Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Are you suggesting the NSA should be a government funded QA department for large corps and open source?

For commercial software the companies who are not finding these bugs on their own are to blame. For open source, the cheapskates who mooch free software without contributing are too blame.



Yes and no. They are tasked with protecting national security assets within the US, most of which rely on commercial systems. When they find a dangerous flaw in those systems, especially one loose in the wild, they are to help fix it. To not fix it is to leave US systems at risk.

"in almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection" ( quote from the 2013 panel report, not wired.)

http://www.wired.com/wp-content/uploads/2014/04/White-House-...


Not all 0-days affect national security assets. Heck, I'm sure there's plenty of software out in the world that isn't even used in the US at all.


NSA, no. But a non-NSA influenced USG, or some other new agency that should be in charge of cyber-security and not cyber-war (like NSA is) should be responsible for that. Developing strong security policies, finding about loopholes, and then nagging companies and government about fixing those loopholes and implementing those strong security policies (such as: "Go enable HTTPS for your site already god damn it, EPA!!"). NSA doesnt do anything like that right now, yet they keep yelling from the rooftops about "cyber security".

The NSA should have absolutely no relationship with this agency. If NSA finds out about some "catastrophic" loophole, then they should disclose it to multiple agencies at the same time, including this new cybersecurity agency, and should have no "special" relationship with it.

Also this new agency should be a civil agency, not a military or a spy one. NSA is and has always been a "war-time" agency, even if it has been used for non-war purposes (in my opinion wrongfully). Security is in most cases not about war. So why do we let a war-time agency try to militarize the Internet and treat it as a battleground, with everyone's computers as collateral damage, even if there's no immediate danger of "war"?


No, except the NSA/WhiteHouse has themselves said they would be the QA dept for corps.

http://icontherecord.tumblr.com/post/82416436703/statement-o...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: