[davesque]

If I understand correctly, there were no backdoors used here. Only zero-days. If the NSA is guilty of anything, they're guilty of not informing system designers of exploitable vulnerabilities. But then the argument becomes entirely ideological and naive since we all know the NSA's mission is almost entirely counter to that outcome.

Edit: Apparently, not zero days. Vulnerabilities were patched months ago. I think the point still stands, which is that this outcome really has little to do with debate over encryption backdoors.

2nd Edit: On second thought, there is an argument that, if a backdoor were in place that only government agencies had access to, the means to access it could be leaked just as easily and in a similar manner to the way that information about these vulnerabilities was leaked. Then, we'd really be fucked since a backdoor could likely not be "fixed" with a simple patch (it might be fundamental to the design of a system). Considering this, I'll have to walk back my earlier statement and agree that the topic of backdoors is quite relevant here.

[uxp]

> Only zero-days.

The exploits released by Wikileaks' Vault 7 dump went public months ago. They're as much a 0-day as JFK's assassination was just a few days ago.

[matt_wulfeck]

I've seen a lot of security people sticking to "this is not an 0day you idiots" retort, downplaying the importance of the leak. Frankly I think that's a pedantic argument that ignores too much of the real world.

The NSA leaks contained previously undisclosed security vulnerabilities that were patched only because they were stolen. In MSFT's case it was less than 30 days, and they basically skipped a patch week to make it happen.

It's manifestly obvious that 0day and 30day can both be considered extremely dangerous in the real world.

[3pt14159]

The difference is that at least five nationstates could have gotten in a 30 day window without much trouble.

[willstrafach]

Small correction: Nearly everything in WikiLeaks Vault 7 material was already patched (With the exception of something Cisco related which has since been patched I believe). The Vault 7 content was from CIA.

This issue is apparently based on a more recent leak by the Shadow Brokers, containing content from NSA and some other DoD elements who worked on offensive cyber operations.

[ConroyBumpus]

Just because patches are available does not mean that they have been applied. Legacy applications, specialized hardware, vendor shenanigans, and organizational inertia can be significant impediments to keeping operating systems at current runlevels.

[sbov]

No zero days were used. This was patched in March.

[hoschicz]

Yes, but exploits for these bugs has been published now.