The NSA employs able people entirely capable of discovering "the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability".
It says, however, that it was not aware of this particular vulnerability; and I believe it. There is 1) no need to impute omniscience to the NSA; moreover, 2) it did not deny knowledge of any [other] vulnerability in OpenSSL. I suspect that there are a number of other such vulnerabilities, and if the NSA had knowledge of one or more of them its incentive to look for more would be much diminished, indeed exiguous. In the light of what we know about NSA capabilities, it would of course be prudent to assume that it can decrypt instances of the use of any and all of the packaged up, widely used key-based encryption schemes; and it would be imprudent not to do so; but this is very different from the sophomoric cynicism implicit in the notion that it is reading all of the encrypted signals it is squirrelling away. Worse, it gets the problem wrong. This problem, as always, is that of finding the significant in a welter of banal insignificance. It may well be true that the works of Shakespeare are to be found somewhere in the keyboard outputs of those monkeys, but the problem of finding them is still a daunting one.

John Gilmore, Ashland, MA 01721 - USA
