Also interesting is the split of the repos: that the NSA and IAD have different repos, and that one seems focused on defensive tech while the other is publishing analysis tools.
I know there are a lot of people who aren't fans of the NSA (or what they do), but I think most of us can see a need for a military-grade organization to research defensive technologies for helping secure our infrastructure. I don't think many of us would be unhappy with the NSA if that's all they did. (Or phrased another way: most of us are unhappy because of how they conduct intel work or compromise defensive capability for offensive ones, e.g., that whole business with ECC.)
So I think it's important to respond positively to things like the IAD github page, even if we're not fans in general.
Something, mostly common sense, tells me that we will not find some smoking gun to a crime here in these OSS repos... if anyone wanted that, they could refer to any number of leaks.
Ultimately, I'm happy to see this stuff shared, happy to see others use it and happy to see the OSS community build on it.
It's likely someone spent a fair amount of political capital to draw attention to the agency by emphasizing their public projects and trying to engage with the wider public. If there's a negative response to that, it only lends weight to the voices inside the agency who are against that sort of thing.
I, for one, prefer the NSA to be working on defensive technologies in collaboration with the tech community to any number of things they could be spending the resources on -- and think we badly need their expertise and help to secure domestic assets.
So I'm going to say "good job!" when they're doing things I like and save my criticism of their other behaviors for more appropriate moments.
I think collaboration is fundamentally more powerful an instrument of change than shunning is.
They are criminals and should be disbanded. The US intel community is full of cheats and liars, straight to the top.
In other words, military-grade means used by military, which has no meaningful correlation to security.
In days past, the 'commercial grade' crypto was often not real crypto, like voice scramblers, using 40-bit DES (when govt was using Triple-DES), XORing against a non-cryptographic PRNG keystream repeatedly, all sorts of rubbish.
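To make the "XORing against a non-cryptographic PRNG keystream" point concrete, here is an added example that is not from this thread or from any real product: a hypothetical scrambler that XORs each byte with the low byte of a 32-bit linear congruential generator seeded from the key (the LCG constants are an assumption chosen for the toy). It shows the two breaks a practitioner would reach for: keystream reuse (XOR of two ciphertexts is the XOR of the plaintexts, so one known message exposes the other), and the fact that the low 8 bits of a power-of-two-modulus LCG form their own LCG mod 256, so a single known plaintext byte predicts the entire rest of the keystream without ever recovering the key.

```python
"""Added example, not code from the thread: why XOR against a
non-cryptographic PRNG keystream is not encryption.

Hypothetical 'commercial grade' scrambler (constructed for illustration):
a 32-bit LCG, seeded from the key, whose low byte is XORed with each
plaintext byte.  Two attacks are shown:
  1. keystream reuse:  c1 ^ c2 == p1 ^ p2, so one known plaintext
     reveals the other message encrypted under the same key;
  2. state leakage:  state mod 256 depends only on the previous
     state mod 256 (M is a power of two), so one known keystream byte
     predicts every later keystream byte.
"""

# Assumption: Numerical Recipes LCG constants, chosen for the toy cipher.
A, C, M = 1664525, 1013904223, 2 ** 32


def lcg_keystream(seed: int, n: int) -> bytes:
    """Low byte of each successive 32-bit LCG state."""
    state = seed % M
    out = bytearray()
    for _ in range(n):
        state = (A * state + C) % M
        out.append(state & 0xFF)
    return bytes(out)


def scramble(key: int, data: bytes) -> bytes:
    """The toy 'cipher': XOR with the LCG keystream. Decryption is the same call."""
    return bytes(p ^ k for p, k in zip(data, lcg_keystream(key, len(data))))


def break_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Attack 1: same key used twice.  c1 ^ c2 == p1 ^ p2, so knowing p1
    recovers p2 over the overlapping length, with no key material at all."""
    return bytes(x ^ y ^ z for x, y, z in zip(c1, c2, known_p1))


def predict_keystream(known_byte: int, n: int) -> bytes:
    """Attack 2 helper: the low byte of the LCG state evolves as its own
    LCG mod 256, because (A*s + C) mod 2**32 mod 256 == (A*(s mod 256) + C) mod 256.
    Given one keystream byte, walk forward to get the next n bytes."""
    s = known_byte
    out = bytearray()
    for _ in range(n):
        s = (A * s + C) % 256
        out.append(s)
    return bytes(out)


def break_known_prefix(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Attack 2: a single known plaintext byte (e.g. a fixed header) gives one
    keystream byte; extrapolate the rest and decrypt the whole message."""
    k0 = ciphertext[0] ^ known_prefix[0]
    keystream = bytes([k0]) + predict_keystream(k0, len(ciphertext) - 1)
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def demo() -> dict:
    """Constructed sample traffic: two messages scrambled under one key."""
    key = 0xDEADBEEF                      # the 'secret' key, never learned by the attacker
    p1 = b"FROM: HQ\nMOVE AT DAWN"        # constructed sample message (known to attacker)
    p2 = b"FROM: HQ\nHOLD POSITION"       # constructed sample message (target)
    c1, c2 = scramble(key, p1), scramble(key, p2)
    return {
        "roundtrip_ok": scramble(key, c1) == p1,
        "reuse_recovers_p2": break_reuse(c1, c2, p1) == p2[: len(p1)],
        # Only the first header byte 'F' is assumed known here.
        "prefix_recovers_p2": break_known_prefix(c2, b"F") == p2,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Both attacks work with no knowledge of the key: the second one never even reconstructs the 32-bit state, only its low byte. A real stream cipher's keystream must not be predictable from its own output, and a key must never be reused across messages.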
On the other hand, if you run your own CA and mostly care about your own users - using a cert signed by your own CA makes sense - to a certain extent.
So TLS (X.509) only allows serving a single certificate. You have to choose to serve one trusted by the people you need not to be hacked (your own CA), or a commercial one to reduce the general likelihood of being hacked. I can see why they chose the first option.
Obviously if websites were not signed by one of the 'root trust' paths but by several, and the reputation of each of those trust paths, and the host itself, was tracked in a decentralised secure database where trust was built over time, that would be better.
Oops, I just suggested blockchain snake oil would solve something.