The bug... More info.

Christopher J. Walters cwal989 at comcast.net
Mon Apr 14 21:42:54 CEST 2014


On 4/14/2014 3:27 PM, Robert J. Hansen wrote:

> Given the bug was introduced in March of 2012, that would mean the bug would
> have had to be discovered, an exploit tested, a product weaponized, a product
> distributed to end-users, and deployed by end-users against targets, all in
> under a month from the moment the bug was introduced.  I'm not saying it can't
> happen, but a healthy distrust would seem appropriate here.  Further, the use
> of "at least" two years is meant to imply it could have been substantially
> longer -- but it could not have been more than two years and a month.  Between
> that and the journo's mishandling of anonymous sources, I am not confident the
> Bloomberg journo did his homework.
>
> With respect to anonymous sources, the standard is generally --
>
>      1.  You give their background, broadly speaking
>      2.  You say something about where they got the information
>      3.  You specify they asked for anonymity -- it wasn't your idea
>      4.  You explain why you're granting anonymity
>
> If you can't meet those four requirements, you don't use the source.  If you
> can't give the public information about their background and the source of
> their information, then you can't give the public enough information to decide
> whether your source is credible.  And if you can't give the public enough
> information to decide whether your source is credible, why should the public
> believe you?
>
> (ObDisclosure: I used to work as a tech journo.  My four-point outline there
> was the standard we used, and my editor was fastidious about enforcement --
> whether it was as small as "one space after a colon and the word is
> capitalized" or "four-point process for anonymous sources," Terry was on top of
> things.  I never used an anonymous source.)

I tend to agree, actually.  As to Snowden, how exactly could a private 
contractor have that level of security clearance, anyway?  I said that the 
report "suggests" NSA involvement - not that I agree.  The anonymous sources 
are a major problem for believability.  The NSA has gotten a lot of bad press 
lately, and it looks to me like Bloomberg (not the best source of information, 
in general, IMHO) has jumped on the bandwagon.

Since I have NO security clearance with the NSA, I cannot comment on any 
involvement, and I doubt anyone on this list, or the 'sources' have such 
clearance to comment on it, either.  So, I retain my disbelief.

Note:  I only wanted to post those articles for people to be able to read and 
make up their own minds.  I will post no more here on this bug.


