Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

November 4, 2016

The U.S. Government And Zero-Day Vulnerabilities: …

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 8:37 pm

The U.S. Government And Zero-Day Vulnerabilities: From Pre-Heartbleed To Shadow Brokers by Jason Healey. (PDF version)

I have seldom seen this many weasel words used by a non-lawyer, at least in one sentence:

We estimate with moderate confidence that the current U.S. arsenal of zero-day vulnerabilities is probably in the dozens.

In fuller context, followed by more weaseling:


We estimate with moderate confidence that the current U.S. arsenal of zero-day vulnerabilities is probably in the dozens. The arsenal is a function of several factors, an equation through which it is difficult to get much higher than 50 or 60. The factors include how many years the United States has been retaining zero days (at least fifteen), how many are retained per year (dozens before 2014 and single digits since), the average number burned per year (say 50 percent), the average life of a zero day once used (approximately 300 days[39]), the average number of zero days discovered by vendors or used by other actors which thereby renders them useless for the United States (25 percent), and the average half-life of a zero-day vulnerability if not used (approximately 12 months). Note that this count critically depends on the “single digit per year” assessment discussed above. This count does not include battlefield and non-commercial systems, non-U.S. systems (such as the TopSec firewall vulnerabilities in the Shadow Brokers’ release), or U.S. government exploits that utilize vulnerabilities that have already been made public. (emphasis in original)
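Healey describes the arsenal as "an equation" over several factors but the quoted paragraph gives only the factors, not how they combine. The following is an added example (the editor's, not code or a calculation from this post or from Healey's paper) that puts those factors into a yearly stock-and-flow recurrence and solves for the plateau an intake rate can reach. The order in which the losses apply within a year, 24 per year for "dozens", 5 per year for "single digits", and 2002 as the first retention year are assumptions made here.

```python
# Added example: a yearly stock-and-flow recurrence built from the factors in
# the quoted paragraph.  It is the editor's illustration, not a calculation
# from the post or from Healey's paper.  Assumptions: the order in which the
# losses apply within a year, 24 per year for "dozens", 5 per year for
# "single digits", and 2002 as the first retention year.


def acquired_in(year, dozens_per_year=24, single_digits_per_year=5):
    """Zero-days retained in `year`: "dozens before 2014 and single digits since"."""
    return dozens_per_year if year < 2014 else single_digits_per_year


def yearly_retention(burn_rate=0.50, discovered_rate=0.25,
                     half_life_years=1.0, life_once_used_days=300):
    """Fraction of a year's opening stock still usable when the next year opens.

    Assumed order of events within the year:
      1. `discovered_rate` of the stock is found by vendors or other actors
         and is lost ("renders them useless");
      2. `burn_rate` of the survivors is used; a used zero-day lasts about
         `life_once_used_days`, so with a life under a year it is gone
         before the next year starts;
      3. the unused remainder decays with the stated half-life.
    """
    used_survives = 1.0 if life_once_used_days >= 365 else 0.0
    unused_survives = 0.5 ** (1.0 / half_life_years)
    not_discovered = 1.0 - discovered_rate
    return not_discovered * (burn_rate * used_survives
                             + (1.0 - burn_rate) * unused_survives)


def simulate(start_year=2002, end_year=2016, retention=None,
             dozens_per_year=24, single_digits_per_year=5):
    """Expected stock at the end of each year, {year: stock}, starting from zero.

    Each year the carried-over stock is scaled by `retention` and that year's
    acquisitions are added; intra-year losses on new acquisitions are ignored.
    """
    if retention is None:
        retention = yearly_retention()
    stock = 0.0
    series = {}
    for year in range(start_year, end_year + 1):
        stock = stock * retention + acquired_in(year, dozens_per_year,
                                                single_digits_per_year)
        series[year] = round(stock, 1)
    return series


def steady_state(acquired_per_year, retention=None):
    """Plateau the stock converges to if intake and losses stay constant.

    Solving S = S * r + A for S gives A / (1 - r): the ceiling a given
    intake can reach no matter how many years it is sustained.
    """
    if retention is None:
        retention = yearly_retention()
    return acquired_per_year / (1.0 - retention)


if __name__ == "__main__":
    for year, stock in simulate().items():
        print(year, stock)
    print("retention per year:", yearly_retention())
    print("plateau at 24/year:", round(steady_state(24), 1))
    # Looser reading: discovery already counted inside the 12-month half-life,
    # and three dozen retained per year.
    loose = yearly_retention(discovered_rate=0.0)
    print("plateau at 36/year, discovery folded into half-life:",
          round(steady_state(36, loose), 1))
```

Under the strict reading, where discovery, burning and half-life decay all apply in sequence, only 18.75% of a year's stock survives into the next, the pre-2014 stock plateaus just under 30, and the arsenal is down to single digits by 2016. Treating the 25% discovery loss as already inside the 12-month half-life and raising intake to three dozen a year lifts the plateau to 48, close to the 50 or 60 ceiling Healey gives. The 2016 figure moves by a factor of several depending on which reading you take, which is why the paragraph has to flag its dependence on the "single digit per year" assessment.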

The critical lesson I take from Healey is that sovereigns don’t voluntarily disarm to their disadvantage. Ever.

Reciprocity. Isn’t that when you treat others as they treat you?

Governments that put users at risk have no reasonable expectation of any better treatment from others.

Considering that all of the major breaches of the last 24 months involved no zero-day exploits, you have to wonder who the U.S. government intends to hack that is all that clever.

Hire Fancy Bear to send them a Gmail phishing email. 😉

PS: Don’t hire the FBI. It took them two weeks and custom software to sort emails. (Clinton/Abedin/Weiner laptop)
