• mriguy@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    ·
    edit-2
    5 months ago

    The NSA has two jobs.

    The first is to break into any computer or communications stream that they feel the need to for “national security needs”. A lot of leeway for bad behavior there, and yes, they’ve done, and almost certainly continue to do, bad things. Note that in theory that is only allowed for foreign targets, but they always seem to find ways around that.

    The second, and less well known, job is to ensure that nobody but them can do that to US computers and communications streams. So if they say something will make your computer more secure, it’s probably true, with the important addition of “except from them”.

    I won’t pretend I like any of this, but most people are much more likely to be targeted by scammers, bitcoin miners, and ransomware than they are by the NSA itself, so in that sense, following the NSA’s recommendation here is probably better than not.

    • azuth@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      4
      ·
      5 months ago

      Exploits don’t care if you are actually the NSA or not. The NSA certainly knowns that yet they keep exploits secret at least from the public.

      They have argued for key escrow for God’s shake.

      They are primarily an intelligence agency. If you are not likely to be targeted by the NSA you are also unlikely to be targeted by any of their adversaries. They don’t give a shit if you get scammed, they are not the FBI, who also keep secret exploits and are anti-encryption.

      Additionally using their “best” exploits on more simple targets still poses a risk to them being discovered and fixed. Therefore it’s beneficial to them for everybody’s security to be compromised. It also provides deniability.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        5 months ago

        Right. Their advice for the general public is a mix of “best practice” and risk. If an exploit is not actively exploited in the wild, they’ll probably sit on it for intelligence purposes and instead recommend best practices (which are good) that doesn’t impact their ability to use the exploit.

        So trust them when they say do X, but don’t take silence to mean you’re good.