[Dailydave] The Reality Bubble of the VEP

Dave Aitel dave.aitel at gmail.com
Tue Dec 18 17:54:27 UTC 2018


So recently I went to a conference on vulnerability equities
<https://carnegieendowment.org/2018/12/05/international-policy-conference-on-government-vulnerability-management-event-7009>,
which I wanted to tell everyone about on this mailing list. Normally I
reserve this mailing list for technical conversations, and use the cyber
policy blog <https://cybersecpolitics.blogspot.com/> for policy talk, but I
think this one touches us all.

First of all it was under Chatham House Rule
<https://www.chathamhouse.org/chatham-house-rule>, which means I can't say
WHO SAID anything or who was there, but they did publish an agenda, so your
best guess is probably right, if you've been following the VEP discussion.

Anyways, here (in click-bait format like Jenny Nicholson
<https://www.youtube.com/watch?v=QYUJ_ODfc8w>) are my top three things that
are literally and mathematically irrational about the VEP, as informed by
the discussion at the conference:

1. *A lot of the questions you are supposed to answer in order to make the
VEP decision are 100% unknowable.*

Questions include: "How many targets use a particular software" and "how
many US people use a software platform" and "will the Chinese find this bug
easily or not" etc etc.

Some panel members thought a partial solution might be for every technology
company to give all their customer survey information to the government,
which could help answer questions like "Do we need to protect or hack more
people who are vulnerable to this bug?" This idea is a bad idea and you
could sense the people in the room laughing internally at it, although it
is partially already the goal of Export Control regulations.

Needless to say, if you are making your decisions based on a bunch of
questions you have NO ANSWERS TO, you are making RANDOM decisions. And some
of the questions are obviously unknowable because they involve the future.
For example, the answer to "Do our opponents use the latest version of
Weblogic?" is always "not at the moment but the future is an unknown
quantum interplay between dark energy and dark matter that may decide if
the universe continues to expand and also if the system administrator in
Tehran upgrades to something vulnerable to this particular deserialize
issue!". An even better example is the question of "How hard is this bug
for the Chinese to find?" to which if you KNEW WHAT BUGS THE CHINESE COULD
FIND IN THE FUTURE you would not be worrying about CyberWar problems so
much as how to deal with the crippling level of depression that happens
when you have a brain the size of a planet
<https://en.wikipedia.org/wiki/Marvin_the_Paranoid_Android>.

Although ironically the VEP will tell the Chinese how hard it is for US to
find particular bugclasses, so we have THAT going for us at least.

2. *Voting does not resolve equities issues.* One of the panelists mentioned
that if you want to take every bug, and rank its usefulness from 1 to 10,
and then take its negative impact, and rank that one to ten, you can draw a
nice diagram like the one below.

[image: image.png]

Then (they posit) you can just look at the equities decisions you've made,
and draw a simple line with some sort of slope between the yay's and the
nays and you've "made progress" (tm).

Except that in reality, every number on the graph is somewhere on the axis
of "would stop World War III if we could use it for SIGINT" and "would end
all commerce over the Internet as we know it resulting in the second Great
Depression". I.E. every number is zero, infinity, or both zero AND infinity
at the same time using a set of irrational numbers that can only be graphed on
the side of a twelve dimensional Klein bottle. What if a bug has no use,
but the bugclass it belongs to is one you rely on for other ops? The
complications are literally an endless Talmudic whirlpool into the abyss.

For example, I am continually mystified by certain high-level officials'
misunderstanding of the basics of OPSEC when you give a bug out. They seem
to think that you can USE a bug operationally before you go through the
VEP, and then decide to kill it, and not suffer huge risks with OPSEC
(including attribution). They often justify this with the idea that
"sometimes bugs get caught in the wild or die by themselves" which is TRUE.
In that sense, yes, *every operational use of an exploit is an equities
decision* - one that you take for OPSEC reasons. Which is why GOOD
OPERATORS use one whole toolchain per target if possible. And if you think
that's overkill, then *maybe you've underestimated the difficulty of your
future target set.*

Also note that no person in government policy wants to use this process to
measure the impact of the VEP over time - although I'm not sure what units
you would measure your operational loss in, other than human lives?
Likewise, there's only one output to the VEP, "Give bug to Vendor" as
opposed to a multi-output system including "Write and publish our own
Patch" which seems like a better choice if you want to have options for
when you disagree with a vendor's triage or timeline?

3. *No Government in Europe is dumb enough in this geopolitical environment
to do VEP for real.* It may happen that every Western government signs or
sets up some document that assigns a ton of unanswerable rote paperwork
per-bug to their already small technical and cleared teams, if for no other
reason, because Microsoft and Mozilla and the Software Alliance
<https://www.bsa.org/?sc_lang=en-US> all have legitimate soft power that
can influence public policy. I mention them in particular because they
funded this conference and following the money is a thing I once heard
about. As a positive bonus note: VEPs are great cover for killing OTHER
people's bugs once you catch them in the wild.

But the EU technical teams were also there at the conference, with the
government policy people responsible for getting their cyber war game from
D-level to A-level. You can imagine the post-Snowden meetings all across
Europe in rooms with no electronic devices where elected officials looked
at their teams and said "What exactly do they mean 'SSL Added and Removed
Here'?!? We need to 'Get Gud', as the teens are saying. Pronto."

Does anyone realistically think that they're going to hamstring themselves?
Because I talked to them there and I'm pretty sure they're not going to.
(insert SHRUG emoji!)

And here's the actual strategy implication that they know, but don't want
to say: *Your best people will leave if you implement the VEP seriously*.
There are those Sardaukar for whom it is not about money, who are with you
for life, as long as you have a mutual understanding that their work is on
*mission*, all warheads in foreheads. And to them, the VEP is an anathema.

And then there are people out for fame and money, and those people are
going to get stolen by a random company anyway, because why would they ever
stay and be a glorified bug bounty hunter?

I mean, every country is different. It's possible I'm misjudging cultures
and talent pools. Or not. But if you are running a country's VEP program,
you have to be pretty confident that I'm wrong about that to move forward.
This is the kind of thing you'd want to start asking about in your exit
interviews.

Oh, and as a final note: One of the submitted talks to INFILTRATE
<http://infiltratecon.com/register/> required an equities decision. Cool
0day, very old, and you should come and see the talk even though we haven't
officially announced it yet. :)