Would You Trust The NSA's Advice On How To Deal With Heartbleed?
from the didn't-think-so dept
Somewhat late to the game (about a week after the Heartbleed vulnerability was publicly revealed, and a few days after it was reported, and denied, that the NSA was already well aware of Heartbleed and exploiting it), the NSA has put out a one-page PDF about Heartbleed. This seems like something of a too-little, too-late effort by the NSA to live up to its semi-promise of a "bias" towards revealing vulnerabilities over exploiting them. That leads to the simple question plenty of people should be asking: given everything you've learned about the NSA recently (or, well, for years), would you trust the NSA's advice on how to deal with Heartbleed? Not that I think the NSA would publicly suggest anything bad, but at this point, the NSA has a serious trust problem in convincing anyone engaged in computer security that they have their best interests in mind.
Filed Under: heartbleed, nsa, openssl, trust
Reader Comments
Long answer:
I would look at their paper and study the proposed fixes extensively before making my mind. So the answer is no, I would not trust them at all but I would not discard it either. I would compare it to News from FoxNews: you can use them as a starting point but you'll only know if it's true and sticks to real facts if you give it careful scrutiny.
Re:
I wouldn't reject everything they say outright, but I couldn't trust them without extra research. If there are no independent sources, I'll just assume they're lying. So, I agree - short answer = no.
Re: Re:
And even if their coverage is factually accurate, you know they'll spin the hell out of it. E.g., compare their coverage of the NSA scandals during Bush to Obama. You'll see that they're a lot more OK with it if it's 'their guy' calling the shots.
Re:
Long answer : Nooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooo
predictions
1. Email everything on your hard drive to the NSA.
2. Google how to protect yourself, then do that.
Love,
The NSA
Now they up and expect people and companies to take their advice??
I highly doubt, after everything the NSA has been doing against friendly and non-friendly governments and its own citizens, that anyone would heed their advice.
Re:
If you believe that you will believe anything.
The vulnerable versions of OpenSSL weren't even in any stable distributions for that long!
Re:
Seems to me much too much paranoia about the NSA. Yes, there are some things that it has the capability of doing that raise people's "pucker factor", but all the conjecturing of what it "might" be doing, "could" be doing if it wished, etc. adds little of substance to the discussion. And for those who say "But...look at all the times it has broken its internal rules", ponder this (never mind that most, if not all, are of virtually no significance). How many intelligence services worldwide have internal investigation arms and engage in self-reporting? We all should know that countries with intelligence capabilities engage, more or less, in many of the same types of activities associated with US intelligence agencies. Funny, but I do not see them beating themselves up as an ordinary part of their internal checks and balances as performed by our agency IGs.
The US system is far from perfect and should always be challenged to prevent it from overstepping its bounds, but so much of the debate I have been reading about makes it seem as if many will be satisfied only with the complete abandonment of intelligence gathering activities.
1) Finding an image, and formatting the document, after cutting and pasting from public sources, took a lot of effort.
2) The exchange of memos to get permission to republish public information took a lot of time.
3) All targets of interest have fixed the problem, and the exploit is of no further interest to them.
r u sirius ? ? ?
I'm more afraid of my own government infecting my computer than I am of skeevy pirate sites.
I firmly and fully believe that the NSA is going to screw me at every opportunity and in every way possible in their sick drive to establish the ultimate in totalitarianism with only elitists from the great Ivy League hate schools as directors in a system more controlling than the worst than the most barbarity than any that ever existed in the past with a morality equivalent of Stalinist Russia, Mao's China, and Pol Pot's Cambodia and all this done in the name of racial equality, women's rights, and sexual freedom whose participants are logged, recorded, and categorized for re-education in typical North Korean, Soviet, or Chinese style communist gulag extermination camps.
Trust the NSA?
Re: Trust the NSA?
Unless you want to leave OpenSSL, that's the right thing to do.
1. Turn off any firewalls, intrusion detection/prevention, and anti-virus programs. These applications are being actively exploited by this vulnerability and, if infected, can cause grave harm to your computer. There have even been reports of entire houses being burned to the ground when Heartbleed mixes with ZoneAlarm. Additionally, many of these programs are open-source, meaning that terrorists could easily modify the application code to accomplish their own anti-American goals, such as draining your bank account and turning your pets and/or children gay.
2. Change your DNS settings to point to boris.nsa.gov and natasha.nsa.gov. These are the NSA's highly secure DNS servers. Your privacy is of the utmost importance to the NSA. By default, all DNS queries will be logged on super-secret systems housed in concrete bunkers buried 200 meters below the Arizona desert. To opt-out of this and request that none of your queries be logged, send a postcard with your return address to "DNS OPT-OUT, Box 42, Langley, VA" (no quotes). An agent will personally contact you to make arrangements for an in-home visit. Please leave your door unlocked.
3. Contact your federal representatives and request that more funds be provided to the NSA in order to protect Americans and American interests both at home and abroad. What good are free school lunches, libraries, and homeless shelters if terrorists are raining hellfire and releasing locusts with herpes across the United States heartland? This additional funding will go towards capturing terrorists, seizing their assets, and shuttering their propaganda websites such as Fox News, The Guardian, and TechDirt.
These tips have been provided as a courtesy by the United States National Security Agency. Remember: Be Safe. Be Smart. Don't be afraid to report your fellow citizens to your local law enforcement agency if you see something suspicious, such as taking out the trash (they could be disposing of terrorist materials and/or correspondence) or leaving for work (building missiles, mixing anthrax, or visiting a mosque).
Dragnet surveillance was a retarded move by the NSA
The NSA are the retarded victims of it too. If they focused on targeted surveillance then there wouldn't be any complaints so long as it was justified targeting. They focused on dragnet surveillance because some company said they could spy on us all and won a government contract (x1000 instances)... but people inevitably found out.
The fucking idiots at NSA should have done their job and provided security against those contractors who wanted to break laws for multi-billion contracts.
Now EVERYONE must use good encryption, NSA-Proof their systems and services. DOH!
----Nsa-Proof----
Make software/systems more secure than they need to be because the NSA are retarded and could be working for McDonalds if some corrupt politician wanted to say thanks for some bribes.
I have no idea whether that PDF is safe or not, and I'm pretty sure I don't even have Acrobat Reader on this computer (I use Sumatra PDF), but you couldn't PAY me to download that PDF file.
Re:
at this point, the NSA has a serious trust problem in convincing anyone engaged in computer security that they have their best interests in mind.
Re: at this point, the NSA has a serious trust problem in convincing anyone engaged in computer security that they have their best interests in mind.
"Why do you think that Sun's Java has had such a hard times for at least 20-25 years"
You don't see the contradiction here?
But, hey, just place the blame at the most convenient target and whine about him. Nothing else that happened in the past could possibly have led to the current situation, certainly nothing done by previous administrations! No, it's just this one guy, nobody else would possibly have done this, and it would never had happened if the other guys had won!
"Why do you think that Sun's Java has had such a hard times"
Because it's no longer owned by Sun, a company that no longer exists? Because the company that now owns them, Oracle, has a poor record of providing patches, at one time refusing to release urgent fixes in favour of trying to force Java into a quarterly update system that's woefully inadequate for this kind of software? Because Java has some inherently insecure design faults going back to its inception - something that's now admitted and has forced Java to disable some functionality that was once considered its main selling point (e.g. browser applets)? Because OS manufacturers - especially Microsoft - have gotten so good at securing their OSes that it's now browser plugins and not the OS itself that represent the best way to compromise a system, and people who wish to do so will use the easiest point of entry?
No, it's all Obama. Of course it is. Whatever helps you find an easy target instead of dealing with that complicated reality stuff.
Re: at this point, the NSA has a serious trust problem in convincing anyone engaged in computer security that they have their best interests in mind.
Something tells me that if Obama wanted to shut down the over-broad NSA spying programs you would be pissed at Obama.
Well at least you aren't complaining about the non-scandals like Libya and IRS etc.. So I'll give you credit for having a valid reason.... this time.
Also... Sun Java is full of bugs because of what Java is. It's an interpreted language that gets nearly full OS-level access.
Of fucking course it's going to get security bugs.
Java isn't virtually sandboxed like "javascript in your browser" is ffs. Java is like a "virtual OS" running on your box with nearly unlimited access to your real OS.
Of fucking course it's going to get security bugs....by nature of what Java is.
Yes, I would trust the NSA completely
The NSA would like you to download and install this national security protection software onto your computer. It is a good idea. And it is for your protection. (Sort of like how Macrovision Quality Protection is for your protection somehow?)
But it reminds me of an old subliminal message:
The NSA
is your friend
trust the NSA
Or: the NSA is mother, the NSA is father
Answer
I would rely on independent sources for advice rather than the NSA.
RCMP (fed FBI of Canada) asked CRA not to divulge SIN number thefts
http://www.cbc.ca/news/business/heartbleed-bug-rcmp-asked-revenue-canada-to-delay-news-of-sin-thefts-1.2609192#commentwrapper
and they quickly closed comments on this.... it's an embarrassment for all the govt cause they know about it and were like the NSA stealing people's identity for abuse all themselves.
fucking govt's time to take back fucking democracy
and it's fucking snowing in mid April?????
WTF
Trust who?
But they don't trust us either.
So we're even.
Signs point to 'No'
Silence isn't golden
MWAHAHAHAHA...gasp, gasp...HAHAHAHA...gasp, gasp...er, no.
Just to be clear: once the patch is applied, all certificates must be regenerated, not only personal ones; system-wide ones must be changed too.
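A defender-side companion to the "patch first, then regenerate" point above, as an added example that is not from the article or any commenter. It classifies an `openssl version` banner against the affected range (1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g and later 1.0.x releases carry the fix; other branches never had the heartbeat bug), then mints a fresh key and CSR and checks that a reissued certificate really carries the new public key. The function names are my own; the sample banners are constructed.

```shell
#!/bin/sh
# Added example, not from the Techdirt article or its commenters.
# Two steps around the "patch, then regenerate" advice:
#   1. classify an `openssl version` banner against the Heartbleed range
#   2. mint a fresh private key and CSR once the host is confirmed patched

# Print "vulnerable", "fixed" or "unaffected" for a banner such as
# "OpenSSL 1.0.1e 11 Feb 2013" (a bare version string also works).
# Affected: 1.0.1 through 1.0.1f and 1.0.2-beta1. 1.0.1g and later
# 1.0.x releases carry the fix. 0.9.8, 1.0.0 and 1.1+/3.x never
# contained the heartbeat bug.
# Caveat: distributions backport fixes without bumping the upstream
# version (a patched build can still report 1.0.1e), so treat
# "vulnerable" as "check the package changelog", not as a verdict.
heartbleed_version_status() {
  ver=${1#* }        # drop the leading "OpenSSL " token, if any
  ver=${ver%% *}     # drop the build date that follows the version
  case "$ver" in
    1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) echo vulnerable ;;
    1.0.2-beta1)                   echo vulnerable ;;
    1.0.1*|1.0.2*)                 echo fixed ;;
    *)                             echo unaffected ;;
  esac
}

# Classify the library installed on this host ("unknown" if no openssl).
local_openssl_status() {
  if command -v openssl >/dev/null 2>&1; then
    heartbleed_version_status "$(openssl version)"
  else
    echo unknown
  fi
}

# Generate a new RSA key and CSR for host $1 in directory $2 (default: cwd).
# Run this only after the patched library is installed AND every service
# that loaded the old one has been restarted; a key generated earlier is
# exposed again the moment a still-vulnerable process loads it.
regenerate_key_and_csr() {
  host=$1
  outdir=${2:-.}
  umask 077          # the private key must not be group/world-readable
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$outdir/$host.key" 2>/dev/null &&
  openssl req -new -key "$outdir/$host.key" -subj "/CN=$host" \
    -out "$outdir/$host.csr"
}

# Confirm a reissued certificate ($1) carries the public key of the new
# private key ($2); re-signing the old CSR would leave the leaked key live.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample banners, as a stand-alone demonstration.
for banner in "OpenSSL 1.0.1e 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014" \
              "OpenSSL 1.0.2-beta1 24 Feb 2014" "OpenSSL 1.0.0l 6 Jan 2014"; do
  printf '%-35s %s\n' "$banner" "$(heartbleed_version_status "$banner")"
done
```

The order matters: the key is what a heartbeat read can leak, so regenerating the key (and revoking the certificate that bound the old one) is the substance of the comment's advice; a certificate reissued over the same key changes nothing. The version check is a first pass only, because a distro build that reports 1.0.1e may already carry the backported fix.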
Re:
Why are they doing this, and will it work?
Given that the public (and many private) announcements are perceived as being devoid of truth they have a long way to climb back into the light of public approval.
This is a distraction. The real issue is splitting the organisation. The Public Protection section cannot be the same as the Attack the Public section.
At the end of the day we need some of what they do, we just need a return of morality and balance.
It's a long, long road out of Hell, for these guys.
Trust a NSA PDF directed to people concerned about security?