Google Apparently Chose Not To Tell The NSA About Heartbleed

from the trust-issues dept

Well, this is interesting. I naturally assumed that when the various researchers first discovered Heartbleed, they told the government about it. While I know that some people think this is crazy, it is fairly standard practice, especially for a bug as big and as problematic as Heartbleed. However, the National Journal has an article suggesting that Google deliberately chose not to tell the government about Heartbleed. No official reason is given, but assuming this is true, it wouldn't be difficult to understand why. Google employees (especially on the security side) still seem absolutely furious about the NSA hacking into Google's data centers, and various other privacy violations. When a National Journal reporter contacted Google about the issue, note the response:
Asked whether Google discussed Heartbleed with the government, a company spokeswoman said only that the "security of our users' information is a top priority" and that Google users do not need to change their passwords.
Here's the thing: if the NSA hadn't become so focused on hacking everyone, it wouldn't be in this position. The NSA's dual offense and defense role has poisoned the waters, such that no company can or should trust the government to do the responsible thing and help secure vulnerable systems any more. And for that, the government only has itself to blame.


Filed Under: heartbleed, nsa, privacy, security, surveillance
Companies: google


Reader Comments



  • Ramon Creager (profile), 15 Apr 2014 @ 3:01pm

    Hypothetical...

    What if Google reports it to the gov, and the gov then turns around and classifies the info and forbids Google from disclosing it? Non-Google customers would still be screwed. Not sure how legal that would be, but they seem to just do whatever they please.


    • Anonymous Coward, 15 Apr 2014 @ 3:35pm

      Re: Hypothetical...

      The gov't can classify all they want. Google is under no legal obligation to hold that information in confidence since that information didn't come from the government to begin with.


    • Anonymous Coward, 15 Apr 2014 @ 4:11pm

      Re: Hypothetical...

      What if Google reports it to the gov, and the gov then turns around and classifies the info and forbids Google from disclosing it?

      Lettre de cachet
      Lettres de cachet (French pronunciation: [lɛtʁ də kaʃɛ], lit. "letters of the sign/signet") were letters signed by the king of France, countersigned by one of his ministers, and closed with the royal seal, or cachet. They contained orders directly from the king, often to enforce arbitrary actions and judgments that could not be appealed. . . .


      See also
            • National Security Letter


      “… orders directly from the king, often to enforce arbitrary actions…”


    • me, 17 Apr 2014 @ 7:09pm

      Re: Hypothetical...

      "Legality" is an abstraction that is defined at the tip of a sword. Don't let anyone convince you otherwise. ALL systemic prosecution and deliberation becomes a dog and pony show the second even one major group decides to go their own way, as the NSA has.


  • Pixelation, 15 Apr 2014 @ 3:02pm

    Nelson from the Simpsons says it best, "Haha!".


  • Anonymous Coward, 15 Apr 2014 @ 3:04pm

    Every time I see...

    ...Google and the NSA butting heads in the same post, I can't help but think of the NSA as the forerunner of Skynet, and Google as John Connor.


    • Anonymous Coward, 15 Apr 2014 @ 3:20pm

      Re: Every time I see...

      But in reality, they're both Skynet wannabes competing against each other.


      • Jernau (profile), 15 Apr 2014 @ 4:57pm

        Re: Re: Every time I see...

        Kinda, but as has been said many times before, Google can't imprison, torture or execute me. I could put up with customised ads if it was a straight fight between the two. I think it'd be a toss-up who won as well.


        • Anonymous Coward, 16 Apr 2014 @ 3:28am

          Re: Re: Re: Every time I see...

          Quote: "Google can't imprison, torture or execute me. I could put up with customised ads..."

          The problem is that the ads leak data to the advertisers. Imagine an insurance company hiring a campaign among people with a high-risk medical condition. Boom, you don't get that life insurance policy anymore.

          Google can't imprison but they can lead to life sentences.


          • Pragmatic, 16 Apr 2014 @ 7:01am

            Re: Re: Re: Re: Every time I see...

            Assume you're right, AC @3.28am.

            How would Google know, unless they're scanning the content of your emails to discover whether you're merely curious about brain tumors or actually have one?

            Now imagine the number of staff they'd have to hire to get human eyes on the email content that mentions high-risk medical conditions so they can pick out the ones that mention a person actually having one, then pass it on to the HR dept. of an insurance company.

            Hold that thought: the much-maligned ACA FORBIDS insurance companies to refuse cover for pre-existing conditions. For all its faults, that's one thing it does. Getting rid of it would bring back the risk of refusal.

            Can we please stop the dog-whistle cries of "Socialism!" over the ACA? The origin is from industry shills who don't want to pay out to people who actually need care. They're in business to make a profit, not to help us. "The Market" doesn't have the solution to this because there's no profit in it.


            • Anonymous Coward, 16 Apr 2014 @ 10:06am

              Re: Re: Re: Re: Re: Every time I see...

              Quote: "How would Google know, unless they're scanning the content of your emails to discover whether you're merely curious about brain tumors or actually have one?"

              Remember Google Health...


            • David, 16 Apr 2014 @ 7:38pm

              Re: Re: Re: Re: Re: Every time I see...

              Taking money by force from people who earn it honestly and transferring it to those who claim to need it IS socialism. The means of production in the medical industry are certainly being more and more commandeered by government.

              That the much-maligned ACA prohibits insurance companies from refusing insurance to those with pre-existing conditions is one of many reasons to malign it. That kind of provision is a violation of the individual rights of the persons offering a service. If an employer "needs" my labor but I don't want to give it to him, does he have a right to draft me into his service simply because he professes a need? No one has a "right" to enslave anybody else, regardless of how much he "needs" to enslave that person.


              • vaughan, 16 Apr 2014 @ 8:27pm

                Re: Re: Re: Re: Re: Re: Every time I see...

                "Taking money by force from people who earn it honestly and transferring it to those who claim to need it is socialism."

                Then you really do not understand Marx at all, because you are so wrong there! What you are describing is the warped sense of socialism that the capitalists push into everyone since birth so people think socialism is a bad thing, when in actual fact, Marxist socialism can actually work, but people will need to unlearn all the capitalist propaganda that has been drilled into them for hundreds of years, which has manipulated them into becoming slaves to capitalism & money.

                And don't give me any crap that socialism has been tried & tested and doesn't work. There has never ever been a true Marxist socialist government on this planet EVER! Russia was never communist; sure, Lenin called his party communists, but he never implemented any Marxist ideas at all. The communism you know is not the communism that Marx theorised.

                Russia was state capitalist from the get-go, not Marxist!


                • vaughan, 16 Apr 2014 @ 8:44pm

                  Re: Re: Re: Re: Re: Re: Re: Every time I see...

                  "Taking money by force from people who earn it honestly and transferring it to those who claim to need it is socialism."

                  Let's also take this concept and put it in the spotlight on what is actually happening under democracy and capitalism.

                  The Fed (a private company) issues currency and charges interest on it; they give that currency to the Treasury, and the Treasury gives them bonds (repayable with interest).

                  So you work, you earn your money honestly. The IRS (another private company acting on behalf of the Fed) then takes that hard-earned money from you and gives it back to the Fed. Meanwhile, the Fed cashes in their bonds and gets paid interest on them in return for that so-called tax money, which they then loan out to the private banks again, who repay them with interest. The gov then borrows more & the cycle repeats.

                  So your honestly earned money is taken from you and given back to a private company, and you pay for it to be taken from you. So under capitalism, your money is given to private companies, and not the needy. And you think giving to the needy is unfair?


              • John Fenderson (profile), 17 Apr 2014 @ 8:09am

                Re: Re: Re: Re: Re: Re: Every time I see...

                "Taking money by force from people who earn it honestly and transferring it to those who claim to need it IS socialism."

                If that is the case, then the only form of government that has ever existed is a socialist government. That makes the term "socialist" an effectively meaningless one, since it can't be used to draw distinctions.

                Which is pretty close to the truth of how the word is used nowadays, now that I think of it -- an effectively meaningless insult that is thrown at anything the person using the term doesn't like.


              • Anonymous Coward, 17 Apr 2014 @ 2:06pm

                Re: Re: Re: Re: Re: Re: Every time I see...

                Lots of people claim things; it's not socialism when an Office of X Country Bureaucracy decides whether one gets something or not.

                If only that ACA gave health responsibility to provinces like up here: 1) the state-wide-only servers wouldn't be overloaded like that federally centralized fiasco; 2) people would feel like they have more power over state tax/money, since "state" is one step closer to them than the big bad faceless Federal Government.

                There's a lot of things I'd change in Canada, like British parliamentarism; give me a republic with proportionate voting for different parties and I'd really like it here, cos Canada is not a centralized federation but a Confederation.

                Hint hint at Ukraine: just do that and your ridiculous infighting between brothers would be over.


            • FrancisChalk, 17 Apr 2014 @ 12:51am

              Re: Re: Re: Re: Re: Every time I see...

              What planet have you been living on? The medical industry--doctors, insurance, hospitals, equipment makers, etc.--has been fabulously profitable. There is massive profit in "The Market", as you call it. The ACA is about one thing and one thing ONLY: gaining control over people's health and therefore control over their lives. It's straight-up Socialism of the USSR brand. Of course the insurance industry is on board and wants to profit as best they can; they have no choice in a government takeover.


              • Anonymous Coward, 17 Apr 2014 @ 2:22pm

                Re: Re: Re: Re: Re: Re: Every time I see...

                Oh yeah, up here in Canada, we call it a single-payer system, and it's better. May the experiment in Vermont show you all. Health of citizens falls into the same thing taxes are for: infrastructure that would be too complicated in your populous country, like roads and libraries, where some dickheads would refuse to pay tax for such essentials; a me-myself-and-I anarcho-capitalist state would ensue and there would be mass riots. You guys are already real close to embracing anarcho-capitalism; I bet you'd be one of the first ones to complain that there's potholes everywhere, which could cause physical injury nobody would be pitching in to help with.

                Individualism only goes so far. I'm very individualist, but I'm a realist that some things have to be socially organized or chaos and evil ensue.

                p.s. what about all those Americans who drive/fly to Canada so they can fly to Cuba (we don't stamp Americans' passports when they go there) to get A-1 class medical surgeries? Cuba is close to being the only communist experiment that worked, it would be extremely successful if the US got rid of that childish embargo on them.

                Familiar with the Human Development Index? It's made of other indexes; Cuba, last time I checked (maybe a year or 2 ago), was equal at #1 for Medicine with 5 or 6 countries (equal index ratings). They're also way up there education-wise. Have you ever seen a documentary about real Cubans, not those in Florida who are ultra-nationalist right-wingers? Those people all help each other repair each other's household items, houses, even roads... This guy had a remote for a TV but there was a piece broken in it; he just paid visits to his neighbours, where nobody locks their doors and people will talk to you even if you show up there asking if they can help you fix that TV remote. It took him a few days before finding someone who could do it, but the social fabric there isn't sick beyond repair like in "the west".

                Also, this guy's house had serious need of repair because rain would accumulate in the apartments on top. Everyone who wanted to (a lot) in the neighbourhood helped them. I know people who were so deep in debt here who had a similar problem; water would go through the attic and into their tenants' apartments upstairs. They had to sell the house, and good luck just walking around the neighbourhood trying to find people to help you fix it for free (it was definitely a multiple-people job). Nah, here people all distrust each other and everyone locks their door during the daytime.

                I wonder what is healthier of a society....just kidding I don't.


    • Lurker Keith, 15 Apr 2014 @ 5:06pm

      Re: Every time I see...

      I either read somewhere or a friend told me that at some point (research shows 2009) the US Military (USAF) had been trying to build something akin to Skynet from ~2500 daisy-chained PS3s. *facepalm*


  • Anonymous Coward, 15 Apr 2014 @ 3:11pm

    "Google users do not need to change their passwords."

    That's exactly what an NSA-affiliated company would say! All conspiracies aside, that's still a negligent stance to take given what we know. The price of PR should not be a false sense of security.


    • Pragmatic, 16 Apr 2014 @ 7:01am

      Re:

      [Citation required]


    • John Fenderson (profile), 16 Apr 2014 @ 7:54am

      Re:

      "that's still a negligent stance to take given what we know."

      It's not a negligent stance if Google determined that their servers did not contain the broken SSL code. They may have used something other than OpenSSL.


      • Anonymous Coward, 16 Apr 2014 @ 8:21am

        Re: Re:

        This.

        They could also have used an OpenSSL version from before the bug was introduced. Or, given how much Google optimizes their servers, they could be using OpenSSL with the heartbeat code compiled out. This last one is the most probable.


  • Indy, 15 Apr 2014 @ 3:32pm

    No requirement to change passwords?

    Why would users not need to update their passwords when Google silently fixed it themselves, and the assumption that the NSA (or other organization) had access for years is a safe one to make?

    Google also didn't ask users to change passwords for the Gaia breach, to their very password infrastructure, so I guess this behavior is consistent. Asking users to change passwords would incite more panic and bad press than the few accounts that may actually be impacted.


    • Anonymous Coward, 15 Apr 2014 @ 4:28pm

      Re: No requirement to change passwords?

      Because the vulnerability existed for ~2 years and nobody actually knows if it was being exploited during that time?

      Seems like a good reason to me.


      • Anonymous Coward, 15 Apr 2014 @ 4:29pm

        Re: Re: No requirement to change passwords?

        I failed to parse your comment - you put the negative "not" in an unexpected place and my reading comprehension failed - sorry :)


      • John Fenderson (profile), 16 Apr 2014 @ 7:57am

        Re: Re: No requirement to change passwords?

        Not a good reason at all. First, due to the nature of the exploit, it's incredibly difficult to determine if it was actually used. No trace is left, no red flags appear in any logs, etc. The only way to tell is through inference. Second, there have been a number of breaches that imply that Heartbleed was successfully used.


  • Chronno S. Trigger (profile), 15 Apr 2014 @ 3:32pm

    I don't know how I feel about this. I understand fully why they didn't inform the government, but this was a huge thing; they probably still should have.

    I guess there's one bit of information that would change my mind. Who was it that first broke the news about HeartBleed? Did Google just skip the government and go straight to the public? If they did that, then I'm right there with them. If they kept it secret, then I'm glad I just changed my passwords.


    • John Fenderson (profile), 16 Apr 2014 @ 8:10am

      Re:

      Neel Mehta of Google Security discovered the flaw on March 21st. They created a patch for OpenSSL on the same day. Google submitted this patch for inclusion to OpenSSL, simultaneously distributed the patch file to some major distros such as Red Hat, and applied it to their own servers.

      On or before March 31st, CloudFlare got the patch file and applied it. They blogged about it, giving the first public notice of the problem.

      April 1, Google notifies the OpenSSL team of the vulnerability.

      So, Google didn't immediately go directly to the public, but did immediately go to the major players. This is actually the right way to do it -- give the major vectors a chance to patch things up before making the world (and all the bad guys) aware of the vulnerability.

      It took 10 days from the time of discovery to the time the world was notified, and they had the fix already in hand when they did so. Google did good on this.


  • SpaceLifeForm, 15 Apr 2014 @ 3:50pm

    Between the lines...

    If I am Google, who would you tell in the US government and why? Based upon past events, they must assume that the NSA already knew about Heartbleed, so no reason to tell the NSA. Who else to tell in the US government that really would or could help?


    • Anonymous Coward, 15 Apr 2014 @ 3:57pm

      Re: Between the lines...

      Of course the NSA knew about Heartbleed.

      Consider: if you're the NSA, and you're willing to ignore the Constitution and the law and Congress and the Courts and anyone and everything else in search of as much data as you can possibly acquire, then why wouldn't you tap the email, phones etc. of security researchers?

      You know that they talk to each other. You know who they are. You know that they often seek each other out for peer review or to aid in dissemination of information. You know that they have a far better chance than nearly anyone else of uncovering security flaws. And so you know that every once in a while, a really useful bit of information is going to get picked up.

      (This is presuming that the NSA didn't know years ago, which I think is far more likely.)


  • tracyanne (profile), 15 Apr 2014 @ 4:08pm

    Interesting points to note here

    1/ Google seems pretty certain the NSA never used Heartbleed against Google, which if true probably means they didn't know about it. Low probability, I know.

    2. Given that the NSA has been using information fed to its defence arm to inform its offence arm. Even if the US Government was to split the two arms into separate organisations, it's unlikely anyone could or should trust a new separate defence organisation not to pass information to the offence organisation.

    And three, the journalist who wrote the article can't frigging spell.


  • Anonymous Coward, 15 Apr 2014 @ 4:08pm

    Both Google and Microsoft have called the NSA/the US gov an "active persistent threat" - why would you give that sort of information to such a dangerous threat? Might as well give notice to the Chinese about it, then.


  • Beech, 15 Apr 2014 @ 4:52pm

    Google should have given the info to 4chan to see if they could use it against the NSA to pry loose some sweet, sweet dox.


  • Coyne Tibbets (profile), 15 Apr 2014 @ 8:46pm

    Thoughtful

    It shows thoughtfulness, that they neglected to mention the weakness to the intelligence community.

    If they had, likely what would have happened is that the agencies would have ordered them to keep quiet and not touch anything, so the agencies could exploit the weakness.

    Demonstrates an amazing level of trust (and not a high level, either).


  • Mr. Oizo, 15 Apr 2014 @ 10:10pm

    Blah Google is so great Blah

    Google is a fucking front for the NSA. Don't you get that?


    • Anonymous Coward, 16 Apr 2014 @ 1:01am

      Re: Blah Google is so great Blah

      As a fellow tin-foil hat wearer, you, sirrah, put me to shame.

      Google is clearly more competent than the NSA; thus, it cannot be a front for the NSA.

      The NSA is clearly a front for the Social Media Megaconglomerate.


  • That One Guy (profile), 16 Apr 2014 @ 12:00am

    Given that telling the NSA about a security vulnerability that they might not know about is pretty much the same as telling a local gang about an unlocked building full of expensive stuff, and for the same reasons, yeah, not telling the NSA anything seems like a good strategy there.


  • Robert, 16 Apr 2014 @ 2:12am

    Google's focus is on securing its system. Under insane psychopathic management, the NSA's focus is on breaking systems. Why would Google discuss anything at all with the NSA? In fact, it should take every possible precaution to secure its security information from the NSA, to the point of dismissing any employees with suspected connections with the NSA.


    • That One Guy (profile), 16 Apr 2014 @ 2:29am

      Re:

      Close, but if you suspect you've got a spy/mole in your company, you don't fire them; you just shift them to a job/position where they don't have access to any sensitive information, since if you fire them, then you've got to track down the replacement spy/mole.


  • Ninja (profile), 16 Apr 2014 @ 3:33am

    In the end, warning about vulnerabilities in the open is always the best option. No way for the Govt to try to silence it before it reaches the public so it can be fixed, just because they want to use it for their pseudo-terrorism pseudo-fight.


  • Anonymous Coward, 16 Apr 2014 @ 3:44am

    So what's up with these stories about Google hiring professional assassins???

    Is this "The Parallax View" come to life?


  • non-googler, 16 Apr 2014 @ 4:13am

    poetic justice

    "Google employees (especially on the security side) still seem absolutely furious about the NSA hacking into Google's data centers, and various other privacy violations."

    I found this part funny.

    Google violates the privacy of billions of Internet users on a systematic basis, and all is OK. No one has the right to complain.

    The NSA breaks into Google datacenters. This privacy violation is unacceptable.

    Funny...


    • Anonymous Coward, 16 Apr 2014 @ 5:13am

      Re: poetic justice

      Yeah, I violate the privacy of people who willingly share information with me all the time.


    • Anonymous Coward, 16 Apr 2014 @ 9:54am

      Re: poetic justice

      There is a difference between software seeing a mention of machine guns while you are doing historical research and Google trying to show adverts from gun shops, and the NSA seeing the same and notifying the police, who send a SWAT team through your door because somewhere else you were researching where the president goes for his holidays.


  • Seegras (profile), 16 Apr 2014 @ 6:31am

    because the government neither wrote nor distributes openssl

    You inform the parties responsible, and not everyone that could be affected. That's common practice.

    I (and most security researchers) don't see the need to inform the government specifically, unless you expect for instance a CERT to be able to help you.


  • Anonymous Coward, 16 Apr 2014 @ 10:09am

    Who cares if Google didn't tell the NSA about Heartbleed? Ten bucks says they already knew for a while. Heck, I wouldn't put it past them to invent it! When I saw the initial post about it with the headline saying that it was worse than no crypto at all, I immediately thought "NSA".


  • Easycure, 16 Apr 2014 @ 1:03pm

    Blame

    When you say the government is to blame, surely you mean Obama is to blame. Nothing happens without White House authority.


  • Alan, 16 Apr 2014 @ 5:57pm

    Google and Heartbleed

    Not that I trust Google or anything.


