Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

on the balance of probabilities, it is probably true. I would expect NSA to make use of any vulnerabilities they find, because their job is to hack others, not to keep us safe. Unfortunately.


NSA is resposible for so-called SIGINT and SIGSEC, acronyms for signals intelligence, to which you refer, and signals security, which IS to keep our communications safe.

It seems of course that SIGINT is what's "popular" in news.


I don't think it's only popular in news.

I work on a web platform team, and I've seen many vulnerability reports over the years (well over 100). I've never seen a report from the NSA or US government. Actually, the only government I've seen reports from are the UK, so credit to them for actually doing something to keep people secure. But most reports I see are from project zero or Chinese companies.

Either the US government doesn't care at all about browser security or they are keeping vulnerabilities for themselves.


No, the US government has taken the position that it’s always best to have a few tricks up your sleeve when the chips are down. It is most certainly intentional stock piling of zero days for strategic advantage.


French gov (CERT-FR and ANSII) made recommendations about heartbleed.


I would argue that such a clear conflict in these two priorities should necessitate having a bespoke separate governmental organization for SIGSEC, so that the NSA can freely focus on SIGINT.


What is the conflict in priorities that you mean?

I ask because I considered code breaking and code making complimentary, in the sense they debug one another somewhat.

My guess is that this chance to debug one another motivates their coresidence in a single agency.


The SIGINT arm of the NSA has an incentive to take any exploitable vulnerabilities in existing software and keep them secret, so they can use them against their enemies, rather than disclosing them so they can be fixed.


Disclosing vulnerabilities.


They should definitely disclose vulnerabilities in American made software for SIGSEC. If it’s foreign then not disclosing it would be SIGINT


If the software is foreign made and used in US, americans are still vulnerable. And opensource isn't American/national


The problem with that is there's a lot of software that's American made that is also used by potential targets of SIGINT.


Well the real question isn't if NSA used it but if they knew about it long before everyone else and never reported it.


That's how CNO exploitation works. They generally can't report; their adversaries are recording their own networks, and will retrospectively detect intrusions.


It's their SOP. See: eternal blue. https://en.m.wikipedia.org/wiki/EternalBlue




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: