[AnthonyMouse]

> My main thought is that the US must stay ahead of other nations intelligence agencies.

The solution to this is to make surveillance hard for everybody. Pass laws and build technologies that make bulk surveillance not only prohibited but impractical regardless of third party lawlessness. The goal is not to thwart only the NSA, that barely accomplishes anything. You also have to thwart China, Russia, organized crime, malicious corporations, etc.

[csandreasen]

How does preventing the NSA from looking at traffic crossing an internet backbone serve to thwart China, Russia, organized crime, malicious corporations, etc.? If anything, I'd think it would give them an advantage.

(Note that I'm not saying that there shouldn't be limits on what the NSA can do, only that stopping other malicious actors isn't applicable in this case)

[AnthonyMouse]

> How does preventing the NSA from looking at traffic crossing an internet backbone serve to thwart China, Russia, organized crime, malicious corporations, etc.?

Because it gets the NSA and its budget out of the "make security worse" business and puts them back full in the "make security better" business. Because if they aren't allowed to do it then they won't want anyone else to be able to do it either.

[csandreasen]

I'd argue that sorry state of internet security is almost entirely the result of bad coding practices/protocol design, and the private sector in general neither has the will to fix it nor wants the NSA to assist in fixing it. In fact, as it stands right now, NSA isn't even responsible for fixing public sector network security issues - what little responsibility the government takes for that largely falls on DHS and NIST. According to their web page[1], NSA is responsible for securing classified government networks. Killing off their intelligence component isn't going to make the internet safer for US citizens.

[1] http://www.nsa.gov/about/faqs/index.shtml

[AnthonyMouse]

DUAL EC DRBG: No more of that.

Or as another example, consider what happens when the NSA discovers a security vulnerability in a common crypto library. If the NSA is allowed to use it for surveillance then they will do that instead of disclosing it, meanwhile the vulnerability persists in the wild just waiting for someone even worse to discover it. You can imagine the epic fail if the Chinese government got hold of Heartbleed six months before the OpenSSL maintainers.

[csandreasen]

There haven't been any actual concrete disclosures showing that DUAL EC DRBG was backdoored, just loads of conjecture. Maybe it was, maybe it wasn't - the same conjectures were put forth regarding the manipulated S-boxes in DES and it turned out twenty years later that the NSA was actually strengthening the algorithm, not weakening it. If DUAL EC was backdoored, it was a pretty pathetic attempt: it was hardly ever used (only 720 confirmed vulnerable servers out of a survey of 21.8 million[1]) and due to its slow speed there were recommendations not to use it long before Snowden came along. One year later and nothing in the Snowden cache has been leaked providing concrete proof showing a backdoor; I'm not holding my breath for it.

Regarding Heartbleed, the NSA denied having knowledge of the bug before its disclosure. There was a follow up post on the Whitehouse blog[2] that discussed some of the criteria the administration would use in determining whether or not the NSA should disclose a 0-day.

It sounds like you're wanting them to actively search for vulnerabilities in software they didn't write and might not even be used by their targets (the Chinese government could have taken advantage of Heartbleed, but I don't know how many Chinese government sites use OpenSSL). That's not what we currently fund them to do, and I get the impression that most American tech companies wouldn't want the NSA's help anyways.

[1] http://dualec.org/

[2] http://www.whitehouse.gov/blog/2014/04/28/heartbleed-underst...