Gerard Meijssen wrote:
There are two conflicting approaches to vulnerabilities known
to"government"; vulnerabilities make government vulnerable
and therefore they need to be handled properly in code. The
other approach is that a vulnerability is a vector to attack....
Well, the general problem is that government authorities have been
paying malware authors for vulnerabilities which are kept unpatched
for surveillance, which means the malware authors have them too. This
is vigorously denied even after repeated proof. Lesser issues are that
the CALEA law puts constraints on SS7 which make it impossible to
prevent things like caller ID spoofing, and the fact that SSL
certificate authorities are equivalent to key escrow without perfect
forward encryption, which really didn't exist until the RSA compromise
was exposed.
The Foundation's main security problem at present is that all of the
reader logs with IP addresses get shipped off to a lab at Stanford
which is under NDA, but even if we had a perfect warrant canary,
nobody would know if one of the Stanford lab members gets (or has
already been given) a National Security Letter, or if Stanford IT gets
a subpoena on convincing letterhead, or a phone call from Turkey
wanting to deal with their political purge.
I think Victoria could be very close to the best possible CTO if and
only if she is willing to address these issues openly, including the
Dell PowerEdge DIETYBOUNCE issue. I have very high hopes.
Best regards,
Jim