Jan 08, 2014
Maybe I misunderstand your point. When you say "a policy requiring that holes always be patched will not stop hacking by anyone other than the NSA", that makes no sense to me. If patches are available to vulnerabilities, then those who want to be diligent and patch can do so. When there is an unpatched vulnerability in the wild, there is no reason to believe the NSA are the ONLY ones who have found it or are the only ones capable of exploiting it. Organised criminals and hackers find and exploit vulnerabilities regularly. A key difference is that the NSA is nominally a law-abiding government agency that can be compelled to do things for the public good. If they report a vulnerability and vendors produce patches for it, then people can patch and be protected not only from the NSA's TAO folks, but also from cybercriminals who have the capability to find and exploit the same issue. The fewer exploits that are out there, the safer we all are. Although we might not be targets of the NSA, everyone is a potential target of cybercriminals who would use the very same exploits against us. Keeping the vulnerabilities alive by not reporting them consciously exposes individuals and businesses to the risk of exploitation by cybercriminals.

I concur with the above comment. There is no good reason to think that the NSA is the only one to have discovered a given zero-day vuln and that we are better served by the intel they gather using it than by the incidents we can avoid by them disclosing it. If cyber threats really are the biggest threat to national security, why is it in our best interest to not disclose vulnerabilities we uncover?