In Security Now episode 603, Steve dives into the Vault 7 leaks. And while I trust Steve’s technical analysis of the information, the conversation takes a sharp turn into two completely unrelated topics: Cryptographic backdoors for law enforcement use, and the vulnerability equities process (VEP).
Steve’s assertion, and his main take-away from the Vault 7 leaks, was that if the CIA and NSA can’t keep their own stuff secure, then they can’t keep any kind of backdoor (or frontdoor) universal key secure either. The “going dark” debate is an interesting one, and frankly requires a lot of nuance, and I see both sides. But Steve’s argument here is not a valid one. First and foremost, I don’t think the argument holds in general. Yahoo! has had a breach, therefore we shouldn’t trust Google with our stuff. Or, if the argument is that no one can secure things, then we need to have a real conversation about the level of trust given to the manufacturers themselves.
But the part that gets me yelling at my podcast app is that Steve still doesn’t understand what law enforcement is, a mistake he’s been consistently making for 10 years now. The CIA and NSA are intelligence agencies. Law enforcement refers to groups such as local police, state police, and sheriffs. The confusion on Steve’s part may come from the fact that the FBI has both law enforcement and intelligence functions. But once you understand that the NSA and CIA are not law enforcement, the analogy becomes: Target didn’t properly secure its credit card readers one time, therefore the government can’t secure crypto keys.
The other equally silly line of reasoning concerned the Vulnerability Equities Process, or VEP. Steve starts the Vault 7 discussion by saying that it was as if the CIA had listened to all 602 episodes of Security Now and documented all the things they heard, because there was nothing in this dump that wasn’t discussed on the show. So what does this have to do with VEP? Well, what is VEP? Quoting from the Electronic Privacy Information Center:
The United States government has established a Vulnerability Equities Process (VEP) to determine whether to withhold or disclose information about computer software security vulnerabilities. Under the VEP, the government will evaluate whether to disclose a vulnerability it has obtained or discovered—so that the software developer has a chance to fix the problem—or the government may choose to withhold the information to use it for purposes including law enforcement, intelligence gathering, and “offensive” exploitation.
The rest of that article is focused on the definition of zero-day, and how vulnerabilities are acquired/discovered. By definition, VEP is about zero-days. What’s the point of discussing disclosing vulnerabilities that are already known?
Yet somehow, Leo and Steve both go on for minutes talking about VEP, a process about disclosing zero-days, almost immediately after saying that there were no zero-days in the leak. Regardless of the arguments that followed, the fact that they took the conversation there shows that they either didn’t understand it at all, or were trying to drive to a political point.