posted by martyb on Thursday May 01 2014, @10:42PM
from the who's-henhouse-is-being-guarded? dept.

The US National Security Agency (NSA) will not always disclose security vulnerabilities, such as Heartbleed, and said it assesses each case individually, according to a blog post on the White House website.

"Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks," government cyber security co-ordinator Michael Daniel explained. "We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This inter-agency process helps ensure that all of the pros and cons are properly considered and weighed."

The article continues with a list of factors used to assess disclosure:

  • How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
  • Does the vulnerability, if left unpatched, impose significant risk?
  • How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
  • How likely is it that we would know if someone else was exploiting it?
  • How badly do we need the intelligence we think we can get from exploiting the vulnerability?
  • Are there other ways we can get it?
  • Could we utilize the vulnerability for a short period of time before we disclose it?
  • How likely is it that someone else will discover the vulnerability?
  • Can the vulnerability be patched or otherwise mitigated?

Assuming these are the only factors they use, how reasonable do you think they are? What, if anything, would you change and why?

 
  • (Score: 5, Insightful) by LookIntoTheFuture on Thursday May 01 2014, @11:36PM

    Trust is a fragile thing. Once lost, it can be extremely difficult to get back. In the case of the NSA, where they have abused secrecy laws and LIED about spying on their own innocent people, trust in them will never return.

    We need protection online. But, it is a complete conflict of interest to have our protection come from the same people trying to undermine it. We need a separate group of people defending us from those that wish to cause us harm (harm that includes killing our privacy). A group that has the authority to even deny "lawful intercept".

    But, that is a utopia that will never happen the way things are.
  • (Score: 2) by FakeBeldin on Friday May 02 2014, @09:17AM

    "Trust is a fragile thing. Once lost, it can be extremely difficult to get back."
    The lesson one can learn from politics (and corporate politics) in the US seems to be:
    "The object of this game is not to not lose trust. The object of this game is to make sure the public loses more trust in the other poor bastard."
    </Patton-Paraphrased>