Re: The CIA mentions us

Rich Kulawiec <rsk@gsp.org> Sun, 12 March 2017 12:47 UTC

Return-Path: <rsk@gsp.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC2AB128DF6 for <ietf@ietfa.amsl.com>; Sun, 12 Mar 2017 05:47:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NCBtGUP0HjL2 for <ietf@ietfa.amsl.com>; Sun, 12 Mar 2017 05:47:22 -0700 (PDT)
Received: from taos.firemountain.net (taos.firemountain.net [207.114.3.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31B65128824 for <ietf@ietf.org>; Sun, 12 Mar 2017 05:47:21 -0700 (PDT)
Received: from gsp.org (localhost [127.0.0.1]) by taos.firemountain.net (8.15.1/8.14.9) with SMTP id v2CClKGo032086 for <ietf@ietf.org>; Sun, 12 Mar 2017 08:47:20 -0400 (EDT)
Date: Sun, 12 Mar 2017 08:47:20 -0400
From: Rich Kulawiec <rsk@gsp.org>
To: IETF Discussion Mailing List <ietf@ietf.org>
Subject: Re: The CIA mentions us
Message-ID: <20170312124720.GA13596@gsp.org>
References: <20170307155346.fwhhpnsm4wl6zzoo@nic.fr> <CAMm+Lwh5E-NPXsVWQpK2tA8Rr+6SpvJJKxMbiks7_F1umxz2FQ@mail.gmail.com> <20170307160840.duv7wwg5sm23nrek@nic.fr> <44d06f90-0f38-f6de-8eb1-cf8262369cd5@bogus.com> <c6df6333-1a08-aa0c-c1de-55d335234f2a@si6networks.com> <alpine.LRH.2.01.1703071034050.3764@egate.xpasc.com> <CAMm+LwioHOJxDZudH8Ya9SYv5DT1fPMJ5ypDR8O5JGa4HwxPvg@mail.gmail.com> <F950C538-05E4-451B-8AC0-A42010DAA8D6@piuha.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <F950C538-05E4-451B-8AC0-A42010DAA8D6@piuha.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/Yns14MMK9A53mJPLNBp8VFLoNaY>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Mar 2017 12:47:23 -0000

On Thu, Mar 09, 2017 at 10:36:07PM +0200, Jari Arkko wrote:
> 2. There is no such thing as privileged access to the good guys. It
> will leak / break / be shared.
> 
> 3. Secretly held vulnerabilities make us all less safe.


Two points:

A) Worth noting (h/t to Richard Forno):

	Rand: The Life and Times of Zero-Day Vulnerabilities and Their Exploits
	http://www.rand.org/pubs/research_reports/RR1751.html

The key findings are highly illuminating -- particularly the observation that
the median time -- the *median* time -- to develop an exploit for a zero-day
vulnerability is 22 days.

B) What one government knows, another will know soon.  There are enormous
resources available for this task and vulnerability information, unlike
some other forms of intelligence, can be immediately used with plausible
deniability and without attribution.

---rsk