 2020.
[laughter] Uh, the, uhm, 00:26:56.248,00:26:59.418 and now this is only NSA, this isn't all the US government 00:26:59.418,00:27:01.920 vulnerabilities, this is, this is just within the NSA process. 00:27:01.920,00:27:05.657 But again, we are starting to really see a lot of transparency 00:27:05.657,00:27:07.493 that was coming out of the government and the government on 00:27:07.493,00:27:12.130 this. And, but I know a lot of you are saying 91% [tlrrp] "How 00:27:12.130,00:27:15.834 can you say 91%, how can you know any of this is true?". So 00:27:15.834,00:27:19.271 in the next part we'll start getting into, uhm, uh, these 00:27:19.271,00:27:23.275 assessments and can we really know if the, if, uhm, any of 00:27:23.275,00:27:27.145 this is true, can we prove what they're saying? Can we 00:27:27.145,00:27:30.816 disprove what they're saying? So from 2014 to present, this is 00:27:30.816,00:27:34.753 what it looks like. On the, the parts highlighted are the parts 00:27:34.753,00:27:38.257 that have changed since the previous version of the slide. 00:27:38.257,00:27:44.730 So the, the top yellow one, uhm, now the equities review board is 00:27:44.730,00:27:49.735 run by the White House, uhm, also [pause] The, the way to 00:27:52.938,00:27:57.743 appeal is much clearer because once it's in the White House, 00:27:57.743,00:28:01.446 once it's in the NSC, everybody understands the rule of appeal 00:28:01.446,00:28:05.851 then. If you don't like what happened at, at this level it 00:28:05.851,00:28:09.955 can go to something called, uhm, it can go up to the next big 00:28:09.955,00:28:13.025 level would be a deputies committee. So that would be the 00:28:13.025,00:28:15.260 deputy secretary of the treasury, deputy secretary of 00:28:15.260,00:28:18.897 defense, deputy secretary DHS, uhm... And this deputies 00:28:18.897,00:28:21.300 committee's where the real decisions get made.
And so if 00:28:21.300,00:28:23.602 you don't like, and if you think the decision went against you 00:28:23.602,00:28:28.073 and the ERB either way you can say "I'm gonna take it to the 00:28:28.073,00:28:32.711 deputies". And that's the same way you appeal anything that's a 00:28:32.711,00:28:35.714 national security- or a homeland security decision. So all of a 00:28:35.714,00:28:38.283 sudden it became a lot clearer on what that appeals process was 00:28:38.283,00:28:40.652 gonna be. [clicking noise] So what we've learnt applies to all 00:28:40.652,00:28:44.790 and contractors, all vulns whether discovered or bought. 00:28:44.790,00:28:48.193 This does not apply to vulnerabilities that were known 00:28:48.193,00:28:51.697 prior to the policy coming out. So that, that's an interesting 00:28:51.697,00:28:55.901 loophole. A new process is owned by the White House and then, and 00:28:55.901,00:29:00.405 then, uh, again, uh, a subtle inside the beltway point, uhm, I 00:29:00.405,00:29:03.375 was pleased that this was being run by the cyber directorate 00:29:03.375,00:29:07.045 because they are predominantly a defensive shop, uhm, this wasn't 00:29:07.045,00:29:10.882 being run, for example, by the intelligence part of the NSC or 00:29:10.882,00:29:14.052 the defence part of the NSC. If it were either of those, then 00:29:14.052,00:29:15.988 they would probably have a little bit more bias to wanna, 00:29:15.988,00:29:19.224 do wanna retain those things for government use. Because it was 00:29:19.224,00:29:23.662 cyber, we're gonna see much more of a balance. So what don't we 00:29:23.662,00:29:26.965 know? And I'm gonna cover all 5 of these, what didn't we know 00:29:26.965,00:29:29.167 from the breakthrough, the breakthroughs? So I'm gonna touch 00:29:29.167,00:29:35.874 all 5 of these.
[pause] [thump] FBI versus Apple, by my reading 00:29:35.874,00:29:40.512 of the policy as a former White House guy, FBI shouldn't have had 00:29:40.512,00:29:45.117 to submit the iPhone if, iPhone 5 vulnerability. Uhm, based on 00:29:45.117,00:29:47.853 that, that, Michael Daniel criteria that we talked about, 00:29:47.853,00:29:51.123 those, those, 8 or 9, those 8 or 9 elements - it certainly seems 00:29:51.123,00:29:55.060 to fit. It's certainly widespread, uhm, we can 00:29:55.060,00:29:59.031 certainly imagine others using these, uhm, FBI ended up 00:29:59.031,00:30:03.235 claiming contractual IP restrictions. Officially FBI 00:30:03.235,00:30:08.907 only bought the use of the tool for, what, a million- or -ish 00:30:08.907,00:30:12.744 dollars the reporter said? Uhm, they don't, because they don't 00:30:12.744,00:30:16.114 actually know what the vulnerability is they therefore 00:30:16.114,00:30:20.285 cannot submit. Cause they don't know... whomp, whomp.... 00:30:20.285,00:30:23.555 [laughter] Uhm, to me it seems to contravene pretty direct 00:30:23.555,00:30:26.992 presidential guidance, uhm, so I'm gonna be very curious to see 00:30:26.992,00:30:29.461 if the White House is gonna revamp the process to try and 00:30:29.461,00:30:32.064 say that "You can't do this kind of exception, you can't do this 00:30:32.064,00:30:35.333 kind of end-around." Uhm, just one side note, a few months ago 00:30:35.333,00:30:38.236 the FBI did inform Apple of an, another vulnerability and they 00:30:38.236,00:30:42.274 used this entire VEP process, uh, to go about and do it. I've 00:30:42.274,00:30:45.911 gotta, I've gotta bet, uhm, with a, with a buddy, uhm, he put it 00:30:45.911,00:30:49.281 up on Lawfare that uhm, I, I said that Apple would know 00:30:49.281,00:30:51.883 within a year about the vulnerability.
Uhm, my buddy 00:30:51.883,00:30:54.119 said no way Apple's gonna know about this vulnerability in a 00:30:54.119,00:30:56.855 year - so we've got a dinner riding on that. Okay, the big 00:30:56.855,00:30:59.858 question! The moment you've all been waiting for....! How many 00:30:59.858,00:31:02.861 do they actually retain? [laughter] And this was the real 00:31:02.861,00:31:05.597 thing that, I think, got my students involved, uh, excited 00:31:05.597,00:31:08.200 about doing this was to answer this question. This is what you 00:31:08.200,00:31:12.504 have waited for! [laughter] Not hundreds or thousands, uhm, this 00:31:12.504,00:31:18.610 is prior to the invig, the invigorated policy. I've got 00:31:18.610,00:31:23.115 moderate confidence that, uhm, in the period up to 2014 they 00:31:23.115,00:31:27.786 were probably keeping dozens. Not hundreds, not thousands, not 00:31:27.786,00:31:30.822 more than that. [cough] So, here's the evidence, here's how 00:31:30.822,00:31:34.826 we get that - but I've only got moderate confidence. [sigh] To 00:31:34.826,00:31:39.164 me, one of the most important things in this was, uhm, the 00:31:39.164,00:31:42.768 revelation that we found out that NSA keeps 20, that had a 00:31:42.768,00:31:47.239 budget of 25 point 1 million for covert purchases of software 00:31:47.239,00:31:51.910 vulnerabilities. To me, that was a, uhm, and I'll walk through, 00:31:51.910,00:31:54.279 I'll walk through this 25 point 1 and what that, what that meant 00:31:54.279,00:31:58.583 for me. Uhm, and, so, let's unpack that, what does, what 00:31:58.583,00:32:02.454 does 25 point 1 maybe buy you? So I did some assumptions.. I, I 00:32:02.454,00:32:05.891 don't think that, uhm, if I had a budget like that, for finding 00:32:05.891,00:32:07.793 vulnerabilities, I don't think that I would buy a bucket of 00:32:07.793,00:32:09.961 bugs... [laughter] Right... 
I'm not just gonna go out there and 00:32:09.961,00:32:13.064 find simple ones that I can kinda discover myself. Uhm, I 00:32:13.064,00:32:15.801 assume that there's probably going to be some purchase for 00:32:15.801,00:32:18.637 non-commercial bugs, I'll talk about that in a second. I would 00:32:18.637,00:32:20.872 suspect that they would tend towards higher-value 00:32:20.872,00:32:24.776 vulnerabilities rather than, rather than less expensive ones. 00:32:24.776,00:32:28.446 And, that 91% the NSA number came out with was roughly 00:32:28.446,00:32:32.751 accurate. And, and, and I'll talk about that right here. So can we 00:32:32.751,00:32:38.323 believe 91%? Uhm, Dickie George who is the former, uhm, 00:32:38.323,00:32:42.460 technical director of the defensive side of NSA, uhm, 00:32:42.460,00:32:45.430 info, [audience noise] information assurance 00:32:45.430,00:32:48.533 directorate, uh, gave an interview and he said "Retaining 00:32:48.533,00:32:52.137 was very rare" during his time, and he's been doing it for over 00:32:52.137,00:32:56.107 15 years. Uhm, I showed these slides to the former director of 00:32:56.107,00:32:59.711 NSA - general Hayden, uhm, he came in and said "Yes this all 00:32:59.711,00:33:03.215 seems consistent with my time there. Seems consistent with my 00:33:03.215,00:33:06.318 experience that we took defense very seriously". Uhm, but keep 00:33:06.318,00:33:10.522 in mind this only applies to the NSA, uhm, to really try and 00:33:10.522,00:33:13.792 prove or disprove this you'd have to go out and try and talk 00:33:13.792,00:33:17.462 to vendors and find out how many vulnerabilities NSA actually 00:33:17.462,00:33:20.599 tells them. And that was well out of scope of what we could do 00:33:20.599,00:33:23.235 here, if you really wanna go after it, I think you've gotta 00:33:23.235,00:33:26.004 try and go to the vendors and get the actual numbers.
So for 00:33:26.004,00:33:29.875 right now, I'm gonna take 91% as accurate-ish and, uhm, it's 00:33:29.875,00:33:33.612 tough for me to get anything real tight on it to prove it, I 00:33:33.612,00:33:36.548 can't yet, I can't yet disprove it either. So, here's two 00:33:36.548,00:33:39.751 examples of what you might do with 25 point 1 - uh you might 00:33:39.751,00:33:42.988 buy 250 important commercial vul, vulnerabilities at a 00:33:42.988,00:33:48.126 hundred-k each; uhm, if you assume 91% you end up with about 00:33:48.126,00:33:52.097 25 of those, if you assume that maybe CIA and justice were 00:33:52.097,00:33:55.533 getting similar numbers, you discover about a similar number, 00:33:55.533,00:34:00.839 you end up with 75... Uhm, even, if we're off by a factor of 3 00:34:00.839,00:34:05.477 on this then you end up in the low hundreds, with 125 ret, 00:34:05.477,00:34:10.515 retained. So it puts us into hundreds but I can't, I couldn't 00:34:10.515,00:34:12.651 get to that, I couldn't get to thousands of vulnerabilities 00:34:12.651,00:34:16.254 doing this. I think, and, based on this dozens seems okay, maybe 00:34:16.254,00:34:19.224 low hundreds. But to me this is a little bit too simplistic a 00:34:19.224,00:34:21.660 version of what you might do with 25 point 1 million dollars 00:34:21.660,00:34:27.032 to buy bugs. So example number two, imagine we buy 12 critical 00:34:27.032,00:34:30.468 commercial vulnerabilities for a million; 5 critical 00:34:30.468,00:34:35.373 non-commercial for a million, right? If NSA could buy access 00:34:35.373,00:34:40.011 to a Russian air defense system for a million dollars - good 00:34:40.011,00:34:42.480 luck on 'em! [laughter] I, I, I hope they don't do that 00:34:42.480,00:34:45.750 [chuckle]. Uhm, other major vulnerabilities for 250k, if we 00:34:45.750,00:34:50.755 assume 91% that leaves us with 5, 5 retained.
Uhm, assume other 00:34:50.755,00:34:53.758 agencies' vulns that they discover, we end up with 15, 00:34:53.758,00:34:57.662 again, even if we're off by a factor of 3 we are in this 00:34:57.662,00:35:02.400 middle dozens kind, kind of area on how many before the new 00:35:02.400,00:35:06.104 policy. So you can see why I'm only moderate-confidence on 00:35:06.104,00:35:11.109 this, uhm, there's not that much to go on. On one hand we've got 00:35:11.109,00:35:13.411 people who say that "This is very rare, we default it towards 00:35:13.411,00:35:17.182 the defense, 91%", on the other hand we've got some evidence 00:35:17.182,00:35:21.820 like this 25 point 1, uhm, 25 point 1 million. [coughing] So 00:35:21.820,00:35:25.790 that was prior to 2014, we've got much stronger evidence today 00:35:25.790,00:35:29.527 on how many they retain. Right now, it looks like single 00:35:29.527,00:35:33.264 digits. [pause] I couldn't believe this - everyone I talked 00:35:33.264,00:35:36.468 to imagined that it was far higher than that. People that 00:35:36.468,00:35:38.737 have been White House, people that have been de, uh, 00:35:38.737,00:35:41.272 department of defense, and pentagon officials all assumed 00:35:41.272,00:35:43.241 like you did - that it was hundreds, if not thousands. And 00:35:43.241,00:35:46.711 I actually had pretty, pretty high confidence in that 00:35:46.711,00:35:50.115 assessment. [coughing] Uh, press reported earlier this year that 00:35:50.115,00:35:52.117 the government, that the White House reviewed about a hundred 00:35:52.117,00:35:55.053 and only kept two. One of my colleagues that was formerly 00:35:55.053,00:35:59.224 White House during this time, in his blog on Apple FBI referenced 00:35:59.224,00:36:03.628 this - that matters to someone, right? If someone that probably 00:36:03.628,00:36:08.566 know that, that knew the process proved it to someone else that 00:36:08.566,00:36:11.403 referenced it in another, in another news source.
To me, 00:36:11.403,00:36:14.906 that's a good sign that we're on about the right track. That an 00:36:14.906,00:36:18.643 insider was referencing this. Uhm, Dickie George, this guy 00:36:18.643,00:36:22.781 that was the NSA official responsible said it was about 3 00:36:22.781,00:36:28.286 or 4 per year. Uhm, I was at NSA in August, 2014. I had the NS, 00:36:28.286,00:36:31.623 uh, TAO and the IAD tech director in the room and they 00:36:31.623,00:36:34.826 said "Up to this point, this year we have retained none." 00:36:34.826,00:36:39.064 Now, that was about 9 months, 8 or 9 months into the new policy. 00:36:39.064,00:36:43.101 Uh, and I get told to my face it was none. [pause] So, that's 00:36:43.101,00:36:46.204 interesting [coughing] but, we wanted to say can we prove or 00:36:46.204,00:36:48.907 disprove that? So this is what journalists say, and this is 00:36:48.907,00:36:52.610 what others say; this is what executives in it said, uhm, but 00:36:52.610,00:36:56.347 can we prove, can we prove it or even better can we disprove it? 00:36:56.347,00:36:59.150 So, one, I'm not seeing that tension between bureaucracies 00:36:59.150,00:37:03.855 here, no one is coming out and saying, "No, this is BS, uhm, 00:37:03.855,00:37:06.191 the intelligence community is going around the vulnerabilities 00:37:06.191,00:37:08.493 equities process.". We're not seeing that type of evidence, 00:37:08.493,00:37:13.164 right now. Uhm, that it seems has happened in the past. Two, 00:37:13.164,00:37:19.170 it looks like there's only about 50 total 0days last year. So to 00:37:19.170,00:37:23.141 me a number from US government that's in single digits or maybe 00:37:23.141,00:37:27.011 low double digits, that seems reasonable to me. If NSA is 00:37:27.011,00:37:29.447 keeping hundreds or thousands, it doesn't seem right that we 00:37:29.447,00:37:31.716 would only be discovering 50 per year when we've got so many 00:37:31.716,00:37:34.886 people looking. And that's from every source!
you know, from 00:37:34.886,00:37:37.122 what rush, all these Russian groups are keeping, all these 00:37:37.122,00:37:40.492 China groups are keeping, from what all the red team users are 00:37:40.492,00:37:44.763 using, uhm, so to me, if they're only finding, we've only found 00:37:44.763,00:37:48.032 about 50 in the wild - single digits sounds about right. 00:37:48.032,00:37:50.635 Again, uh, we tried to go into the national vulnerability 00:37:50.635,00:37:54.005 database and see if we could see any statistical anom, anomalies 00:37:54.005,00:37:57.442 of this, uhm, of the government starting to release more 00:37:57.442,00:38:00.011 vulnerabilities into the system, the NVD was terrible. We 00:38:00.011,00:38:02.213 couldn't, we couldn't figure out anything at this point if 00:38:02.213,00:38:06.818 possible. Uhm, again, we didn't see any, uhm, uh, we just could, 00:38:06.818,00:38:10.889 we tried to find conflicting evidence, we tried to say "Prove 00:38:10.889,00:38:13.691 us wrong", you know, we sent it to the EFF, we sent it to 00:38:13.691,00:38:16.828 others, no one came back with anything that was significant 00:38:16.828,00:38:20.899 other than, other than, uhm, modest changes to the slide. 00:38:20.899,00:38:25.303 Uhm, the last one went in was, was a little, a little more 00:38:25.303,00:38:28.806 worrying. Uh, we said "Can we figure out the total of US, of 00:38:28.806,00:38:32.243 government vulnerabilities as disclo, disclosed?". Uh, Dickie 00:38:32.243,00:38:35.213 George said they discovered about 15-hundred a year. If you 00:38:35.213,00:38:39.083 apply the 91% to that, uhm, that gets you to the, that probably 00:38:39.083,00:38:41.586 puts you in the dozens-space. But he might have been talking 00:38:41.586,00:38:45.790 about the process before it was reinvigorated in 2014. So to me, 00:38:45.790,00:38:47.859 that's probably supporting evidence for the, uh,for the 00:38:47.859,00:38:50.929 dozens. 
He also said that they only retained about 3 or 4 a 00:38:50.929,00:38:55.166 year. And again, we tried to go in and disprove, how large is 00:38:55.166,00:38:59.537 the arsenal? [pause] Moderate confidence that we're, that 00:38:59.537,00:39:03.474 we're talking about dozens [cough], uh, we haven't done 00:39:03.474,00:39:06.244 this fully, we haven't really had the time to really do this 00:39:06.244,00:39:10.248 but you can do a Drake's equation, right? If you're gonna 00:39:10.248,00:39:11.583 say how big is the arsenal, these are the kinds of equations 00:39:11.583,00:39:12.917 you'd want and these are the, these are factors that you would 00:39:12.917,00:39:14.252 have in that equation, right? How many did they keep? How long 00:39:14.252,00:39:16.354 have they been keeping? How many did they burn per year? How many 00:39:16.354,00:39:19.958 got discovered by vendors or by, uhm, or by, or by other bad 00:39:19.958,00:39:23.528 guys? What's the shelf life of a, of a bug? We went through, 00:39:23.528,00:39:27.966 when I went through this, I got somewhere in around 50 or 60, 00:39:27.966,00:39:31.870 when I did this... Uhm, again, if we really tried to do this in 00:39:31.870,00:39:34.739 depth you might come up with a different answer. The quote at 00:39:34.739,00:39:36.407 the bottom is from Michael Daniel, the president's cyber 00:39:36.407,00:39:39.310 advisor, uhm, I, I was talking about this talk yesterday with 00:39:39.310,00:39:42.680 Dark Tangent and he said, and he gave me an idea that we hadn't 00:39:42.680,00:39:45.383 even thought of before. We actually kinda know, there had been a, a 00:39:45.383,00:39:49.854 revelation about what TAO capabilities were, and, so I, 00:39:49.854,00:39:54.058 added this last night. "It looks like the NSA book of 00:39:54.058,00:39:57.662 capabilities had 50 pages that each had one capability in it".
00:39:57.662,00:40:01.599 So, I thought that revelation would be something that would 00:40:01.599,00:40:04.969 disprove that it was in the dozens and it ended up being 00:40:04.969,00:40:08.106 right smack in the middle of where our guess was! Now, again, 00:40:08.106,00:40:10.708 that was a book about capabilities and not exploits 00:40:10.708,00:40:13.344 but to me that was, that was really fascinating that it ended 00:40:13.344,00:40:16.681 up exactly the same place. I thought that it was gonna have 00:40:16.681,00:40:20.485 hundreds. Okay, other nations have about 30, have about, 30 00:40:20.485,00:40:23.488 other nations that have this, uhm, the UK is the only one 00:40:23.488,00:40:27.125 that's even talked a little bit. So love or hate US government - 00:40:27.125,00:40:29.060 we're the only ones that have been anywhere near this 00:40:29.060,00:40:33.264 transparent. [audience noise] Okay, other research questions - 00:40:33.264,00:40:36.267 so as others, others get involved in this. Can we know, 00:40:36.267,00:40:38.369 how can we know our agencies are really submitting all their 00:40:38.369,00:40:41.806 vulnerabilities? Uhm, can agencies use a vulnerability 00:40:41.806,00:40:46.210 while it goes through the process? For that criteria, for 00:40:46.210,00:40:51.015 Michael Daniel, said, he's asked "Can we use this, uhm, for a 00:40:51.015,00:40:53.751 little bit?". That leads me to believe that they might not be 00:40:53.751,00:40:56.387 doing that, but I haven't, we haven't found a great answer for 00:40:56.387,00:41:00.024 that. Uh, can we find any more direct measurement? And, most 00:41:00.024,00:41:03.828 importantly, what is the next president gonna do? [audience 00:41:03.828,00:41:06.297 noise] Cause this is just done by this president, and the next 00:41:06.297,00:41:10.601 president can come in there with their own...
[laughter] Okay, 00:41:10.601,00:41:13.471 recommendations, uhm, [cough] two former White House officials 00:41:13.471,00:41:17.342 - Rob Knake and Ari Schwartz - uhm, did a fantastic set of 00:41:17.342,00:41:20.278 recommendations. They did a report on this process and that 00:41:20.278,00:41:23.214 was very helpful for us. Right now, there's no room for 00:41:23.214,00:41:26.884 congress in this, right now this is just a policy, that can be 00:41:26.884,00:41:30.588 stronger. It can be an executive order or presidential directive. 00:41:30.588,00:41:32.623 Right now, once it goes through the process it never gets 00:41:32.623,00:41:35.727 reviewed again, uhm, and these guys said, you know, let's take 00:41:35.727,00:41:38.629 a look at that, let's look at what the watchdogs can do - like 00:41:38.629,00:41:41.065 the inspector general, or the privacy and civil liberties 00:41:41.065,00:41:44.702 oversight board. I would add to that mandating no use of this 00:41:44.702,00:41:47.538 vulnerability until it's gone through the process. [cough] And 00:41:47.538,00:41:49.941 that's, it doesn't seem like it's specific, we need to add 00:41:49.941,00:41:54.345 that. Uhm, and I just think we need other countries, especially 00:41:54.345,00:41:58.983 other democracies, like Great Britain to get involved and, and 00:41:58.983,00:42:01.986 give their process as well. But also countries like, uhm, like 00:42:01.986,00:42:05.790 The Netherlands, Australia, uhm, there are great democracies that 00:42:05.790,00:42:09.794 aren't picking - recommendations for the rest of us. [pause] 00:42:09.794,00:42:13.798 Normally in warfare if one side disarms themselves then all 00:42:13.798,00:42:16.367 they've done is disarm themselves, right? If the US 00:42:16.367,00:42:18.803 said we're not gonna have nuclear weapons everyone else 00:42:18.803,00:42:21.672 has nuclear weapons and we haven't changed.
This is the one 00:42:21.672,00:42:28.212 area where you dis, you can disarm governments. Because once 00:42:28.212,00:42:32.216 that information goes to a vendor - everybody is disarmed. 00:42:32.216,00:42:35.319 So if you are out discovering vulnerabilities and you wanna 00:42:35.319,00:42:38.222 disarm governments around the world - make sure you're telling 00:42:38.222,00:42:42.326 the vendor. Follow up if they're not, not listening to you. I 00:42:42.326,00:42:44.328 think we need more attention on this question amongst, amongst 00:42:44.328,00:42:48.332 the researchers and more FOIA. So we covered these four, we 00:42:48.332,00:42:51.502 covered these four areas, uhm, I think it's a pretty decent 00:42:51.502,00:42:55.573 process on disclosing and retaining but there's definitely 00:42:55.573,00:42:58.743 some improvements that we can come up with. The number that 00:42:58.743,00:43:02.213 they keep every year seems to be much smaller than what I would 00:43:02.213,00:43:04.449 have ever guessed coming into this. I was shocked, I assumed 00:43:04.449,00:43:08.219 it was in the hundreds, and it looks like it used to be dozens 00:43:08.219,00:43:12.557 and now into the single digits. The full arsenal seems to be in 00:43:12.557,00:43:16.994 the dozens but only moderate conf, confidence in that, and 00:43:16.994,00:43:20.398 then a few areas for us to talk about. Okay, here's the 00:43:20.398,00:43:23.100 references. I'll leave that up for a little bit. I don't think, 00:43:23.100,00:43:26.137 we're not gonna have time for questions, uhm, but, uhm, I'll 00:43:26.137,00:43:28.739 stick around afterwards and I'll, I'll see you around here - 00:43:28.739,00:43:33.744 out in the hallway afterwards. [audience noise] So, I know I 00:43:37.582,00:43:39.851 might not have convinced you... [applause]