Data remain safe, most of the time. The attacker needs access to the computer minutes after the user has walked away, and if he arrives later the data stay locked. If the user guards the computer jealously, by clutching it close to the chest, or, as Atlantic employees with company-issued laptops are required to do, entrusting it during nights and weekends to a Gurkha security team, then even the geeks of Princeton can’t get in.
One line from John Markham’s informative NYT article stood out. “The team […] did not know if such an attack capability would compromise government computer information, because details of how classified computer data is protected are not publicly available.” Many readers will take this statement as a sign of government computers’ security.
Security experts would suggest the opposite conclusion: vulnerabilities reveal themselves only when many eyes are looking for them. It took so long to find this one because thousands of computer scientists and engineers all over the world have over the years collaborated to make encryption stronger. The government’s methods, if they are different, will have had none of the same scrutiny. And other than a squad of Gurkhas, scrutiny is the only security worth having.
Originally appeared at TheAtlantic.com