
It's very hard to take this initiative seriously. Software vulnerabilities are what software vulnerabilities are: the fundamental enabler of modern network signal intelligence. When you see Obama sign an executive order ending foreign signals intelligence, you can at that point start to believe that the USG is primarily in the business of fixing rather than stockpiling vulnerabilities.

NSA's first and overriding mission is in conducting signals intelligence against our adversaries. As people have pointed out here and elsewhere: regardless of what other missions NSA may have crept into in the last 40 years, when SIGINT comes into conflict with some other NSA mission, SIGINT wins.

(This analysis is descriptive, not normative.)




My expectation is that if they were serious about this initiative, they very likely would've stepped forward with some vulnerabilities for disclosure.

But it seems like it's just words and business as usual.

I'm curious what their response would be in the perfect storm scenario. A foreign country or criminal enterprise causes severe damage to much of the US. Both the intelligence agencies, government secrets, and the technology industry are severely impacted, crippled even. And the enabler? A series of vulnerabilities they didn't disclose.

How much damage has to be done before people wake up and realize that what NSA doing is effectively pointing armed nuclear warheads at high-value targets in the US and giving our enemies the controls? The fact that NSA refuses to disclose serious vulnerabilities is an indication to enemy governments and criminals that spending money finding these vulnerabilities is going to be an extremely effective tactic.

I mean this seriously: this is actively telling our enemies how to attack us. How is this not treason?

> Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort.


Actually, I think this could be the basis for an effective political point. Simplify it to hammer this message home:

"If we have a policy of not disclosing the vulnerabilities we know, what we're really doing is promising foreign countries that the exploits they discover against us will work forever."


Take it seriously to the extent that they need to consider whether or not hoarding a vulnerability is likely to enable other powers to carry out SIGINT against important US sites.

Consider that while something like Heartbleed would be an enormous asset to the NSA, if both NSA and a foreign power found out about it at the same time it'd provide the foreign power with a disproportionate benefit because they'd likely have fewer other ways of infiltrating many sites.

I'm sure that in situations where they're confident they're the only ones with the knowledge, they'll still hold off on releasing anything.


> provide the foreign power with a disproportionate benefit because they'd likely have fewer other ways of infiltrating many sites.

You forget to mention the assumption that the NSA willfully ignores the IA component of its mission.


> I'm sure that in situations where they're confident they're the only ones with the knowledge, they'll still hold off on releasing anything.

How can they be sure? They simply can't. And this means they're putting US business at risk for their own benefit.

(The other way to put US business at risk is via worldwide reputation damage.)

I doubt this makes US companies more interesting for investors.


> Take it seriously to the extent that they need to consider whether or not hoarding a vulnerability is likely to enable other powers to carry out SIGINT against important US sites.

And yet that didn't prevent them from sitting on Heartbleed for two years (since approximately the moment it was introduced).


Don't be fooled.

This is a PR move.

Compare this to GITMO

"GITMO sucks, I vow to close it immediately" -- "Oh, Congress blocks me, my hands are tied! Tear!"

"Security vulnerabilities suck, I vow to make them open!" -- "Oh, look at that, the security apparatus says it makes the US vulnerable, my hands are tied! Tear!"


His hands are tied an awful lot.

But when it comes to pure presidential powers like killing people in foreign countries from the skies, his hands aren't tied.


The NSA may be trying to repair its image. This is a bit off-topic, but I think the NSA is in serious trouble because they need good hackers to join them, and it seems like almost nobody will want to after last year's revelations. (Even their salary offers seem to suck in comparison to an important SV engineer's salary, which struck me as odd.)

One way to start to repair their reputation would be to responsibly disclose some vulnerabilities and then take credit for their disclosure. That might motivate whitehats to join them, and whitehats are exactly the type of people they need.

In 10 years, the US is going to be in trouble unless they can continue recruiting good hackers. In 20 years, they'll be in serious trouble when foreign powers have clearly begun dominating the SIGINT arena. And at the rate technology is changing, those timelines seem optimistic.


I doubt the NSA's image problem is that large. I suspect many NSA recruits fall more toward the "black hat" end of the spectrum. They break into things without thinking about the consequences of their actions.

The NSA can likely get all the recruits it needs by just offering the chance to hack with legal immunity.


Snowden doesn't seem like a blackhat. Certainly looks can be deceiving, but it's hard to believe they'd be so shortsighted as to hire mostly people who are in it for the thrill of doing usually-illegal things.


Can't the NSA just monitor the whole network to detect anyone else using an exploit? So once they discover one, just use it to their heart's content until they start seeing it in the wild. At that point, disclose it.


> Can't the NSA just monitor the whole network to detect anyone else using an exploit? So once they discover one, just use it to their heart's content until they start seeing it in the wild. At that point, disclose it.

We also kind of want the NSA to stop monitoring the whole network.


That would be a nice statement to make, if you lived in some small world where there's just America and its interests (well, the interests of SOME of its citizens, to be exact).

On the internet, and to global citizens, what you write amounts to "screw those people" (non-US Hacker News readers).


Agreed on what the NSA's mission is, but there are much better and easier ways of doing that than stockpiling exploits. Our government, with its mass amounts of data collection, could just as easily socially engineer someone (for example, impersonating a trusted associate) to give up the right information.

I don't believe the NSA's mission comes into conflict with Obama's order, it merely suggests the NSA change how they go about their mission. But it's still just as clear to me how one would solve it, and IMHO they would have an easier time going the social engineering route anyway.


Social engineering would be HUMINT, not SIGINT.


That was also my first reaction. It seems like just another lie even before it finishes leaving his mouth, another predictable broken promise, a priori.


I don't think he's lying. I don't think he understands what he's saying.


He's not dumb. Therefore, he's made a conscious decision not to.


I'm not dumb, but I'm capable of saying stupid things about podiatry.


Everyone puts their foot in their mouth from time to time, I guess.


That is an amazing non-sequitur.


https://en.wikipedia.org/wiki/Non_sequitur_(logic)

Non sequitur (Latin for "it does not follow"), in formal logic, is an argument in which its conclusion does not follow from its premises.

Perhaps I should explain my reasoning a bit then.

midas007: It seems like just another lie

tptacek: I don't think he's lying. I don't think he understands what he's saying.

me: To paraphrase President Nixon, the President ought to know whether or not he himself is a crook.

So if tptacek is correct in that Obama doesn't actually understand what he is saying, the universe divides into two possibilities. In universe (1) Obama is so dumb as to be incapable of understanding the issues involved. In universe (B) Obama has the capability to understand the issues but has for some reason chosen not to exercise it.

Because Obama is a scholar, I assert that (1) is unlikely. Thus Obama, like many of us when confronted with complex but ultimately tractable problems (such as optimal Pokemon strategy), has made a conscious decision not to immerse himself deeply in the issue.

This represents a problem for Democracy because the President is our civilian leader who is supposed to be in command of the military. If in fact it is the military/intelligence that is leading him, then the Presidency has failed.

Cf. Reagan: https://en.wikipedia.org/wiki/Iran%E2%80%93Contra_affair


Hrm. I can either argue with you about your continued lack of logic (moving from a non-sequitur to a false dichotomy where you presume a world of two types of people), or I can make a larger point. So I'll do the one that's more productive:

> This represents a problem for Democracy because the President is our civilian leader who is supposed to be in command of the military. If in fact it is the military/intelligence that is leading him, then the Presidency has failed.

Democracy is not a government of presidents. It is a government of people. I agree that you can usefully argue that "the Presidency has failed", but the existence of the Presidency was always a hack, in software terms. It was never a well-designed system; it was a convenience which has been subject to feature creep due to a long history of abuse and counter-abuse. Try to put yourself in the Founders' shoes and seriously think about the question of why the executive branch needs to be headed by a single person; it doesn't. It was just easier that way.

To fix this, the response isn't to whine about NSA overreach or Presidential doublespeak. It's to actually establish a democracy.

(P.S., it is inaccurate to characterize the POTUS as in command of the NSA. He is responsible and accountable for them, but he is not in command. The continued incapability of HNers to internalize basic facts listed on Wikipedia suggests either, how did you put it, that they are either "dumb" or choosing "not to exercise their capability" in understanding their government. I think I like your false dichotomy after all.)


POTUS is Commander-in-Chief of the US military. NSA is an organization under the US Department of Defense.

POTUS can fire the head of the NSA. Truman fired MacArthur.

It's an interesting discussion the extent to which reality matches the law, but according to the US Constitution Obama is in command of the NSA.


The Department of Defense is a civilian structure. It is not a military. This is a meaningful distinction, not least because it means NSA personnel do not necessarily waive the same constitutional rights that members of the United States Armed Forces do, nor do they necessarily swear to obey the POTUS, which is an explicit difference between the civilian and military oaths.

The authority that the POTUS has over the NSA is more analogous to that of a CEO over a departmental division than that of a general over a battalion. As I said, the POTUS is responsible and accountable for the NSA, in the same way he is responsible and accountable for what our diplomats and ambassadors say to foreign governments, in the same way he is responsible and accountable if the FCC fails to secure network neutrality.

One of the more interesting consequences of this is that, if you were to place the USAF under the authority of the NSA, it would not violate the principle of civilian control of the military.


> The authority that the POTUS has over the NSA is more analogous to that of a CEO over a departmental division than that of a general over a battalion.

This is getting tiring.

Take a look at this list of former Directors of the NSA and count how many are ranking uniformed military officers. Spoiler: since the founding of the agency, all 17 of them.

https://en.wikipedia.org/wiki/Director_of_the_National_Secur...


It looks especially silly when the NSA has never been credited as reporting any vulnerability to any vendor, ever.

They could at least throw a few over the fence and get their names in some advisories to at least pretend there is a shred of truth to this.


And wasn't this already the policy?
