Matt Blaze, a well-known public cryptographer and NSA critic, offered what seemed like a modest concession in the relentless campaign against NSA intelligence gathering:
The NSA’s tools are very sharp indeed, even in the presence of communications networks that are well hardened against eavesdropping. How can this be good news? It isn’t if you’re a target, to be sure. But it means that there is no good reason to give in to demands that we weaken cryptography, put backdoors in communications networks, or otherwise make the infrastructure we depend on be more “wiretap friendly”. The NSA will still be able to do its job, and the sun need not set on targeted intelligence gathering.
Don’t get me wrong, as a security specialist, the NSA’s Tailored Access Operations (TAO) scare the daylights out of me. I would never want these capabilities used against me or any other innocent person. But these tools, as frightening and abusable as they are, represent far less of a threat to our privacy and security than almost anything else we’ve learned recently about what the NSA has been doing.
TAO is retail rather than wholesale.
A day later he revealed just how modest this olive branch was, making clear that he wants to take away the NSA’s best hacking tools. He told the Washington Post that NSA should be required to surrender any undiscovered vulnerability it finds:
Among the weapons in the NSA’s arsenal are “zero day” exploits, tools that take advantage of previously unknown vulnerabilities in software and hardware to break into a computer system. The panel recommended that U.S. policy aim to block zero-day attacks by having the NSA and other government agencies alert companies to vulnerabilities in their hardware and software. That recommendation has drawn praise from security experts such as Matt Blaze, a University of Pennsylvania computer scientist, who said it would allow software developers and vendors to patch their systems and protect consumers from attacks by others who may try to exploit the same vulnerabilities.
Matt tries to square that circle by saying that NSA can keep exploiting the vulnerability at the same time that it reports it. So at least we’ll have good intelligence on really stupid targets who don’t update their software. That’s some compromise.
The zero-day problem is a thorny one, to be sure. There are times when it’s in the country’s interest to patch rather than exploit a hole, but a policy requiring that holes always be patched will not stop hacking by anyone other than NSA.