by csandreasen 4343 days ago
I'd argue that the sorry state of internet security is almost entirely the result of bad coding practices/protocol design, and the private sector in general neither has the will to fix it nor wants the NSA to assist in fixing it. In fact, as it stands right now, NSA isn't even responsible for fixing public sector network security issues - what little responsibility the government takes for that largely falls on DHS and NIST. According to their web page[1], NSA is responsible for securing classified government networks. Killing off their intelligence component isn't going to make the internet safer for US citizens.

[1] http://www.nsa.gov/about/faqs/index.shtml


DUAL EC DRBG: No more of that.

Or as another example, consider what happens when the NSA discovers a security vulnerability in a common crypto library. If the NSA is allowed to use it for surveillance then they will do that instead of disclosing it, meanwhile the vulnerability persists in the wild just waiting for someone even worse to discover it. You can imagine the epic fail if the Chinese government got hold of Heartbleed six months before the OpenSSL maintainers.

There haven't been any actual concrete disclosures showing that DUAL EC DRBG was backdoored, just loads of conjecture. Maybe it was, maybe it wasn't - the same conjectures were put forth regarding the manipulated S-boxes in DES and it turned out twenty years later that the NSA was actually strengthening the algorithm, not weakening it. If DUAL EC was backdoored, it was a pretty pathetic attempt: it was hardly ever used (only 720 confirmed vulnerable servers out of a survey of 21.8 million[1]) and due to its slow speed there were recommendations not to use it long before Snowden came along. One year later and nothing in the Snowden cache has been leaked providing concrete proof showing a backdoor; I'm not holding my breath for it.

Regarding Heartbleed, the NSA denied having knowledge of the bug before its disclosure. There was a follow-up post on the White House blog[2] that discussed some of the criteria the administration would use in determining whether or not the NSA should disclose a 0-day.

It sounds like you're wanting them to actively search for vulnerabilities in software they didn't write and that might not even be used by their targets (the Chinese government could have taken advantage of Heartbleed, but I don't know how many Chinese government sites use OpenSSL). That's not what we currently fund them to do, and I get the impression that most American tech companies wouldn't want the NSA's help anyways.

[1] http://dualec.org/

[2] http://www.whitehouse.gov/blog/2014/04/28/heartbleed-underst...