Let's say you were on security and found it on the network. Would you somehow be bound by a gag order about it, since you would never have seen said gag order?
I think it's irrelevant in practice. (In theory, that's an interesting question) You're not making the decision to make this public. If you're on the security team, you're going to notify the boss, and at that scale of the system compromise this goes all the way to the top. At that point someone who knows about the gag order is in the chain.
The only scenario where I think the question matters is if you do something really stupid that would get you fired if this was an actual exploited external access.
Let's say an unaffiliated third party (white-hat hacker) found the exploit and reported it to you under a Bug Bounty program. Let's also say that that third party was someone who followed "responsible disclosure" rules, and said that they'd publicize the vulnerability if you didn't do so yourself within a short time-frame. You investigate (by asking your team, your boss, looking at the bug tracker, etc.) and figure out it's an NSA backdoor. Now what do you do? Are you allowed to talk to the white-hat? Are you allowed to not talk to the white-hat, knowing that this would result in the white-hat reporting the vulnerability and thus compromising the investigation?
Whether or not the company is doing everything they can to resist the order, I think that NSLs are always accompanied by a clear communication channel between a company's counsel and the agency.
So, after someone under the gag realizes the situation, they get the company's lawyers in contact with the agency to see what to do. The agency would then gag the white hat.
IMO, that's a huge part of why NSLs are scary. You are in an absolute stranglehold and are at the mercy of the agency for your every move.
If I remember correctly, people even had to argue for the ability to talk to a lawyer about receiving an NSL. So, the feds are really not messing around here and will do absolutely everything to ruin you if you don't cooperate fully. Any perceived resistance is crushed.
> So, after someone under the gag realizes the situation, they get the company's lawyers in contact with the agency to see what to do. The agency would then gag the white hat.
He doesn't live in the US. Once he realizes this is going on, he'll disclose.
You talk to your boss. Your boss talks to the NSA. The NSA will find a way to silence the white-hat. Problem solved.
Philosophical dilemmas are fun to talk about, but only as long as you take the premises as granted. People who carry swords tend not to waste time trying to disentangle knots that they can simply cut in half. Most "technical" solutions to "human" problems suffer this vulnerability.
> You talk to your boss. Your boss talks to the NSA. The NSA will find a way to silence the white-hat. Problem solved.
Seems you're assuming the white hat hacker is from USA. I'm not so sure the NSA is going to be able to silence a white hat hacker from say Russia, or anywhere out of USA for that matter.
Silencing somebody doesn't need to involve sending him a legally binding gag order. Nor does it necessarily require killing him.
There are lots of carrots (e.g. job offer, lucrative contract) and whips (e.g. a threat to ruin his business or professional reputation) that a government agency can use to persuade someone, even a foreigner, to keep something a secret for a certain length of time.
This obviously won't work on someone who is under Putin's protection, for example, but then we're talking about cyberwar, not a lone white-hat.