N.S.A. Takes Step Toward Protecting World’s Computers, Not Just Hacking Them

And it happens the day Microsoft stopped updating Windows 7, forcing its users to "upgrade" to Windows 10! I never had a single security issue with Windows 7 ...

Strictly a PR move. It's about preserving the agency and its reputation (such as it is), not helping the rest of us who pay the taxes to keep the NSA going.

Automatic updates set the malware, with a false certificate. Only through automatic updating was this malware spread. Had automatic updating been off/disabled, the malware could not have been applied.

N.S.A. Takes Step Toward Protecting World’s Computers, Not Just Hacking Them. Face facts, we're talking about war, any type of war, including thermonuclear war, must have a winner and a loser. "And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think... it's all about the information! And the world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeroes, little bits of data. It's all just electrons". - Cosmo to Martin Bishop..."Sneakers" 1992

From Kevin Beaumont (cyber-security researcher) on Twitter: The Microsoft advisory is out now. 1) it’s only rated Important 2) it’s a spoofing issue 3) to get RCE [Remote Code Execution] with it you would need auth[orization], and to have code exec[ecuting] already. The NSA did a big press tour so before announcement so expect big media play. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601 The NSA is trying some PR here to make themselves look good. I wouldn't lose any sleep about the impact of this vulnerability.

" its experts could help fix the problem rather than exploit it." That is so cute !! I am sure Mr. Snowden will be amused.

Few would trust the NSA. While this is good that they reported the flaw, it's unclear that they didn't weaponize it first, and then get it fixed by Microsoft to protect government computers. This organization is a proven liar, spies on the American people against the Constitution's protections, inhibits free speech.

If the NSA could find the vulnerability, isn't it arrogant to assume no one else did, even before the NSA stumbled on it? From all the publications, it doesn't look like the NSA is the lead here, rather an also-ran. Why the NSA did not notify the software manufacturer of the vulnerabilities, leaving the world exposed, is another questionable decision. Depressing, really.

'SSL Certificates', used for 'https:' websites, are problematic because they authorize a middle-man to block access to a website. It's a handy way to 'turn off' someone the certification authority does not like (or politically does not agree with). And there doesn't seem to be anything to prevent a flunkie working for a third party, standing at a terminal at the certification authority, to moderate access to a website. That's because the Internet protocol essentially means that you ask permission to view the site. According to the article: "The vulnerability unearthed by the N.S.A. could potentially allow a hacker to add a fake signature that could allow malware to be inserted onto a vulnerable computer."

This is one good news in the election season.

This is an interesting development, because the U.S. military and the N.S.A. are barred by law - under the Posse Comitatus Act - from acting domestically. This is the reason for a number of U.S. Government front organizations, through which the N.S.A. is authorized to communicate with domestic companies. For example, in the financial sector the U.S. Secret Service operates domestically in its cyber security capacity. In some cases, companies were specifically created by the Congress for these purposes. For example, the MITRE Corporation is one such front company. They talk to the N.S.A., and then they talk to people inside the U.S. No direct communication is allowed. Also, many companies hire people with U.S. security clearances for these same purposes. This allows confidential information to be passed to the companies, with secrecy controlled under threat of the National Security laws.

The government has no right to intrude on one's personal computer and devices without reasonable suspicion and for once are using the NSA’s powers to genuinely protect citizens from potential hackers across the world to secure the privacy and data of Americans. The NSA and the U.S. government have a history of intruding on people’s privacy from their phone calls all the way to private files and messages between individuals in the United States. The United States has an obligation to protect its citizens from the private sector and their flaws especially in data security and if a breach is discovered that can be exploited by foreign enemies, the U.S. government should follow through and protect their citizens by notifying the said company, however, it should only be to the benefit of the individual. The United States and intelligence agencies have no right to assume the guilt of all Americans and run a pseudo-police state with American’s data. Data mining and technologically interrogating Americans should not be a priority of the intelligence agency. They should simply exist to execute these techniques and processes for when there is reasonable suspicion of a crime and not constantly monitor every American’s data with the intent of catching a criminal because that creates a false pretense of guilt before innocence. Hopefully, this change in attitude will be a true strategic shift of the NSA to foster greater trust in the government that has been torn apart in modern America.

Could it be that another entity also has knowledge of the vulnerability, decreasing its (secretive) value to the US?

Too little too late for me. The NSA is still unconstitutional, Windows is still why we now worry about ransomware, Microsoft is still a convicted monopolist (and despite Nice Guy Nadella puff-pieces is even WORSE at that now, especially with businesses and standards), and all three still need to be removed from your bedroom and office. You don't forgive the guys who groped you for not paying protection money,[1] and you certainly don't forgive a government "security" agency creep who's listened to your phone calls and snooped your emails every day when they suddenly finally do ONCE what they're always SUPPOSED to. Thank you, Edward Snowden. [1] Unless, apparently, the guys are the TSA in a vile-GOP government shutdown, the protection racket is PreCheck, and you're a Times reporter or commenter. But that's beside the point!

The nature of hacking requires the discovery and exploitation of "bugs" in software. It would be reasonable to assume that this alert was made because: 1) The NSA has a large enough exploit database that this one is more valuable for PR purposes, and/or 2) This vulnerability is dangerous enough that it threatens the NSA itself, and/or 3) Other groups are already using it and the NSA is using Microsoft to stop their competition. It would be unreasonable to assume that the NSA has suddenly decided that it no longer wants to have unrestricted access to all of the worlds data.

I wouldn't go so far as say NSA has changed it's focus on protecting businesses and customers using Win 10. Tbd... but more than likely that NSA has know about the vulnerability -- and exploited it -- but then found out that other/hostile actors discovered the vulnerability too... and that's when NSA stepped forward to help Microsoft.

So explain to me again why Attorney General Barr and others want tech companies (Apple) to install backdoors and jailbreaks???