Hacker News new | ask | show | jobs
by fencepost 3323 days ago
The NSA did not cause this particular problem. The NSA may have identified the vulnerability, however there is certainly an argument that their other responsibilities outweigh any responsibility that they might have to act as a free security investigation team and report a security vulnerability to an outside corporation.

If Russian government intelligence agency security researchers found that bug first would you say that they have a responsibility to disclose it to Microsoft (notably a United States company)? Would you be surprised if they felt and acted differently?
1 comments
gech 3323 days ago
> however there is certainly an argument that their other responsibilities outweigh any responsibility that they might have to act as a free security investigation team and report a security vulnerability to an outside corporation.

Yeah, a shitty one. Free? No they're funded by tax payer dollars. I do think we need to argue about priority of responsibilities. Was this exploit used to spy on allies?

link
fencepost 3323 days ago
> Was this exploit used to spy on allies?

Don't know, and unlikely to ever find out. If so, it was likely very targeted to avoid detection on modern systems. Was it ever used to spy on Iran's nuclear enrichment program?

> I do think we need to argue about priority of responsibilities.

Ok. What responsibilities does a US government agency have to disclose vulnerabilities? Should they be required to disclose all vulnerabilities found in software and equipment from US companies? Since a lot of that technology is used around the world, are you on with the corollary of it being harder for the US to spy on anyone using modern equipment?

How about disclosing problems found in tech products used by US companies? Should the NSA do that as well to keep those companies safe?

The US provides a fair amount of funding to organizations focused on finding and responsibly disclosing security problems, notably CERT[1] and US-CERT [2]. The NSA is a completely separate thing.

1: http://cert.org/about/ 2: https://www.us-cert.gov/

Edit: removed snark

link