by sbierwagen 1879 days ago
Bruce Schneier has been complaining about this tradeoff for more than a decade: https://www.schneier.com/blog/archives/2014/05/disclosing_vs...

>The NSA can play either defense or offense. It can either alert the vendor and get a still-secret vulnerability fixed, or it can hold on to it and use it to eavesdrop on foreign computer systems. Both are important US policy goals, but the NSA has to choose which one to pursue. By fixing the vulnerability, it strengthens the security of the Internet against all attackers: other countries, criminals, hackers. By leaving the vulnerability open, it is better able to attack others on the Internet. But each use runs the risk of the target government learning of, and using for itself, the vulnerability — or of the vulnerability becoming public and criminals starting to use it.

Unsurprisingly, the NSA often chooses to keep zero-days for its own use.

4 comments

I know this would be hard to keep under wraps, and extremely difficult for closed source software, but it seems like the right answer here would be for the NSA to create patches for government use.

If the government only used open-source software, the NSA could create patches that only the government would use, while keeping zero days that can be used against everyone else.

If the government started requiring all/most software to be open-source, it would create a market. There's no way big government vendors would refuse to create open source software. They would just shift to monetizing more heavily using consulting services, or support, or something.

I think this would be even worse. The number of people that would need to have access to the patched versions would be too large to effectively secure, and the patch would deliver knowledge about the vulnerability to any potential attacker. Government computers would be protected, but contractors and other businesses would be placed at higher risk.
Doesn't SELinux provide some of that?

Tightly enclose all running software with a beyond-root, kernel-level authority/sandbox, so even vulnerabilities only we know can't harm us if they're discovered?

If only it was just one agency from one country plinking holes in things...
Makes me wonder if we should have a white-hat government org that notifies big corporations or software projects about critical vulnerabilities in their code.
That was the point of the NSA, but the war on terror has corrupted that mission to the core.
The attack vector makes more sense. Your enemies will always have new backdoors they don't report, so you need as many as you can get. Closing loopholes isn't super effective because there will always be a new bug or exploit.
There's another perspective on this that's often cited and, if I remember correctly, was used to argue against the release of Stuxnet. Who has the most to lose if there are widespread cyber attacks? Given the related attacks so far, I'd say it's probably the US, where most people are connected and everyone either wants to spy on or attack. But then again, attacking sounds so much cooler, which is why I guess we still do it.