Hacker News
by Buttons840 692 days ago
I've never heard anything about the NSA telling a company they have a security vulnerability. Have you?
3 comments

Not the NSA, but I know of at least one time the FBI did: https://arstechnica.com/security/2024/01/chinese-malware-rem...
That was probably because the NSA and other critical government agencies use Microsoft Exchange and it was a bug found in the wild.

But if it wasn't a bug found in the wild, can you imagine the fights between the NSA red and blue teams on whether to alert Microsoft about it?

Probably not a lot at all tbf
I don't have citations on hand, but it's commonly held that NSA fixed the S-boxes in IBM's "Lucifer" cipher design for DES to improve its resistance to (then publicly-unknown) differential cryptanalysis.

Of course they also crippled the key length to 56 bits...