by Shinkirou 3318 days ago
No system is perfect. Remember Heartbleed? Microsoft released a patch to correct this particular issue in March; however, the IT infrastructure in companies is slow, the whole process is convoluted, yada yada.

The point is: the NSA caused this particular problem. Steps should be taken by everyone to ensure something like this doesn't happen ever again.


The NSA did not cause this particular problem. The NSA may have identified the vulnerability, however there is certainly an argument that their other responsibilities outweigh any responsibility that they might have to act as a free security investigation team and report a security vulnerability to an outside corporation.

If Russian government intelligence agency security researchers had found that bug first, would you say that they have a responsibility to disclose it to Microsoft (notably a United States company)? Would you be surprised if they felt and acted differently?

> however there is certainly an argument that their other responsibilities outweigh any responsibility that they might have to act as a free security investigation team and report a security vulnerability to an outside corporation.

Yeah, a shitty one. Free? No, they're funded by taxpayer dollars. I do think we need to argue about priority of responsibilities. Was this exploit used to spy on allies?

> Was this exploit used to spy on allies?

Don't know, and unlikely to ever find out. If so, it was likely very targeted to avoid detection on modern systems. Was it ever used to spy on Iran's nuclear enrichment program?

> I do think we need to argue about priority of responsibilities.

Ok. What responsibilities does a US government agency have to disclose vulnerabilities? Should they be required to disclose all vulnerabilities found in software and equipment from US companies? Since a lot of that technology is used around the world, are you on with the corollary of it being harder for the US to spy on anyone using modern equipment?

How about disclosing problems found in tech products used by US companies? Should the NSA do that as well to keep those companies safe?

The US provides a fair amount of funding to organizations focused on finding and responsibly disclosing security problems, notably CERT[1] and US-CERT [2]. The NSA is a completely separate thing.

1: http://cert.org/about/

2: https://www.us-cert.gov/

Edit: removed snark

Just because the media (including Microsoft) tagged those projects (that were maintained by small groups of core developers and are free (unpaid) software) with fancy names - those problems weren't anything like the massive, global impact of just one of Microsoft's ticking timebombs due to poor software design and lack of emphasis on security in their products. OpenSSL doesn't and didn't have the PR powerhouse of Microsoft, and people didn't pay for their software, let alone fund its development.

> Microsoft's ticking timebombs due to poor software design and lack of emphasis on security in their products

I assume you know nothing about software with flippant comments like this.

Completely securing software is an incredibly difficult thing to do, and merely throwing resources at it isn't going to change that. It is just as likely to affect well-designed software as it is poorly designed software, especially given that all of us rely heavily on third-party libraries and underlying infrastructure.