The NSA's Hubris and the Shadow Brokers 0-day
An interesting reflection on the NSA's choice not to inform the affected parties about the leak of zero-days.

The NSA's Hubris and the Shadow Brokers 0-day
<https://www.lawfareblog.com/nsas-hubris-and-shadow-brokers-0-day>

Reuters has a possibly incendiary report on the FBI investigation into the "Shadow Brokers" dump of NSA tools. According to a Reuters exclusive, the NSA was aware that their tools may have been exposed almost immediately after it occurred, and yet never notified Cisco and Fortinet about the vulnerabilities in their systems.

There is a defensible argument for not informing a vendor about a zero-day where the Agency is confident nobody else knows about it. But if the NSA has reason to suspect an adversary has captured a zero-day—the use of which could substantially impact US interests—it is critical that the NSA report it to the vendors in the interest of defense. Apparently the NSA disagrees, appearing to claim that they are able to detect usage and therefore only need to alert vendors or otherwise respond to the breach once there is evidence someone else is using the stolen zero-day.

From Reuters:

    After the discovery, the NSA tuned its sensors to detect use of any of the tools by other parties, especially foreign adversaries with strong cyber espionage operations, such as China and Russia. That could have helped identify rival powers' hacking targets, potentially leading them to be defended better. It might also have allowed U.S. officials to see deeper into rival hacking operations while enabling the NSA itself to continue using the tools for its own operations.

    Because the sensors did not detect foreign spies or criminals using the tools on U.S. or allied targets, the NSA did not feel obligated to immediately warn the U.S. manufacturers, an official and one other person familiar with the matter said.

The problem with this logic lies in the nature of the vulnerabilities released by the Shadow Brokers. Two exploits in particular challenge the "we'd know if it were used" premise—the EXTRABACON exploit targeting Cisco equipment and the EGREGIOUSBLUNDER exploit targeting Fortigate. Both of the vulnerabilities directly impact systems used in the United States—including the national security systems NSA is tasked with defending—and, more critically, would not be able to be detected in the wild by NSA's sensors.
Participant: Alberto Cammozzo