Lambda the Ultimate

I guessed it might have been an unlink exploit, but good to see it has been reverse engineered.

My money's on "fuzz it 'til it breaks" being the discovery vector rather than any analytical method.

Why not make it easy on yourself. And anyway, since Windows is critical to the US infrastructure it makes more sense to simply obtain the source code or plant someone there. It wouldn't even surprise me if they simply pay a contractor a million bucks for an exploit, no questions asked.

I have the idea that you look at the problem in the wrong manner; i.e., your assumption is that the NSA consists of very smart people doing extremely smart analysis. No doubt they are capable of that but for I think for a spying and military organisation the problem is far easier.

What is the price of a Tomahawk missile? They're willing to pay probably at least that for a cyber weapon. What would you do? You hire a subcontractor on a 'I don't want to know what you did' basis, who will probably get someone to simply expose or even plant a small exploit and write a program for that. Probably two weeks of work for people who know what they are doing.

That's a lot easier than hiring staff and fuzzing every protocol and reverse engineering the code.

Well, yeah... there probably are a lot of smart people in the NSA. What they have in common with other smart people is that they are probably really quite lazy. Which is less work in the long-run?

1. Writing a linting tool for some crusty old libraries that you have the source code for. Passing the thousands of hits to an intern to check for exploitability.
2. Hiring an external contractor, giving them the code and letting them find the exploit, arranging a believable car accident afterwards so that the exploit remains valuable.

Can you imagine how many meetings are involved in commissioning wet-work? More seriously - they wrote custom firmware for the 12 most common brands of hard-disk so that they can put a back-door into the storage system. That is - hide data on the drive that cannot be recovered by any level of privilege on the target system, only by someone that knows how to access the secret firmware. They also wrote trojans that implement a dead-drop system in secret to overcome airgaps in networks. These are quite sophisticated pieces of software, it is safe to say that they do employ some smart engineers.

The typical life-cycle of these exploits is long. Both the recently publicised exploits are old: they were used for surveillance up until 2008. The more they are used the higher the probability of discovery, so they become less valuable as they age. When they loss enough value they are handed off to external teams.

Oh, I am pretty sure they have the source code but I don't think they would pass that to a subcontractor. But that's not my point. It's a (counter-)espionage organization. So you shouldn't be thinking code and math, you should be thinking money, drugs, and hookers.

Pretty sure you can get a lot done if you find someone with the right knowledge and connections and just pass him money to 'fix the problem'.

Yes. Assuming sane managers, they should use efficient methods for developing exploits. I assume they'd develop a study of efficient methods—"exploit engineering"—like we have software engineering.

Hence, buy what you can and fuzz (or whatever) what you can't buy. But honestly, I'd use the spies to steal the source (or any intel) of Windows (or OS X, or any other tool worth hacking), and then get my analysts to do most of the work with whatever analysis tool. I might buy exploits externally sometimes, but they seem to need exclusive 0-days, and discovering them internally sounds easiest for the NSA.
Especially if it's true that they have some of the best analysts and most other good analysts work for other (enemy) countries like Russia and China.