Probably because "your" enemies use "your" software as well. If it makes you feel any better it looks like the NSA shared the vulnerabilities with Microsoft a month before they were leaked.
But the U.S. still has the most to suffer from them (as a country). But from NSA's point of view, even if the U.S. still has to suffer from those exploits, it's "worth it" because for every American that is getting harmed by those exploits, they can spy on 10 other foreigners. So it's not really a matter of "defending the country" but of "value of exploit".
Kind of how in WW2 they used to allow one or two or five of their own ships to be sunk by the enemy just so they don't reveal that they intercepted their communications (which I guess the argument was the intelligence would've been more useful against more of the enemies' ships).
Also, this was a large batch of exploits, and the NSA knew eventually they would get released. So they might as well be the "heroes of the day" and get companies to fix them, especially if they can get the publicity for it. But for every one of these they fix there are probably dozens of others they don't want fixed, like for instance all the vulnerabilities in Chinese routers and smartphones and smart TVs and other electronics.
It's not that hard to verify that this is their logic. Look how they want to push backdoors and how they fight encryption, just to catch a few people, even if that harms everyone else. From their point of view "more security" is a bad thing. And I'm not even sure you can expect much else from a spy agency. When you have a hammer, you want every problem to be a nail. It should be up to everyone else to push back on that logic.
> If it makes you feel any better it looks like the NSA shared the vulnerabilities with Microsoft a month before they were leaked.
Do you have a source for that claim? Because I have now seen multiple people indicate that.
From what I can see Microsoft hasn't said where they got the info from. They gave a statement to The Intercept that indicates it wasn't NSA, but the statement isn't entirely clear, it may be up for misinterpretation.
I think it'd be really good if someone would shed light on how things unfolded here, but from what I can see right now we don't know where Microsoft got the info about these vulns - and probably only Microsoft can clarify.
I agree with that assessment: TSB were blackmailing the NSA 'We bees having Windows vulns'. NSA told MS - red faces all round but then we're pros right?... move on. Now TSB have nothing except maybe some doco and every USGA after them LOL! Anything else is stretching it. How these idiots came upon EQTN - maybe other people know, I don't. As brokers of 0day exploits, they suck. As to what the NSA should be doing with 'your taxes' - erm, what do you people think the NSA do or, to rephrase, what do you think they should be doing? USGA have layers of expertise available to them and some punkery may have had to have been tolerated at some field level because y'know these skills are in demand and private sector pays more and when a kid has a secret some kids just can't help themselves - they are by definition immature. There is the possibility that NSA work with MS but given the emergency nature of the patch it appears not so, which is disappointing because as a federal employee you do not want to be breaking innocent people's stuff.
> How these idiots came upon EQTN - maybe other people know, I don't.
That's the bit that should really worry you. After all, if the NSA can't keep its goodies under lock and key then that means that others, possibly including your enemies, have those goodies too.
It's one thing to be active in the weapons research domain, it's another to give that research away.
'Give' is harsh if you understand the operational constraints people on government salaries and budgets had to work under. USGAs collected/acquired/amassed rather than developed these and packaged them into a field kit - they were in the dark domain (for $$$), then meh punkery. Sure we'd all love to be chillin' with JMac shootin' up the neighbor's porch. Not just NSA either... just sayin'. Even GCHQ have warez :O TSB are the Curly, Moe and Larry of this sorry affair. They got lucky, now they gonna bees unlucky lol!
So, if the NSA becomes aware of an exploit that they are able to procure for $ and they really have the security of the United States at heart don't you think the proper course of action would be to alert the vendor rather than to leave their own people just as wide open to attack as their enemies?
I could understand them hoarding their own research but this essentially confirms that the NSA doesn't care about the security of the home country as much as they care about being able to infiltrate elsewhere and to me that seems to be a badly chosen priority.
After all they can't know for sure who also has access to that vulnerability.
In this circumstance, the NSA's two missions come into conflict - to spy on foreign targets, and to protect American targets. From the perspective of that institutional mission, it's not clear which motive should win out.
Do you really think that Microsoft are unaware of the limburger that lurks within their codebase to allow subtee, image hijinx, and the rest? cpls and pifs were in Windows 3.1!
I don't know who the "us" and "them" are here, but the fact is the NSA is into global spying and mostly does industrial spying and "business intelligence" so the USA gets and maintains an edge over the rest of the world.
But it also spies on US citizens to be sure to control dissent and shut people down.
> it also spies on US citizens to be sure to control dissent and shut people down.
Yups. Shut dissents down, in an undemocratic way, to keep an undemocratic gov't from receiving public scrutiny. In the meantime keep up the appearance you're fighting (inter)national terrorism. Yeah for "National Security".
By the very nature of the agency's remit their focus will be more in a domestic say than a foreign theater of operations, so 'yes' but 'unfair!' (the bad guys walk amongst you).