by cbp 4531 days ago
This kind of comment always makes me smile. Half-assed complaints that people make because no one gives a crap about what happens in the world unless it personally affects them. In my opinion it's as simple as "do you think it's good to spy on people?". And if you truly care and your answer is no then you will go out of your way to make it stop. Half measures don't change anything.

I care deeply about what happens in the world and I also think countries having intelligence agencies is ok. This may seem contradictory to you but I don't think it is. I recognize that there are people who do not believe spying is ok, a sentiment most famously summed up by "gentlemen do not read each other's mail." Based on how that doctrine worked out, I simply can't support it. I'm willing to have that debate though.
There's nothing half-assed about it. To my mind, half-assed is saying "spying is bad and we should stop doing it".

If we stop, how do we make everyone else stop? We can't. So we're not living in a world without spying, we're just living in a world where we're at a competitive disadvantage to other entities spying on us.

> If we stop, how do we make everyone else stop?

Yet, somehow, dozens of governments that do not spy, because they do not have either the resources to do an effective job of it, or they do not have a mandate to do it, manage to continue to operate. The economies they govern continue to operate. Some of them very prosperously.

Spying by the US government could be cut back VERY sharply and do the US no harm, especially against those governments that are both friendly and that cannot support an effective spying mechanism against the US.

There is a ton of Hobbesian bullshit floating around here. We'd be cheating on all our treaties, too, just because some countries do that, if this whole "state of nature" bullshit actually applied.

> dozens of governments that do not spy, because they do not have either the resources to do an effective job of it, or they do not have a mandate to do it,

Which countries are these? As far as I can tell, every country in the UN has an intelligence agency. Which would mean they spy on somebody, and "effectiveness" seems like a bit of a weasel-y standard.

http://en.wikipedia.org/wiki/List_of_intelligence_agencies

Latvian secret agency has potato for your zero day!

Latvia spends hundreds of millions of dollars on its military. You think they can't afford an IE remote?

Which, these days, buys fewer than 5000 active duty personnel. Total. Including officers, enlisted, logistics, medics, etc. This is a speed bump between Putin and Riga. It is symbolic, to show Latvia could contribute some personnel to joint operations. Some parts, like the air force, are probably below minimum table stakes and are completely militarily ineffective.

I expect the signals intelligence effort to be proportionate and be similarly militarily relevant.

> If we stop, how do we make everyone else stop?

By diverting the resources currently used for hacking towards securing. Instead of spending billions on discovering (or injecting) vulnerabilities, why not spend money on fixing and securing infrastructure for all?

How, exactly, do you propose they do that?

* Publish a list of vulnerabilities to manufacturers first and, in time, to the public.

* Make an open-source scanner that reports (to the user) vulnerabilities in user's hardware / software.

* Spread awareness about security to the general public. This includes making them aware of the above two, as well as low-hanging fruit such as "stronger passwords", "don't reuse passwords", etc.

* Have regulatory bodies that shame / ban manufacturers that don't publish security updates. I am not a fan of regulation, but this is much more appropriate regulation than banning manufacturers for designing rounded corners around screens.

* Create an agency where white-hat hackers can independently submit their findings and sponsor their work.

These are just off the top of my head; would love it if someone criticized them.

There are some interesting ideas in here. Comments:

* Even private vulnerability research venues don't reliably publish to the public. When vendors pay bounties, they often keep the vulnerabilities quiet.

* NSA already does security awareness. For instance, they publish a highly-regarded series of documents on secure standard configurations for Unix and Windows systems.

* NSA can't regulate industry; they have no such authority.

* You're really comfortable with the idea of NSA outbidding private venues for vulnerabilities? (Note that the USG already does sponsor "white hat hackers" through the DARPA grant system).

The approach suggested by the parent comment needn't be contained entirely within the NSA, or even involve the NSA at all.