Yeah, the NSA has both an offensive and a defensive mission. The trouble is, they have previously exploited the trust they get from their defensive mission to advance their offensive mission.
For example, they pushed hard for the random number generator algorithm Dual_EC_DRBG to be included in lots of FLOSS and commercial crypto software, and I think people assumed they were pushing it because they knew something from a defensive side about the alternatives. Dual_EC_DRBG included large constants with no explanation of where they came from, and there were warnings from independent researchers that certain number choices in generating parameters could mean it is unsafe. Snowden's whistleblowing confirmed Dual_EC_DRBG was in fact a disguised PKRNG (encrypt the random seed with a public key to get the random output, in such a way that someone with the private key - which the NSA had because they came up with the keypair - can decrypt the seed from random output and hence future ‘random’ output, e.g. future randomly generated crypto keys).
The NSA also has both a mission to warn people about security vulnerabilities that put them at risk, and a tendency to hoard 0-days so they can use them against other people.
So it probably isn’t too far-fetched that they might include some kind of vulnerability in their FLOSS software. The Dual_EC_DRBG style is to find one that NSA can use but no one else can. Making sure you have other layers of defense is probably a good practice.
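The public-key structure described in the comment above, as an added example that is not part of the original comment or of any real implementation: a toy Dual_EC-style generator in which whoever chose the two constants P and Q so that P = d*Q can turn one output into every later output. Assumptions: it uses secp256k1's field and curve equation rather than the standard's P-256 constants, emits the full x-coordinate (the real design truncates it), and `d`, the seed and `Q` are constructed values.

```python
# Toy Dual_EC-style generator with a known trapdoor (added illustration).
# Assumed: secp256k1 field/curve instead of P-256; d, seed, Q are constructed.
FP = 2**256 - 2**32 - 977   # field prime, FP % 4 == 3
B = 7                       # curve: y^2 = x^3 + 7, prime-order group

def lift_x(x):  # a curve point with x-coordinate x, or None if none exists
    rhs = (pow(x, 3, FP) + B) % FP
    y = pow(rhs, (FP + 1) // 4, FP)   # square root, valid since FP % 4 == 3
    return (x, y) if y * y % FP == rhs else None

def add(p1, p2):  # point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

def generate(seed, P, Q, count):
    """State update s <- x(s*P), output x(s*Q); the real design also truncates."""
    out, s = [], seed
    for _ in range(count):
        s = mul(s, P)[0]
        out.append(mul(s, Q)[0])
    return out

def predict(output, d, P, Q, count):
    """With d such that P = d*Q, one output yields the next state and later output."""
    s = mul(d, lift_x(output))[0]   # d*(+-s*Q) = +-s*P; its x is the next state
    return [mul(s, Q)[0]] + generate(s, P, Q, count - 1)

def demo():
    Q = next(pt for pt in map(lift_x, range(1, 100)) if pt)
    d = 0xC0FFEE                    # constructed trapdoor scalar
    P = mul(d, Q)
    outputs = generate(0x1234567890ABCDEF, P, Q, 4)
    return outputs[1:], predict(outputs[0], d, P, Q, 3)
```

`demo()` returns the generator's real later outputs next to the values predicted from the first output alone. The two lists match only for the holder of `d`, which is why constants with no published derivation are the thing to question in a design like this.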