The bug... More info.
Robert J. Hansen
rjh at sixdemonbag.org
Mon Apr 14 21:27:13 CEST 2014
> list), some more reports on it, that you may have not seen. These
> reports suggest the the NSA knew about and exploited the bug for "at
> least" two years, and may have even worked to stop it from being
> reported and fixed.
Given the bug was introduced in March of 2012, that would mean the bug
would have had to been discovered, an exploit tested, a product
weaponized, a product distributed to end-users, and deployed by
end-users against targets, all in under a month from the moment the
bug was introduced. I'm not saying it can't happen, but a healthy
distrust would seem appropriate here. Further, the use of "at least"
two years is meant to imply it could have been substantially longer --
but it could not have been more than two years and a month. Between
that and the journo's mishandling of anonymous sources, I am not
confident the Bloomberg journo did his homework.
With respect to anonymous sources, the standard is generally --
1. You give their background, broadly speaking
2. You say something about where they got the information
3. You specify they asked for anonymity -- it wasn't your idea
4. You explain why you're granting anonymity
If you can't meet those four requirements, you don't use the source.
If you can't give the public information about their background and
the source of their information, then you can't give the public enough
information to decide whether your source is credible. And if you
can't give the public enough information to decide whether your source
is credible, why should the public believe you?
(ObDisclosure: I used to work as a tech journo. My four-point outline
there was the standard we used, and my editor was fastidious about
enforcement -- whether it was as small as "one space after a colon and
the word is capitalized" or "four-point process for anonymous
sources," Terry was on top of things. I never used an anonymous
More information about the Gnupg-users