Hacking Team, Computer Vulnerabilities, and the NSA

73 points by nerdy over 9 years ago

6 comments

PhantomGremlin over 9 years ago
Schneier didn't discuss what is IMO the biggest reason for NSA not to report vulnerabilities: it's "pissing into the wind", it's futile. When 10 vulnerabilities are reported and fixed, 11 new ones are quickly found. The vulnerabilities are overwhelming us.

Back around the year 2000 Microsoft was being beaten up for all the vulnerabilities in their software. So in 2002 Bill Gates announced "Trustworthy Computing".[1][2]

    Microsoft Chairman Bill Gates announced a major strategy shift across all its products, including its flagship Windows software, to emphasize security and privacy over new capabilities.

In 2014 Microsoft finally threw in the last towel, folding the group they formed into other units. They gave up. Microsoft lost not because they were incompetent, but because the problem is too big to attack in a conventional manner.

I don't know what the answer is, but we need to approach things very differently. To quote Dr. Peter Venkman: "the usual stuff isn't working".

[1] http://www.foxnews.com/story/2002/01/16/bill-gates-announces-microsoft-strategy-shift-toward-security-privacy.html
[2] https://en.wikipedia.org/wiki/Trustworthy_computing
tptacek over 9 years ago
There's a fourth reason NSA wouldn't have tipped off every vendor impacted by HT exploits: because they have no business breaking into commercial vulnerability research teams' networks, grabbing their exploits, and burning them. It is in fact probably unlawful for them to do so (those actions having as they do an impact on US F-500 companies that use --- for better or worse --- tools from companies like HT to evaluate their own security).

This is a positive comment, not a normative one. I don't know how I feel about entities busting up companies like HT, but I do think I know that the world would be better off without companies like HT.
codezero over 9 years ago
While I wouldn't put it past the NSA – why would we assume the NSA had infiltrated Hacking Team?
ewass9000 over 9 years ago
If you do not realize that we have always been monitored, usually without a legal vehicle, by government agencies, you are just too young. If you believe for one second that the NSA is more of a threat than the ultimate climate created by the aggregation of every set of data collected by ISPs, Cloud service providers, app makers, and social media, please start thinking and researching just a few more steps ahead. Attacks will be patched, the NSA will decrypt in real time until someone finds a way to embarrass them. The natural growth of company driven data theft and distribution can only result in an environment with revolutionary scientific achievement and statistical analysis that poses unprecedented virtual and physical threats to individuals and groups. The simple fact is our users have been slowly trained to implement and act upon concepts and technology they do not understand. When a person that can hardly type can watch a video online with explicit instructions on how to hijack a cell phone, but easily use too much power and suspend service in an area, what do we really change when houses burn and heart attack victims die because they have no 911 service?
NullCharacter over 9 years ago
Schneier apparently doesn't even know what the NSA stands for (National Security *Administration*?) and yet seems it's safe to assume that they had infiltrated Hacking Team, and then proceeds to make a whole bunch of judgements and follow-on assumptions based off that first baseless assumption all while pandering to his userbase.

Well done, Bruce.
benmmurphy over 9 years ago
It would be interesting to know if the NSA has explicit special access or has infiltrated the bug reporting programs for important vendors. Are browser bugs or iPhone bugs important enough that the NSA has some guy in Apple or Firefox feeding them bug reports on the side?