
What "goodwill" would be involved here? NSA is chartered to exploit things like Heartbleed.


They're also chartered to provide information assurance.


I'm not sure anyone really takes the IAD mission seriously. The actual purpose of the organization is to do offensive SIGINT.


They don't try to take information assurance seriously?

Are projects like SELinux[1], SE for Android[2], or the STM/PE[3] serious enough?

[1]: "Retrospective: 26 Years of Flexible MAC" https://www.youtube.com/watch?v=AKWFbxbsU3o

[2]: https://selinuxproject.org/page/SEforAndroid

[3]: https://www.cyberscoop.com/nsa-firmware-open-source-coreboot...


Oh, they requisition budget for the IAD mission, and they use it on IAD things. In reality, the most important thing NSA does is get budget allocated to itself! But does anyone believe that in a conflict between IAD and CNO/SIGINT, IAD has ever won?


I think they got some retroactive goodwill from the DES thing when it was discovered that they legitimately made it stronger.

Of course, they've more than squandered that by now, but it's not like they always completely ignored the IAD.


I mean, I don't really have any sympathy for them writing off half their mission, despite the impunity with which they do so.


Right, which is why any denial they make about this sort of thing is meaningless.


One of those goals benefits the people with power who are above the NSA. The other provides a benefit to the public at large that few will notice. Which goal do you think is likely to be top priority?


Well, in the case of Heartbleed, where first the NSA found it, and then an independent researcher found it, and the DoD uses Linux and OpenSSL all over the place, you'd think that the information assurance side would be better represented. Who knows how many adversaries were using that as well before it was public (hence the whole point of responsible disclosure).

Edit: Like, stuff like cryptanalysis of SM4 is for sure on the table. I can even see their neat Diffie-Hellman hack that costs $100m per nonce. But a trivially remotely exploitable memory safety bug in software that runs large sections of the military? Like, come on.


To be fair, I bet the NSA knows better than anyone if any given exploit is being used in the wild.


Sure, if indeed the InfoSec arm is just for show and not the thrust of the organization, then they were chartered in such a way as to be incapable of cultivating goodwill, and incapable of existing in a just and free society.

And as such, the NSA (along with the CIA and perhaps, looking forward, the ONI, MIC, etc) are subject to deprecation.

In order for peace to come to Earth in the information age, we must mature beyond a perceived need to have state agencies keeping secrets on the public dime and fomenting reasonable paranoia among the populace.


Well, yes, but the problem is that (unlike Dual_EC_DRBG) other people can also exploit these things when open. For instance, I suppose, would the USA be better off if Project Zero shipped all their stuff to the NSA and they both kept it quiet, or would the USA be better off if they fixed these things?

The point is to gain differential advantage. When you're the rich guy you don't want everyone's doors to be unlockable. When you're the poor guy you do. The USA is the rich guy.



