
US Contractors Scale Up Search for Heartbleed-Like Flaws - dthal
http://www.bloomberg.com/news/2014-05-02/us-contractors-scale-up-search-for-heartbleed-like-flaws.html
======
ihsw
The debate has always been essentially whether to fix the exploit to more
effectively secure our communications, or to use the exploit to eavesdrop on
our adversaries. Thanks to post-9/11 FUD, dual-use technologies are usually
treated as single-use -- offence at the expense of defence.

Hopefully we will realize that our pride in having more exploits than others
is simple and narrow-minded hubris. No three-letter agency or defence
contractor can offer any assurance that an exploit left open will be used only
by us, but they will argue that leaving it open is an acceptable risk.

Who are they to argue what is acceptable risk? They are driven by self-interest
and nothing more.

[https://www.schneier.com/blog/archives/2012/06/the_vulnerabi...](https://www.schneier.com/blog/archives/2012/06/the_vulnerabili.html)

[https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales...](https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate)

My advice is to make defence and offence compete, with no sharing of
resources, and no double-checking whether they are stepping on each-other's
toes.

~~~
yeukhon
I agree with you that we should fix problems. But I am not sure about _no
sharing of resources, no double-checking whether they are stepping on each
other's toes_. Are you trying to say once we discover a flaw, we just report it
and have developers fix it, and don't mention it?

If so, there is zero way to avoid that. In fact, any company that keeps me
away from their product updates is not doing a good job :/

And to the "acceptable risk." I find it ironic when the government says that.
People often say how companies like Ford or Google or Apple are spending
millions in Washington trying to get the White House and the Congress to do
something "better". The fact that the government and many Congressmen believe
that national security requires people to keep exploits a secret for national
defense is putting the government, the Army, big corporations and everyone
else's business at risk.

