Any chance this bug originated with the NSA? It seems like it would fall under their goal of subverting the infrastructure that keeps secrets on the internet. Of course this is exactly why such a goal is a bad idea - an unprotected internet causes widespread damage.
I don't know -- why don't you try reasoning it out since you're the one lobbing the accusation. Upon a very simple review of the code change/patch, one can see this is a relatively new feature, agreed upon and passed by the publicly available IETF, implemented naively.
"Never attribute to malice that which can be adequately explained by incompetence" -- slightly-butchered quote, from someone smarter than me.
It's not an accusation, it's a speculation. I don't have the ability to judge it for myself, i.e. "a simple review of the code change/patch". That's why I put it out there. I don't mind being refuted, but I wish it would be refuted rather than just downvoted blindly.
P.S. I think your quote doesn't capture the situation properly when someone is known to have malicious intent.
I don't think so - while the NSA would dearly like to have the access that this vulnerability would allow, they would dislike even more if anyone could have it. If they're going to insert a backdoor they're going to be damn sure only they have the key.
They did not try to "weaken RSA", as in the RSA algorithm. They paid off and/or infiltrated RSA the corporation. You were not attacked; your posts simply contained wrong information and useless speculation.
Screaming about the NSA every time a security bug comes up is not interesting, productive, insightful, or useful. Please stop.
Asking "did they do this?" is not an accusation, seriously.
And even then, the NSA has had their fingers in enough places and lied about it enough times (infiltrating FOSS projects was explicitly one of their goals, IIRC) that the sane default position would be to assume shenanigans on their part unless proven otherwise.
The vetting process does absolutely nothing to prevent something like this from happening, especially since some very sneaky and pernicious bugs can be introduced in the guise of simple mistakes. It would be foolish to assume this isn't part of the standard playbook, and just as foolish to discount the possibility of maliciously introduced bugs just because the evidence doesn't immediately point to malicious intent - that is the nature of the attacker.
The alternative is remaining ignorant and vulnerable to the single most well funded and experienced adversary a crypto user will ever likely face.