More on the Equities Debate

This is an interesting back-and-forth: an initial post by Dave Aitel and Matt Tait, a reply by Mailyn Fidler, a short reply by Aitel, and a reply to the reply by Fidler.

Posted on September 20, 2016 at 7:34 AM • 6 Comments

Comments

Andy • September 20, 2016 11:26 AM

What a bunch of hubris from our IC. What does the tax payer actually get out of the (still secret?) double-digit billion dollar security-services budget? Other than bloated employment that is.

Ever heard of throwing stones from inside a glass house? Didn't they get embarrassed already by the OPM data breach?

Yeah, right. • September 20, 2016 11:42 AM

The solution to "power corrupts, absolute power corrupts absolutely," is not more oversight, it's more limits on concentrations of power. It's also the very solution that the most already-powerful and already-corrupted people will always fight the hardest...

My Info • September 20, 2016 5:34 PM

"Didn't they get embarrassed already by the OPM data breach?"

They're already succumbing to the blackmail.

Drone • September 21, 2016 5:09 AM

I think the current U.S. Government should continue to keep all the vulnerabilities and exploits they discover 100% secret, then use them to spy on their own people for political gain, and to use the information to divide us further by race, class, gender and age. They're so bad at doing this, it will eventually bring about their demise. Then we can pick up our tattered Flag and Constitution from the blood stained streets, and start all over again.

r • September 27, 2016 11:12 PM

http://www.reuters.com/article/us-cyber-nsa-tools-idUSKCN11S2MF

Since this didn't make its way into here, I'm pulling it back out of the current squid.

Because the sensors did not detect foreign spies or criminals using the tools on U.S. or allied targets, the NSA did not feel obligated to immediately warn the U.S. manufacturers, an official and one other person familiar with the matter said.

I'll just leave it at that.

Jean Camp • September 28, 2016 11:11 PM

The debates are interesting but do not address diffusion or even existence of a patch. Look at Oracle not even patching a serious zero day with more than a month of warning. If it is something that can be patched? If there is an extant patching infrastructure? Is recovery even possible? How difficult is the attack?

The debate about intelligence disclosure cannot be separated from the debates about consumer protection, patching technologies and patching behaviors, as well as the potential uses of the technologies for profit.

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2601191
