Or, alternatively, it may suggest that the NSA’s classified systems are not very secure, which seems at least as possible: they may rely on requiring physical access to these systems to even attempt to penetrate them.

Curl is such a small utility, and the effect of any single problem is limited.

Mythos's great strength was finding multiple vulnerabilities and chaining them together to break a whole system.

Look at it like this: It found one confirmed, minor vulnerability in Curl (but I don't think they have said what it was?). In another system that used Curl it's possible it could have exploited that vulnerability to chain to another, bigger vulnerability that was normally inaccessible.

That's how systems get broken.

>> The curl experience does not suggest that hysteria is warranted, but this gives me pause.

What about the Firefox experience?

Or are we conveniently ignoring things that don't confirm conclusions we've already reached?