Google Apparently Chose Not To Tell The NSA About Heartbleed
from the trust-issues dept
Well, this is interesting. I naturally assumed that when the various researchers first discovered Heartbleed, they told the government about it. While I know that some people think this is crazy, it is fairly standard practice, especially for a bug as big and as problematic as Heartbleed. However, the National Journal has an article suggesting that Google deliberately chose not to tell the government about Heartbleed. No official reason is given, but assuming this is true, it wouldn't be difficult to understand why. Google employees (especially on the security side) still seem absolutely furious about the NSA hacking into Google's data centers, and various other privacy violations. When a National Journal reporter contacted Google about the issue, note the response:

    Asked whether Google discussed Heartbleed with the government, a company spokeswoman said only that the "security of our users' information is a top priority" and that Google users do not need to change their passwords.

Here's the thing: if the NSA hadn't become so focused on hacking everyone, it wouldn't be in this position. The NSA's dual offense and defense role has poisoned the waters, such that no company can or should trust the government to do the responsible thing and help secure vulnerable systems any more. And for that, the government only has itself to blame.
Filed Under: heartbleed, nsa, privacy, security, surveillance
Companies: google
Reader Comments
Hypothetical...
Re: Hypothetical...
Re: Hypothetical...
Lettre de cachet
“… orders directly from the king, often to enforce arbitrary actions…”
Re: Hypothetical...
Every time I see...
Re: Every time I see...
Re: Re: Every time I see...
Re: Re: Re: Every time I see...
The problem is that the ads leak data to the advertisers. Imagine an insurance company hiring a campaign among people with a high-risk medical condition. Boom, you don't get that life insurance policy anymore.
Google can't imprison but they can lead to life sentences.
Re: Re: Re: Re: Every time I see...
How would Google know, unless they're scanning the content of your emails to discover whether you're merely curious about brain tumors or actually have one?
Now imagine the number of staff they'd have to hire to get human eyes on the email content that mentions high-risk medical conditions so they can pick out the ones that mention a person actually having one, then pass it on to the HR dept. of an insurance company.
Hold that thought: the much-maligned ACA FORBIDS insurance companies to refuse cover for pre-existing conditions. For all its faults, that's one thing it does. Getting rid of it would bring back the risk of refusal.
Can we please stop the dog-whistle cries of "Socialism!" over the ACA? The origin is from industry shills who don't want to pay out to people who actually need care. They're in business to make a profit, not to help us. "The Market" doesn't have the solution to this because there's no profit in it.
Re: Re: Re: Re: Re: Every time I see...
Remember Google Health...
Re: Re: Re: Re: Re: Every time I see...
That the much-maligned ACA prohibits insurance companies from refusing insurance to those with pre-existing conditions is one of many reasons to malign it. That kind of provision is a violation of the individual rights of the persons offering a service. If an employer "needs" my labor but I don't want to give it to him, does he have a right to draft me into his service simply because he professes a need? No one has a "right" to enslave anybody else, regardless of how much he "needs" to enslave that person.
Re: Re: Re: Re: Re: Re: Every time I see...
Then you really do not understand Marx at all because you are so wrong there! What you are describing is the warped sense of socialism that the capitalists push into everyone since birth so people think socialism is a bad thing, when in actual fact, Marxist socialism can actually work, but people will need to unlearn all the capitalist propaganda that has been drilled into them for hundreds of years, which has manipulated them into becoming slaves to capitalism & money.
And don't give me any crap that socialism has been tried & tested and doesn't work. There has never ever been a true Marxist socialist government on this planet EVER! Russia was never communist; sure, Lenin called his party communists, but he never implemented any Marxist ideas at all. The communism you know is not the communism that Marx theorised.
Russia was state capitalist from the get-go, not Marxist!
Re: Re: Re: Re: Re: Re: Re: Every time I see...
Let's also take this concept and put it in the spotlight on what is actually happening under democracy and capitalism.
The Fed (a private company) issues currency and charges interest on it; they give that currency to the treasury, and the treasury gives them bonds (repayable with interest).
So you work, you earn your money honestly, and the IRS (another private company acting on behalf of the Fed) then takes that hard-earned money from you and gives it back to the Fed. Meanwhile, the Fed cashes in their bonds and gets paid interest on them in return for that so-called tax money, which they then loan out to the private banks again, who repay them with interest. The government then borrows more & the cycle repeats.
So your honestly earned money is taken from you and given back to a private company, and is paid by you to take it from you. So under capitalism, your money is given to private companies, and not the needy. And you think giving to the needy is unfair?
Re: Re: Re: Re: Re: Re: Every time I see...
If that is the case, then the only form of government that has ever existed is a socialist government. That makes the term "socialist" an effectively meaningless one, since it can't be used to draw distinctions.
Which is pretty close to the truth of how the word is used nowadays, now that I think of it -- an effectively meaningless insult that is thrown at anything the person using the term doesn't like.
Re: Re: Re: Re: Re: Re: Every time I see...
If only that ACA gave health responsibility to provinces like up here: 1) the state-wide-only servers wouldn't be overloaded like that federally centralized fiasco; 2) people would feel like they have more power over state tax/money since "state" is one step closer to them than the big bad faceless Federal Government.
There's a lot of things I'd change in Canada, like British parliamentarism; give me a republic with proportionate voting for different parties and I'd really like it here, cos Canada is not a centralized federation but a Confederation.
Hint hint at Ukraine: just do that and your ridiculous infighting between brothers would be over.
Re: Re: Re: Re: Re: Every time I see...
Re: Re: Re: Re: Re: Re: Every time I see...
Individualism only goes so far. I'm very individualist, but I'm a realist that some things have to be socially organized or chaos and evil ensues.
p.s. what about all those Americans who drive/fly to Canada so they can fly to Cuba (we don't stamp Americans' passports when they go there) to get A-1 class medical surgeries? Cuba is close to being the only communist experiment that worked, it would be extremely successful if the US got rid of that childish embargo on them.
Familiar with the Human Development Index? It's made of other indexes; Cuba last time I checked (maybe a year or 2 ago) was equal at #1 for Medicine with 5 or 6 countries (equal index ratings). They're also way up there education-wise. Have you ever seen a documentary about real Cubans, not those in Florida who are ultra-nationalist right-wingers? Those people all help each other repair each other's household items, houses, even roads... This guy had a remote for a TV but there was a piece broken in it; he just paid visits to his neighbours, where nobody locks their doors and everyone will talk to you even if you show up there asking if they can help you fix that TV remote. It took him a few days before finding someone who could do it, but the social fabric there isn't sick beyond repair like in "the west".
Also this guy's house was in serious need of repair because some rain would accumulate in the apartments on top. Everyone who wanted to (a lot) in the neighbourhood helped them. I know people who were so deep in debt here who had a similar problem: water would go through the attic and into their tenants' apartments upstairs. They had to sell the house, and good luck just walking around the neighbourhood trying to find people to help you fix it for free (it was definitely a multiple-people job). Nah, here people all distrust each other and everyone locks their door during the daytime.
I wonder which is the healthier society... just kidding, I don't.
Re: Every time I see...
Re: Re: Every time I see...
That's exactly what an NSA-affiliated company would say! All conspiracies aside, that's still a negligent stance to take given what we know. The price of PR should not be a false sense of security.
Re:
Re:
It's not a negligent stance if Google determined that their servers did not contain the broken SSL code. They may have used something other than OpenSSL.
Re: Re:
They could also have used an OpenSSL version from before the bug was introduced. Or, given how much Google optimizes their servers, they could be using OpenSSL with the heartbeat code compiled out. This last one is the most probable.
No requirement to change passwords?
Google also didn't ask users to change passwords for the Gaia breach, to their very password infrastructure, so I guess this behavior is consistent. Asking users to change passwords would incite more panic and bad press than the few accounts that may actually be impacted.
Re: No requirement to change passwords?
Seems like a good reason to me.
Re: Re: No requirement to change passwords?
Re: Re: No requirement to change passwords?
I guess there's one bit of information that would change my mind. Who was it that first broke the news about Heartbleed? Did Google just skip the government and go straight to the public? If they did that, then I'm right there with them. If they kept it secret, then I'm glad I just changed my passwords.
Re:
On or before March 31st, CloudFlare gets the patch file and applies it. They blogged about it, giving the first public notice of the problem.
April 1, Google notifies the OpenSSL team of the vulnerability.
So, Google didn't immediately go directly to the public, but did immediately go to the major players. This is actually the right way to do it -- give the major vectors a chance to patch things up before making the world (and all the bad guys) aware of the vulnerability.
It took 10 days from the time of discovery to the time the world was notified, and they had the fix already in hand when they did so. Google did good on this.
Between the lines...
already knew about Heartbleed, so no reason to tell the NSA.
Who else to tell in US government that really would or could help?
Re: Between the lines...
Consider: if you're the NSA, and you're willing to ignore the Constitution and the law and Congress and the Courts and anyone and everything else in search of as much data as you can possibly acquire, then why wouldn't you tap the email, phones etc. of security researchers?
You know that they talk to each other. You know who they are. You know that they often seek each other out for peer review or to aid in dissemination of information. You know that they have a far better chance than nearly anyone else of uncovering security flaws. And so you know that every once in a while, a really useful bit of information is going to get picked up.
(This is presuming that the NSA didn't know years ago, which I think is far more likely.)
Interesting points to note here
2. Given that the NSA has been using information fed to its defence arm to inform its offence arm, even if the US Government were to split the two arms into separate organisations, it's unlikely anyone could or should trust a new separate defence organisation not to pass information to the offence organisation.
And three, the journalist who wrote the article can't frigging spell.
Thoughtful
If they had, likely what would have happened is that the agencies would have ordered them to keep quiet and not touch anything, so the agencies could exploit the weakness.
Demonstrates an amazing level of trust (and not a high level, either).
Blah Google is so great Blah
Re: Blah Google is so great Blah
Google is clearly more competent than the NSA; thus, it cannot be a front for the NSA.
The NSA is clearly a front for the Social Media Megaconglomerate.
Re:
Is this "The Parallax View" come to life?
poetic justice
I found this part funny.
Google violates the privacy of billions of Internet users on a systematic basis, all is OK. No one has right to complain.
NSA breaks into Google datacenters. This privacy violation is unacceptable.
Funny...
Re: poetic justice
Re: poetic justice
because the government neither wrote nor distributes openssl
I (and most security researchers) don't see the need to inform the government specifically, unless you expect for instance a CERT to be able to help you.
Blame
Google and Heartbleed