SoylentNews is people
SoylentNews
The US National Security Agency (NSA) will not always disclose security vulnerabilities, such as Heartbleed, and said it assesses each case individually, according to a blog post on the White House website.
"Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation's intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks," government cyber security co-ordinator Michael Daniel explained. "We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This inter-agency process helps ensure that all of the pros and cons are properly considered and weighed."
The article continues with a list of factors used to assess disclosure:
- How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
- Does the vulnerability, if left unpatched, impose significant risk?
- How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
- How likely is it that we would know if someone else was exploiting it?
- How badly do we need the intelligence we think we can get from exploiting the vulnerability?
- Are there other ways we can get it?
- Could we utilize the vulnerability for a short period of time before we disclose it?
- How likely is it that someone else will discover the vulnerability?
- Can the vulnerability be patched or otherwise mitigated?
Assuming these are the only factors they use, how reasonable do you think they are? What, if anything, would you change and why?
(Score: 5, Insightful) by Lagg on Thursday May 01 2014, @11:26PM
It really shows how disgustingly arrogant they are now when they don't even try to hide this stuff. In order of emphasis: "an opportunity to crack someone who we deem a terrorist", "it's only 'industrial espionage' when other people do it", "security researchers or some random guy who ran across it", "we carefully decide what will be easy or hard to spin off as 'but teh terrorists!'".
The unfortunate thing is that this quote will fool the majority of people. Too bad.
http://lagg.me [lagg.me] 🗿
(Score: 2) by LookIntoTheFuture on Thursday May 01 2014, @11:47PM
That's sad but true. When I RTBP, it came out as: "When President Truman created the National Security Agency in 1952, its very existence was not publicly disclosed. Earlier this month, the NSA sent out a Tweet making clear that it did not know about the [PR RECOVERY MODE ACTIVATED] lies, lies, lies, lies, lies, lies, lies, lies."
(Score: 3, Insightful) by mth on Friday May 02 2014, @12:25AM
The argument doesn't even make sense in the defensive case: if they don't disclose, the vulnerability won't get patched and it's only a matter of time before the bad guys find the same flaw, assuming they haven't found it already. Keeping a vulnerability secret is only useful if you plan to use it offensively; it's counter-productive for keeping friendly computers safe.
(Score: 3, Funny) by FatPhil on Friday May 02 2014, @09:16PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 1) by gidds on Friday May 02 2014, @12:53PM
How long will it be before we start assuming that anyone invoking the bogeyman of terrorism has automatically lost the argument?
[sig redacted]
(Score: 0) by Anonymous Coward on Friday May 02 2014, @07:33PM
s/Godwin's Law/Gidd's law
(Score: 2) by FatPhil on Friday May 02 2014, @09:14PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves