image: luxembourg

A zero day exploit is a way to break computer security that is unknown to anyone apart from the attackers.

What I say below is a response to this article by Roger Grimes (InfoWorld, July 2013), so read it before you go any further.

I simply don’t believe the claim of thousands of zero days in single applications.

Back in the day, when Diffie Helman first patented their two factor encryption algorithm, they didn’t get a patent in the UK because GCHQ had got there first. They did get those patents elsewhere. In other words, the commercial world is not dreadful, it’s quite capable of being among the best.

One of the few examples we have of military level naughtyware is Stuxnet / Flame, used to attack the Iran nuclear programme. That used a number of zero days including completely new cryptography to break certificate signing (arstechnica). Completely new cryptography? The authors had to use completely new cryptography to produce a zero day? If they had thousands of zero days in single applications, then why on earth risk telling the world something so significant? Either they screwed it completely, or they had no choice but to risk the mathematics becoming known because there were no tens of thousands of zero days to hand.

The interviewee also comments that every few lines of code contains a bug. Having contracted for many companies over the years, and seen a great deal of source code, I can’t argue with that. Very few programmers even properly understand the language they use. But there’s one hell of a difference between a bug and an exploit. An exploit is a bug you can get to and abuse. Yes, I can believe a quantity in an normal product, but tens of thousands? Really?

Anyway, all that is beside the point. The spy agencies absolutely have to firefight attention away from the message put out by Snowden’s leak. This means putting out lots of other stories, and I reckon this is one such. There will be elements of truth in it, given the best lie is the truth, but given the goal is attention, there will be exaggeration. That’s another reason I doubt ‘the tens of thousands of zero–days bugs in single applications’.

But I reckon there’s an unintended consequence in this. Another message that comes out of all those zero–days is that the attackers have the overwhelming hand, so there’s effectively no chance of being able to defend against attack. In other words, why bother? And since the article also says the secret squirrels themselves don’t bother, the messages the ultimately comes out is that defence as defence is hopeless, but that offence works, so the only defence is offence. Cue far more commercial and criminal arming.

Anyway, there’s going to be lots of checking out colleagues of Snowden, and some jobs will no doubt be lost. There’s always a need for recruiting new people, even more now. This story reads rather like a Stross novel, it’s rather exciting, just the right background for recruiting young impressionable, shapeable, minds. So I reckon you should read this article as an ad for vacancies for the young, naïf & clever.