Obama Tells NSA To Reveal, Not Exploit, Flaws... Except All The Times It Wants To Do The Opposite
from the a-bias? dept
Last week there was some confusion as Bloomberg published a story claiming that the NSA was well aware of the Heartbleed bug and had been exploiting it for "at least" two years. That seemed fairly incredible, given that the bug had only been around for slightly over two years. The NSA came out with a pretty strongly worded denial -- which left out much of the usual equivocation and tricky wording that the NSA normally uses in denying things. The general consensus seems to be that it is, in fact, unlikely that the NSA knew about Heartbleed (though that makes some wonder if some team at the NSA is now in trouble for not figuring it out). If anything, it seems likely that the Bloomberg reporters got confused by other programs that the NSA is known to have to break parts of SSL, something it's supposedly been able to do since around 2010.However, the NY Times had a story this weekend about how this move has forced the administration to clarify its position on zero day exploits. It's already known that the NSA buys lots of zero day exploits and makes the internet weaker as a result of it. Though, in the past, the NSA has indicated that it only makes use of the kinds of exploits that only it can use (i.e., exploits that need such immense computing power that anyone outside of the NSA is unlikely to be able to do anything). However, the NY Times article notes that, following the White House's intelligence review task force recommendation that the NSA stop weakening encryption and other technologies, President Obama put in place an official rule that the NSA should have a "bias" towards revealing the flaws and helping to fix them, but leaves open a massive loophole:
But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.Amusingly, the NY Times initially had a title on its story saying that President Obama had decided that the NSA should "reveal, not exploit, internet security flaws," but the title then changed to the much more accurate: "Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say."
Of course, the cold war analogy used by people in the article seems... wrong:
“We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.”Except, it's meaningless that no one expects the Chinese (or the Russians or anyone else) to give up zero days. The simple fact is that if the NSA were helping to stop zero days that would better protect everyone against anyone else using those zero days. In fact, closing zero days is just like disarming both sides, because it takes the vulnerability out of service. It's not about us giving up our "weapons," it's about building a better defense for the world. And yet the NSA isn't willing to do that. Because they're not about protecting anyone -- other than themselves.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: barack obama, exploits, heartbleed, national security, nsa, surveillance
Reader Comments
Subscribe: RSS
View by: Time | Thread
That's only true if we know the same 0-days that the others know.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
The only exploits relevant to this story are the ones the NSA knows about.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Splitting the NSA
[ link to this | view in chronology ]
Re:
Ever since the US Cyber Command was merged with NSA, it has become a major force of corruption within NSA.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Both agencies would waste taxpayer money racing to out'wit' (I use the term 'wit' very loosely) the other agency.
[ link to this | view in chronology ]
Evidence (or lack thereof) whether the NSA knew about Heartbleed
[ link to this | view in chronology ]
Re: Evidence (or lack thereof) whether the NSA knew about Heartbleed
According to The Guardian's analysis of the Snowden documents, under Bullrun, the NSA "has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking."
The NSA's cracking might be of a different nature. Who knows? But to me, a rose by any other name...
[ link to this | view in chronology ]
Re: Evidence (or lack thereof) whether the NSA knew about Heartbleed
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Not buying it
The error itself is pretty standard. Blame C and buffer handling. The NSA geeks are fully aware of the buffer problems associated with C. They have TEAMS dedicated to finding and exploiting these errors.
The OpenSSL library would be a major target for NSA hackers. The Open Source community audits software. The NSA REALLY audits software, especially an encryption library used by huge numbers of folks.
My conclusion? The NSA knew about this bug within days of its release. It is impossible to come to any other conclusion. You may have issue about the technical competence of the federal government, but the NSA is the cream of the crop. There is no way they didn't know about this, with hundreds of devs combing through every line of this code.
And speaking of Snowden documents, expect one that details their experience with this exploit. Remember BULLRUN? "Do not ask or speculate on sources or methods underpinning BULLRUN successes." We don't have to speculate anymore.
[ link to this | view in chronology ]
Two exceptions, other governments, and all those bot-herders, who also have massive computing power available, and with zero costs to use it.
[ link to this | view in chronology ]
Why did he even bother?
[ link to this | view in chronology ]
Re: Why did he even bother?
'Amusingly, the NY Times initially had a title on its story saying that President Obama had decided that the NSA should "reveal, not exploit, internet security flaws," but the title then changed to the much more accurate: "Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say." '
Presumably there are still people who believe the original headline.
[ link to this | view in chronology ]
Crazy
That's simply crazy thinking, right there. Computing power continues to get cheaper every day. Right now, it is technically within many individual's financial ability to build their own supercomputer. Not one of the best ones, but get a small group of modestly wealthy people together and you're golden. You can build a supercomputer that rivals anything the NSA has going.
[ link to this | view in chronology ]
Re: Crazy
There are computing operations running right now that have more CPU cycles, more memory, more storage, and more network bandwidth than Google and about a dozen of its peers combined. Botnets with tens of millions of systems are now ordinary.
Granted, not every computing task maps well to that architecture, but a lot of them do. As we've seen.
We're now into the second decade of botnets and so far, nobody has done anything meaningful about them. Nothing. Oh, there have been busts (yawn) and press conferences and agendas and meetings and all kinds of other feelgood happytalk bullshit, but nobody has actually attacked the underlying problem...and thus there's no reason to expect it to get any better, and lots of reasons to expect it to get worse.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re: not bad for the 'most transparent administration in US history', eh?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
I don't think it's an issue of competence, but of objectives.
[ link to this | view in chronology ]
Don't worry, the NSA will reveal flaws to others in the future
In other words, it's the unwritten "everyone important that was involved in this is dead now so who cares if the public finds out" rule.
[ link to this | view in chronology ]
Se-cu-ri-ttty
[ link to this | view in chronology ]
[ link to this | view in chronology ]
THE ONLY SOLUTION
END YOUR OPPRESSION AMERICA
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
These two task are mutually exclusive. So all we get is them exploiting the network and keeping those exploits a secret, which means those exploits won't get fixed as quickly, if ever, which means that the entire security of the net is endangered by the NSA.
[ link to this | view in chronology ]
Share it with Cisco, deny it to Huawei
That way, NSA could protect their own people while keep on spying on those cheap bastards that buy Chinese knock-offs.
[ link to this | view in chronology ]
Re: Share it with Cisco, deny it to Huawei
1) If the NSA finds an exploit, so will criminal crackers. It won't stay a secret.
2) If Cisco equipment uses an exploit, Huawei (and all other similar companies), as well as criminal crackers, will find it as soon as they reverse engineer the Cisco equipment (which all groups do whenever a new model is released). It won't stay secret.
No matter what, these exploits won't stay secret. The NSA is even behind the curve in finding them -- they purchase most of them form the black and gray markets. By keeping any exploit a secret, the only thing that's accomplished is that critical infrastructure and everyone using it is left vulnerable to an exploit they may not know about but all the crooks do.
[ link to this | view in chronology ]
Re: wi-fi
[ link to this | view in chronology ]