[tptacek]

You've lost me. What are the glaring counterexamples to NOBUS? The NOBUS framework says that NSA introduces vulnerabilities and backdoors only when it has some assurance that only NSA will be able to exploit them. It doesn't follow that NSA would immediately disclose any vulnerabilities they discover.

[monocasa]

...the parent is literally talking about it in the context of today's crypt vulnerability and using that as example of their cohesive NOBUS framework.

> Clearly, no implementation flaw in Windows could qualify as a NOBUS backdoor; many thousands of people can read the underlying code in Ghidra or IDA and find the bug, once they're motivated to look for it.

The counter examples are the hordes of critical 0 days they've been sitting on, some of which have led to to a body count of five eyes citizens.

Like I said, disclosing is a step in the right direction, but they don't get a cookie for the first major disclosure in decades.

[tptacek]

I don't think anyone should give NSA a cookie. I think it's useful to be able to reason through where NSA is (relatively) trustworthy and where they aren't.