UPDATED: NSA Denies Claims That It Knew About Heartbleed And Did Nothing
from the well-that's-comforting dept
Update: The NSA has denied the Bloomberg report, briefly stating that the agency "was not aware of the recently identified Heartbleed vulnerability until it was made public." We'll continue to update as more information emerges.
The internet is still reeling from the discovery of the Heartbleed bug, and yesterday we wondered if the NSA knew about it and for how long. Today, Bloomberg is reporting that the agency did indeed know about Heartbleed for at least the past two years, and made regular use of it to obtain passwords and data.
While it's not news that the NSA hunts down and utilizes vulnerabilities like this, the extreme nature of Heartbleed is going to draw more scrutiny to the practice than ever before. As others have noted, failing to reveal the bug so it could be fixed is contrary to at least part of the agency's supposed mission:
Ordinary Internet users are ill-served by the arrangement because serious flaws are not fixed, exposing their data to domestic and international spy organizations and criminals, said John Pescatore, director of emerging security trends at the SANS Institute, a Bethesda, Maryland-based cyber-security training organization.
“If you combine the two into one government agency, which mission wins?” asked Pescatore, who formerly worked in security for the NSA and the U.S. Secret Service. “Invariably when this has happened over time, the offensive mission wins.”
There is, in fact, a massive hypocrisy here: the default refrain of NSA apologists is that all these questionable things they do are absolutely necessary to protect Americans from outside threats, yet they leave open a huge security hole that is just as easily exploited by foreign entities. Or consider the cybersecurity bill CISPA, which was designed to allow private companies to share network security information with the intelligence community, and vice versa, supposedly to assist in detecting and fixing security holes and cyber attacks of various kinds. But, especially after this revelation about Heartbleed, can there be any doubt that the intelligence community is far more interested in using backdoors than it is in closing them?
Filed Under: heartbleed, nsa, privacy
Reader Comments
They have quite a (by now documented) history of infiltrating and sabotaging security solutions.
[ link to this | view in chronology ]
Re:
It's not impossible that he's lying, but the sort of bug that caused the leak is very plausibly a simple mistake.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
"consumers and other adversaries"
[ link to this | view in chronology ]
“They actually have a process when they find this stuff that goes all the way up to the director” of the agency, Lewis said.
Of course it does.
[ link to this | view in chronology ]
And that's the end of SELinux
[ link to this | view in chronology ]
Re: And that's the end of SELinux
[ link to this | view in chronology ]
Re: Re: And that's the end of SELinux
[ link to this | view in chronology ]
Re: And that's the end of SELinux
[ link to this | view in chronology ]
Re: Re: And that's the end of SELinux
[ link to this | view in chronology ]
Re:
The NSA is not a law enforcement agency.
[ link to this | view in chronology ]
Conflict of interest anyone?
In regards to the idea that the NSA was the cause of the problem, at this point I'd say that's meaningless; if they knew about it and not only did nothing, but actively used it, then they're just as guilty as if they had introduced it themselves.
[ link to this | view in chronology ]
Re: Conflict of interest anyone?
[ link to this | view in chronology ]
Re: Re: Conflict of interest anyone?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
http://www.wyden.senate.gov/news/press-releases/brennan-letter-to-wyden-acknowledges-that-cfaa-applies-to-the-cia
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
If one person can do it, many can. How many others found this bug and used it while the NSA was sitting on its thumbs?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
/s
[ link to this | view in chronology ]
Re: Chronno S. Trigger
No. If you check github, the vulnerable code was first published 16 months ago. So Bloomberg is implying NSA clairvoyance.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
No, that's just not how they work - they'd rather keep it a secret, given their history of coverups and secrecy.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Binary Evaluation Set
The NSA is lying and they actually failed to find the flaw, despite the fact that probing for buffer overruns is Hacking 101.
Result: They are too incompetent to protect us from the real threats.
The NSA is telling the truth and they spent two years knowing about a serious security flaw in the infrastructure of the internet, may have exploited it, and certainly failed to report it to the nation and enable us to protect ourselves.
Result: They committed treason.
Pick one.
[ link to this | view in chronology ]
Re: Binary Evaluation Set
[ link to this | view in chronology ]
Re: Binary Evaluation Set
Treason has a very specific definition: "Waging war against the United States, or giving aid and comfort to its enemies."
The NSA has done neither. Stop using "treason" to describe everything bad someone in the government does.
[ link to this | view in chronology ]
Re: Re: Binary Evaluation Set
[ link to this | view in chronology ]
Re: Re: Re: Binary Evaluation Set
I think failure to act will not meet the bar for treason. You have to actively do something to give aid to a specific nation that is considered an enemy. The NSA didn't take any action here, and their inaction may have helped many bad actors, but not particularly enemy states. My understanding, anyway.
[ link to this | view in chronology ]
Re: Re: Re: Re: Binary Evaluation Set
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Binary Evaluation Set
What you're saying probably has no relevance in the context of the law. It doesn't matter that philosophically choosing not to act is an act; it only matters whether the law considers it so. IANAL but I'm pretty sure the law treats acting and failure to act very differently. The same with the meaning of "enemy".
[ link to this | view in chronology ]
Re: Re: Re: Re: Binary Evaluation Set
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Binary Evaluation Set
That's a terrible analogy to knowing about a security flaw and not publishing it.
[ link to this | view in chronology ]
Re: Re: Binary Evaluation Set
[ link to this | view in chronology ]
Re: Re: Binary Evaluation Set
You are on a really slippery slope if you think the NSA is not a rogue agency, just like the CIA.
[ link to this | view in chronology ]
Re: Re: Re: Binary Evaluation Set
If nobody has ever been convicted of or even charged with treason for doing that, then that claim sounds speculative.
You are on a really slippery slope if you think the NSA is not a rogue agency, just like the CIA.
He specifically said the NSA is doing bad things, just not treason.
[ link to this | view in chronology ]
Interesting how that ties in with previous reporting
Bruce Schneier, a widely followed cryptography expert, author and blogger, characterizes the revelation as explosive. "Basically, the NSA is able to decrypt most of the Internet," he writes in his blog. "They're doing it primarily by cheating, not by mathematics. ... Remember this: The math is good, but math has no agency. Code has agency, and the code has been subverted."
According to the news report, some of NSA's most exhaustive efforts have concentrated on encryption widely used in the United States, including Secure Sockets Layer, virtual private networks and the protection used on fourth generation smart phones.
Note the explicit mention of SSL as well as Schneier's comment that they're decrypting most of the Internet.
[ link to this | view in chronology ]
Swipe at Open Source
"The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development."
and
"While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects."
Let's remember though that while open source developers may have introduced Heartbleed by accident, they also revealed it when they found it. The NSA, by contrast, exploited it even though it was their duty to reveal it. And when the commercial developers at RSA introduced a security flaw, it was deliberate because they were *PAID* to do it.
[ link to this | view in chronology ]
Re: Swipe at Open Source
[ link to this | view in chronology ]
Re: Swipe at Open Source
Obviously, tech observers are coming to the obvious conclusion that there's a bit of a smoking gun here. And Open Source people doth protest too much, methinks.
Clearly, this incident is showing that Open Source software is no panacea in The Battle to Save the Internet (minimal hyperbole intended). The community is going to seriously have to up their game in terms of code openness, oversight, and review, if they want to be taken seriously, from now on...this screw-up was that bad.
[ link to this | view in chronology ]
Re: Re: Swipe at Open Source
I've said that for years. Decades, actually. Open source allows us to play the game, it doesn't guarantee that we'll win it. We clearly need to think about how this went wrong -- whether or not it was deliberate sabotage -- and we need to figure out how to prevent similar failures in the future.
One thing that would sure help would be if all the major sites that rely on this code kicked in a few bucks to support it. $100K is chump change to most of them, but if they all kicked just that tiny amount in, there would be enough funding to put half a dozen people to work on OpenSSL full time and to have the code audited and to have it extensively tested by fuzzers. (Let me note in passing that these operations are spending WAY more than $100K cleaning up this mess. So it would be cost-effective as well as very cheap.)
[ link to this | view in chronology ]
Re: Re: Re: Swipe at Open Source
Me too. And, truthfully, only a small percentage of OSS folks have ever said otherwise (and they're the kind of zealots that exist everywhere and should be disregarded.)
However, the attacks on "open source" that we're seeing now are intimating that there is something about open source that makes it more dangerous to use than closed source, and heartbleed is somehow the proof of this. That's 100% industrial-grade bullshit.
Open source and closed source software are roughly equally error-prone. The history of closed-source software contains quite a few problems on the scale of heartbleed, after all.
The primary difference between the two is that with open source, there's a greater chance that problems will be found before they bite too hard, and even more importantly, they tend to get fixed and those fixes distributed much more quickly.
Closed source software is full of examples of serious vulnerabilities that have gone unfixed for years despite being reported.
[ link to this | view in chronology ]
Re: Re: Re: Re: Swipe at Open Source
Compare, for example, the speed with which this flaw was (a) disclosed (b) analyzed (c) measured (d) fixed in the source (e) fixed in the distributions that use it (f) published (in the source and in the distributions) and (g) made understandable by a plethora of web sites, proof-of-concept attack tools, etc. with, for example the glacial response of Adobe to a 0-day in Acrobat: http://news.slashdot.org/story/11/12/07/0057227/adobe-warns-of-critical-zero-day-vulnerability
The impressive response speed (some distributions were updated within 12 hours) probably helped partially mitigate the consequences of this. That's only possible because it's open source -- well, and because everyone recognized how serious this was rather quickly. That, at least, is one positive takeaway from the situation.
[ link to this | view in chronology ]
Re: Re: Re: Re: Swipe at Open Source
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Swipe at Open Source
Just look at how much Microsoft is raking in to maintain XP for various governments and large firms.
[ link to this | view in chronology ]
Re: Re: Swipe at Open Source
It is interesting that even corporations who PAY people to work on open-source projects didn't find this (and presumably other problems yet to be uncovered). It is asking a great deal of volunteers to work on this type of project if nobody is feeding them or paying their mortgage. One of the biggest problems has always been the lack of strong technical management for many open-source projects. I would do it but I also need to eat.
[ link to this | view in chronology ]
Re: Re: Re: Swipe at Open Source
[ link to this | view in chronology ]
Re: Re: Re: Swipe at Open Source
[ link to this | view in chronology ]
Re: Re: Swipe at Open Source
No, open source software IS the internet. Open source definition: All the open projects of smart people who have actually created the internet for all practical purposes, as it is known today. Smart people like to do things openly, that way other smart people can contribute. Smart, huh?
Proprietary internet software: capitalists attempting to profit from the internet by attempting (and usually failing) to create equivalent proprietary versions of open source technology (once they see what cool new tool the smart people have made, they want to glom on for free and then sell it to others). These flawed technologies are then marketed to users, and obtain their userbase by virtue of that marketing rather than actual usefulness of the proprietary tool. Which is usually a broken and relatively hapless attempt to imitate what open source successfully does. Take a look at AD vs LDAP if you need an example.
Make no mistake, without the open source community through the years, today's internet would not exist. Period.
[ link to this | view in chronology ]
If this is true...
The "bad guys" were probably the first to act on the news of this exploit, as they probably have the most to lose - so any pilfered passwords or keys that the NSA has already collected from them are probably junk now.
On the bright side, maybe the internet will "speed up" as the NSA will stop pounding against servers worldwide siphoning off the data that they've had unfettered access to for 2 years now.
[ link to this | view in chronology ]
Re: If this is true...
The scariest part is not that other intelligence agencies might also have had access -- although that's worse.
The scariest part is that there exist criminal organizations on this planet with the financial and personnel resources to get in on this game too. There are some enormous operations that involve the fusion of organized crime with extremely smart highly-skilled technical people -- the prototype of which was the Russian Business Network. These organizations are smart enough, rich enough, and clueful enough to exploit this.
[ link to this | view in chronology ]
Re: Re: If this is true...
[ link to this | view in chronology ]
This story just keeps going. It seems to have the legs of a giraffe. Every time you think they couldn't possibly sink lower, you get a new reset on what that low is.
Face it, the entire government has gone bonkers for data and any excuse, be it terrorism, kids, mom, or apple pie will work.
When will enough actually be enough?
[ link to this | view in chronology ]
"Anyone who complains about their banks being vulnerable to hackers is a sissy! Either man up or start keeping your money in your mattress."
(Hey, any bank CEOs out there? You're not getting your lobbying money's worth. Just saying.)
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
NSA and Heartbleed
[ link to this | view in chronology ]
FIPS
[ link to this | view in chronology ]
Re: FIPS
[ link to this | view in chronology ]
They called it something else.
[ link to this | view in chronology ]
Is that their least untruthful answer?
[ link to this | view in chronology ]
Re: NSA denial
* The NSA only considers itself "aware" of information when that information has been distributed to all employees and contractors.
* They consider an exploit to be "made public" the first time they transmit it across the Internet.
* They consider it public when the vulnerable source code is posted.
* They knew about it, but not by the name "Heartbleed".
* The vulnerability was discovered earlier by someone else and "published" on some obscure hacking forum.
* The Five Eyes use wilful blindness for deniability: another agency developed the exploit, and sometimes the NSA asks them to grab and share some data without revealing how they got it.
* The NSA knew about it and can't come up with any semantic tricks to justify a denial, and they simply don't care about lying.
[ link to this | view in chronology ]
Hard to believe...
I would believe they knew about it before it became public, but I have a hard time believing two years ago.
[ link to this | view in chronology ]
Re: Hard to believe...
It's the weekend. Give Glenn a few days to find the document.
[ link to this | view in chronology ]
Re: Re: Hard to believe...
[ link to this | view in chronology ]
Re: Re: Hard to believe...
[ link to this | view in chronology ]
Interesting
But I find it rather doubtful that the most powerful spy agency in the world, with all of its varied resources would not be privately aware of a vulnerability that would open up a technological nightmare -- they're supposed to be on the job for finding this kind of problem (defensive) and stopping hostile agents from using it against us.
We won't talk about their efforts with various companies in opening up their source code and backdoors in the past. I mean, they weren't looking for them and attempting to get them put in themselves?
Yes, it does seem a bit odd that they would not be the first to at least have heard about the problem in the beginning through private channels.
If that's the case, they're the most incompetent spy agency in the world.
[ link to this | view in chronology ]
Re: Interesting
Do those private channels include all the Internet communications, like between two black hat hackers?
[ link to this | view in chronology ]
They have a name for this
[ link to this | view in chronology ]
So the NSA is TOTALLY INCOMPETENT
[ link to this | view in chronology ]
US govt knew
THIS IS WHY WE KNOW THE NSA KNEW OF THIS BUG
[ link to this | view in chronology ]
A hundred years ago...
[ link to this | view in chronology ]
I'd like to know if there's a record of any security holes the NSA has gotten knowledge of in the past which were forwarded to developers in charge?
Anybody?
[ link to this | view in chronology ]