[HN Gopher] NSA helps out Microsoft with critical Exchange Serve...
___________________________________________________________________
NSA helps out Microsoft with critical Exchange Server vulnerability
disclosures
Author : beermonster
Score : 42 points
Date : 2021-04-13 20:00 UTC (3 hours ago)
(HTM) web link (www.theregister.com)
(TXT) w3m dump (www.theregister.com)
| croutonwagon wrote:
| NSA is one of those orgs where it's very hard to assess their
| intent.
|
| On the one hand, they do things like this. And their
| hardening/setup guides or mitigation guides are generally well
| done.
|
| On the other hand they have tried to knowingly commit faulty
| logic to RSA's RNG, have acted as an APT actor in the past, and
| used their toolsets to surveil their own people...
|
| Which leads me to believe moves like this, especially with the
| press coverage, are more political than genuine and it was only
| disclosed because an adversary is aware of it.
|
| Because if the ends justified the means, they have held on to 0
| days as well for their own purposes in the past. And are
| generally tight-lipped on their policies for disclosure.
|
| https://www.schneier.com/blog/archives/2021/03/chinese-hacke...
|
| https://www.schneier.com/blog/archives/2020/10/the-nsa-is-re...
|
| https://www.wired.com/2016/08/hackers-claim-auction-data-sto...
| hk1337 wrote:
| Trust but verify.
| HillRat wrote:
| Really, NSA is captive to the law that bureaucracies do
| _exactly_ what you tell them to do. NSA is budgeted to conduct
| cyber offense and governmental defense, so private-sector
| defense is outside the mission; in fact, it conflicts with the
| former even as it connects with the latter. So NSA is only
| going to help you if the risks to its defensive mission
| outweigh the value to its offensive mission (not that
| organizations have rigorous tests for these things, but whoever
| yells the loudest is usually a good proxy for it).
|
| The best approach, IMO, is to take cyberdefense out of NSA
| entirely and give someone like CISA an active mission to
| maximize whole-of-nation digital defense. While this doesn't
| entirely mitigate moral hazard between the offensive/defensive
| mission balance, at least you've got competing budgets that
| have an incentive to work against each other.
| klyrs wrote:
| If a friendly NSA agent offered to help tidy up around the
| house, it would certainly be a kindness. But it's definitely
| the sort of gift horse you want to look in the mouth. After
| all, they were just "helping out" securing random number
| generators, but Shumow and Ferguson discovered that they may
| have been helping themselves out, too.
|
| http://rump2007.cr.yp.to/15-shumow.pdf
| pianoben wrote:
| I mean, good? Defending the nation and its citizenry (including
| their businesses) is ostensibly one pillar of the NSA's mission.
| Glad to see them act upon it.
| trynton wrote:
| > I mean, good? Defending the nation and its citizenry
| (including their businesses) is ostensibly one pillar of the
| NSA's mission. Glad to see them act upon it.
|
| One backdoor got found out so the NSA goes public with a
| pretend security announcement. Microsoft "security" is designed
| to keep the casual browser out but not prevent the state
| security apparatus getting access to your data, anytime
| anywhere. Anyone who says different is a fool or is invested in
| the "cyber security" business.
| not2b wrote:
| They'll help that way if some state actor is using the hole to
| attack US government sites. If they think that only they, the
| NSA, know about a bug, they won't disclose it.
|
| https://en.wikipedia.org/wiki/NOBUS
| trynton wrote:
| "Not even Microsofties trust Microsoft's approach to privacy"
|
| https://www.csoonline.com/article/2225488/not-even-microsoft...
___________________________________________________________________
(page generated 2021-04-13 23:01 UTC)