Google Apparently Chose Not To Tell The NSA About Heartbleed

from the trust-issues dept

Well, this is interesting. I naturally assumed that when the various researchers first discovered Heartbleed, they told the government about it. While I know that some people think this is crazy, it is fairly standard practice, especially for a bug as big and as problematic as Heartbleed. However, the National Journal has an article suggesting that Google deliberately chose not to tell the government about Heartbleed. No official reason is given, but assuming this is true, it wouldn’t be difficult to understand why. Google employees (especially on the security side) still seem absolutely furious about the NSA hacking into Google’s data centers, and various other privacy violations. When a National Journal reporter contacted Google about the issue, note the response:

Asked whether Google discussed Heartbleed with the government, a company spokeswoman said only that the “security of our users’ information is a top priority” and that Google users do not need to change their passwords.

Here’s the thing: if the NSA hadn’t become so focused on hacking everyone, it wouldn’t be in this position. The NSA’s dual offense and defense role has poisoned the waters, such that no company can or should trust the government to do the responsible thing and help secure vulnerable systems any more. And for that, the government only has itself to blame.


Comments on “Google Apparently Chose Not To Tell The NSA About Heartbleed”

Anonymous Coward says:

Re: Hypothetical...

What if Google reports it to the gov, and the gov then turns around classifies the info and forbids Google from disclosing it?

Lettre de cachet

Lettres de cachet (French pronunciation: [lɛtʁ də kaʃɛ], lit. “letters of the sign/signet”) were letters signed by the king of France, countersigned by one of his ministers, and closed with the royal seal, or cachet. They contained orders directly from the king, often to enforce arbitrary actions and judgments that could not be appealed…

See also
– National Security Letter

“orders directly from the king, often to enforce arbitrary actions”

Anonymous Coward says:

Re: Re: Re: Every time I see...

Quote: “Google can’t imprison, torture or execute me. I could put up with customised ads…”

The problem is that the ads leak data to the advertisers. Imagine an insurance company hiring a campaign among people with a high-risk medical condition. Boom, you don’t get that life insurance policy anymore.

Google can’t imprison but they can lead to life sentences.

Pragmatic says:

Re: Re: Re:2 Every time I see...

Assume you’re right, AC @3.28am.

How would Google know, unless they’re scanning the content of your emails to discover whether you’re merely curious about brain tumors or actually have one?

Now imagine the number of staff they’d have to hire to get human eyes on the email content that mentions high-risk medical conditions so they can pick out the ones that mention a person actually having one, then pass it on to the HR dept. of an insurance company.

Hold that thought: the much-maligned ACA FORBIDS insurance companies to refuse cover for pre-existing conditions. For all its faults, that’s one thing it does. Getting rid of it would bring back the risk of refusal.

Can we please stop the dog-whistle cries of “Socialism!” over the ACA? The origin is from industry shills who don’t want to pay out to people who actually need care. They’re in business to make a profit, not to help us. “The Market” doesn’t have the solution to this because there’s no profit in it.

David says:

Re: Re: Re:3 Every time I see...

Taking money by force from people who earn it honestly and transferring it to those who claim to need it IS socialism. The means of production in the medical industry are certainly being more and more commandeered by government.

That the much-maligned ACA prohibits insurance companies from refusing insurance to those with pre-existing conditions is one of many reasons to malign it. That kind of provision is a violation of the individual rights of the persons offering a service. If an employer “needs” my labor but I don’t want to give it to him, does he have a right to draft me into his service simply because he professes a need? No one has a “right” to enslave anybody else, regardless of how much he “needs” to enslave that person.

vaughan says:

Re: Re: Re:4 Every time I see...

“Taking money by force from people who earn it honestly and transferring it to those who claim to need it is socialism.”

Then you really do not understand Marx at all because you are so wrong there! What you are describing is the warped sense of socialism that the capitalists push onto everyone since birth so people think socialism is a bad thing, when in actual fact, Marxist socialism can actually work, but people will need to unlearn all the capitalist propaganda that has been drilled into them for hundreds of years, which has manipulated them into becoming slaves to capitalism & money.

And don’t give me any crap that socialism has been tried & tested and doesn’t work. There has never ever been a true Marxist socialist government on this planet EVER! Russia was never communist; sure, Lenin called his party communists, but he never implemented any Marxist ideas at all. The communism you know is not the communism that Marx theorised.

Russia was state capitalist from the get-go, not Marxist!

vaughan says:

Re: Re: Re:5 Every time I see...

“Taking money by force from people who earn it honestly and transferring it to those who claim to need it is socialism.”

Let’s also take this concept and put it in the spotlight on what is actually happening under democracy and capitalism.

The Fed (a private company) issues currency and charges interest on it, then gives that currency to the Treasury, and the Treasury gives them bonds (repayable with interest).

So you work, you earn your money honestly, and the IRS (another private company acting on behalf of the Fed) then takes that hard-earned money from you and gives it back to the Fed. Meanwhile, the Fed cashes in their bonds and gets paid interest on them in return for that so-called tax money, which they then loan out to the private banks again, who repay them with interest. The gov then borrows more & the cycle repeats.

So your honestly earned money is taken from you and given back to a private company, and you pay for it to be taken from you. So under capitalism, your money is given to private companies, and not the needy. And you think giving to the needy is unfair?

John Fenderson (profile) says:

Re: Re: Re:4 Every time I see...

“Taking money by force from people who earn it honestly and transferring it to those who claim to need it IS socialism.”

If that is the case, then the only form of government that has ever existed is a socialist government. That makes the term “socialist” an effectively meaningless one, since it can’t be used to draw distinctions.

Which is pretty close to the truth of how the word is used nowadays, now that I think of it — an effectively meaningless insult that is thrown at anything the person using the term doesn’t like.

Anonymous Coward says:

Re: Re: Re:4 Every time I see...

Lots of people claim things; it’s not socialism when an Office of X Country Bureaucracy decides whether one gets something or not.

If only that ACA gave health responsibility to provinces like up here: 1) the state-wide-only servers wouldn’t be overloaded like that federally centralized fiasco; 2) people would feel like they have more power over state tax/money since “state” is one step closer to them than the big bad faceless Federal Government.

There’s a lot of things I’d change in Canada, like British parliamentarism; give me a republic with proportional voting for different parties and I’d really like it here, cos Canada is not a centralized federation but a Confederation.

Hint hint at Ukraine: just do that and your ridiculous infighting between brothers would be over.

FrancisChalk says:

Re: Re: Re:3 Every time I see...

What planet have you been living on? The medical industry–doctors, insurance, hospitals, equipment makers, etc.–has been fabulously profitable. There is massive profit in “The Market”, as you call it. The ACA is about one thing and one thing ONLY: gaining control over people’s health and therefore control over their lives. It’s straight-up Socialism of the USSR brand. Of course the insurance industry is on board and wants to profit as best they can; they have no choice in a government takeover.

Anonymous Coward says:

Re: Re: Re:4 Every time I see...

Oh yeah, up here in Canada we call it a single-payer system; it’s better. May the experiment in Vermont show you all. Health of citizens falls into the same thing taxes are for: infrastructure that would be too complicated in your populous country, like roads and libraries, where some dickheads would refuse to pay tax for such essentials; a state of me-myself-and-I anarcho-capitalism would ensue and there would be mass riots. You guys are already real close to embracing anarcho-capitalism; I bet you’d be one of the first ones to complain that there’s potholes everywhere, which could cause physical injury that nobody would be pitching in to help with.

Individualism only goes so far, I’m very individualist but I’m realist that some things have to be socially organized or chaos and evil ensues.

p.s. what about all those Americans who drive/fly to Canada so they can fly to Cuba (we don’t stamp Americans’ passports when they go there) to get A-1 class medical surgeries? Cuba is close to being the only communist experiment that worked, it would be extremely successful if the US got rid of that childish embargo on them.

Familiar with the Human Development Index? It’s made of other indexes; Cuba, last time I checked (maybe a year or 2 ago), was equal at #1 for Medicine with 5 or 6 countries (equal index ratings). They’re also way up there education-wise. Have you ever seen a documentary about real Cubans, not those in Florida who are ultra-nationalist right-wingers? Those people all help each other repair each other’s household items, houses, even roads… This guy had a remote for a TV but there was a piece broken in it; he just paid visits to his neighbours, where nobody locks their doors and people will talk to you even if you show up there asking if they can help you fix that TV remote. It took him a few days before finding someone who could do it, but the social fabric there isn’t sick beyond repair like in “the west”.

Also, this guy’s house had serious need of repair because rain would accumulate in the apartments on top. Everyone who wanted to (a lot) in the neighbourhood helped them. I know people who were so deep in debt here who had a similar problem: water would go through the attic and into their tenants’ apartments upstairs. They had to sell the house, and good luck just walking around the neighbourhood trying to find people to help you fix it for free (it was definitely a multiple-people job). Nah, here people all distrust each other and everyone locks their door during daytime.

I wonder what is healthier of a society….just kidding I don’t.

Indy says:

No requirement to change passwords?

Why would users not need to update their passwords when Google silently fixed it themselves, and the assumption that the NSA (or other organization) had access for years is a safe one to make?

Google also didn’t ask users to change passwords for the Gaia breach, to their very password infrastructure, so I guess this behavior is consistent. Asking users to change passwords would incite more panic and bad press than the few accounts that may actually be impacted.

John Fenderson (profile) says:

Re: Re: No requirement to change passwords?

Not a good reason at all. First, due to the nature of the exploit, it’s incredibly difficult to determine if it was actually used. No trace is left, no red flags appear in any logs, etc. The only way to tell is through inference. Second, there have been a number of breaches that imply Heartbleed was successfully used.
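The comment above concerns what a server's own application logs show, which is nothing. The one place Heartbleed did leave a signal was on the wire: a TLS heartbeat record whose declared payload length is larger than the bytes the record actually carries, which RFC 6520 says a receiver must discard. The following is an added example, not code from the article or any commenter, of the network-side check that IDS signatures of the time keyed on. It parses TLS records and flags heartbeat records whose declared payload cannot fit in the record. All inputs are constructed inline; the byte layouts follow the TLS record and RFC 6520 heartbeat formats, and `build_record`/`build_heartbeat` are helpers written here only to produce sample traffic.

```python
"""Defensive detector for malformed TLS heartbeat records (added example)."""
import struct

TLS_HEARTBEAT = 24      # TLS ContentType value for heartbeat messages (RFC 6520)
HEARTBEAT_REQUEST = 1   # HeartbeatMessageType: request
PADDING_MIN = 16        # RFC 6520 requires at least 16 bytes of random padding


def parse_tls_records(data: bytes):
    """Split a byte stream into TLS records.

    Returns a list of (content_type, version, body, truncated) tuples. A record
    whose header promises more bytes than the stream holds is marked truncated
    rather than silently dropped, so the caller can still report it.
    """
    records = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        records.append((ctype, version, body, len(body) < length))
        offset += 5 + length
    return records


def check_heartbeat(body: bytes):
    """Return a reason string if a heartbeat body is malformed, else None.

    Layout (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16).
    The defect Heartbleed exploited is a payload_length larger than the bytes
    actually present; a compliant receiver must discard such a message.
    """
    if len(body) < 3:
        return "heartbeat body shorter than its 3-byte header"
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    available = len(body) - 3
    if payload_len + PADDING_MIN > available:
        return (f"declared payload {payload_len} bytes but record carries only "
                f"{available} bytes after the header (incl. >={PADDING_MIN} padding)")
    return None


def scan(data: bytes):
    """Run the heartbeat check over a byte stream; return [(record_index, reason)]."""
    findings = []
    for idx, (ctype, _version, body, truncated) in enumerate(parse_tls_records(data)):
        if ctype != TLS_HEARTBEAT:
            continue  # handshake, alert and application-data records are not of interest here
        if truncated:
            findings.append((idx, "heartbeat record truncated on the wire"))
            continue
        reason = check_heartbeat(body)
        if reason:
            findings.append((idx, reason))
    return findings


# --- helpers used only to construct sample traffic for this example -----------
def build_record(ctype: int, version: int, body: bytes) -> bytes:
    return struct.pack("!BHH", ctype, version, len(body)) + body


def build_heartbeat(payload: bytes, declared_len=None, padding=b"\x00" * PADDING_MIN) -> bytes:
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + padding


# Constructed sample stream: a handshake record, a well-formed heartbeat and a
# heartbeat whose header claims 16 KiB of payload while carrying one byte.
SAMPLE = (
    build_record(22, 0x0303, b"\x01\x00\x00\x00")
    + build_record(TLS_HEARTBEAT, 0x0303, build_heartbeat(b"ping"))
    + build_record(TLS_HEARTBEAT, 0x0303, build_heartbeat(b"x", declared_len=0x4000))
)

if __name__ == "__main__":
    for record_index, why in scan(SAMPLE):
        print(f"record {record_index}: {why}")
```

Running the module prints one finding, for the third record. The check inspects only record framing, so it works on a passive capture and needs no access to the endpoint's logs, which is exactly the gap the comment describes; it does not tell you whether a flagged request succeeded in leaking memory, only that a malformed heartbeat reached the server.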

Chronno S. Trigger (profile) says:

I don’t know how I feel about this. I understand fully why they didn’t inform the government, but this was a huge thing, they probably still should have.

I guess there’s one bit of information that would change my mind. Who was it that first broke the news about Heartbleed? Did Google just skip the government and go straight to the public? If they did that, then I’m right there with them. If they kept it secret, then I’m glad I just changed my passwords.

John Fenderson (profile) says:

Re: Re:

Neel Mehta of Google Security discovered the flaw on March 21st. They created a patch for OpenSSL on the same day. Google submitted this patch for inclusion to OpenSSL, simultaneously distributed the patch file to some major distros such as Red Hat, and applied it to their own servers.

On or before March 31st, CloudFlare gets the patch file and applies it. They blogged about it, giving the first public notice of the problem.

April 1, Google notifies the OpenSSL team of the vulnerability.

So, Google didn’t immediately go directly to the public, but did immediately go to the major players. This is actually the right way to do it — give the major vectors a chance to patch things up before making the world (and all the bad guys) aware of the vulnerability.

It took 10 days from the time of discovery to the time the world was notified, and they had the fix already in hand when they did so. Google did good on this.

Anonymous Coward says:

Re: Between the lines...

Of course the NSA knew about Heartbleed.

Consider: if you’re the NSA, and you’re willing to ignore the Constitution and the law and Congress and the Courts and anyone and everything else in search of as much data as you can possibly acquire, then why wouldn’t you tap the email, phones etc. of security researchers?

You know that they talk to each other. You know who they are. You know that they often seek each other out for peer review or to aid in dissemination of information. You know that they have a far better chance than nearly anyone else of uncovering security flaws. And so you know that every once in a while, a really useful bit of information is going to get picked up.

(This is presuming that the NSA didn’t know years ago, which I think is far more likely.)

tracyanne (profile) says:

Interesting points to note here

1. Google seems pretty certain the NSA never used Heartbleed against Google, which if true probably means they didn’t know about it. Low probability, I know.

2. Given that the NSA has been using information fed to its defence arm to inform its offence arm, even if the US Government were to split the two arms into separate organisations, it’s unlikely anyone could or should trust a new separate defence organisation not to pass information to the offence organisation.

And three, the journalist who wrote the article can’t frigging spell.

Robert says:

Google’s focus is on securing its system. Under insane psychopathic management, the NSA’s focus is on breaking systems. Why would Google discuss anything at all with the NSA? In fact it should take every possible precaution to secure its security information from the NSA, to the point of dismissing any employees with suspected connections with the NSA.

non-googler says:

poetic justice

“Google employees (especially on the security side) still seem absolutely furious about the NSA hacking into Google’s data centers, and various other privacy violations.”

I found this part funny.

Google violates the privacy of billions of Internet users on a systematic basis: all is OK. No one has the right to complain.

The NSA breaks into Google datacenters: this privacy violation is unacceptable.


Anonymous Coward says:

Re: poetic justice

There is a difference between software seeing a mention of machine guns, whilst doing historical research and Google trying to show adverts from gun shops, and NSA seeing the same, and notifying the police who send a swat team through your door because somewhere else you were researching where the president goes for his holidays.
