UPDATED: NSA Denies Claims That It Knew About Heartbleed And Did Nothing

from the well-that's-comforting dept

Update: The NSA has denied the Bloomberg report, briefly stating that the agency “was not aware of the recently identified Heartbleed vulnerability until it was made public.” We’ll continue to update as more information emerges.

The internet is still reeling from the discovery of the Heartbleed bug, and yesterday we wondered if the NSA knew about it and for how long. Today, Bloomberg is reporting that the agency did indeed know about Heartbleed for at least the past two years, and made regular use of it to obtain passwords and data.

While it’s not news that the NSA hunts down and exploits vulnerabilities like this, the severity of Heartbleed is going to draw more scrutiny to the practice than ever before. As others have noted, failing to disclose the bug so it could be fixed is contrary to at least part of the agency’s supposed mission:

Ordinary Internet users are ill-served by the arrangement because serious flaws are not fixed, exposing their data to domestic and international spy organizations and criminals, said John Pescatore, director of emerging security trends at the SANS Institute, a Bethesda, Maryland-based cyber-security training organization.

“If you combine the two into one government agency, which mission wins?” asked Pescatore, who formerly worked in security for the NSA and the U.S. Secret Service. “Invariably when this has happened over time, the offensive mission wins.”

There is, in fact, a massive hypocrisy here: the default refrain of NSA apologists is that all these questionable things they do are absolutely necessary to protect Americans from outside threats, yet they leave open a huge security hole that is just as easily exploited by foreign entities. Or consider the cybersecurity bill CISPA, which was designed to allow private companies to share network security information with the intelligence community, and vice versa, supposedly to assist in detecting and fixing security holes and cyber attacks of various kinds. But, especially after this revelation about Heartbleed, can there be any doubt that the intelligence community is far more interested in exploiting security holes than it is in closing them?


Comments on “UPDATED: NSA Denies Claims That It Knew About Heartbleed And Did Nothing”

84 Comments
Anonymous Coward says:

Re: And that's the end of SELinux

This SELinux comes with almost all distros, but it isn’t put into action by default, right? I know it is very user unfriendly, at least, that’s what my security solution for linux (grsecurity) was saying when selling itself to me, and weev says it’s the best so I think it must be, just annoying that I gotta get stuck with using an older kernel than I would like.

That One Guy (profile) says:

Conflict of interest anyone?

This is what happens when you mix defensive and offensive goals under the same agency, the idea of defense by fixing the problem goes clean out the window in favor of offense by utilizing the problem.

In regards to the idea that the NSA was the cause of the problem, at this point I’d say that’s meaningless, if they knew about it and not only did nothing, but actively used it, then they’re just as guilty as if they had introduced it themselves.

That One Guy (profile) says:

Re: Re:

Impossible, obviously only the certified geniuses at the NSA could ever take advantage of security holes like this, or any of the other weaknesses that the NSA intentionally creates, so letting a security hole like this exist so they can exploit it, and/or creating other security holes to make their jobs easier in no way would ever allow other people/agencies to compromise affected systems.

/s

sehlat (profile) says:

Binary Evaluation Set

Either:

The NSA is lying and they actually failed to find the flaw, despite the fact that probing for buffer overruns is Hacking 101.

Result: They are too incompetent to protect us from the real threats.

The NSA is telling the truth and they spent two years knowing about a serious security flaw in the infrastructure of the internet, may have exploited it, and certainly failed to report it to the nation and enable us to protect ourselves.

Result: They committed treason.

Pick one.

akp (profile) says:

Re: Binary Evaluation Set

It’s not treason. Illegal, probably, but “treason” isn’t the charge.

Treason has a very specific definition: “Waging war against the United States, or giving aid and comfort to its enemies.”

The NSA has done neither. Stop using “treason” to describe everything bad someone in the government does.

nasch (profile) says:

Re: Re: Re: Binary Evaluation Set

If failure to fix a major security threat isn’t “giving aid and comfort to our nation’s enemies” I will eat my mouse.

I think failure to act will not meet the bar for treason. You have to actively do something to give aid to a specific nation that is considered an enemy. The NSA didn’t take any action here, and their inaction may have helped many bad actors, but not particularly enemy states. My understanding, anyway.

nasch (profile) says:

Re: Re: Re:3 Binary Evaluation Set

Choosing not to act is, in fact, an act. And from the standpoint of governments, every other government is an enemy, actual or potential, and must be guarded against.

What you’re saying probably has no relevance in the context of the law. It doesn’t matter that philosophically choosing not to act is an act, it only matters whether the law considers it so. IANAL but I’m pretty sure the law treats acting and failure to act very differently. The same with the meaning of “enemy”.

Anonymous Coward says:

Re: Re: Re:2 Binary Evaluation Set

You seem to miss the point of what ‘giving aid’ means. If a known terrorist was found hiding in your basement, and it turned out he got in on his own, but you knew about it and said nothing, would you be comfortable with your lawyer raising the same feeble defense on your behalf? “Your honor, my client did not act, therefore he cannot be said to have been aiding the terrorist who he knew was hiding in his basement.”

Anonymous Coward says:

Re: Re: Binary Evaluation Set

Actually, knowing about a critical security vulnerability which ‘enemies’ can take advantage of, and which affects everything the United States government has online, is giving aid and comfort to enemies.

You are on a really slippery slope if you think the NSA is not a rogue agency, just like the CIA.

nasch (profile) says:

Re: Re: Re: Binary Evaluation Set

Actually, knowing about a critical security vulnerability which ‘enemies’ can take advantage of, and which affects everything the United States government has online, is giving aid and comfort to enemies.

If nobody has ever been convicted of or even charged with treason for doing that, then that claim sounds speculative.

You are on a really slippery slope if you think the NSA is not a rogue agency, just like the CIA.

He specifically said the NSA is doing bad things, just not treason.

Anonymous Coward says:

Interesting how that ties in with previous reporting

See http://www.bankinfosecurity.com/report-nsa-circumvented-encryption-a-6045 from September 2013 which reads in part:

Bruce Schneier, a widely followed cryptography expert, author and blogger, characterizes the revelation as explosive. “Basically, the NSA is able to decrypt most of the Internet,” he writes in his blog. “They’re doing it primarily by cheating, not by mathematics. … Remember this: The math is good, but math has no agency. Code has agency, and the code has been subverted.”

According to the news report, some of NSA’s most exhaustive efforts have concentrated on encryption widely used in the United States, including Secure Sockets Layer, virtual private networks and the protection used on fourth generation smart phones.

Note the explicit mention of SSL as well as Schneier’s comment that they’re decrypting most of the Internet.

Dennis F. Heffernan (profile) says:

Swipe at Open Source

Personally I liked their little attack on open source software:

“The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.”

and

“While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.”

Let’s remember though that while open source developers may have introduced Heartbleed by accident, they also revealed it when they found it. The NSA, by contrast, exploited it even though it was their duty to reveal it. And when the commercial developers at RSA introduced a security flaw, it was deliberate because they were *PAID* to do it.

Jim says:

Re: Swipe at Open Source

The commenters over at Ars Technica have been ganging up on anyone saying anything negative about the Open Source community, by negative voting those comments into blocking & moderation, often without giving factual rebuttal. It’s interesting to see that here, where there’s a little freer commenting setup, the potential NSA/Open Source connection is more openly talked about.

Obviously, tech observers are coming to the obvious conclusion that there’s a bit of a smoking gun here. And Open Source people doth protest too much, methinks.

Clearly, this incident is showing that Open Source software is no panacea in The Battle to Save the Internet (minimal hyperbole intended). The community is going to seriously have to up their game in terms of code openness, oversight, and review, if they want to be taken seriously, from now on…this screw-up was that bad.

Anonymous Coward says:

Re: Re: Swipe at Open Source

No, open source isn’t a panacea: it’s necessary, but not sufficient.

I’ve said that for years. Decades, actually. Open source allows us to play the game, it doesn’t guarantee that we’ll win it. We clearly need to think about how this went wrong — whether or not it was deliberate sabotage — and we need to figure out how to prevent similar failures in the future.

One thing that would sure help would be if all the major sites that rely on this code kicked in a few bucks to support it. $100K is chump change to most of them, but if they all kicked just that tiny amount in, there would be enough funding to put half a dozen people to work on OpenSSL full time and to have the code audited and to have it extensively tested by fuzzers. (Let me note in passing that these operations are spending WAY more than $100K cleaning up this mess. So it would be cost-effective as well as very cheap.)
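An added example, not part of the article or of any comment above and not OpenSSL’s own code: a simplified C model of the Heartbleed-class defect the thread is discussing (a heartbeat handler that trusts the peer’s declared payload length), with the missing bounds check beside it and the invariant that an audit, a unit test or a fuzzer could have enforced. The record layout is reduced to type, two-byte length and payload (padding and the enclosing TLS record are assumed away), and the buffer contents are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat request (assumption: the real record
   also carries padding and lives inside a TLS record; both are dropped here).
   Layout: 1 byte type, 2 bytes big-endian payload length, then the payload. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_MAX_LEN  65535u

/* Build the response to one heartbeat request by echoing its payload.
   rec_len is the number of bytes actually received. Returns the response
   length, or -1 if the request is rejected or the output buffer is too small.
   check_bounds = 0 reproduces the Heartbleed-class defect: the peer's declared
   payload length is trusted; check_bounds = 1 is the corrected behaviour. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap, int check_bounds)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* The missing check: the declared payload must fit in what was received. */
    if (check_bounds && payload_len > rec_len - 3)
        return -1;
    if (out_cap < 3 + payload_len)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Without the check, this copies payload_len bytes starting at rec + 3 no
       matter how short the request was, so whatever sits past the end of the
       request in memory is sent back to the peer. */
    memcpy(out + 3, rec + 3, payload_len);
    return (int)(3 + payload_len);
}

/* Constructed demonstration: a 4-byte request (1 real payload byte) that
   declares 40 bytes, placed in a buffer where a secret follows it. The whole
   buffer is ours, so the model itself never reads outside it. */
int demo_leak(int check_bounds, uint8_t *out, size_t out_cap)
{
    uint8_t mem[64];
    memset(mem, 0, sizeof mem);
    mem[0] = HB_REQUEST;
    mem[1] = 0;
    mem[2] = 40;                                   /* claims 40 bytes */
    mem[3] = 'A';                                  /* only 1 byte was sent */
    memcpy(mem + 4, "SECRET-PASSWORD", 15);        /* neighbouring data */
    return heartbeat_response(mem, 4, out, out_cap, check_bounds);
}

/* The invariant a fuzzer or unit test can enforce: the response never carries
   more payload than the request actually contained. Sweeps declared lengths
   against a 4-byte request and counts violations. */
int count_over_reads(int check_bounds)
{
    static uint8_t arena[3 + HB_MAX_LEN];  /* large enough for any declared length */
    static uint8_t out[3 + HB_MAX_LEN];
    const size_t rec_len = 4;              /* type + length + 1 real payload byte */
    int violations = 0;

    for (unsigned declared = 0; declared <= HB_MAX_LEN; declared += 257) {
        memset(arena, 'x', sizeof arena);
        arena[0] = HB_REQUEST;
        arena[1] = (uint8_t)(declared >> 8);
        arena[2] = (uint8_t)(declared & 0xff);
        int n = heartbeat_response(arena, rec_len, out, sizeof out, check_bounds);
        if (n > 0 && (size_t)n - 3 > rec_len - 3)
            violations++;
    }
    return violations;
}

int main(void)
{
    uint8_t out[128];
    int n = demo_leak(0, out, sizeof out);
    printf("vulnerable: response %d bytes, payload starts \"%.16s\"\n",
           n, (const char *)(out + 3));
    printf("fixed:      response %d (rejected)\n", demo_leak(1, out, sizeof out));
    printf("over-reads found by sweep: vulnerable=%d fixed=%d\n",
           count_over_reads(0), count_over_reads(1));
    return 0;
}
```

The point of `count_over_reads` is that the bug does not need a clever input to surface: any declared length above what was received trips a one-line invariant, which is exactly the kind of check a fuzzing harness or a reviewer comparing “bytes claimed” against “bytes received” would have caught.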

John Fenderson (profile) says:

Re: Re: Re: Swipe at Open Source

“I’ve said that for years. Decades, actually.”

Me too. And, truthfully, only a small percentage of OSS folks have ever said otherwise (and they’re the kind of zealots that exist everywhere and should be disregarded.)

However, the attacks on “open source” that we’re seeing now are intimating that there is something about open source that makes it more dangerous to use than closed source, and heartbleed is somehow the proof of this. That’s 100% industrial-grade bullshit.

Open source and closed source software are roughly equally error-prone. The history of closed-source software contains quite a few problems on the scale of heartbleed, after all.

The primary difference between the two is that with open source, there’s a greater chance that problems will be found before they bite too hard, and even more importantly, they tend to get fixed and those fixes distributed much more quickly.

Closed source software is full of examples of serious vulnerabilities that have gone unfixed for years despite being reported.

Anonymous Coward says:

Re: Re: Re:2 Swipe at Open Source

Your points are well-taken. I’d like to comment on the speed of the response of the community, just to add to what you’ve said.

Compare, for example, the speed with which this flaw was (a) disclosed (b) analyzed (c) measured (d) fixed in the source (e) fixed in the distributions that use it (f) published (in the source and in the distributions) and (g) made understandable by a plethora of web sites, proof-of-concept attack tools, etc. with, for example the glacial response of Adobe to a 0-day in Acrobat: http://news.slashdot.org/story/11/12/07/0057227/adobe-warns-of-critical-zero-day-vulnerability

The impressive response speed (some distributions were updated within 12 hours) probably helped partially mitigate the consequences of this. That’s only possible because it’s open source — well, and because everyone recognized how serious this was rather quickly. That, at least, is one positive takeaway from the situation.

Anonymous Coward says:

Re: Re: Re:2 Swipe at Open Source

There’s an even more important advantage of open source, IMO. If the original creators have no interest in developing the software any further, be it features or bugfixes, then you can always find someone to continue the work; you have access to the source, and permission to modify it. Even if you can’t do it yourself, you can always hire people to do it for you. With a proprietary model you may not have that option, and you are completely at the mercy of the original vendor.

Anonymous Coward says:

Re: Re: Swipe at Open Source

“The community is going to seriously have to up their game in terms of code openness, oversight, and review,”

It is interesting that even corporations who PAY people to work on open-source projects didn’t find this (and presumably other problems yet to be uncovered). It is asking a great deal of volunteers to work on this type of project if nobody is feeding them or paying their mortgage. One of the biggest problems has always been the lack of strong technical management for many open-source projects. I would do it but I also need to eat.

Anonymous Coward says:

Re: Re: Swipe at Open Source

“Open Source software is no panacea in The Battle to Save the Internet “

No, open source software IS the internet. Open source definition: All the open projects of smart people who have actually created the internet for all practical purposes, as it is known today. Smart people like to do things openly, that way other smart people can contribute. Smart, huh?

Proprietary internet software: capitalists attempting to profit from the internet by attempting (and usually failing) to create equivalent proprietary versions of open source technology (once they see what cool new tool the smart people have made, they want to glom on for free and then sell it to others). These flawed technologies are then marketed to users, and obtain their userbase by virtue of that marketing rather than actual usefulness of the proprietary tool, which is usually a broken and relatively hapless attempt to imitate what open source successfully does. Take a look at AD vs LDAP if you need an example.

Make no mistake, without the open source community through the years, today’s internet would not exist. Period.

Anonymous Coward says:

If this is true...

The last few days have been devastating to the NSA… as holes are being closed, private keys and certs are being recreated, and users’ passwords are being changed worldwide – most of their goodies are dissolving slowly.

The “bad guys” were probably the first to act on the news of this exploit, as they probably have the most to lose – so any pilfered passwords or keys that the NSA has already collected from them are probably junk now.

On the bright side, maybe the internet will “speed up” as the NSA will stop pounding against servers worldwide siphoning off the data that they’ve had unfettered access to for 2 years now.

Anonymous Coward says:

Re: If this is true...

The scariest part of this is not that the NSA had access — although that’s bad enough.

The scariest part is not that other intelligence agencies might also have had access — although that’s worse.

The scariest part is that there exist criminal organizations on this planet with the financial and personnel resources to get in on this game too. There are some enormous operations that involve the fusion of organized crime with extremely smart highly-skilled technical people — the prototype of which was the Russian Business Network. These organizations are smart enough, rich enough, and clueful enough to exploit this.

Anonymous Coward says:

As was surmised all along, the NSA purposely sets up bugs or knows of them and doesn’t reveal them to take advantage. Either way makes internet users far less secure. Microsoft was what you could say ‘busted’ over notifying the NSA of zero day bugs and then not fixing them for long spans of time.

This story just keeps going. It seems to have the legs of a giraffe. Every time you think they couldn’t possibly sink lower, you get a new reset on what that low is.

Face it, the entire government has gone bonkers for data and any excuse, be it terrorism, kids, mom, or apple pie will work.

When will enough actually be enough?

Anonymous Coward says:

Re: FIPS

Yes, you are right. This shines an ugly light on the emerging industry of corporate security hardening. In this industry, the security product gets an endorsement from the federal government. The company who wants to contract with the government must then use the security software which is endorsed by the government. This kind of debacle reveals how the entire security hardening industry is ultimately a cash grab, just like homeland security.

Anonymous Coward says:

Re: NSA denial

Some possibilities:
* The NSA only considers itself “aware” of information when that information has been distributed to all employees and contractors.
* They consider an exploit to be “made public” the first time they transmit it across the Internet.
* They consider it public when the vulnerable source code is posted.
* They knew about it, but not by the name “Heartbleed”.
* The vulnerability was discovered earlier by someone else and “published” on some obscure hacking forum.
* The Five Eyes use wilful blindness for deniability: another agency developed the exploit, and sometimes the NSA asks them to grab and share some data without revealing how they got it.
* The NSA knew about it and can’t come up with any semantic tricks to justify a denial, and they simply don’t care about lying.

FM Hilton (profile) says:

Interesting

Of course the NSA is going to deny that they knew about this flaw before it was ‘officially’ found. That’s a given.

But I find it rather doubtful that the most powerful spy agency in the world, with all of its varied resources, would not be privately aware of a vulnerability that would open up a technological nightmare; they’re supposed to be on the job for finding this kind of problem (defensive) and stopping hostile agents from using it against us.

We won’t talk about their efforts with various companies in opening up their source code and backdoors in the past. I mean, they weren’t looking for them and attempting to get them put in themselves?

Yes, it does seem a bit odd that they would not be the first to at least have heard about the problem in the beginning through private channels.

If that’s the case, they’re the most incompetent spy agency in the world.
