The Instigator
Greg4586
Pro (for)
Winning
3 Points
The Contender
tsukiyomi
Con (against)
Losing
0 Points

Resolved: The NSA should disclose zero day vunerabilities to relevant vendors

Do you like this debate?NoYes+0
Add this debate to Google Add this debate to Delicious Add this debate to FaceBook Add this debate to Digg  
Post Voting Period
The voting period for this debate has ended.
after 1 vote the winner is...
Greg4586
Voting Style: Open Point System: 7 Point
Started: 4/1/2016 Category: Politics
Updated: 1 year ago Status: Post Voting Period
Viewed: 435 times Debate No: 89088
Debate Rounds (4)
Comments (0)
Votes (1)

 

Greg4586

Pro

Round 1: acceptance
Round 2: Pro and Con both present opening cases, no rebuttals
Round 3: Pro and Con are allowed to rebut their opponent's arguments with no new arguments
Round 4: Final statements.

Definitions
The NSA- The National Security Agency in the United States
Disclose- Reveal
Zero Day vulnerabilities- These are security holes in software that are unknown to the possessor of the software with the vulnerability. The NSA exploits these vulnerabilities to hack into software, instead of disclosing them to the vendor
Relevant vendors- The vendor who possesses the software which has the vulnerability in it.

Goodluck to whomever accepts this debate.
tsukiyomi

Con

I accept this debate.

Interesting topic and my position is going to be quite a challenge. Thank you for starting this debate and your good luck wish. I am looking forward to your arguments and to be exchanging ideas with you. Likewise, best of luck to you.
Debate Round No. 1
Greg4586

Pro

Sorry for being so late, I have been rather busy.

Now let's get started

These vulnerabilities compromise the cyber security of the US. Every second these potential breaches in our security go without action the risk of a cyber attack becomes more likely.

As Bruce Schiener, a chief technology officer of resilient systems, put it

"By fixing the vulnerability, it strengthens the security of the Internet against all attackers: other countries, criminals, hackers. By leaving the vulnerability open, it is better able to attack others on the Internet. But each use runs the risk of the target government learning of, and using for itself, the vulnerability"or of the vulnerability becoming public and criminals starting to use it." [1]

Disclosing these vulnerabilities to the vendors of the at risk software allows them to patch it, overall strengthening the security of the software we use and trust today.

Another source suggests that disclosing zero days and allowing them to be patched allows for a better, and more protected internet.

"The simple fact is that if the NSA were helping to stop zero days that would better protect everyone against anyone else using those zero days. In fact, closing zero days is just like disarming both sides, because it takes the vulnerability out of service. It's not about us giving up our "weapons," it's about building a better defense for the world." [2]

The reality of the situation is that we the NSA is currently putting ourselves and other at risk for cybercrime

1. http://www.theatlantic.com...
2. https://www.techdirt.com...]%20//khirn
tsukiyomi

Con

Glad to hear back Pro and appreciate that you are able to make time and presenting your challenging argument. I will promptly present my part.

The topic is entitled "The NSA should disclose the zero day vulnerabilities to relevant vendors." My position as Con is to disagree to that statement and hereby present my arguments.

According to Admiral Michael Rogers the Director of NSA, NSA discloses 91% of "Zero Day Vulnerability" that it has and the remaining 9% are divided with either these vulnerabilities are already patched and the remaining "is kept for National Security reason" [1]. Base on that reference, the 91%, I would argue to be deemed conclusive.

This leads to an expanded relative argument should the NSA release remaining single % of the zero day patches to vendors. As again fulfilling my role, I would have to disagree.

The remaining vulnerability are being use "for national security reasons" and one-way to deduce is this vulnerability are critical assets to national security. But are those zero-days posing great threats? Unlikely, according to an experience security researcher and the CEO of Netragard an Anti-Hacking and security company explains that "The actual usage of zero-days is quite limited, it is that they hold no real threat for the average business or citizen." [2][3].

Furthering that vulnerability above as stated as "no real threats for citizen or business" but it"s still a threat, but it does not mean that those threats are easily exploitable and in anyway like the unrealistic portraying of Hollywood or Anime. Its quite complex.

Very much like our "Networking technology" that we are using everyday are running through layers, including security layers as an example would be "Firewalls" to block intrusion and another layer are "weak / strong secure password detectors".

Big business with "PROPER" security system and IT teams are responsible to secure these threats, adding layers of security, and most importantly preventing any malicious hackers to obtain the requirements for a successful zero-day hacks and to delay malicious hackers to the point where hackers will retreat from pursuing their attacks.

My second argument Vendors should not rely on NSA for their product flaws, but should have the responsibility to provide and thrive to enhance their quality products, services, and maintaining the integrity and trust to buyers. Meaning taking "the time" to test out these products for security holes, providing top quality bug-free and logic proof codes, scrutinizing quality assurances, and hiring outside consultant, security professional, and especially security researchers. Many companies are taking their own responsibility by doing this via "reward bug bounty program" and through beta-release for testing [5].

My final argument as con is information on zero-day vulnerability cost. Thus, vendors are providing the "bug bounty program" through their own expenses by encouraging and supporting the economy of security researcher to discover those "hard to find zero-day" and as well for help of security professional. This essentially is a way prevents burden of NSA to purchase those vulnerabilities using our taxes and prevents any further violations of ethics as a governmental agency.

The reality is zero-days has high cost in the market with often with low probability threats. We are the one to protect ourselves, and our country by reporting threats and flaws to vendors and encourage vendors with our trust for the assurances of bug free products, and lastly to acknowledge and support security researchers and career professional to sustain themselves and the integrity, security, and confidentiality from cybercrimes.

[1]. https://fcw.com...
[2] http://www.netragard.com...
[3] http://arstechnica.com...
[5] https://en.wikipedia.org...
Debate Round No. 2
Greg4586

Pro

Greg4586 forfeited this round.
tsukiyomi

Con

It seems that my opponent has unfortunately forfeited the chance for rebuttal. I will go ahead present mine and be looking to Pro response in the conclusion final round.

Pro
"These vulnerabilities compromise the cyber security of the US. Every second these potential breaches in our security go without action the risk of a cyber attack becomes more likely."

My rebuttal as Con
Vulnerabilities as in plural meaning beyond zero-days seem to me out of scope of this subject. There is a fine difference between zero-day and vulnerabilities of human stupidity, poor firewall configuration, disgruntle employees, etc". Those are vulnerabilities that compromise the cyber-security of US.

Zero-days has low probability threat as I mentioned in my arguments, where Pro forfeited the rebuttal session. Again, there is a difference between compromise and Zero-day. Zero-day are commonly describe as "potentials" because it can happen, but most of the time it doesn"t.

By fixing the vulnerability, it strengthens the security of the Internet against all attackers: other countries, criminals, and hackers.

Wait, what strengthen the security of the internet against other countries, criminal, and hackers?
Are countries, criminal, and hackers trying to harm and break the Internet itself?

Countries and hackers are totally relying on the Internet. Ethical hackers are probably heavily relying on the Internet to make a living. Malicious hackers are relying on the Internet to break into computer remotely, and I am totally relying on the Internet to participate on this debate.

Breaking the Internet by 2 groups of hackers is like a taxi man burning his own car.

Pro
"....the vulnerability becoming public and criminals starting to use."

My rebuttal as Con
OK.... When a product or service is in the market and are sold on the market, in it's simplest and purest explanation is accessible to the public. Zero-day vulnerability has HUGE market for anybody to purchase, especially our trustee vendors (this info is included in my argument references [3]). Who definitely should.

Pro
"Another source suggests that disclosing zero days and allowing them to be patched allows for a better, and more protected Internet."

My rebuttal as Con
Seems like source has oversimplify the writing on complex topic of technology.

Now if this is so. if my household of 20 computers don"t update my software for 3 years where computer is filled with zero-days than 'The Internet' will be extremely slow as dial-up, eventually break, and die.

Even if, I assumed 50,000 zero-days vulnerable computers are online now somewhere around the world which is very likely, I can tell you the Internet will still work, it's working. For the love TCP?IP, I am still running XP and Win7 box, not-patch, with probably lots of zero-days on my network and holy smokes my Internet still works.

My point is: Zero-day exploit is not about protecting the Internet is about shutting access to computers whether they hold valuable data or not and whether it can access to control something of create value or not.

Looking forward to seeing you in the final round and hope all is well Pro, cheers :).
Debate Round No. 3
Greg4586

Pro

First off, I would like to apologize for my previous forfeit. I was very sick yesterday and ended up knocking out and sleeping straight through the time I had set aside to respond.

I hope we can resume this debate. Onto rebuttals,

My opponent claims that Zero days pose little threat to regular people. But actually a zero day exploit was used against adobe to spread ransomware very recently. [1]

My opponent also claims that we use firewalls to prevent this sort of exploit, but that's exactly what zero days are for. They are used to surpass those firewalls and find holes within them.

Next my opponent claims this: "Big business with "PROPER" security system and IT teams are responsible to secure these threats, adding layers of security, and most importantly preventing any malicious hackers to obtain the requirements for a successful zero-day hacks and to delay malicious hackers to the point where hackers will retreat from pursuing their attacks."

It is the IT teams responsibility to secure these threats, but doing so is not possible without knowing the problems exist. This often falls to white hat hackers which find the vulnerabilities and sells them to the company so they can patch them, but that is not a foolproof system as black hate hackers are perfectly able to find the exploits first. No amount of skill and competence an IT team can have will prevent that.

"My second argument Vendors should not rely on NSA for their product flaws,"
This isn't a question of reliance. The fact of the matter is, the NSA is aware of exploits the company isn't and the NSA isn't telling them. It's perfectly reasonable for the companies to expect to be made aware that their software is vulnerable especially because it makes their customers at risk of cybercrime.

They're not relying on the NSA because they have other methods of protection, but if the NSA is the only agent who can tell them about the zero days it is not wrong for them to expect the NSA to do so.

"My final argument as con is information on zero-day vulnerability cost. Thus, vendors are providing the "bug bounty program" through their own expenses by encouraging and supporting the economy of security researcher to discover those "hard to find zero-day" "
The problem with this argument is that Con seems to misunderstand how the market works. Their are white hat hackers and the criminal black hat hackers. The white hackers are fine, they are supporting the cyber security of companies, but black hat hackers are selling them to the highest bigger regardless of what they will use it for. This can be sold to repressive governments, or cybercriminals looking to steal from bank accounts. [2]

The black hats would be the one's hurt as the white hat hackers would be working for the same purpose as the NSA.
I doubt my opponent really is arguing that we should ensure a well working market for criminals and oppressive governments.

"There is a fine difference between zero-day and vulnerabilities of human stupidity, poor firewall configuration, disgruntle employees, etc". Those are vulnerabilities that compromise the cyber-security of US."

Not quite, regardless of how competent the staff is, their software is still vulnerable if their is a zero day exploit involved.

"Zero-day are commonly describe as "potentials" because it can happen, but most of the time it doesn"t."

I won't deny that they aren't used most of the time, but that doesn't mean we shouldn't eliminate the risk of them being used.

"Wait, what strengthen the security of the internet against other countries, criminal, and hackers?
Are countries, criminal, and hackers trying to harm and break the Internet itself?"

Lol no, bad wording on my part. But what is happening is that the software is at risk for being exploited which allows for cybercrime. Such as the ransomware mentioned in my first source. These zero days are targeting specific users often in order to steal information (eg. Credit cards)

The internet obviously can't be broken, that wouldn't make any sense and doesn't as it's just IPs connecting to common servers.

"Zero-day vulnerability has HUGE market for anybody to purchase, especially our trustee vendors "
I agree there and the NSA disclosing the zero days they have wouldn't prevent white hat hackers from continuing business as usual, because the way zero days work is they lose their value as soon as the vendor patches the exploit, because then it's no longer a zero day. White hat hackers SHOULD continue their work, strengthening cyber security.

"Now if this is so. if my household of 20 computers don"t update my software for 3 years where computer is filled with zero-days than 'The Internet' will be extremely slow as dial-up, eventually break, and die."

I'm just going to apologize for my use of the vague term 'the internet' I'm not claiming that zero days are literally going to destroy the internet, that would be absurd.

But, while your internet would not stop working what does happen is your computer and information is vulnerable if it is not patched. You could have your identity stolen, or your credit card info stolen. That is the risk we're running, not the internet itself crumbling.

"Looking forward to seeing you in the final round and hope all is well Pro, cheers :)"
Looking forward to your response as well, sorry again for my forfeit. Cheers. :)

[1] http://www.pcworld.com...
[2]
tsukiyomi

Con

Great to hear back from Pro, I am glad to know you are feeling better and I appreciates your responses. Of course, I will continue wit this final post.

"My opponent claims that Zero days pose little threat to regular people."

What Claims? I PROVIDED reference and citation in my argument that my opponent seem to missed.

Original references #3 http://arstechnica.com...

Paragraph 7: In short, then, the actual usage of zero-days is quite limited. "It's not that zero-days aren't being used," explained Adriel Desautels, an experienced security researcher and CEO of Netragard. "It's that they hold no real threat for the average business or citizen."

Not only did I just used it as reference I even took the trouble to verify the credibility of the quote => reference #2. http://www.netragard.com...

" My opponent also claims that we use firewalls to prevent this sort of exploit, but that's exactly what zero days are for. They are used to surpass those firewalls and find holes within them. "

What I mention is firewall being an example of security layer to 'delay exploit to the point of the attacker retreat' and NOT say that it is impossible to break through. This is the point of IT security, to prevent hacking by delaying the attempt to surpass it, and make it as impenetrable as possible. Unless my opponent can explain how firewall does NOT delay intrusion than this is not a claim.

What pro says is true zero day can surpass firewall, but my opponent does not understand how basics hacking exploits works for a complex hack, Black-hats needs to figure out where the zero-day software Is on the computer, plan it, and execute. Just like beating the henchmen and minions before meeting the boss. This requires multiple hacking phases that takes time to prob and see what best path to take in order to exploit [1]. These is something, commonly takes massive of time and effort to bypass. Many time if there a little to gain, even meaningless and a waste of time. This the reason zero-day threats on regular people and regular businesses.

This is very reason why zero-day exploits cost so much, because security researchers invest much time, efforts, requiring cultivated skills, and knowledge to nitpick through the system and figure out the exploits many times in groups. This can involve skill, constraints, and requirements to go through and discover such exploits and to execute[2]. Point it is not easy for Blackhats to discover their own zero day, to purchase it, to collect recon for exploit, and to EXTRACT the right data to perform a valuable zero-day attack.

""black hate hackers are perfectly able to find the exploits first. No amount of skill and competence an IT team can have will prevent that."

In order to find these exploits blackhat would to phases as I mention previous in order bypass and launch their exploits on [1]. Going through large business that has quite with complex security infrastructure would be much more challenging than exploiting regular people. There are many tools can detect exploit attempts and thus 'Proper security' and pattern recognition using honeypots, Intrusion Detection System, and Intrusion Prevention System are very common security tools [3]. Such tools are specifically design to detect of data gathering, intrusion, and prerequisite before launching exploits. This is what is are the tools that are keeping malicious hackers from needed info and recon as a prerequisite for a working hack They are able but to what troubles and whether they can avoid the radar.

"The problem with this argument is that Con seems to misunderstand how the market works."

Now compared to my opponent's references and citation to this debate. My references / citations included very elaborated explanation about markets, obviously in my arguments brought 'Markets' to light and did say how those information cost, especially cost in the blackmarket. The big cost of zero day is not something anyone can afford, including blackhats, when they do afford, it's a decision of great risk.

Likewise, I need to apologize for not making Blackhat and or even Grey Hat explicit enough. I use blackhat as 'malicious hackers' and white hats as 'security professionals' but I did make the imply of the blackmarket, perhaps my opponent missed that implication. => "This essentially is a way prevents burden of NSA to purchase those vulnerabilities using our taxes and prevents any FURTHER VIOLATIONS of ETHICS as a governmental agency."

Meaning I have a fairly good understanding of how the market works. Let me elaborate, this is the reason I am focusing on white hats and my point to this is vendors as a solution are already active on the zero-day market at there own expense without the needs for the NSA to use our tax money and avoid any chances of purchasing zero-day from questionable markets.

Now, my implication is logically that IF the NSA bought the zero-day from Blackhats (AKA criminal) it would be a 'violations of ethics' and makes the NSA criminal themselves. IF the NSA bought zero-day data from 'Grey Hats' if doesn't mean that Grey Hats wouldn't be selling it to 'malicious hackers' to; as probable conclusion to 'Grey Hat' as blackhat violation. This reinforces on why NSA should not buy zero-day vulnerability data and not spend more of our taxes to communicate, convince, and considering additional cost and the time to share report of "X" amount 0days to 'X' amount of vendors.

""...but black hat hackers are selling them to the highest bigger regardless of what they will use it for.""

This is exactly of my point (excluding the highest bigger) of zero-day cost and why vendors are buying it from white hats because it cost less and we should give our support and culture the growth security experts and not having the NSA as a competitor. Also for us not to allow any chances for the NSA or Government to unethically purchase it from them Blackhats and Grey Hats for ridiculous price. Thank you for bringing up my point.

I won't deny that they aren't used most of the time, but that doesn't mean we shouldn't eliminate the risk of them being used.

Sweet on that part. But in order to eliminate it, we would need to be obtain it and with a question of time, depending on the threats 0day can cost from $5000 to half a million for a single 0day [7]. Someone has to buy it from the market or Blackmarket. Meaning that for critical 0day, the NSA would have to determine its value, it's potential threat, go through costly bureaucratic process, find a seller, buy it, prey it hasn't been patched or used, and share it with vendors. That is reality.

"Not quite, regardless of how competent the staff is, their software is still vulnerable if their is a zero day exploit involved."

Its true zero day exploit are still vulnerable hence the name itself, but reinforcing my original argument and references used. Zero day vulnerabilities has little probability threats. Why? it would be profitable and easier for malicious hackers to use the easiest and quickest method than the hard road with zero-day. I have included 3 references of common hacking techniques that commonly and successfully use for cybercrimes. Including social engineering (human stupidity), wireless hacks, sql injection, etc... [4][5][6]. None of those include the low probability threat zero-day. This can deduce that zero-day is even harder than common hacking which already hard. Thus cybercrime has higher probability using commons hack without paying $$$$ and without learning how those 0days works.

Looks like this it for the debate and definitely has been a challenging and enjoyable one. All thanks to you Pro for starting it, presenting your argument, and a final rebuttals. It was short but awesome. Good luck to you, your debating journey, and kind regards.

[1] http://certifiedethicalhackerceh.blogspot.com...
[2] https://www.blackhat.com...
[3] http://csrc.nist.gov...
[4] http://www.computerworld.com...
[5] http://www.infoworld.com...
[6] http://www.securityweek.com...
[7] http://www.wired.com...
Debate Round No. 4
No comments have been posted on this debate.
1 votes has been placed for this debate.
Vote Placed by Hayd 1 year ago
Hayd
Greg4586tsukiyomiTied
Agreed with before the debate:--Vote Checkmark0 points
Agreed with after the debate:--Vote Checkmark0 points
Who had better conduct:--Vote Checkmark1 point
Had better spelling and grammar:--Vote Checkmark1 point
Made more convincing arguments:Vote Checkmark--3 points
Used the most reliable sources:--Vote Checkmark2 points
Total points awarded:30 
Reasons for voting decision: This vote is cast on behalf of the voters union. If you have an unvoted debate that passes the our standards, submit it by messaging tejretics, TUF or DK https://docs.google.com/document/d/17sAmvIvjO2_ZMYvyEZTI8xCMNbiH5hsTM6APSyYsH64/edit?usp=sharing