list), some more reports on it, that you may have not seen. These reports suggest the the NSA knew about and exploited the bug for "at least" two years, and may have even worked to stop it from being reported and fixed.

Given the bug was introduced in March of 2012, that would mean the bug would have had to been discovered, an exploit tested, a product weaponized, a product distributed to end-users, and deployed by end-users against targets, all in under a month from the moment the bug was introduced. I'm not saying it can't happen, but a healthy distrust would seem appropriate here. Further, the use of "at least" two years is meant to imply it could have been substantially longer -- but it could not have been more than two years and a month. Between that and the journo's mishandling of anonymous sources, I am not confident the Bloomberg journo did his homework.

With respect to anonymous sources, the standard is generally --

    1.  You give their background, broadly speaking
    2.  You say something about where they got the information
    3.  You specify they asked for anonymity -- it wasn't your idea
    4.  You explain why you're granting anonymity

If you can't meet those four requirements, you don't use the source. If you can't give the public information about their background and the source of their information, then you can't give the public enough information to decide whether your source is credible. And if you can't give the public enough information to decide whether your source is credible, why should the public believe you?

(ObDisclosure: I used to work as a tech journo. My four-point outline there was the standard we used, and my editor was fastidious about enforcement -- whether it was as small as "one space after a colon and the word is capitalized" or "four-point process for anonymous sources," Terry was on top of things. I never used an anonymous source.)


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to