“Our research on LandHere was made possible by funding from the NSA.”
So what? The IAD part of NSA helped invent INFOSEC, did some of the best stuff in COMSEC for a long time, did TEMPEST shielding, evaluated early high-security systems (some never broken), made guides for securing many COTS tech, funded work like Galois Inc’s that regularly gets FOSS’d, and some other stuff I’m probably forgetting.
They’ve done far more good in IAD than bad with the one subversion that was probably NOBUS in practice. They also published methods to build stuff they can’t beat most of the time under TCSEC B3/A1 and Common Criteria EAL6/7 High Robustness. If we’re being honest, the FOSS and commercial developers ignoring such advice from NSA and others in high-assurance for decades did more for NSA SIGINT division than TAO subversions ever did. NSA just finds the avoidable problems people leave in there.
So, this meme of “Oh, it’s NSA!” needs to stop unless they’re supplying a closed-source solution or asking for backdoors/escrow. Anything else should simply be rigorously analyzed by 3rd parties like every other source. Funny enough, that’s one of NSA’s certification requirements.