[rosenjon]

The problem is it undermines trust in American technology products in general. If the Snowden revelations were that the United States was bugging Iran, Libya and North Korea and monitoring all their communications, that would be one thing. However, we know now that EVERYONE is under surveillance. Therefore, how do we know they aren't doing this to everyone as well?

[yeahyeah]

Fair enough - although with this set of revelations at least it's been credited at least to mail interdictions. I was responding in a limited matter to this project, this is an example of what I'm personally fine with them doing. Other people may very well have more trouble mentally compartmentalizing the broad range of activities that the NSA (and other digital espionage agencies within the US government) are up to. Many of which are clearly unconstitutional and should be (and appear to, in some cases) now being scaled back.

In any case, to answer the specific question, we can be pretty sure that our we're not infected with official US government 0day malware by the practical considerations - they go to pretty considerable lengths to keep the spread limited (per the reporting) because once Kaspersky or any other researcher gets their hands on it the utility of the toolsets goes away or becomes highly limited.

[fnordfnordfnord]

This malware isn't needed to infect every individual machine. This is just another tool in the long list of tools that the NSA has. Compromise the CA's and a few other key infrastructure machines, and now all our communications are laid as bare as plaintext. The fact that I'm not interesting enough for the NSA to target me individually does not mean that my communications are secure.

[asuffield]

CAs are not magic decryption boxes. If you compromise a CA, you can generate a false certificate, but this certificate is non-repudiable: it is a sequence of bytes which you must present to the system you are attacking, and which is conclusive, independently-verifiable evidence that the CA has been compromised. While the NSA almost certainly could do something like this, they would run a very high risk of detection every time they did it.

[junto]

Exactly. See this as a case in point: http://www.windpowermonthly.com/article/960011/trans-atlanti...

[Estragon]

Yes, who's going to plug removeable media from the US into their machine after reading this story about the conference CDs?

[grkvlt]

Pretty much everyone is going to carry on plugging in US-sourced media just as they did before, and be happy and unconcerned about it.

To borrow from James Mickens [1] the vast majority of people's thread modelling falls into the 'NOT-MOSSAD' category. People with a 'MOSSAD' threat model should not have been inserting arbitrary removable media into their secure computers in the first place, so their habits don't need to change. Although obviously some people either incorrectly assessed their threats, and need to upgrade them, or were careless and need to be more careful...

[1] http://research.microsoft.com/en-us/people/mickens/thisworld...