The bug... More info.

Robert J. Hansen rjh at sixdemonbag.org
Mon Apr 14 21:27:13 CEST 2014


> list), some more reports on it, that you may have not seen.  These  
> reports suggest the NSA knew about and exploited the bug for "at  
> least" two years, and may have even worked to stop it from being  
> reported and fixed.

Given the bug was introduced in March of 2012, that would mean the bug  
would have had to be discovered, an exploit tested, a product  
weaponized, a product distributed to end-users, and deployed by  
end-users against targets, all in under a month from the moment the  
bug was introduced.  I'm not saying it can't happen, but a healthy  
distrust would seem appropriate here.  Further, the use of "at least"  
two years is meant to imply it could have been substantially longer --  
but it could not have been more than two years and a month.  Between  
that and the journo's mishandling of anonymous sources, I am not  
confident the Bloomberg journo did his homework.

With respect to anonymous sources, the standard is generally --

     1.  You give their background, broadly speaking
     2.  You say something about where they got the information
     3.  You specify they asked for anonymity -- it wasn't your idea
     4.  You explain why you're granting anonymity

If you can't meet those four requirements, you don't use the source.   
If you can't give the public information about their background and  
the source of their information, then you can't give the public enough  
information to decide whether your source is credible.  And if you  
can't give the public enough information to decide whether your source  
is credible, why should the public believe you?

(ObDisclosure: I used to work as a tech journo.  My four-point outline  
there was the standard we used, and my editor was fastidious about  
enforcement -- whether it was as small as "one space after a colon and  
the word is capitalized" or "four-point process for anonymous  
sources," Terry was on top of things.  I never used an anonymous  
source.)



