Slashdot Mirror


NSA Director Says Agency Shares Most, But Not All, Bugs It Finds

Trailrunner7 writes: When the National Security Agency discovers a new vulnerability that looks like it might be of use in penetrating target networks, the agency considers a number of factors, including how popular the affected software is and where it's typically deployed, before deciding whether to share the new bug. The agency shares most of the bugs it finds, NSA Director Mike Rogers said, but not all of them.

Speaking at an event at Stanford University, Rogers said that the NSA has been told by President Barack Obama that the default decision should be to share information on new vulnerabilities. "The president has been very specific to us in saying, look, the balance I want you to strike will be largely focused on when you find vulnerabilities, we're going to share them. By orders of magnitude, when we find new vulnerabilities, we share them," Rogers said.

170 comments

  1. Gee thanks by Anonymous Coward · · Score: 0

    It's nice to know they care.

    1. Re:Gee thanks by davester666 · · Score: 1

      ...using a definition of "most" that normal people would use the phrase "a few".

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:Gee thanks by Shalhav · · Score: 0

      They said "orders of magnitude" more were shared than were not shared. Of course, they neglected to say it was orders in base 1, not base 10, but hey.

  2. That sounds nice... by daemonhunter · · Score: 5, Insightful

    That sounds good. Except for one tiny thing:

    I DON'T BELIEVE YOU.

    1. Re:That sounds nice... by meerling · · Score: 3, Insightful

      Exactly. With their culture and policy of black box secrecy and the number of times they've been caught lying both to the public, as well as to their supposed bosses (congress, senate, president) is there anyone left dumb enough to believe anything they say?

    2. Re:That sounds nice... by Anonymous Coward · · Score: 0

      Why not? You only need one hole to get in, and maybe a few more as insurance should it get closed. Hoarding more than that just increases the chance someone else will get in.

    3. Re:That sounds nice... by Anonymous Coward · · Score: 0

      Technically, the exploits might reside with USSTRATCOM JSOC. Not NSA. So just an NSA lie. Not a real lie. Whatever.

    4. Re:That sounds nice... by Phreakiture · · Score: 2

      Not sure why you're currently modded redundant as I came to say pretty much the same thing.

      That sounds like something Yogi Berra would say.

      --
      www.wavefront-av.com
    5. Re:That sounds nice... by aaaaaaargh! · · Score: 1

      I believe him. Here's my interpretation of what he said: "We share all bugs we find with large corporations except a small number of 0-day exploits for each system that we keep to ourselves and always up-to-date."

    6. Re:That sounds nice... by s.petry · · Score: 1

      The second message "I came to say the same" is redundant, not the first message in the stack.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    7. Re:That sounds nice... by Phreakiture · · Score: 1

      Alright, fair enough.

      --
      www.wavefront-av.com
    8. Re: That sounds nice... by Redbehrend · · Score: 1

      It could be worse, they could have said "all" bugs lol

    9. Re:That sounds nice... by tchdab1 · · Score: 1

      But they never lie. And they're always right.

    10. Re:That sounds nice... by rtb61 · · Score: 1

      Well, you see, it is all down to the literal interpretation of the words used. "we share the bugs we find", now exactly what does that mean, does it mean they detail the bugs and provide a solution to the company that produces the software or do they 'share' the bug by creating an exploit and 'sharing' the consequences of that bug with as many people as possible. You can bet your bottom US$ that when it comes to all foreign countries, screw allies, the second version of sharing is much preferred and when it comes to US interests it depends upon how likely others are to discover the bug and exploit it. Low probability of discovery based upon nothing but guesses of course and zero disclosure, high probability of discovery then they can't really exploit it anyhow so they might as well release it.

      This is guaranteed by the NSA's decision to keep defensive and offensive divisions together, rather than keeping them completely separate and logically in direct competition with each other.

      --
      Chaos - everything, everywhere, everywhen
    11. Re:That sounds nice... by penguinoid · · Score: 1

      I'm sure they monitor every bug they found for abuse, and report it after it is exploited in the wild. Never said they released it immediately did they?

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    12. Re:That sounds nice... by MarbleMunkey · · Score: 1

      Exactly. With their culture and policy of black box secrecy and the number of times they've been caught lying both to the public, as well as to their supposed bosses (congress, senate, president) is there anyone left dumb enough to believe anything they say?

      I think you answered that yourself: congress, senate, president

  3. Positive spin by koan · · Score: 0

    In addition, I'm fairly certain they have partnerships with major corps to "introduce" specific "vulnerabilities" into massively popular software.... like iOS and Windows.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Positive spin by Ralph+Wiggam · · Score: 0

      Do you have a citation for that?

    2. Re:Positive spin by Thanshin · · Score: 4, Funny

      Do you have a citation for that?

      Yes. Mike Rogers said they didn't do that. Which is tantamount to proof of the contrary.

      I'm pretty sure that the guy could end world poverty just by acknowledging its existence.

    3. Re:Positive spin by GameboyRMH · · Score: 0
      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    4. Re:Positive spin by Anonymous Coward · · Score: 0

      That is possible, but I don't think it has ever been indisputably proven.

    5. Re:Positive spin by Anonymous Coward · · Score: 0

      Why do you leave out Android from your list? Interesting omission... As if to spread fanboi FUD.

    6. Re:Positive spin by koan · · Score: 1

      Do you have one that shows they don't?

      --
      "If any question why we died, Tell them because our fathers lied."
    7. Re:Positive spin by fustakrakich · · Score: 1

      Yeah really, what do they mean "bugs"?

      --
      “He’s not deformed, he’s just drunk!”
    8. Re:Positive spin by Ralph+Wiggam · · Score: 1

      That page doesn't mention anything about commercial OSes.

    9. Re:Positive spin by Ralph+Wiggam · · Score: 2

      You made the claim. You back it up. That's how basic logic works.

      I realize that's a foreign concept of Slashdot these days.

    10. Re:Positive spin by Ralph+Wiggam · · Score: 1

      And Saddam Hussein definitely has a chemical weapons program because he says he doesn't.

    11. Re:Positive spin by GameboyRMH · · Score: 1

      It's worth considering that they were all affected by the NSA's sabotaging of NIST standards.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    12. Re: Positive spin by Anonymous Coward · · Score: 0

      Since when did Saddam work for the NSA?

    13. Re:Positive spin by koan · · Score: 1

      Redirecting the conversation? Strawman?

      --
      "If any question why we died, Tell them because our fathers lied."
    14. Re: Positive spin by Anonymous Coward · · Score: 0

      This.

      BTW Wiggam, how does it feel that your butt buddies are morally inferior to Saddam Hussein? Knowing you, that probably gives you a stiffy, you treasonous traitor.

    15. Re:Positive spin by JohnFen · · Score: 1

      You made the claim. You back it up. That's how basic logic works.

      Logic that the NSA director apparently feels doesn't apply to him.

    16. Re:Positive spin by Anonymous Coward · · Score: 0

      Works by way of Linux kernel TCP/IP stack exploit, it must be assumed.

    17. Re:Positive spin by Ralph+Wiggam · · Score: 1

      Same conversation. You're using the same ridiculous "logic" that George W. Bush did. It has some fancy Latin fallacy name that I'm not going to look up.

    18. Re:Positive spin by Anonymous Coward · · Score: 0

      At least Powell had a power point presentation with some rusty old trailers. What does Mike Rogers have?

    19. Re: Positive spin by Anonymous Coward · · Score: 0

      Look. Logic doesn't apply when it comes to secret agencies. They lie about everything and it's impossible to prove anything. So, no, nothing can be backed up. Except we know they spy on their own citizens and they lie to congress.

    20. Re:Positive spin by Anonymous Coward · · Score: 0

      You made the claim. You back it up. That's how basic logic works.

      Logic that the NSA director apparently feels doesn't apply to him.

      I think you just proved the parent's point by that non-logical and still unsupported statement.

    21. Re:Positive spin by Anonymous Coward · · Score: 0

      well he did, don't you read the news? problem is that definitive proof and actually finding a cache of materials didn't happen until fairly recently, not when it was used as basis for invading that country.

    22. Re:Positive spin by Ralph+Wiggam · · Score: 1

      Chemical shells from the 80s have been found several times. It was pretty clear that he had chemical weapons in the 80s because he used them against the Kurds and Iranian soldiers.

      There has been zero evidence that Iraq was involved in any banned weapons programs after the mid 90s- which is what George W. Bush told us.

    23. Re: Positive spin by Ralph+Wiggam · · Score: 2

      They lie about everything and it's impossible to prove anything.

      The root post says that the NSA had vulnerabilities put into iOS and Windows. That's very provable.

    24. Re:Positive spin by koan · · Score: 1
      --
      "If any question why we died, Tell them because our fathers lied."
    25. Re: Positive spin by koan · · Score: 1

      That isn't what I said.

      In addition, I'm fairly certain they have partnerships with major corps to "introduce" specific "vulnerabilities" into massively popular software.... like iOS and Windows.

      But here.
      http://slashdot.org/comments.p...

      But even better, do you have any reason to think this is not going on? In this day and age why would anyone argue against it?
      Also a lot of the stuff Snowden got has not been released, there could very well be proof of this.
      You must have some Apple stock or something.

      --
      "If any question why we died, Tell them because our fathers lied."
    26. Re:Positive spin by koan · · Score: 1

      Google NSA ANT

      And remember, most of what Snowden got out has not been released, and there are several very good reasons for that.

      --
      "If any question why we died, Tell them because our fathers lied."
    27. Re:Positive spin by Anonymous Coward · · Score: 0

      Stuff like strong firewalls, malware scanners, anything that picks up keylogger activity...

    28. Re: Positive spin by Ralph+Wiggam · · Score: 2

      But even better, do you have any reason to think this is not going on?

      Do you have any reason to believe that the government is not secretly controlled by the Pod People? They say they're not, but that's exactly what Pod People would say.

      I base my opinions on facts and evidence. You base your opinions on how well they fit into your existing worldview.

      And none of those links have anything to do with your original statement.

    29. Re:Positive spin by Anonymous Coward · · Score: 0

      Re: "... the guy could end world poverty just by acknowledging its existence."

      Say, this isn't the worst idea in the world. I mean its probability of success is at or near zero, but at least it supports a brighter future. And the downside of being wrong (failure) is zero.

      However let's increase the odds of success. Let's put "End World Poverty" into the NSA's mandate and mission statement. It must go into the exact same documents that state that the NSA will "Obey the Constitution, Respect Privacy, and Act in Accordance with Due Process." Given their recent behaviour I expect that world poverty will disappear within the year!

    30. Re:Positive spin by AHuxley · · Score: 1

      Any cell phone product would be open to a telco by default for law enforcement as shipped and sold.
      Why mess around with user applications when the hardware layer is open?
      Just get every message sent, gps, camera, voice, text as entered before an app encrypts.

      --
      Domestic spying is now "Benign Information Gathering"
    31. Re:Positive spin by BLKMGK · · Score: 1

      Pieces of various weapons have apparently been found in junkyards around the Middle East (Jordan for one), some with UN tags and some without. A quick Google finds this but there's other information out there including some pictures if memory serves.

      http://www.worldtribune.com/wo... A poor citation for sure but there have been others.

      Here's a more recent article about weapons being found http://www.nytimes.com/interac...

      Another http://cjonline.com/stories/09... Seems a few missiles and chemical processing equipment were shipped out. The answer isn't so black and white it seems.

      Worth noting is that Iraq DID use chem weapons during the first war, Desert Storm. I know someone who wrote a book about it after extensive research and the Govt. did all they could to shut him up. Look up "Gassed In The Gulf", it's pretty well referenced and many of the things he claimed were slowly proven in the years after.

      --
      Build it, Drive it, Improve it! Hybridz.org
    32. Re:Positive spin by Nehmo · · Score: 1

      Pieces of various weapons have apparently been found...the answer isn't so black and white it seems..

      You can argue that Saddam was a bad guy needing to be gone, and therefore the Bush admin was justified in generating a pretext to get the American public on board. But you can't seriously claim the pretext was valid. Even if your scant evidence is true, it's not enough. The Bush admin told us Saddam had a major operation going on.

      --
      (||) Nehmo (||)
  4. Number is irrelevant compared to severity by ibpooks · · Score: 5, Insightful

    By orders of magnitude, when we find new vulnerabilities, we share them

    Number is irrelevant compared to severity, and you can be damn sure they keep the severe ones to themselves.

    1. Re:Number is irrelevant compared to severity by jones_supa · · Score: 3, Insightful

      Exactly. They need only a handful of the most juicy vulnerabilities.

      Besides, that we are having this whole discussion is ridiculous. "Yeah, know a bunch of secrets that we could use to crack into your computer...but we do reveal most of them -- honest!"

    2. Re:Number is irrelevant compared to severity by Charliemopps · · Score: 3, Insightful

      By orders of magnitude, when we find new vulnerabilities, we share them

      Number is irrelevant compared to severity, and you can be damn sure they keep the severe ones to themselves.

      Assuming this wasn't a bold faced lie. Which it more than likely was.
      Assume that this statement was made for some other carefully designed purpose.

    3. Re:Number is irrelevant compared to severity by Xtifr · · Score: 1

      The NSA's mandate includes both data penetration and data protection! For this reason, I suspect it's not the severity, but the obscurity that matters. A vulnerability that's easy to find is going to make government machines easier to penetrate, so they're likely to want to close them. A vulnerability that requires standing on one leg while juggling two white cats and wearing a clown nose is something they can keep to themselves, because it's so unlikely that anyone else will stumble across it.

    4. Re:Number is irrelevant compared to severity by skids · · Score: 1

      A vulnerability that requires standing on one leg while juggling two white cats and wearing a clown nose is something they can keep to themselves, because it's so unlikely that anyone else will stumble across it.

      ...and they have an ample supply of cats and clown noses.

    5. Re:Number is irrelevant compared to severity by Anonymous Coward · · Score: 0

      Cat juggling!

      That's it, the NSA has definitely gone too far!

    6. Re:Number is irrelevant compared to severity by w_dragon · · Score: 1

      I would guess that they release when it is likely that they themselves are exposed, or when it is possible that the exploit is already used by others, which may increase their chance of being caught. Their ideal exploit to keep secret is probably in the realm of mathematical cryptographic weaknesses, random number generators being weighted, and other things that are really hard to find and hard to determine if your data has been exposed.

    7. Re:Number is irrelevant compared to severity by jep77 · · Score: 1

      Roll the ugliness
      http://youtu.be/1bGVT4-1DBU

  5. "Balance" is not 100% by Anonymous Coward · · Score: 0

    Politicians.

  6. Most. But not all. by Thanshin · · Score: 0

    In other news: "Most of our citizens are as free as in America, North Korea's supreme commander Kim Jong Un said, but not all of them."

    1. Re:Most. But not all. by Anonymous Coward · · Score: 0

      I would not be surprised to learn the incarceration rate with the Norks is lower than in the "land of the free".

    2. Re:Most. But not all. by Anonymous Coward · · Score: 0

      A counter-intuitive effect of executions.

  7. We'll share all the bugs we find.... by Anonymous Coward · · Score: 0

    except the one or two really useful ones that let us attack and gain access to any computer we want.

  8. Trust me by JohnFen · · Score: 1

    And why should we believe what Rogers says?

    1. Re:Trust me by Anonymous Coward · · Score: 0

      The truth which he just confirmed is that they keep some very severe bugs that make our technology vulnerable to attack to themselves and are doing nothing to make our systems more secure against potential exploits of those bugs. That is a good summary of what he said minus the spin.

      They probably do make a best effort value judgement about whether it is more valuable to retain the knowledge for intelligence gathering purposes versus securing our own nation's infrastructure.

      Instead of a policy that says you get to choose which secrets you get to keep, the best policy would be to set a time limit on how long the NSA can go without working with vendors to fix security bugs. Give the NSA time to exploit security vulnerabilities for intelligence gathering purposes, so they have incentive to find them in the first place, but then after 12 months or 18 months then the policy should be to disclose the bugs to the developers to fix. Anything that is known about for that long starts to become a real likelihood of becoming known outside the NSA anyway. So it is better to disclose than to leave our own infrastructure open to attack.

    2. Re:Trust me by Anonymous Coward · · Score: 0

      The truth is that they value their ability to penetrate ANY system higher than protecting Americans. They even accept that the Russkie mafia and Chicom intel gets into American systems.

      As long as they have their snout in the trough, they accept the Russian and Chinese co-swines.

    3. Re:Trust me by dunkindave · · Score: 1

      The truth is that they value their ability to penetrate ANY system higher than protecting Americans.

      Your flawed logic is premised on the assumption that the ability to penetrate an adversary's computer isn't at times necessary in order to protect Americans. It is also premised on the assumption that they do not monitor for adversaries using the withheld flaws.

  9. To what Standard? by Triklyn · · Score: 3, Insightful

    To what standard do you hold the US government as opposed to other governments? You can be damn sure that every other intelligence agency is doing exactly the same thing... but you're criticizing NSA why exactly?

    My government protects me as I expect your government to protect you. Can't believe I'm going to do this... quoting blacklist quoting orwell, because i've certainly never read the man's essays myself, “Those who abjure violence can only do so by others committing violence on their behalf.”

    I laughed at the Merkel spying thing... as if they didn't expect us to get as much information as possible, and as if we didn't expect them to return the favor. Faux outrage over common practices. IMO. If you don't want your leaders getting spied on... spend more money on your own agencies.

    1. Re:To what Standard? by iceperson · · Score: 3, Insightful

      The US government sitting on knowledge of vulnerabilities is to public safety as not putting out a wet floor sign in the hopes that a terrorist will slip and fall is to crime prevention.

    2. Re:To what Standard? by Anonymous Coward · · Score: 1

      The issue here is that the NSA went beyond spying on other leaders, and into rampant data collection on US citizens. There are very specific laws about how data can be gathered on US citizens by each part of the spy agencies, and the NSA was acting in aggressive violation of those laws.

      Yes, the mock-outrage about US spies knowing how many mistresses the French president keeps is purely political with an effort toward keeping their own populaces ignorant.

    3. Re:To what Standard? by jones_supa · · Score: 1

      To what standard do you hold the US government as opposed to other governments? You can be damn sure that every other intelligence agency is doing exactly the same thing... but you're criticizing NSA why exactly?

      Most of the big web services that we are using are located in USA.

    4. Re:To what Standard? by Triklyn · · Score: 0

      so pay to relocate. They're in the US for a reason. If you don't want the services in the US, incentivize them to leave or fund your own. that's what china's doing. and they're also engaging in state sponsored corporate espionage, which, you know, pisses me off. but there's reality for you.

    5. Re:To what Standard? by amaurea · · Score: 1

      Why would you think they're all exactly the same or even similar? Usually when you compare countries you find that there is a large scatter in whatever metric you choose to use. Why should espionage be any different? Do you have any reason to think the scatter would be less than a factor of 2, or a factor of 5 or a factor of 20? If I were to hazard a guess, I would expect it to show similar variability as military budgets do (and I wouldn't be surprised to see a large covariance between the two). But I don't have any direct data on this. Do you?

    6. Re:To what Standard? by Triklyn · · Score: 4, Insightful

      In that yes, if a vulnerability does not afford strategic value internationally, yeah, release it if it'll increase public security. But i'm inclined to believe we'd all agree that there's a cost benefit going on.

      If it lets you spy on the iranians... or you know, cause their centrifuges to spin themselves apart. I don't want my intelligence agencies to release that vulnerability until they've spun those fuckers down.

      It's really not in the NSA's job description to be exposing vulnerabilities in public systems so much as exploiting them. We don't have an agency whose job description touches cyber security.

    7. Re:To what Standard? by Anonymous Coward · · Score: 5, Insightful

      To what standard do you hold the US government as opposed to other governments?

      The standard it proclaims for itself about being a beacon of freedom oh and that whole "Land of the free. Home of the brave" stuff.

      You can be damn sure that every other intelligence agency is doing exactly the same thing... but you're criticizing NSA why exactly?

      Because the US holds itself up as being morally superior to others? Because its Head of State is proclaimed to be the "Leader of the Free World" in hilariously Orwellian doublespeak.

      My government protects me as I expect your government to protect you.

      Dictatorships always proclaim this. That they only do what they do for the "good of the people".

      I laughed at the Merkel spying thing... as if they didn't expect us to get as much information as possible, and as if we didn't expect them to return the favor.

      Will you continue laughing when your allies no longer want to come to your aid because you treat them no differently than enemies?

    8. Re:To what Standard? by Lunix+Nutcase · · Score: 1

      so pay to relocate.

      People are and it's going to cost our economy big time.

    9. Re:To what Standard? by Triklyn · · Score: 1

      i don't. but i also believe you get what you pay for... sometimes. We turn around and germany's been spying on brazil.

      We are nations of men, not angels. I don't believe for a second that any nation is so pure that given the resources they would not be doing exactly the same thing.

      name any country you can think of, and i'll name the country they'd give their eyeteeth to know everything about.

    10. Re:To what Standard? by Triklyn · · Score: 1, Insightful

      meh, i'm not particularly troubled by that, i'm more worried about google knowing everything about me... or facebook. something inherently dirtier about having my information sold for profit... and the whole profit motive strongly implying the spread of such information widely. My government will do a lot of things... but it won't sell what it finds out about me. It'll just sit on it.

    11. Re:To what Standard? by Triklyn · · Score: 0

      that's the way the cookie crumbles. Those who are were going to do it eventually anyway... because you know. economics is zero sum in certain instances and this one is one of them.

    12. Re:To what Standard? by Overzeetop · · Score: 4, Interesting

      Doubtful.

      Have you seen the economy of the rest of the world? Europe makes US manpower look practically 3rd world, and their energy costs are through the roof. Asia is starting to get expensive for manpower, and the environmental problems they're having are making it hard to attract and retain top global talent because nobody wants shitty water and air. Are you going to go to Russia to avoid domestic spying, 'cause that's not really the first place I think of when I list free and open discourse on privacy matters. Africa...yeah, right.

      The US is the worst place to do business, except when you count just about everywhere else in the world. In which case it turns out to be pretty high on the list. And, honestly, it's not really dropping in the rankings.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    13. Re:To what Standard? by Lunix+Nutcase · · Score: 4, Interesting

      If it lets you spy on the iranians... or you know, cause their centrifuges to spin themselves apart. I don't want my intelligence agencies to release that vulnerability until they've spun those fuckers down.

      You do realize that your statement here completely misses their point, right? How naive are you that you think only the NSA knows about these vulnerabilities? You really think criminals and other countries like China don't also know them and aren't using them against corporations and individuals in the US?

      It's really not in the NSA's job description to be exposing vulnerabilities in public systems so much as exploiting them. We don't have an agency whose job description touches cyber security.

      Hahahaha. That's so wrong it's hilarious. A central tenet of the NSA's mission is to protect the security of the networks in this country.

    14. Re:To what Standard? by Lunix+Nutcase · · Score: 1

      i'm more worried about google knowing everything about me... or facebook. something inherently dirtier about having my information sold for profit...

      Why would you worry about it? Google shares all that info with the NSA who you seem to love constantly surveilling your whole life.

    15. Re:To what Standard? by Anonymous Coward · · Score: 1
    16. Re:To what Standard? by Lunix+Nutcase · · Score: 2

      Doubtful.

      Then you've not been reading the news. This isn't even particularly new news.

    17. Re:To what Standard? by Anonymous Coward · · Score: 3, Informative

      Hahahaha. That's so wrong it's hilarious. A central tenet of the NSA's mission is to protect the security of the networks in this country.

      That's not what he said. He said specifically that the NSA's job description isn't to expose vulns, and he's correct. Where he slipped is in saying that there's no agency which handles that. The truth is that this role does belong to US-CERT, and they do it all the time. They also coordinate heavily with NIST's NVD.

    18. Re:To what Standard? by Lunix+Nutcase · · Score: 1

      that's the way the cookie crumbles.

      So you're definitely trolling. I really doubt you'll be saying the same thing once your job is lost due to lost business.

      Those who are were going to do it eventually anyway...

      [citation needed] Companies like Cisco have directly attributed lost business to the revelations of the NSA spying. There is no reason to believe such business loss would have happened otherwise.

    19. Re:To what Standard? by Triklyn · · Score: 0

      1. talk is cheap. on the other hand the US has kinda stood on the opposite side of fascism and stalinism for a pretty long while now. politics will be politics but some things are still true.

      2. morality is a tricky thing, and something we're now finally fleshing out. I certainly don't believe we're more moral, but it does sound good no? :) our enemies certainly view us as such. We've been the great satan for a while now, but they hate you too :)

      3. dictatorships also proclaim that food makes you less hungry, what's your point?

      4. I can't laugh that long. which allies do you think will leave... because of the espionage? lemme know.

    20. Re: To what Standard? by Anonymous Coward · · Score: 1

      You have a government to create and enforce laws regarding commerce, privacy, and use of personal data by corporations. When a government spies on all its citizens, who has your back?

      "It's okay if you have nothing to hide" and "it's okay, they would never use it against me" and "it's okay because everyone else does it" are war cries of the beaten.

    21. Re:To what Standard? by geekmux · · Score: 1

      To what standard do you hold the US government as opposed to other governments? You can be damn sure that every other intelligence agency is doing exactly the same thing... but you're criticizing NSA why exactly?

      What standard you ask?

      Most other countries do not uphold and swear by the same Constitution that the US does. That's why.

      Perhaps other intelligence agencies are doing the same thing. Then again, perhaps those countries do not have such protections as the 4th Amendment. Or the 1st. Or the 2nd to help ensure the rest of it doesn't go to shit.

      And I cannot believe I still have to explain that to people. If you want to forget about everything you learned in history class that's fine. But at least remember the very fucking basis of the argument here when attempting to table it.

    22. Re:To what Standard? by Anonymous Coward · · Score: 1

      1. talk is cheap. on the other hand the US has kinda stood on the opposite side of fascism and stalinism for a pretty long while now. politics will be politics but some things are still true.

      35 countries where the U.S. has supported fascists, drug lords and terrorists. I'm surprised you could even type such tripe with a straight face.

      2. morality is a tricky thing, and something we're now finally fleshing out. I certainly don't believe we're more moral, but it does sound good no? :) our enemies certainly view us as such. We've been the great satan for a while now, but they hate you too :)

      No, most people actually don't view your country as such. They see you as an amoral, imperialistic bully.

      3. dictatorships also proclaim that food makes you less hungry, what's your point?

      That your claims are bullshit. As much so as North Korea proclaiming itself to be a Democratic Republic.

      4. I can't laugh that long. which allies do you think will leave... because of the espionage? lemme know.

      You can't laugh hard enough about something even US officials agree with?

      http://online.wsj.com/articles...

      Mr. Kerry acknowledged the countries have been through a "rough period," after leaked documents from the fugitive former intelligence contractor Edward Snowden showed the U.S. National Security Agency monitored the German leader's cellphone.

      And that's before you get into strained ties with Brazil, France, etc.

    23. Re:To what Standard? by Triklyn · · Score: 1

      ... wait so which amendment guarantees that my meta-data isn't going to be recorded en-masse? or that foreign nationals can't be spied on?

    24. Re:To what Standard? by Triklyn · · Score: 1

      :) i wasn't aware, don't hear much about them :)

    25. Re:To what Standard? by Triklyn · · Score: 2

      browsed it... the article says that companies that are worried about US tech companies are looking to Chinese companies... with strong ties to the military and government... wtf? Don't they have straight up state sponsored corporate espionage?

    26. Re:To what Standard? by geekmux · · Score: 1

      ... wait so which amendment guarantees that my meta-data isn't going to be recorded en-masse? or that foreign nationals can't be spied on?

      Ah, you are clearly the one here who continues to support and allow your government to specifically and exactly define "meta-data" as something that can bypass the 4th Amendment, not me.

      Foreign nationals are not the greater cause of concern here. Somewhat "legitimized" spying has been going on for a very long time against external entities. Only with the advent of abusive laws cast in the faceless shadow of "terrorism" do we find all our own citizens being spied on en masse and in automated fashion.

      And calling that information "meta data" was just a bullshit excuse to legitimize those illegal actions and minimize the push back.

      Of course, what should have been more shocking was the lack of push back that apathy created.

      Let me put that another way. Not a single thing has changed since Snowden. Not one fucking thing.

    27. Re:To what Standard? by JohnFen · · Score: 3, Insightful

      To what standard do you hold the US government as opposed to other governments? You can be damn sure that every other intelligence agency is doing exactly the same thing... but you're criticizing NSA why exactly?

      For two reasons: The NSA is part of my own government, and the other governments aren't, and the US government is in a position to cause me a lot more harm than other governments are. That other nations may be doing the same thing is irrelevant to the issue at hand. We cannot set our standards of freedom and liberty based on the global lowest common denominator.

    28. Re:To what Standard? by JohnFen · · Score: 1

      i'm more worried about google knowing everything about me... or facebook.

      Well then, you're in luck. You can avoid being spied on by the likes of Google and Facebook. You have no such choice about being spied on by the government.

    29. Re:To what Standard? by Anonymous Coward · · Score: 0

      In other words, the Media Trommelfeuer has done its nasty work in your brain. Your "ally" Saudi-Wahabistan is a much more nasty nation. But they pay your politicos off, so that's all Fine And Dandy.

      In Iran women can drive and Jews live. Not so BY LAW with your Saudi Bastard Friends.

    30. Re:To what Standard? by Anonymous Coward · · Score: 0

      Oh yeah. Just "sit on it". From which parallel universe do you write this?

      If you ever open your mouth too often, it WILL be used against you. All the 20 years of SMS and emails which they have accumulated. Do you by chance have a psychological weakness? Bam, will be used.

      Did you ever have contact to a drug dealer? Maybe we can stick something onto you.

      Did you ever date a girl from Iran? Haa, let's revoke the clearance for your job.

    31. Re:To what Standard? by Anonymous Coward · · Score: 0

      "doing exactly the same thing."

      Russia and Germany also dropped nuclear weapons on cities with living humans. Yeah. 100% truth.

    32. Re:To what Standard? by Anonymous Coward · · Score: 0

      And we are made to believe you Americans don't use the gathered intelligence for economic advantage? How dumb do you expect us to be?

    33. Re:To what Standard? by bigpat · · Score: 1

      I think it is great that the NSA has an incentive to find exploits for intelligence gathering purposes. The incentive is then problematic for the greater good of national security because there is a perverse incentive to not fix the security vulnerabilities so the NSA can continue to exploit them. If we were talking about vulnerabilities that only affected foreign systems that would be one thing, but we are often talking about vulnerabilities in key US IT infrastructure that is potentially going unfixed.

    34. Re:To what Standard? by poetmatt · · Score: 1

      Economics involving internet business is not and has never been zero sum. Please don't ever post here.

    35. Re:To what Standard? by Anonymous Coward · · Score: 0

      " strong ties to the military and government"

      This ALLEGATION against Huawei has never been SUBSTANTIATED.

      Instead, they EXTRAPOLATED from their own criminal behaviour in intercepting+bugging U.S. technology and assumed the Chinese do the same thing. Then they sold it to us as "facts".

      Also, look up "Crypto AG" to open your little eyes.

    36. Re:To what Standard? by Triklyn · · Score: 1

      because your will is not the will of the american people. neither is mine.

      i'm not particularly concerned about the wiretaps... because i have nothing to hide in that regard. The anonymity of being one of 300 million people. What i have to say is no better or worse than the average joe next door. It is not an erosion of my civil liberties that the government knows who i'm talking to. I only believe in the right of privacy in so much as it concerns due process.

      I don't believe in a faceless government "out to get me" because ultimately, i believe that it is composed of individuals just like you and me and similarly motivated as you and me. I believe in human goodness, human logic and human greed. And the greed thing is a bit more disconcerting in respect to large corporations. If the people are greedy, they don't go in for government work :).

      I'm concerned about a lot of things my government does, but spying on me isn't really one of them.

      Apparently even the proponents of the right to privacy don't use the 4th as an argument for. all the protections of the bill of rights were regarding actions taken to infringe them, not knowledge.

    37. Re:To what Standard? by Triklyn · · Score: 1

      depends on what aspect you're looking at...

      there's a limited customer pool for the same service. If they employ me, they have no incentive to also employ you too.

    38. Re:To what Standard? by Triklyn · · Score: 1

      it's a cost benefit. what's the risk to the american public from a vulnerability versus the gain from exploiting it. money money money vs security security security

    39. Re:To what Standard? by s.petry · · Score: 1

      To what standard do you hold the US government as opposed to other governments?

      A much higher standard, since I am actually supposed to be able to influence my Government. In fact it is my constitutional right to influence my Government, and my civic duty to do so. I have no constitutional rights to influence Cuba, or DPRK, or any other Government. Further, it is hoped that our Government functions so well that we are the model for others to adopt.

      You can be damn sure that every other intelligence agency is doing exactly the same thing... but you're criticizing NSA why exactly?

      The old "Two wrongs don't make a right" pops immediately to mind, but let us go a step further. The job of my Government is to protect me from foreign spies, not spy on me right along with them.

      My government protects me as I expect your government to protect you.

      This statement is completely asinine, because there is absolutely no measure involved. Kim Jong Un protects his people too, but the measures we use to determine how valid that is demonstrate that he is a tyrant, not a good guy just protecting his people. Notice I didn't even bother to quote your "quote" due to a lack of relevance.

      I laughed at the Merkel spying thing... as if they didn't expect us to get as much information as possible, and as if we didn't expect them to return the favor. Faux outrage over common practices. IMO. If you don't want your leaders getting spied on... spend more money on your own agencies.

      Well now, this does not jive up at all with you claiming that the US should be spying on its own people. Completely different topic and relates to what I said in my second paragraph. The Government's job is to protect its people from spying, not build databases on their activity and use that as weaponry against its own citizens (as we have seen happen numerous times in the US in numerous conditions).

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    40. Re:To what Standard? by Anonymous Coward · · Score: 0

      Posting AC as this would probably land me a huge karma hit..so.. Yes you are correct, and it's a no win fight since people in the US are brainwashed from very young that certain countries are just "evil". Iran has not invaded any other country in 200 years, but to the US/UK mind they are all out to get the rest of the world all the time. Facts don't bother these people.

      Let's not forget that a big reason for the free exchange between the US and Saudis is the child sex trafficking that occurs. Most US people have never heard of these things happening, and would not believe you even if you handed them pictures with the negatives. It would be very harmful if certain politicians were shown to visit and partake in this activity.

    41. Re:To what Standard? by bigpat · · Score: 2

      it's a cost benefit. what's the risk to the american public from a vulnerability versus the gain from exploiting it. money money money vs security security security

      Assume foreign intelligence knows what you know and the only advantage might be that you know it first.

      I don't think working with the developers to fix vulnerabilities is about money while keeping secrets is about security. It is about weighing the risk to national security in leaving American IT infrastructure and individuals vulnerable to exploits versus your own ability to exploit the vulnerabilities for foreign intelligence gathering. The problem is that there will be a bias in the analysis which will always make us more vulnerable overall by favoring intelligence gathering over our own security. The NSA can deflect blame for attacks by foreign intelligence agencies, terrorists and criminal gangs (especially attacks on industry and individuals), but if they come up short on intelligence then Congress will question their budget.

      The policy simply needs to be a bit more without exception to be effective at protecting American infrastructure to counter the bias towards intelligence gathering

    42. Re:To what Standard? by Anonymous Coward · · Score: 0

      My gut reaction to your child sex trafficking allegations was "conspiracy nut". But then I considered how the most vocal homophobes on Capitol Hill later got caught soliciting their young male pages or random men in airport bathrooms. So, taking into account how loud many politicians are about punishing pedophiles... hmm.....

    43. Re:To what Standard? by Triklyn · · Score: 1

      the relevance of the quote is that we can afford to be upset by the actions that our government takes, because they have taken them before on our behalf.

      My protection does not necessarily mean my absolute privacy.

      I will be the first to admit that i don't know all the ramifications of domestic surveillance. But i trust in our form of government and our judicial system to muddle through. Each new decade brings with it new challenges. Our understanding of how we interact with each other and how the government interacts with us will eventually get there, but the complexity of the problems isn't getting any easier. There's very little black and white here, it's all grey. I'll leave balancing domestic terrorism, a global economy, an interconnected world, new forms of communication, and the vagaries of existing case-law to people better equipped to handle it.

      All i say is, I like my country, but I view my government as a collection of well-intentioned individuals with all the flaws that that entails. I never bought into the idea of the "city on the hill." Try not to break that many laws in keeping us safe, and where there are no laws, do your best to write good ones.

    44. Re:To what Standard? by Triklyn · · Score: 1

      good point, never considered the incentives in that light.

      my money money money, was about financial risk and loss. Basically credit card theft and corporate espionage.

      security security security was kinda self evident :)

    45. Re: To what Standard? by Anonymous Coward · · Score: 0

      Your government can arrest you and put you in jail, or a blacklist, knowledge is power, and powerful governments become tyrannical. I would rather my information in the hands of Google.

    46. Re:To what Standard? by s.petry · · Score: 1

      I will be the first to admit that i don't know all the ramifications of domestic surveillance

      All i say is, I like my country, but I view my government as a collection of well-intentioned individuals with all the flaws that that entails.

      I'm glad you admit your ignorance, but the second quote is a fool's belief. If you believe that all people in authority are well intentioned, you really have not paid any attention to the world you live in.

      Perhaps _you_ have not been abused (to your knowledge) but countless other people have been abused by these so called "well intentioned" people. You only have to read a bit to find what I'm referring to.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    47. Re:To what Standard? by geekmux · · Score: 1

      because your will is not the will of the american people. neither is mine.

      i'm not particularly concerned about the wiretaps... because i have nothing to hide in that regard. The anonymity of being one of 300 million people. What i have to say is no better or worse than the average joe next door. It is not an erosion of my civil liberties that the government knows who i'm talking to. I only believe in the right of privacy in so much as it concerns due process.

      I don't believe in a faceless government "out to get me" because ultimately, i believe that it is composed of individuals just like you and me and similarly motivated as you and me. I believe in human goodness, human logic and human greed. And the greed thing is a bit more disconcerting in respect to large corporations. If the people are greedy, they don't go in for government work :).

      I'm concerned about a lot of things my government does, but spying on me isn't really one of them.

      Apparently even the proponents of the right to privacy don't use the 4th as an argument for. all the protections of the bill of rights were regarding actions taken to infringe them, not knowledge.

      When the government retains the ability to accuse someone by mistake simply due to the massive amount of information they collect on every citizen, it's rather disturbing.

      Here's a good example. Talk to anyone who has ever been accidentally added to the no-fly list. They have zero recourse to try and understand why they were, or get the issue corrected. It's funny you mention due process, since that was pretty much fucked the instant the government started assuming everyone might just be some kind of terrorist, as evidenced here.

      I'm glad you still find faith in government. Know that you're likely in the minority these days.

    48. Re:To what Standard? by tnk1 · · Score: 1

      Both Iran and Saudi are a mess. Pay offs aside, we're only allied with Saudi because Iran decided it hates our guts at the governmental level and we can't simply walk out of the Middle East. It's not really much use to complain about Saudi when we have little choice in the matter.

      If Iran wants to come forward and dismantle their nuclear weapons program and come to an agreement with the West, I am sure everyone will be happy to have them join the fold. The ball is entirely in their court. Until then, we can't very well allow them to continue their weapons program and their clandestine efforts to support militias that further destabilize Palestine, Lebanon, and Iraq.

      Don't forget, 170 of that 200 years of peaceable affairs was under an entirely different type of government than what we have had since 1979. The Iranian Revolution was just that, a large change which those who were involved had hoped would spread across borders. The fact that it did not owes much to the fact that Iran has been on the defensive since 1979.

    49. Re:To what Standard? by tnk1 · · Score: 1

      And other national companies would lose business if their own spy agencies were exposed.

      If it was a French company and the DGSE was exposed as doing this, people might leave that company too.

      The thing is... the DGSE is almost certainly doing something similar. As well as most other countries who have spy agencies. And those countries that don't have spy agencies... well they're almost worse because they have no defense against other countries' spy agencies.

      Having Cisco move does nobody any good whatsoever. They'll just be strongarmed by the country that they move to in order to allow the same access.

      Don't get me wrong. Cisco could decide to move, but it would be less about real safety, and more about how little people know about how things really work. They'd be no safer in Iceland than they would be in the US. The only way to get out of the US sphere of influence is to go to China and Russia, and then all you are doing is changing who is telling you what to do.

    50. Re:To what Standard? by tnk1 · · Score: 1

      China is run by the Communist Party. There is no need for allegations to be substantiated for a Chinese company, they're more fundamentally at the mercy of the government than even the most cooperative US company is.

      China's Free Market existence is at the whim of the same governmental structure that gave you the Great Leap Forward and the Cultural Revolution, they're just a lot less ideological and a lot more technocratic than Mao was. Economics aside, there is almost zero public accountability in China and there is only one principle: the government decides what is best for China and the Communist Party apparatus decides what the government does. Period.

      Do we really believe that the NSA, rogue as it might be, is actually worse than a state where they don't even pretend that they aren't spying on you?

    51. Re:To what Standard? by Triklyn · · Score: 1

      fine, a collection of well-intentioned individuals with some bad apples sprinkled in. It may be willful delusion, but i prefer to view my society as one that is striving to be better, as opposed to one on the brink of collapse.

      That i have not been abused (to my knowledge) seems to be indicative that I am living in a society that for the most part is better than many of the ones i could have lived in before.

      We're arguing about domestic surveillance... as opposed to outright oppression. About the state of our recovery, as opposed to the state of our collapse. I'm a minority in a country that protects my rights, for the most part. This would not be true for the majority of modern countries even. And the important ones, free speech, freedom of association, the right to due process; they are afforded to me even though I'm a minority. When we stop arguing about the morality of the actions taken by our government, then i'll really start to question my belief that people are good.

    52. Re:To what Standard? by tnk1 · · Score: 1

      Sorry, but no one is going to leave NATO for this. They have to act shocked because it is expected. If they could get a bug in the Oval Office, they would. And I wouldn't expect them to act any differently.

      "Strained ties" is certainly not positive, but it's sort of like siblings fighting as children. You're not leaving the family for something like that. If you look at history, real alliance failure requires something fundamental at its core like hard resource or economic factors, and this doesn't change the calculus at all. Even if Merkel wanted to jump ship personally, she'd be pushed back into line quickly by her cabinet and her party.

      Obama and Benjamin Netanyahu don't like each other at all and the US has imprisoned Mossad agents for spying on the US in the past. Do you think that the US and Israel are in any danger of dissolving their alliance? Not a chance.

      Oh yes, the Germans will be unhappy and Merkel in particular will probably harbor a bit of a personal grudge, but that usually just turns into sniping and concessions, not all out alliance failure.

    53. Re:To what Standard? by Anonymous Coward · · Score: 0

      The problem here is that people here sometimes make strange statements like:

      "My data would be safer in Russia!"

      Which means that people are missing the point. If you are outraged about the fact that the US may not be maintaining its advertised high standards, that is one thing. It is another thing to suggest that even those somewhat lower standards are worse than countries where there are no standards.

      Should we be upset that we aren't maintaining high standards? Yes. Are they still better than just about everywhere else? Yes.

      A country that has standards but fails them occasionally can be brought back into line. Countries that don't even start with those standards never achieved them to begin with, and short of a revolution, never will.

    54. Re:To what Standard? by Triklyn · · Score: 1

      well that's slightly disturbing, and they should correct that.

      don't throw the baby out with the bathwater.

    55. Re:To what Standard? by Anonymous Coward · · Score: 0

      Nuclear weapons are just high powered one-off weapons. They're horrible, but let's face it, Russia and Germany killed a lot more of each other's populations in WWII than two atomic bombs ever did.

      Your comment makes it sound like you think being killed by a nuclear weapon is somehow worse than being killed by a 500 lbs iron bomb.

      People actually live in both Hiroshima and Nagasaki to this day, so don't throw that "OMG radiation" at me either. War sucks, and the US didn't start it, so don't start getting morally superior because we finished it.

    56. Re:To what Standard? by s.petry · · Score: 1

      No, the point is that virtually none of these people are well intentioned. This is an unfortunate nature of politics, we have known about this nature for at least 2,600 years when our earliest writings of political thoughts started. I'm guessing, that like most Americans you have never been exposed to Plato and "The Republic". Ask why you have been dissuaded from reading this book, and why it's not part of your studies. Read the book, cover to cover and see what it says.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    57. Re:To what Standard? by davydagger · · Score: 1

      >In that yes, if a vulnerability does not afford strategic value internationally, yeah, release it if it'll increase public security. But i'm inclined to believe we'd all agree that there's a cost benefit going on.

      the war is not an international struggle against a foreign enemy, but a perpetual war against her own people.

      Given that the NSA got caught red handed basically spying on everyone in the USA, and then lied about it, it's very reasonable to assume they have domestic targets.

      The FBI has been caught red handed making up terrorist plots by bribing and conning the poor and desperate into fake terrorist plots.

      It's only reasonable to assume that the NSA would at least be partially complicit in framing poor, outcast, and downtrodden Americans to further the homeland security state.

      It's also not unreasonable to combine the above with a very large schism between written law and values of the populace to explain the largest prison system in the world, and highest incarceration rate in the world.

      There is no benefit to the American people. The perceived benefit, is that most of us *like to think* we are a class above, or superior to the class of people being harassed, arrested, incarcerated by the system, until we find out we are not.

      >It's really not in the NSA's job description to be exposing vulnerabilities in public systems so much as exploiting them.

      it is. It is their job. It's why they established the DES, AES, SHA standards. I frankly would like to see more transparency in the agency, as well as public funds used to further security projects that actually protect the people, protect vital infrastructure, and increase transparency, instead of fear mongering and cloak and dagger bullshit. This is not a video game or a movie.

      If the NSA spent their time solely finding exploits and fixing them in software and hardware that ran essential infrastructure and consumer goods (think payment systems), they'd do more to deter crime (making cracking far harder, and harder to break into systems), protect national interests (Chinese hackers won't be able to get in, period), than they would leaving backdoors open to attack people.

      What they miss is that most exploits are not discovered, they are leaked. Opportunist and disgruntled employees leak exploits. Spies steal them. Cloak and Dagger shit gets far messier than seen in the movies. Spies are not always found.

      They won't do this, because the biggest threat to NSA, is disgruntled citizens, not attacking anyone, but voicing dissent, and people demanding the government actually live up to its own stated values.

    58. Re:To what Standard? by Anonymous Coward · · Score: 0

      The problem with your statement is diplomacy, politics, and basic manners. Also reciprocity, and assumes facts not in evidence.

      Let's say that, for the sake of argument, "...every other intelligence agency is doing exactly the same thing..." You cannot do this openly. They are allies. It's insulting and disrespectful to treat an ally like every other country. And quite frankly, if you spy on an ally, you'd better have a damn good (i.e. specific) reason, and your public story is that you did not. Diplomatically you lie your ass off. And if you get caught you take your lumps. It looks bad because it is bad.

      Look at it this way. You have friends and family and spouses and so on. Do you treat them exactly the same as strangers or enemies? If so, your life is crap. Seriously, you cannot sustain close relationships that way, or else you expose yourself to unnecessary danger from enemies.

      Second, it's actually unlikely that "every other intelligence agency is doing exactly the same thing". The US is in rare company in terms of their intelligence capabilities. Only a handful of countries have the international capability of the US. Only the worst dictatorships have the domestic capability of the US. Spying is common, that much is true. It does not follow that everyone is doing the same thing or even has the capacity to do the same thing.

      You sound like you want to brush off the episode, so essentially you are giving the middle finger to the Germans, and accusing them of spying on the US President's phone too. Gee, way to piss off the Germans even more! With allies like that who needs enemies?

      You sound like a drunk driver who got caught and will say anything to get out of it. "Well that pedestrian I hit shouldn't have been crossing the street there. I get a free pass because of some wild accusation I just made up!"

    59. Re:To what Standard? by AHuxley · · Score: 1

      The problem for that is the NSA staff and friendly nations around the world.
      What the NSA holds back from US OS and US tame telcos is shipped as international standards.
      The cyber security tools get handed around for international and domestic use. Australia, Canada, the UK, NZ, then down to the third party nations and some other nations. That's a lot of local staff using tools, methods, systems every day on and with US telco and computing standards.
      At some time the staff enter the private sector and take their skills with them. A bank, security firm, political party or rival telco now has the same deep gov skills and telco methods.
      At some time a staff member gets removed and is less welcome in the private sector with their skills. No bank, security firm, political party or rival telco job.
      So other nations and other groups make great offers. The cash is good and the work is as interesting. Now some random people or nation has the same deep gov skills and telco methods for cash.
      That is why telco and computer crypto standards need to be very good. Too many ex or former staff, nations, groups and people can afford the same skills if the keys, codes and tools are just left in the open or are designed as junk standards.
      The US and UK govs have guided very weak telco and junk computer standards over decades. Tame OS and telcos have allowed junk crypto to spread under their own brands.
      What was crypto junk for an embassy in the 1950's buying communications hardware is now the global standard. Everyone with cash and connections can now track or get plain text too. Are the police in a phone network? Are the police sending a request to watch a list of numbers? Get a real time update and escape before the telco even sets up the tracking and logging.
      All thanks to junk telco and OS standards by updated tame global staff. What was great for hunting spies on any telco network can now be used to track police intercept requests by any group with cash.
      Want to track political leaders or protesters for any reason? Just have the right codes and a national cell network is for sale by ex or former staff.
      What the NSA and GCHQ saw as instant, real time access for their own is now open to all. That's why good telco standards are so vital. If one group can get in, everyone can.

      --
      Domestic spying is now "Benign Information Gathering"
    60. Re:To what Standard? by Anonymous Coward · · Score: 0

      A central tenet of the NSA's mission is to protect the security of the networks in this country.

      Their defensive mandate is secure DoD networks. Not "networks in this country".

    61. Re:To what Standard? by Vitriol+Angst · · Score: 1

      My government protects me as I expect your government to protect you. Can't believe I'm going to do this... quoting Blacklist quoting Orwell, because I've certainly never read the man's essays myself, “Those who abjure violence can only do so by others committing violence on their behalf.”

      We live in a representative Democracy -- we are NOT SUPPOSED TO TRUST OUR GOVERNMENT. We are supposed to be informed and we decide. If I can't handle the truth -- then the truth is that someone got out of hand and was doing the wrong thing.

      Security is when people have hope and opportunity -- the only reason you need to spy on people is if you plan to cheat and manipulate them. Unenlightened people think that everyone is untrustworthy and cannot handle the truth -- because they are projecting their own issues. It is obviously a controversial thing; but if America treated other people the way we wanted to be treated, we wouldn't need so much military and espionage. Of course, we invade countries for security purposes because they don't like being cheated out of resources. The same thing that harms other countries and causes a wealth gap and destruction of the environment is the same global cancer that is making America a miserable country to live in.

      --
      >>"ad space available -- low rates!!!"
    62. Re:To what Standard? by geekmux · · Score: 1

      well that's slightly disturbing, and they should correct that.

      It's only slightly disturbing? Well, I guess that's why we don't have a cure for Ebola. After all, it's only been slightly disturbing to first world countries.

      To be fair, you probably would have a different viewpoint if you had to go stand on the floor of Congress to try and plead your case of mistaken terrorist identity. You'll probably hound them to find out why you were flagged as a terrorist, which they'll refuse to disclose based on "National Security". Perhaps you'll go home and start blogging about your woes online, and start digging for answers to your solution. Perhaps they'll respond in kind with an NSL. You know, those secret legal directives generated by the illegal FISA courts, who are guaranteed protections from the PATRIOT Act.

      All examples of just how bad the entire process is. Or has gotten.

      don't throw the baby out with the bathwater.

      Curious, which baby are you referring to, the puppets on strings sitting in Congressional seats, or the corporate leaders and their million-man lobbyist army pulling the strings? Perhaps it's best to understand who is truly in charge here before pointing fingers.

    63. Re:To what Standard? by strikethree · · Score: 1

      My government protects me as I expect your government to protect you.

      Your government does not protect you and my government does not protect me. Our governments protect themselves and their direct money streams. If either of us happen to be part of the government or part of the direct money stream, we enjoy fairly good protection.

      As citizens, we are a herd to be slaughtered. No single one of us is of any importance and we will not be defended unless our respective government sees a direct advantage for itself in doing so.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  10. Why are you telling the truth this time? by FlyHelicopters · · Score: 0

    Honestly, why should we believe you this time? After all the lies, after breaking the law, after your mass data collections... What possible reason should we have to believe you?

    1. Re:Why are you telling the truth this time? by Overzeetop · · Score: 1

      What reason do they have to lie? They've just told you that they keep the cream of the crop for themselves, and they let all the little fish go (sorry for the mixed metaphor). Keeping just one in a hundred exploits would be sufficient. If you get to pick the very best, the most obscure, and you let the community close the rest, that seems to work in their favor.

      --
      Is it just my observation, or are there way too many stupid people in the world?
  11. Double speak by Kardos · · Score: 4, Interesting

    So I assume all the deliberately introduced vulnerabilities are excluded from the tally because they technically "did not find them"?

    1. Re:Double speak by Dagger2 · · Score: 2

      Or perhaps most of their bug searching is done by subcontractors, so it's not technically the NSA finding any of them.

    2. Re:Double speak by Kardos · · Score: 2

      > "By orders of magnitude, when we find new vulnerabilities, we share them"

      I wonder how many ways they've thought of to misclassify freshly discovered vulnerabilities as old.

  12. Useless by Opportunist · · Score: 1

    That's like saying most, but not all, chain links are made of steel. I'd still not want to rely on that chain.

    Or would you want to buy a castle that has 3 well secured walls and one made out of plywood?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. A short reminder by Anonymous Coward · · Score: 5, Informative

    "(TS//SI//REL) DEITYBOUNCE provides software application persistence on Dell PowerEdge servers by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to gain periodic execution while the Operating System loads."

    "(TS//SI//REL) This technique supports multi-processor systems with RAID hardware and Microsoft Windows 2000, 2003, and XP. It currently targets Dell PowerEdge 1850/2850/1950/2950 RAID servers, using BIOS versions A02, A05, A06, 1.1.0, 1.2.0, or 1.3.7."

    "(TS//SI//REL) Through remote access or interdiction, ARKSTREAM is used to reflash the BIOS on a target machine to implant DEITYBOUNCE and its payload (the implant installer). Implantation via interdiction may be accomplished by nontechnical operator through use of a USB thumb drive. Once implanted, DEITYBOUNCE's frequency of execution (dropping the payload) is configurable and will occur when the target machine powers on."

    https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html

    So there was an exploit on the BIOS of Dell PowerEdge servers, and it allowed them to re-flash the BIOS with their own code, and they didn't disclose that, they kept it secret to use for themselves, and every semi-tech country like China and Russia to use, undermining Dell, one of the major US exporters.

    Well f*** you, NSA.

    Look at the latest disclosure, GCHQ can spy on Americans via commercially obtained data and access to the NSA database, NSA must be aware of this and does nothing because GCHQ is in 5-eyes and so they get the data too. So regardless of how Congress and the Courts rule, NSA can bypass that decision.

    What's happening within the NSA is they follow a cult, the cult of General Alexander, and so there are the laws of the USA, and the laws of the EU, and there is the cult, and the cult trumps the laws, and in doing so it trumps the democracy. The NSA and GCHQ staff need to get their shit together and think for themselves and realize they pose the biggest threat to the free world.

  14. How do we know... by Adeptus_Luminati · · Score: 2

    ... when the NSA is lying to us?
    A: Anytime their lips are moving.

    --
    No trees were killed in the making of this post; however, many trillions of electrons were horribly inconvenienced.
  15. Condoms by Scottingham · · Score: 1

    The condom stopped most, but not all of the sperm.

  16. Obama by Anonymous Coward · · Score: 0

    I don't care what people say-- Obama is doing a good job, especially when it comes to social issues.

  17. Whore by AndyKron · · Score: 1

    The NSA sounds like a dirty prostitute.

  18. Share bugs with the White House by Anonymous Coward · · Score: 0

    That is all.

  19. NSA = scum by Anonymous Coward · · Score: 1

    NSA is like an organization full of sick perverts who, had we not advanced to the technological point we have today, would be leering into strangers' windows to catch a glimpse of them naked.

  20. NSAs impossible mission by MobyDisk · · Score: 3, Insightful

    The NSA has a dual mission of information assurance–protecting American networks–and signals intelligence–gathering electronic data on foreign networks.

    Unfortunately for them, both American networks and foreign networks use the same software. So their mission is "make sure nobody can get in that safe, including you" and also "break into that safe." This is a no win situation.

    1. Re:NSAs impossible mission by AHuxley · · Score: 1

      The only plus is in the constant new funding, new missions and expansion.
      Why just support other mil and gov needs as requested when the NSA can now plan and run the operation?
      NSA 'totalitarian,' ex-staffer tells German parliament
      http://www.dw.de/nsa-totalitar...
      Binney: 'The NSA's main motives: power and money'
      http://www.dw.de/binney-the-ns...
      "Money. It takes a lot of money, you have to build up Bluffdale [the location of the NSA's data storage center, in Utah] to store all the data. If you collect all the data, you've got to store it, you have to hire more people to analyze it, you have to hire more contractors, managers to manage the flow. You have to start a big data initiative. It's an empire. Look at what they've built! Have you ever looked around all the buildings they've built up because of 9/11?"
      The world now understands the state of the art junk crypto for free or for sale from trusted brand :)

      --
      Domestic spying is now "Benign Information Gathering"
  21. That sounds nice... by Shirgall · · Score: 3, Insightful

    They only report the bugs they find, not the ones they create.

  22. Then why are virtually none reported by the NSA? by Anonymous Coward · · Score: 0

    In spite of unknown billions in funding they find fewer bugs than any of dozens of companies or OSS groups alone, and never any interesting bugs in highly technical specialties (e.g. cryptosystem implementation bugs)... so, we get to choose if we believe they are liars or ineffective and incompetent.

  23. Trusting the NSA by kylef · · Score: 1

    I believe them. Why, just the other day I got a very helpful email from the NSA suggesting that I fix a few spelling errors in my weekly status report before I send it to my manager. They've got my back.

  24. A Bunch of LIARS by Anonymous Coward · · Score: 0

    Why should we believe this guy? His predecessor and his boss have been caught lying more than once. They have a FILE ON EVERYBODY. "Just in case" - you might be a "problem" in one of their illegal wars in 10 years time, ya know.

    Also, all three branches of the Armed Forces intend to "dominate cyberspace". What that means is that they want the ability to PENETRATE EVERY SINGLE CONNECTED SYSTEM.

    They store the "full take" of Emails and SMSs FOREVER, but they claimed otherwise.

    So - Liars.

  25. They needn't be lying by dhaen · · Score: 1

    They probably pass on the chaff and keep the juicy ones. But let me ask you this: If you had their brief, would you do anything different?

  26. I can't blame them for that... by Karmashock · · Score: 1

    It's their job.

    I wish they'd stop fucking with civilians but short of that... they can go hog wild with that crap.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:I can't blame them for that... by Cardoor · · Score: 1

      hey, they're just 'following orders', right?

  27. Which should be split out into two agencies by alispguru · · Score: 1

    There shouldn't be just one organization with those two jobs. There should be an open, well-funded office in, say, the National Institute for Standards and Technology that searches for vulnerabilities and has a responsible disclosure policy for everything it finds.

    The Government has had this problem before - there used to be one body that handled both promotion and regulation of atomic energy in the US, the US Atomic Energy Commission. In 1974 it got broken up into two agencies, the Nuclear Regulatory Commission (the regulator) and the Energy Research and Development Administration (the promoter).

    --
    To a Lisp hacker, XML is S-expressions in drag.
  28. President by brunes69 · · Score: 2

    The fact that a POTUS would even understand what a software vulnerability is speaks volumes.

    I can't even imagine what this conversation would have sounded like with the two previous presidents.

    1. Re:President by bhiestand · · Score: 1

      The fact that a POTUS would even understand what a software vulnerability is speaks volumes.

      I can't even imagine what this conversation would have sounded like with the two previous presidents.

      I don't know, I can imagine a few dozen ways Dubya would have mispronounced "vulnerabilities"

      --
      SWM seeks new sig for a brief fling
  29. Share with whom? by dccase · · Score: 2

    He doesn't say.

    Safe to assume he meant "share with other intelligence agencies", rather than "share with you"?

    1. Re:Share with whom? by AHuxley · · Score: 1

      "Third Party Partners Allow NSA to Tap Fiber-Optic Cables" as a list http://leaksource.info/2014/07...

      --
      Domestic spying is now "Benign Information Gathering"
  30. Sounds Legit! by ChilyWily · · Score: 1

    Ok, so what part of that* are you now not sharing with us?

    * the answer to this question, vulnerabilities contained therein etc.

  31. I haven't received any NSA reports by Anonymous Coward · · Score: 0

    I was *the* man who took vulnerability reports for a massive software company. I received between 3 and 60 legitimate (sounding) vulnerability reports every day.

    Exactly zero reports came from the NSA.

    Unless they had a special back channel I didn't know about, they didn't report anything.

    On the other hand, we do have evidence of US intelligence agencies exploiting our software in attacks. I suppose that's an indirect way to report vulnerabilities, right?

  32. Re: NSA and Rogers by Anonymous Coward · · Score: 0

    Your words are as empty as your soul. Mankind ill needs a savior such as you.

  33. To what Standard? by Anonymous Coward · · Score: 0

    To what standard do you hold the US government as opposed to other governments?

    A higher one. I expect better out of my government than that of any other in the world. Which includes not needing to spy on its citizenry. And should include not needing to spy on others.

  34. Share? by Anonymous Coward · · Score: 0

    Yep, we will share it. With Mossad.

  35. That sounds nice... by Anonymous Coward · · Score: 0

    Agreed! How can any reasonable person believe you?!

  36. That sounds nice... by Anonymous Coward · · Score: 0

    Create?! They cannot create bugs in software published and sold by others. Merely discover them. They can create hacks to discover and exploit bugs. A 'bug' is an inherent flaw in the application, usually an overlooked potential for trouble.

  37. Tactically, this makes sense by FreedomFirstThenPeac · · Score: 1

    Bugs are for the most part bad ... and NSA is probably quite happy keeping us all on a path we feel is safe. If they left the bugs in, they would face a combinatorially expanding complexity of problems to solve.

    --
    "There is no god but allah" - well, they got it half right.