[julie78787]

No, it's pretty spot-on.

People try to divide security vulnerabilities into "super-obviously-bad" and "no one will ever find / exploit / do much of anything with it."

The problem is that rather often little holes can be leveraged into bigger holes. The argument against the change I'd requested was that no one would ever write a program which would process the trace hook events. Because they just wouldn't. Except no one needed to - there was a program that took trace identifiers and dumped the events for all to see.

That's an argument to "difficulty to exploit". The same thing has happened with various race-related exploits -- a race that's fractions of a millisecond long is considered "unexploitable" until process scheduling, and how to control it via various means is discussed.

It doesn't matter the problem space - fixing bugs in code, configuring servers securely, proper OPSEC, choice of programming languages or development methodologies. It always comes down to security versus convenience. Sometimes "convenience" is replaced by "cost" or "resources". In this case, the NSA didn't have the "resources", which is a proxy for "convenience" because if giving Clinton a secure BlackBerry had been dead simple and free ("convenient") she'd have gotten one.

As for being "well-rehearsed", yeah, I've spoken publicly on security and try to make my little anecdotes fun to read or hear.

[lamontcg]

No, you're still making category errors and still completely blind to them.

You slide from race conditions and attaching debuggers, to a policy decision by a bureaucrat not to come up with the resources.

You fundamentally cannot be held responsible for the existence of debuggers in the universe. That is just silly.

The bureaucrat who said 'no' to the request from the state department can be held responsible for justifying that decision. With a $4T budget I can't believe that the US government couldn't find a few bucks under a cushion someplace to dig up another blackberry for the Secretary of State. In fact, its pretty much negligence that they couldn't.

And when you make pure policy decision about security you cannot abdicate responsibility over users deciding to work around those policy decisions when you make bad decision.