Boosted by soatok@furry.engineer ("Soatok Dreamseeker"):
david_chisnall@infosec.exchange ("David Chisnall (*Now with 50% more sarcasm!*)") wrote:
The NSA is handicapped by being a dual-mission agency. The same organisation is responsible for:
- Making sure that the USA's signals are secure.
- Making sure that no other country's signals are secure from the USA.
These are in obvious tension when the USA and everyone else are using the same off-the-shelf standards and implementations of those standards.
I'm generally happy that they now prioritise the former over the latter, if only because they now know that there is a good chance that any weakness that they put in will be exploited by the Chinese, but I'd be a lot more comfortable if they properly separated the two concerns.
I am still curious about Heartbleed because a lot of the US government was vulnerable and I know the NSA did some review of OpenSSL, so I don't know which of the following options was true:
- They didn't bother to review a core piece of security-critical software that a lot of the government's security depended on (I have some evidence that it wasn't this one).
- They did review it and missed a really important bug.
- They did review it, found the bug, and made a staggeringly bad call about whether it was better to fix the bug or keep it as a thing to attack other people with.
None of these possibilities makes them look especially competent.