Would You Trust The NSA's Advice On How To Deal With Heartbleed?

from the didn't-think-so dept

Somewhat late to the game (by about a week), after the Heartbleed vulnerability was publicly revealed, and a few days after it was reported and denied that the NSA was already well aware of Heartbleed and exploiting it, the NSA has put out a one-page PDF about Heartbleed. This seems like something of a too little, too late effort by the NSA to live up to its semi-promise of a "bias" towards revealing vulnerabilities over exploiting them. However, that leads to the simple question that plenty of people should be asking: given everything you've learned about the NSA recently (or, well, for years), would you trust the NSA's advice on how to deal with Heartbleed? Not that I think the NSA would publicly suggest anything bad, but at this point, the NSA has a serious trust problem in convincing anyone engaged in computer security that it has their best interests in mind.


Filed Under: heartbleed, nsa, openssl, trust


Reader Comments




  • Ninja (profile), 15 Apr 2014 @ 3:51am

    Short answer? No.

    Long answer:

    I would look at their paper and study the proposed fixes extensively before making my mind. So the answer is no, I would not trust them at all but I would not discard it either. I would compare it to News from FoxNews: you can use them as a starting point but you'll only know if it's true and sticks to real facts if you give it careful scrutiny.


    • PaulT (profile), 15 Apr 2014 @ 5:46am

      Re:

      Fox is probably a good comparison. Sometimes they might be telling you something truthful, even useful. But I wouldn't trust them without having verified the information with independent alternative sources.

      I wouldn't reject everything they say outright, but I couldn't trust them without extra research. If there are no independent sources, I'll just assume they're lying. So, I agree - short answer = no.


      • Anonymous Coward, 15 Apr 2014 @ 7:01am

        Re: Re:

        Problem is that they blur the line between news and infotainment to the point it's indistinguishable.

        And even if their coverage is factually accurate, you know they'll spin the hell out of it. E.g.: compare their coverage of the NSA scandals during Bush to Obama. You'll see that they're a lot more OK with it if it's 'their guy' calling the shots.


    • Anonymous Coward, 15 Apr 2014 @ 7:08am

      Re:

      Short answer: No
      Long answer : Nooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo oooooooooooooooooooooooooooooooooooooooooooooooo


  • Anonymous Coward, 15 Apr 2014 @ 5:22am

    Fuck no!


  • beech, 15 Apr 2014 @ 5:26am

    predictions

    Hello citizens! We hear you are concerned about this vulnerability. Here is how to protect yourself:

    1. Email everything on your hard drive to the NSA.
    2. Google how to protect yourself, then do that.

    Love,
    The NSA


  • Anon E. Mous (profile), 15 Apr 2014 @ 5:27am

    Trust the NSA? Who on earth could take anything the NSA has to say as truth or even good advice. The NSA it has been reported has been exploiting this flaw for over two years!!

    Now they up and expect people and companies to take their advice??

    I highly doubt after everything the NSA has been doing against friendly and non-friendly governments and its own citizens that anyone would heed their advice.


    • Anonymous Coward, 16 Apr 2014 @ 1:42am

      Re:

      "The NSA it has been reported has been exploiting this flaw for over two years"

      If you believe that you will believe anything.

      The vulnerable versions of OpenSSL weren't even in any stable distributions for that long!


  • Anonymous Coward, 15 Apr 2014 @ 5:27am

    Short answer: No. Having looked over this document, I will say that, in this case, it's accurate. However, this sort of thing should be coming from US-CERT, NOT from the NSA.


    • Anonymous Coward, 15 Apr 2014 @ 5:54am

      Re:

      Such a document coming from the alternate source you mention would doubtless be questioned because it comes from the USG and, after all, the USG is under the spell of the NSA.

      Seems to me much too much paranoia about the NSA. Yes, there are some things that it has the capability of doing that raise people's "pucker factor", but all the conjecturing of what it "might" be doing, "could" be doing if it wished, etc. adds little of substance to the discussion. And for those who say "But...look at all the times it has broken its internal rules", ponder this (never mind that most, if not all, are of virtually no significance). How many intelligence services worldwide have internal investigation arms and engage in self-reporting? We all should know that countries with intelligence capabilities engage, more or less, in many of the same types of activities associated with US intelligence agencies. Funny, but I do not see them beating themselves up as an ordinary part of their internal checks and balances as performed by our agency IGs.

      The US system is far from perfect and should always be challenged to prevent it from overstepping its bounds, but so much of the debate I have been reading about makes it seem as if many will be satisfied only with the complete abandonment of intelligence gathering activities.


  • Anonymous Coward, 15 Apr 2014 @ 5:33am

    Looking at the document, it has taken them a week to republish public information, available when the story broke. This could be due to one or more of the following:
    1) Finding an image, and formatting the document, after cutting and pasting from public sources, took a lot of effort.
    2) The exchange of memos to get permission to republish public information took a lot of time.
    3) All targets of interest have fixed the problem, and the exploit is of no further interest to them.


  • art guerrilla (profile), 15 Apr 2014 @ 5:54am

    r u sirius ? ? ?

    wouldn't trust the scumbags with my national security, much less a nosebleed...


  • Anonymous Coward, 15 Apr 2014 @ 5:56am

    HA! I wouldn't even open a PDF from them. It probably has some damn exploit weaved into it that will release more of my personal info.

    I'm more afraid of my own government infecting my computer than I am of skeevy pirate sites.


  • Anonymous Coward, 15 Apr 2014 @ 5:59am

    Contrary to everybody else I fully trust the NSA.

    I firmly and fully believe that the NSA is going to screw me at every opportunity and in every way possible in their sick drive to establish the ultimate in totalitarianism with only elitists from the great Ivy League hate schools as directors in a system more controlling than the worst, than the most barbarity, than any that ever existed in the past, with a morality equivalent of Stalinist Russia, Mao's China, and Pol Pot's Cambodia, and all this done in the name of racial equality, women's rights, and sexual freedom whose participants are logged, recorded, and categorized for re-education in typical North Korean, Soviet, or Chinese style communist gulag extermination camps.


  • tomczerniawski, 15 Apr 2014 @ 6:31am

    Trust the NSA?

    Why would anyone do that? Chances are their recommended "fix" would be just another backdoor.


    • sqlrob, 15 Apr 2014 @ 7:03am

      Re: Trust the NSA?

      Their fix is to patch to the latest version.

      Unless you want to leave OpenSSL, that's the right thing to do.


  • Coogan (profile), 15 Apr 2014 @ 7:15am

    Greetings, citizen. The NSA is concerned that the latest Heartbleed vulnerability circulating around the Internet (aka, "the Web", "the Net", "Google") is exploiting the computers and mobile devices of the American populace. As such, the security experts at the NSA have come up with some best practices all Americans can apply to keep themselves from falling victim to any nefarious Al-Qaeda, Russian, or alien schemes.

    1. Turn off any firewalls, intrusion detection/prevention, and anti-virus programs. These applications are being actively exploited by this vulnerability and, if infected, can cause grave harm to your computer. There have even been reports of entire houses being burned to the ground when Heartbleed mixes with ZoneAlarm. Additionally, many of these programs are open-source, meaning that terrorists could easily modify the application code to accomplish their own anti-American goals, such as draining your bank account and turning your pets and/or children gay.

    2. Change your DNS settings to point to boris.nsa.gov and natasha.nsa.gov. These are the NSA's highly secure DNS servers. Your privacy is of the utmost importance to the NSA. By default, all DNS queries will be logged on super-secret systems housed in concrete bunkers buried 200 meters below the Arizona desert. To opt-out of this and request that none of your queries be logged, send a postcard with your return address to "DNS OPT-OUT, Box 42, Langley, VA" (no quotes). An agent will personally contact you to make arrangements for an in-home visit. Please leave your door unlocked.

    3. Contact your federal representatives and request that more funds be provided to the NSA in order to protect Americans and American interests both at home and abroad. What good are free school lunches, libraries, and homeless shelters if terrorists are raining hellfire and releasing locusts with herpes across the United States heartland? This additional funding will go towards capturing terrorists, seizing their assets, and shuttering their propaganda websites such as Fox News, The Guardian, and TechDirt.

    These tips have been provided as a courtesy by the United States National Security Agency. Remember: Be Safe. Be Smart. Don't be afraid to report your fellow citizens to your local law enforcement agency if you see something suspicious, such as taking out the trash (they could be disposing of terrorist materials and/or correspondence) or leaving for work (building missiles, mixing anthrax, or visiting a mosque).


  • kazolar (profile), 15 Apr 2014 @ 7:40am

    NSA has no credibility -- even if their advice was legitimate and helpful -- they should just keep their mouth shut about internet security matters, because whatever they say will be looked at with skepticism. It's like asking someone -- when did you stop beating your wife? -- can't win


  • Anonymous Coward, 15 Apr 2014 @ 7:50am

    Dragnet surveillance was a retarded move by the NSA

    It's way worse than "not trusting the NSA". People don't trust the US government because they are corrupted completely by "special interests".


    The NSA are the retarded victims of it too. If they focused on targeted surveillance then there wouldn't be any complaints so long as it was justified targeting. They focused on dragnet surveillance because some company said they could spy on us all and won a government contract (x1000 instances)... but people inevitably found out.

    The fucking idiots at NSA should have done their job and provided security against those contractors who wanted to break laws for multi-billion contracts.
    Now EVERYONE must use good encryption, NSA-Proof their systems and services. DOH!


    ----Nsa-Proof----
    Make software/systems more secure than they need to be because the NSA are retarded and could be working for McDonalds if some corrupt politician wanted to say thanks for some bribes.


  • Anonymous Coward, 15 Apr 2014 @ 7:54am

    I sincerely hope that everyone here remembered that one of the NSA's known tools is a 0-day exploit that lets them take complete control of computers running Adobe Acrobat Reader.

    I have no idea whether that PDF is safe or not, and I'm pretty sure I don't even have Acrobat Reader on this computer (I use Sumatra PDF), but you couldn't PAY me to download that PDF file.


    • NSA, 15 Apr 2014 @ 8:08am

      Re:

      Dang it, you cracked the code! Um... You're under arrest! Because national security! If we don't ruin your life and send you to jail, the terrorists win!


  • Jerrymiah, 15 Apr 2014 @ 8:08am

    at this point, the NSA has a serious trust problem in convincing anyone engaged in computer security that they have their best interests in mind.

    Fucking no. I wouldn't trust anything that Obama's Fourth Reich has to say about this. They have been screwing the software industry four years now and are not ready to stop. Why do you think that Sun's Java has had such a hard times for at least 20-25 years to have that application free of bugs and back doors, and every time it comes up with an upgrade they believe will work, it is broken into as soon as it is released? Same thing with Adobe products (i.e. Shockwave and Flash Player). The Fourth Reich are masters at screwing people. Fuck them.


    • PaulT (profile), 15 Apr 2014 @ 8:31am

      Re: at this point, the NSA has a serious trust problem in convincing anyone engaged in computer security that they have their best interests in mind.

      "They have been screwing the software industry four years now"

      "Why do you think that Sun's Java has had such a hard times for at least 20-25 years"

      You don't see the contradiction here?

      But, hey, just place the blame at the most convenient target and whine about him. Nothing else that happened in the past could possibly have led to the current situation, certainly nothing done by previous administrations! No, it's just this one guy, nobody else would possibly have done this, and it would never had happened if the other guys had won!

      "Why do you think that Sun's Java has had such a hard times"

      Because it's no longer owned by Sun, a company that no longer exists? Because the company that now owns them, Oracle, has a poor record of providing patches, at one time refusing to release urgent fixes in favour of trying to force Java into a quarterly update system that's woefully inadequate for this kind of software? Because Java has some inherently insecure design faults going back to its inception - something that's now admitted and has forced Java to disable some functionality that was once considered its main selling point (e.g. browser applets)? Because OS manufacturers - especially Microsoft - have gotten so good at securing their OSes that it's now browser plugins and not the OS itself that represent the best way to compromise a system, and people who wish to do so will use the easiest point of entry?

      No, it's all Obama. Of course it is. whatever helps you find an easy target instead of dealing with that complicated reality stuff.


    • Anonymous Coward, 15 Apr 2014 @ 9:57am

      Re: at this point, the NSA has a serious trust problem in convincing anyone engaged in computer security that they have their best interests in mind.

      You seem like an irrational Obama hater.
      Something tells me that if Obama wanted to shut down the over-broad NSA spying programs you would be pissed at Obama.
      Well at least you aren't complaining about the non-scandals like Libya and IRS etc.. So I'll give you credit for having a valid reason.... this time.

      Also... Sun Java is full of bugs because of what Java is. It's an interpreted language that gets nearly full OS level access.

      Of fucking course it's going to get security bugs.
      Java isn't virtually sandboxed like "javascript in your browser" is ffs. Java is like a "virtual OS" running on your box with nearly unlimited access to your real OS.
      Of fucking course it's going to get security bugs....by nature of what Java is.


  • DannyB (profile), 15 Apr 2014 @ 8:26am

    Yes, I would trust the NSA completely

    The NSA has your best interest in mind.

    The NSA would like you to download and install this national security protection software onto your computer. It is a good idea. And it is for your protection. (Sort of like how Macrovision Quality Protection is for your protection somehow?)

    But it reminds me of an old subliminal message:

    The NSA
    is your friend
    trust the NSA

    Or: the NSA is mother, the NSA is father


  • madasahatter (profile), 15 Apr 2014 @ 8:30am

    Answer

    Never!

    I would rely on independent sources for advice rather than the NSA.


  • Anonymous Coward, 15 Apr 2014 @ 8:47am

    They don't care. They only need the trust (or incriminating info) of those in power.


  • Guardian, 15 Apr 2014 @ 8:52am

    RCMP, fed FBI of Canada, asked CRA not to divulge SIN number thefts

    and if you think there isn't weird shit regarding the heartbleed bug

    http://www.cbc.ca/news/business/heartbleed-bug-rcmp-asked-revenue-canada-to-delay-news-of-sin-thefts-1.2609192#commentwrapper

    and they quickly closed comments on this....it's embarrassment for all the govt cause they know about it and were like the nsa stealing people's identity for abuse all themselves.

    fucking govts, time to take back fucking democracy

    and it's fucking snowing in mid april?????

    WTF


  • FM Hilton, 15 Apr 2014 @ 9:01am

    Trust who?

    I'd trust the NSA as far as I could throw them.

    But they don't trust us either.

    So we're even.


  • Mark Wing, 15 Apr 2014 @ 9:32am

    To serve man ... it's a cookbook!


  • That One Guy (profile), 15 Apr 2014 @ 10:31am

    Signs point to 'No'

    I wouldn't trust them to tell me whether or not the sun was in the sky, compulsive liars like that are unworthy of trust on any topic, and if they just so happen to be right this time around, I believe there's a saying along the lines of 'A stopped clock is still right twice a day'.


  • Anonymous Coward, 15 Apr 2014 @ 10:53am

    Silence isn't golden

    NSA lost their credibility when they remained silent for so long.


  • Anonymous Coward, 15 Apr 2014 @ 1:37pm

    TBH, in this case it's kinda irrelevant whether I trust them or not - all they've said is apply the patch if you're vulnerable. To which the only response I have is "duh". It's the same thing everyone else has said, just a week late.


  • Kronomex, 15 Apr 2014 @ 2:34pm

    "Would You Trust The NSA's Advice On How To Deal With Heartbleed?"

    MWAHAHAHAHA...gasp, gasp...HAHAHAHA...gasp, gasp...er, no.


  • I trust in this case, 16 Apr 2014 @ 4:26am

    All recommendations done by NSA on this document make sense. What is wrong with that advice? Nothing.

    Just to be clear: once the patch is applied, all certificates must be regenerated, not only personal ones; system-wide ones must be changed too.


    • Anonymous Coward, 16 Apr 2014 @ 7:41am

      Re:

      Yes, the document is accurate, but it took them a week to repeat the advice that came out with the public notification of the security flaw. Its only possible value is as PR to try and improve the NSA's image.


  • Mike Gale (profile), 16 Apr 2014 @ 3:54pm

    Why are they doing this, and will it work?

    They are presumably doing this as PR to say that they are trying to fulfil the seemingly ignored part of their brief.

    Given that the public (and many private) announcements are perceived as being devoid of truth they have a long way to climb back into the light of public approval.

    This is a distraction. The real issue is splitting the organisation. The Public Protection section cannot be the same as the Attack the Public section.

    At the end of the day we need some of what they do, we just need a return of morality and balance.

    It's a long, long road out of Hell, for these guys.


  • Tavis, 16 Apr 2014 @ 8:37pm

    Trust an NSA PDF directed to people concerned about security?

    Quick! Check it for exploits!


