Gerard Meijssen wrote:
There are two conflicting approaches to vulnerabilities known to "government"; vulnerabilities make government vulnerable and therefore they need to be handled properly in code. The other approach is that a vulnerability is a vector to attack....
Well, the general problem is that government authorities have been paying malware authors for vulnerabilities which are kept unpatched for surveillance, which means the malware authors have them too. This is vigorously denied even after repeated proof. Lesser issues are that the CALEA law puts constraints on SS7 which make it impossible to prevent things like caller ID spoofing, and the fact that SSL certificate authorities are equivalent to key escrow without perfect forward encryption, which really didn't exist until the RSA compromise was exposed.
The Foundation's main security problem at present is that all of the reader logs with IP addresses get shipped off to a lab at Stanford which is under NDA, but even if we had a perfect warrant canary, nobody would know if one of the Stanford lab members gets (or has already been given) a National Security Letter, or if Stanford IT gets a subpoena on convincing letterhead, or a phone call from Turkey wanting to deal with their political purge.
I think Victoria could be very close to the best possible CTO if and only if she is willing to address these issues openly, including the Dell PowerEdge DEITYBOUNCE issue. I have very high hopes.
Best regards, Jim
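The message above contrasts long-term server keys (what a certificate authority certifies) with forward secrecy. The following is an added toy model, not code from the e-mail or from the Foundation: it uses textbook RSA with tiny constructed primes and a small Diffie-Hellman group (the Mersenne prime 2^127-1 with generator 3, no subgroup checks), so nothing here is a secure parameter size. It shows the concrete difference for a passive recorder who later obtains the server's private key: with RSA key transport every stored session decrypts; with signed ephemeral DH the stored transcripts stay closed, and the stolen key only lets the attacker impersonate the server in future handshakes.

```python
# Added illustrative example: forward secrecy vs. long-term-key "escrow".
# All parameters are constructed toy values; never use sizes like these.
import hashlib
import secrets

# --- constructed toy long-term RSA key (textbook RSA, no padding) ---
RSA_P, RSA_Q = 1000003, 1000033
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

# --- constructed toy Diffie-Hellman group (2^127-1 is prime; generator 3) ---
DH_P = (1 << 127) - 1
DH_G = 3


def kdf(secret: int) -> bytes:
    """Toy key derivation: SHA-256 over the shared secret as a 32-byte integer."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def rsa_sign(msg: bytes) -> int:
    """Toy RSA signature over a hash (unpadded; illustrative only)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % RSA_N
    return pow(h, RSA_D, RSA_N)


def rsa_verify(msg: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % RSA_N
    return pow(sig, RSA_E, RSA_N) == h


def rsa_transport_handshake():
    """RSA key transport (TLS <= 1.2 without DHE/ECDHE): the client encrypts a
    premaster secret to the server's long-term public key. The ciphertext is
    recorded on the wire. Returns (transcript, session_key)."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    wire_ciphertext = pow(premaster, RSA_E, RSA_N)
    return {"kx": "rsa", "ciphertext": wire_ciphertext}, kdf(premaster)


def dhe_handshake():
    """Ephemeral DH signed by the long-term key. The exponents x and y exist
    only inside this function; the transcript carries g^x, g^y and a signature.
    Returns (transcript, session_key)."""
    x = secrets.randbelow(DH_P - 2) + 1  # server ephemeral, discarded on return
    y = secrets.randbelow(DH_P - 2) + 1  # client ephemeral, discarded on return
    gx = pow(DH_G, x, DH_P)
    gy = pow(DH_G, y, DH_P)
    sig = rsa_sign(gx.to_bytes(16, "big"))
    shared = pow(gy, x, DH_P)
    assert shared == pow(gx, y, DH_P)  # both sides agree
    return {"kx": "dhe", "gx": gx, "gy": gy, "sig": sig}, kdf(shared)


def passive_recover(transcript, rsa_d=RSA_D):
    """What a recorder who later obtains the long-term private key can do with
    a stored transcript. RSA transport: decrypt the premaster, derive the key.
    DHE: only g^x and g^y are on the wire; recovering the key needs a discrete
    log, which the private key does nothing to help with, so return None."""
    if transcript["kx"] == "rsa":
        return kdf(pow(transcript["ciphertext"], rsa_d, RSA_N))
    return None


def active_mitm_dhe() -> bool:
    """What the stolen key DOES enable against DHE: signing an attacker-chosen
    g^x so a client accepts it in a future handshake. Past sessions stay
    confidential; sessions after the compromise do not."""
    x_attacker = secrets.randbelow(DH_P - 2) + 1
    gx_attacker = pow(DH_G, x_attacker, DH_P).to_bytes(16, "big")
    forged_sig = rsa_sign(gx_attacker)
    return rsa_verify(gx_attacker, forged_sig)


if __name__ == "__main__":
    t_rsa, k_rsa = rsa_transport_handshake()
    t_dhe, k_dhe = dhe_handshake()
    print("RSA transport, key later stolen:", passive_recover(t_rsa) == k_rsa)
    print("DHE, key later stolen:          ", passive_recover(t_dhe) == k_dhe)
    print("DHE, future impersonation:      ", active_mitm_dhe())
```

The practical check on a real deployment is whether the negotiated cipher suite uses an ephemeral key exchange at all (DHE/ECDHE, mandatory in TLS 1.3); a server that still accepts static RSA key exchange is in the first branch of `passive_recover` for every client that negotiates it.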