Hat tip to the guy who discovered this, but I'm starting to think the situation is hopeless. I'd bet that NSA, GCHQ, et. all already know about this vulnerability and about countless others like it.
Think of it this way. If I'm one of those agencies I ask myself the following:
What applications do people typically use?
How do those applications typically interact
with the Internet?
How can we insert ourselves into that process to
spy on people or to take control of their systems?
What if NSA devoted 10 people full time to looking for vulnerabilities like this? What if they coordinated amongst the Five Eyes and, together, they had 50 full time people looking for vulnerabilities like this?
Could they afford to do it? Yes! Would they find a plethora of vulnerabilities? Yes! So, are they doing it? Probably, what's to stop them (other than legalities of course)?
It's low hanging fruit, compared to all the other, more esoteric stuff we know they are already doing.
When history is written this will probably turn out to be the Golden Age of governments spying on civilians. Robust crypto everywhere just can't happen soon enough.
Think of it this way. If I'm one of those agencies I ask myself the following:
What if NSA devoted 10 people full time to looking for vulnerabilities like this? What if they coordinated amongst the Five Eyes and, together, they had 50 full time people looking for vulnerabilities like this?Could they afford to do it? Yes! Would they find a plethora of vulnerabilities? Yes! So, are they doing it? Probably, what's to stop them (other than legalities of course)?
It's low hanging fruit, compared to all the other, more esoteric stuff we know they are already doing.
When history is written this will probably turn out to be the Golden Age of governments spying on civilians. Robust crypto everywhere just can't happen soon enough.