I've seen a lot of anti-NSA rants after the new @symantec report about EternalSynergy and DoublePulsar. Exploits serve an obvious purpose which we should all agree is valuable - gaining intelligence on those who wish us harm. Those arguments miss this. 1/9
arstechnica.com/information-…
So exploits have a place, but they *are* fundamentally dangerous. If you use the same vulnerable code on your network, you aren't protecting yourself either. You can't deploy IDS signatures to find the exploit or people will reverse engineer them. 2/9
You can't create your own binary patches just to protect yourself - that alone can lead to disclosure of the vulnerability's existence. It's a hard thing to reconcile - keeping an exploit for your use while being vulnerable yourself. 3/9
That's what the vulnerabilities equities process (VEP) was created to address. Members of the VEP get a say in whether the likely gains outweigh the likely risks. I think the odds are good that the VEP works well most of the time. It isn't discussed much, so there's that. 4/9
But this case is a clear example of why we may need to reassess the VEP. Based on @nakashimae reporting, it's clear that once the Shadow Brokers disclosed they had the exploits (but before they were made public), NSA rushed to notify Microsoft. 5/9
washingtonpost.com/business/…
Now we know that yet another party was actively exploiting the same vulnerabilities. Did the VEP know this? I seriously doubt it. Would it have changed when the vulnerabilities were reported to Microsoft? I definitely think so. A lot of the VEP relies on the NOBUS argument. 6/9
NOBUS = Nobody But Us, meaning nobody else could construct exploits so complex. But that's not reality anymore. It appears they were intercepted in the wild and turned back on US targets. I think the VEP failed in this case, but I say that with imperfect knowledge. 7/9
It may be that if I had details about what was being gained with these exploits (as VEP members did) I would feel differently. But without that knowledge (which we'll never get), we can't independently critique the decisions. I think that's a problem. 8/9
If an operation using these exploits was ever tumbled by an adversary, then they should have started the vendor notification process immediately. You must assume the exploit will be found and reverse-engineered.
May 7, 2019 · 5:06 PM UTC