Would You Trust The NSA's Advice On How To Deal With Heartbleed?

from the didn't-think-so dept

Somewhat late to the game (by about a week), after the Heartbleed vulnerability was publicly revealed, and a few days after it was reported and denied that the NSA was already well aware of Heartbleed and exploiting it, the NSA has put out a one page PDF about Heartbleed. This seems like something of a too little, too late effort by the NSA to live up to its semi-promise of a “bias” towards revealing vulnerabilities over exploiting them. However, that leads to the simple question that plenty of people should be asking: given everything you’ve learned about the NSA recently (or, well, for years), would you trust the NSA’s advice on how to deal with Heartbleed? Not that I think the NSA would publicly suggest anything bad, but at this point, the NSA has a serious trust problem in convincing anyone engaged in computer security that they have their best interests in mind.

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Would You Trust The NSA's Advice On How To Deal With Heartbleed?”

Subscribe: RSS Leave a comment
Ninja (profile) says:

Short answer? No.

Long answer:

I would look at their paper and study the proposed fixes extensively before making my mind. So the answer is no, I would not trust them at all but I would not discard it either. I would compare it to News from FoxNews: you can use them as a starting point but you’ll only know if it’s true and sticks to real facts if you give it careful scrutiny.

PaulT (profile) says:

Re: Re:

Fox is probably a good comparison. Sometimes they might be telling you something truthful, even useful. But I wouldn’t trust them without having verified the information with independent alternative sources.

I wouldn’t reject everything they say outright, but I couldn’t trust them without extra research. If there are no independent sources, I’ll just assume they’re lying. So, I agree – short answer = no.

Anonymous Coward says:

Re: Re: Re:

Problem is that they blur the line between news and infotainment to the point it’s indistinguishable.

And even if their coverage is factually accurate, you know they’ll spin the hell out of it. EG: compare their coverage of the NSA scandals during Bush to Obama. You’ll see that they’re alot more OK with it if it’s ‘their guy’ calling the shots

Anon E. Mous (profile) says:

Trust the NSA? Who on earth could take anything the NSA has to say as truth or even good advice. The NSA it has been reported has been exploiting this flaw for over two years!!

Now they up and expect people and companies to take their advice??

I highly doubt after everything the NSA has been doing against friendly and non friendly governments and it’s own citizens that anyone would heed their advice.

Anonymous Coward says:

Re: Re:

Such a document coming from the alternate source you mention would doubtless be questioned because it comes from the USG and, after all, the USG is under the spell of the NSA.

Seems to me much too much paranoia about the NSA. Yes, there are some things that it has the capability of doing that raise peoples’ “pucker factor”, but all the conjecturing of what it “might” be doing, “could” be doing if it wished, etc. adds little of substance to the discussion. And for those who say “But…look at all the times it has broken its internal rules”, ponder this (never mind that most, if not all, are of virtually no significance). How many intelligence services worldwide have internal investigation arms and engage is self-reporting? We all should know that countries with intelligence capabilities engage, more or less, in many of the same types of activities associated with US intelligence agencies. Funny, but I do not see them beating themselves up as an ordinary part of their internal checks and balances as performed by our agency IGs.

The US system is far from perfect and should always be challenged to prevent it from overstepping its bounds, but so much of the debate I have been reading about makes it seem as if many will be satisfied only with the complete abandonment of intelligence gathering activities.

Anonymous Coward says:

Looking at the document, it has taken them a week to republish public information, available when the story broke. This could be due to one or more of the following:=
1) Finding an image, and formating the document, after cutting and pasting from public sources, took a lot of effort.
2) The exchange of memos to get permission to republish public information took a lot of time.
3) All targets of interest have fixed the problem, and the exploit is of no further interest to them.

Anonymous Coward says:

Contrary to everybody else I fully trust the NSA.

I firmly and fully believe that the NSA is going to screw me at every opportunity and in every way possible is their sick drive to establish the ultimate in totalitarianism with only elitists from the great Ivy League hate schools as directors in a system more controlling than the worst than the most barbarity than any that every existed in the past with a morality equivalent of Stalinist Russia, Mow’s China, and Pole Pot’s Cambodia and all this done in the name of racial equality, women’s rights, and sexual freedom whose participants are logged, recorded, and categorized for re-education in typical North Korean, Soviet, or Chinese style communist gulag extermination camps.

Coogan says:

Greetings, citizen. The NSA is concerned that the latest Heartbleed vulnerability circulating around the Internet (aka, “the Web”, “the Net”, “Google”) is exploiting the computers and mobile devices of the American populace. As such, the security experts at the NSA have come up with some best practices all Americans can apply to keep themselves from falling victim to any nefarious Al-Qeada, Russian, or alien schemes.

1. Turn off any firewalls, intrusion detection/prevention, and anti-virus programs. These applications are being actively exploited by this vulnerability and, if infected, can cause grave harm to your computer. There have even been reports of entire houses being burned to the ground when Heartbleed mixes with ZoneAlarm. Additionally, many of these programs are open-source, meaning that terrorists could easily modify the application code to accomplish their own anti-American goals, such as draining your bank account and turning your pets and/or children gay.

2. Change your DNS settings to point to boris.nsa.gov and natasha.nsa.gov. These are the NSA’s highly secure DNS servers. Your privacy is of the utmost importance to the NSA. By default, all DNS queries will be logged on super-secret systems housed in concrete bunkers buried 200 meters below the Arizona desert. To opt-out of this and request that none of your queries be logged, send a postcard with your return address to “DNS OPT-OUT, Box 42, Langley, VA” (no quotes). An agent will personally contact you to make arrangements for an in-home visit. Please leave your door unlocked.

3. Contact your federal representatives and request that more funds be provided to the NSA in order to protect Americans and American interests both at home and abroad. What good are free school lunches, libraries, and homeless shelters if terrorists are raining hellfire and releasing locusts with herpes across the United States heartland? This additional funding will go towards capturing terrorists, seizing their assets, and shuttering their propaganda websites such as Fox News, The Guardian, and TechDirt.

These tips have been provided as a courtesy by the United Stated National Security Agency. Remember: Be Safe. Be Smart. Don’t be afraid to report your fellow citizens to your local law enforcement agency if you see something suspicious, such as taking our the trash (they could be disposing of terrorists materials and/or correspondence) or leaving for work (building missiles, mixing anthrax, or visiting a mosque).

Anonymous Coward says:

Dragnet surveillance was a retarded move by the NSA

It’s way worse than “not trusting the NSA”. People don’t trust the US government because they are corrupted completely by “special interests”.

The NSA are the retarded victims of it too. If they focused on targeted surveillance then there wouldn’t be any complaints so long as it was justified targeting. They focused on dragnet surveillance because some company said they could spy on us all and won a government contract (x1000 instances)… but people inevitably found out.

The fucking idiots at NSA should have done their job and provided security against those contractors who wanted to break laws for multi-billion contracts.
Now EVERYONE must use good encryption, NSA-Proof their systems and services. DOH!

Make software/systems more secure than they need to be because the NSA are retarded and could be working for McDonalds if some corrupt politician wanted to say thanks for some bribes.

Anonymous Coward says:

I sincerely hope that everyone here remembered that one of the NSA’s known tools is a 0-day exploit that lets them take complete control of computers running Adobe Acrobat Reader.

I have no idea whether that PDF is safe or not, and I’m pretty sure I don’t even have Acrobat Reader on this computer (I use Sumatra PDF), but you couldn’t PAY me to download that PDF file.

Jerrymiah (profile) says:

at this point, the NSA has a serious trust problem in convincing anyone engaged in computer security that they have their best interests in mind.

Fucking no. I wouldn’t trust anything that Obama’s Fourth Reich has to say about this. They have been screwing the software industry four years now and are not ready to stop. Why do you think that Sun’s Java has had such a hard times for at least 20-25 years to have that application free of bugs and back doors and everytime it come up with an upgrade they believe will work and broken into as soon as it is released. Same thins with Adove products (ie Shockwave and Flash Player). The Fourth Reich are master at screwing peoples. Fuck them.

PaulT (profile) says:

Re: at this point, the NSA has a serious trust problem in convincing anyone engaged in computer security that they have their best interests in mind.

“They have been screwing the software industry four years now”

“Why do you think that Sun’s Java has had such a hard times for at least 20-25 years”

You don’t see the contradiction here?

But, hey, just place the blame at the most convenient target and whine about him. Nothing else that happened in the past could possibly have led to the current situation, certainly nothing done by previous administrations! No, it’s just this one guy, nobody else would possibly have done this, and it would never had happened if the other guys had won!

“Why do you think that Sun’s Java has had such a hard times”

Because it’s no longer owned by Sun, a company that no longer exists? Because the company that now owns them, Oracle, has a poor record of providing patches, at one time refusing to release urgent fixes in favour of trying to force Java into a quarterly update system that’s woefully inadequate for this kind of software? Because Java has some inherently insecure design faults going back to its inception – something that’s now admitted and has forced Java to disable some functionality that were once considered it’s main selling points (e.g. browser applets)? Because OS manufacturers – especially Microsoft – have gotten so good at securing their OSes that it’s now browser plugins and not the OS itself that represent the best way to compromise a system, and people who wish to do so will use the easiest point of entry?

No, it’s all Obama. Of course it is. whatever helps you find an easy target instead of dealing with that complicated reality stuff.

Anonymous Coward says:

Re: at this point, the NSA has a serious trust problem in convincing anyone engaged in computer security that they have their best interests in mind.

You seem like an irrational Obama hater.
Something tells me that if Obama wanted to shut down the over-broad NSA spying programs you would be pissed at Obama.
Well at least you aren’t complaining about the non-scandals like Libya and IRS etc.. So I’ll give you credit for having a valid reason…. this time.

Also… Sun Java is full of bugs because of what Java is. It’s an interpreted language that gets nearly, full OS level access.

Of fucking course it’s going to get security bugs.
Java isn’t virtually sandboxed like “javascript in your browser” is ffs. Java is like a “virtual OS” running on your box with nearly unlimited access to your real OS.
Of fucking course it’s going to get security bugs….by nature of what Java is.

DannyB (profile) says:

Yes, I would trust the NSA completely

The NSA has your best interest in mind.

The NSA would like you to download and install this national security protection software onto your computer. It is a good idea. And it is for your protection. (Sort of like how Macrovision Quality Protection is for your protection somehow?)

But it reminds me of an old subliminal message:

is your friend
trust the NSA

Or: the NSA is mother, the NSA is father

Guardian says:

RCMP fed fbi of canada asked CRA not to divulge SIN number thefts

and if you think there isnt weird shit regarding the heartbleed bug


and they quickly closed comment son this….its embarrassment for all the govt cause they know about it and were like the nsa stealing peoples identity for abuise all themselves.

fucking govt’s time to take back fucking democracy

and its fucking snowing in mid april?????


Mike Gale (profile) says:

Why are they doing this will it work?

They are presumably doing this as PR to say that they are trying to fulfil the seemingly ignored part of their brief.

Given that the public (and many private) announcements are perceived as being devoid of truth they have a long way to climb back into the light of public approval.

This is a distraction. The real issue is splitting the organisation. The Public Protection section cannot be the same as the Attack the Public section.

At the end of the day we need some of what they do, we just need a return or morality and balance.

It’s a long, long road out of Hell, for these guys.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...