by yeahyeah 4146 days ago
Fair enough - although with this set of revelations it's at least been credited to mail interdictions. I was responding in a limited manner to this project; this is an example of what I'm personally fine with them doing. Other people may very well have more trouble mentally compartmentalizing the broad range of activities that the NSA (and other digital espionage agencies within the US government) are up to, many of which are clearly unconstitutional and should now be (and, in some cases, appear to be) scaled back.

In any case, to answer the specific question, we can be pretty sure that we're not infected with official US government 0day malware because of practical considerations: they go to pretty considerable lengths to keep the spread limited (per the reporting), because once Kaspersky or any other researcher gets their hands on it, the utility of the toolset goes away or becomes highly limited.


This malware isn't needed to infect every individual machine. This is just another tool in the long list of tools that the NSA has. Compromise the CAs and a few other key infrastructure machines, and now all our communications are laid as bare as plaintext. The fact that I'm not interesting enough for the NSA to target me individually does not mean that my communications are secure.

CAs are not magic decryption boxes. If you compromise a CA, you can generate a false certificate, but this certificate is non-repudiable: it is a sequence of bytes which you must present to the system you are attacking, and which is conclusive, independently-verifiable evidence that the CA has been compromised. While the NSA almost certainly could do something like this, they would run a very high risk of detection every time they did it.