Former DDIRNSA (who just retired) posted this today, and it accurately reflects his feelings on the VEP debate, I assume.
https://www.lawfareblog.com/no-us-government-should-not-disclose-all-vulnerabilities-its-possession
There's nothing in there that would surprise someone who regularly reads this blog, though - essentially he does not hold with the argument that we should be giving up all our vulnerabilities to vendors.
Likewise, he appears to be miffed that people are blaming WannaCry/NotPetya on the NSA, as you might expect.
Oh, I also want to mention the things he did not offer as good compromises, the ones that tend to be pitched as "halfway points" by people who have never been in this business. He didn't say "Let's only keep 0day for a few months" or "Let's only keep certain kinds of 0day - the not important ones". All those ideas are terrible, and they get offered again and again by various policy arms as if they are going to magically get better over time.