EFF sues U.S. government over cybersecurity disclosures
Your move, NSA.
The Electronic Frontier Foundation (EFF) wants to know how the U.S. government decides which major cybersecurity flaws to disclose and which to keep secret.
On Tuesday, the EFF launched a Freedom of Information Act (FOIA) lawsuit against the National Security Agency and the Office of the Director of National Intelligence (ODNI) in an effort to obtain documents that show how American intelligence agencies choose to disclose devastating and previously unknown computer security flaws known as “zero days.”
“This FOIA suit seeks transparency on one of the least understood elements of the U.S. intelligence community’s toolset: security vulnerabilities,” EFF Legal Fellow Andrew Crocker said Tuesday in a statement. “These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country.”
Zero days are the most valuable and effective weapons in any cyberwar arsenal because no one knows they exist. Many governments will pay a premium for these vulnerabilities, which they can then use in cyberattacks of their own.
Zero day attacks can remain undetected for months or years after they are first launched. Stuxnet, a computer worm that sabotaged Iran’s nuclear program, worked for as many as five years before detection in 2010.
The EFF specifically cited the April 2014 Heartbleed bug, a vulnerability that existed for years, as a potentially crucial zero day attack. Bloomberg News reported that the NSA secretly exploited the bug for two years, a charge that the agency vehemently denied.
“In the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest,” Michael Daniel, the White House cybersecurity coordinator, wrote in response to the charges. “This has been and continues to be the case.”
There are exceptions—an opportunity to collect crucial intelligence to thwart a terrorist attack or to stop the theft of intellectual property, for instance—and the White House says it has “established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure.”
Daniel did not reveal any other specifics about how the U.S. decides which vulnerabilities to keep secret.
The U.S. government’s use of zero days affects domestic policing as well. The Department of Justice is currently pushing the U.S. Courts’ Committee on Rules of Practice and Procedure to allow law enforcement to use zero days to hack into computers using malware.
“The use of zero days by law enforcement poses significant risks,” Nathan Freed Wessler, staff attorney at the ACLU, wrote, “because by exploiting these vulnerabilities rather than notifying the companies responsible for the software, the government leaves the rest of the internet vulnerable to malicious attacks.”
Wessler argues that the use of zero days also undermines the Fourth Amendment's protection against unreasonable search and seizure.
The EFF insists that the public ought to be able to take part in the debate over vulnerability disclosure, which remains obscured by government secrecy.
Photo via Robert Nelson/Flickr (CC BY 2.0)
Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.