UPDATED: NSA Denies Claims That It Knew About Heartbleed And Did Nothing

from the well-that's-comforting dept

Update: The NSA has denied the Bloomberg report, briefly stating that the agency "was not aware of the recently identified Heartbleed vulnerability until it was made public." We'll continue to update as more information emerges.

The internet is still reeling from the discovery of the Heartbleed bug, and yesterday we wondered if the NSA knew about it and for how long. Today, Bloomberg is reporting that the agency did indeed know about Heartbleed for at least the past two years, and made regular use of it to obtain passwords and data.

While it's not news that the NSA hunts down and utilizes vulnerabilities like this, the extreme nature of Heartbleed is going to draw more scrutiny to the practice than ever before. As others have noted, failing to reveal the bug so it could be fixed is contrary to at least part of the agency's supposed mission:

Ordinary Internet users are ill-served by the arrangement because serious flaws are not fixed, exposing their data to domestic and international spy organizations and criminals, said John Pescatore, director of emerging security trends at the SANS Institute, a Bethesda, Maryland-based cyber-security training organization.

“If you combine the two into one government agency, which mission wins?” asked Pescatore, who formerly worked in security for the NSA and the U.S. Secret Service. “Invariably when this has happened over time, the offensive mission wins.”

There is, in fact, a massive hypocrisy here: the default refrain of NSA apologists is that all these questionable things they do are absolutely necessary to protect Americans from outside threats, yet they leave open a huge security hole that is just as easily exploited by foreign entities. Or consider the cybersecurity bill CISPA, which was designed to allow private companies to share network security information with the intelligence community, and vice versa, supposedly to assist in detecting and fixing security holes and cyber attacks of various kinds. But, especially after this revelation about Heartbleed, can there be any doubt that the intelligence community is far more interested in using backdoors than it is in closing them?


Reader Comments


  1.  
    Anonymous Coward, Apr 11th, 2014 @ 12:32pm

    I still think that "bug" was purposefully introduced by the NSA.

    They have quite a (by now documented) history of infiltrating and sabotaging security solutions.



  2.  
    Anonymous Coward, Apr 11th, 2014 @ 12:35pm

    Never forget what was in one of the Snowden leaked presentations:

    "consumers and other adversaries"



  3.  
    Anonymous Coward, Apr 11th, 2014 @ 12:41pm

    From the linked article:

    “They actually have a process when they find this stuff that goes all the way up to the director” of the agency, Lewis said.

    Of course it does.



  4.  
    Anonymous Coward, Apr 11th, 2014 @ 12:46pm

    And that's the end of SELinux

    Or it should be, at least. There's no way we can ever trust so much as a single line of code from the NSA ever again.



  5.  
    Anonymous Coward, Apr 11th, 2014 @ 12:49pm

    not bad for a government law enforcement agency that is supposed to be charged with looking after the USA and its citizens, even if it doesn't care about anyone else!



  6.  
    Anonymous Coward, Apr 11th, 2014 @ 12:50pm

    Fuck NSA.



  7.  
    That One Guy (profile), Apr 11th, 2014 @ 12:51pm

    Conflict of interest anyone?

    This is what happens when you mix defensive and offensive goals under the same agency: the idea of defense by fixing the problem goes clean out the window in favor of offense by utilizing the problem.

    In regards to the idea that the NSA was the cause of the problem, at this point I'd say that's meaningless; if they knew about it and not only did nothing, but actively used it, then they're just as guilty as if they had introduced it themselves.



  8.  
    Anonymous Coward, Apr 11th, 2014 @ 12:55pm

    Re: Conflict of interest anyone?

    NSA probably has the best fuzzing tools available, and the collections of computers to allow them to do a lot of fuzzing on lots of programs in their own labs.



  9.  
    Anonymous Coward, Apr 11th, 2014 @ 1:05pm

    Let's throw the CFAA at them.



  10.  
    Chronno S. Trigger (profile), Apr 11th, 2014 @ 1:11pm

    They knew about this "at least the past two years"? Wasn't this flaw introduced two years ago?

    If one person can do it, many can. How many others found this bug and used it while the NSA was sitting on their thumbs?



  11.  
    PRMan, Apr 11th, 2014 @ 1:25pm

    Re:

    Government agents are specifically exempt, don't you know?



  12.  
    Anonymous Coward, Apr 11th, 2014 @ 1:28pm

    Re:

    "sitting on their thumbs"? Oh no, I think not. I'm sure they were quite busy with it, e.g., http://arstechnica.com/security/2014/03/nsa-hacker-in-residence-dishes-on-how-to-hunt-system-admins/



  13.  
    Anonymous Coward, Apr 11th, 2014 @ 1:31pm

    The NSA is a terrorist organization.



  14.  
    That One Guy (profile), Apr 11th, 2014 @ 1:32pm

    Re:

    Impossible, obviously only the certified geniuses at the NSA could ever take advantage of security holes like this, or any of the other weaknesses that the NSA intentionally creates, so letting a security hole like this exist so they can exploit it, and/or creating other security holes to make their jobs easier, in no way would ever allow other people/agencies to compromise affected systems.

    /s



  15.  
    Anonymous Coward, Apr 11th, 2014 @ 1:35pm

    Re: Re: Conflict of interest anyone?

    And I'm sure the "funding" would lean heavily toward the offensive side for the development and use of those tools - leaving the defensive side pretty much useless for actually protecting anyone anyway.



  16.  
    Anonymous Coward, Apr 11th, 2014 @ 1:36pm

    possibly the NSA didn't know about it but are claiming to so that it will make "the terrorists" afraid, and waste their resources redoing their own technology



  17.  
    Anonymous Coward, Apr 11th, 2014 @ 1:42pm

    Re:

    "possibly the NSA didn't know about it but are claiming to so that" .... they preserve the myth of their all-knowing superiority in their own megalomaniacal brains. Heaven help all those high paid experts if they missed something in plain sight. Can't have that, funding might be cut.



  18.  
    sehlat (profile), Apr 11th, 2014 @ 1:44pm

    Binary Evaluation Set

    Either:

    The NSA is lying and they actually failed to find the flaw, despite the fact that probing for buffer overruns is Hacking 101.

    Result: They are too incompetent to protect us from the real threats.

    The NSA is telling the truth and they spent two years knowing about a serious security flaw in the infrastructure of the internet, may have exploited it, and certainly failed to report it to the nation and enable us to protect ourselves.

    Result: They committed treason.

    Pick one.



  19.  
    Anonymous Coward, Apr 11th, 2014 @ 1:44pm

    Re:

    Ah yes, great plan: piss off the entire world to scare a few terrorists.

    No, that's just not how they work - they'd rather keep it a secret, given their history of coverups and secrecy.



  20.  
    Anonymous Coward, Apr 11th, 2014 @ 1:46pm

    Re: Binary Evaluation Set

    I'm going to go with #2 - but I know they'll never be accused or convicted of treason, so it's an easy one to choose.



  21.  
    Anonymous Coward, Apr 11th, 2014 @ 1:48pm

    Re:

    Eventually you'll come to realize that the U.S. government itself is the terrorist organization here, and the NSA is just one of their tools.



  22.  
    Anonymous Coward, Apr 11th, 2014 @ 1:51pm

    Interesting how that ties in with previous reporting

    See http://www.bankinfosecurity.com/report-nsa-circumvented-encryption-a-6045 from September 2013 which reads in part:

    Bruce Schneier, a widely followed cryptography expert, author and blogger, characterizes the revelation as explosive. "Basically, the NSA is able to decrypt most of the Internet," he writes in his blog. "They're doing it primarily by cheating, not by mathematics. ... Remember this: The math is good, but math has no agency. Code has agency, and the code has been subverted."

    According to the news report, some of NSA's most exhaustive efforts have concentrated on encryption widely used in the United States, including Secure Sockets Layer, virtual private networks and the protection used on fourth generation smart phones.


    Note the explicit mention of SSL as well as Schneier's comment that they're decrypting most of the Internet.



  23.  
    Dennis F. Heffernan (profile), Apr 11th, 2014 @ 1:54pm

    Swipe at Open Source

    Personally I liked their little attack on open source software:

    "The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development."

    and

    "While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects."

    Let's remember though that while open source developers may have introduced Heartbleed by accident, they also revealed it when they found it. The NSA, by contrast, exploited it even though it was their duty to reveal it. And when the commercial developers at RSA introduced a security flaw, it was deliberate because they were *PAID* to do it.



  24.  
    Anonymous Coward, Apr 11th, 2014 @ 1:54pm

    Previously they claimed that they only kept vulnerabilities to themselves if they thought they were only the ones with the resources to exploit them. Clearly that was yet another lie since Heartbleed is exploitable by anyone.



  25.  
    Anonymous Coward, Apr 11th, 2014 @ 1:56pm

    If this is true...

    The last few days have been devastating to the NSA... as holes are being closed, private keys and certs are being recreated, and users' passwords are being changed worldwide - most of their goodies are dissolving slowly.

    The "bad guys" were probably the first to act on the news of this exploit, as they probably have the most to lose - so any pilfered passwords or keys that the NSA has already collected from them are probably junk now.

    On the bright side, maybe the internet will "speed up" as the NSA will stop pounding against servers worldwide siphoning off the data that they've had unfettered access to for 2 years now.



  26.  
    Anonymous Coward, Apr 11th, 2014 @ 2:01pm

    Re: If this is true...

    The scariest part of this is not that the NSA had access -- although that's bad enough.

    The scariest part is not that other intelligence agencies might also have had access -- although that's worse.

    The scariest part is that there exist criminal organizations on this planet with the financial and personnel resources to get in on this game too. There are some enormous operations that involve the fusion of organized crime with extremely smart highly-skilled technical people -- the prototype of which was the Russian Business Network. These organizations are smart enough, rich enough, and clueful enough to exploit this.



  27.  
    Anonymous Coward, Apr 11th, 2014 @ 2:04pm

    As was surmised all along, the NSA purposely sets up bugs or knows of them and doesn't reveal them to take advantage. Either way makes internet users far less secure. Microsoft was, what you could say, 'busted' over notifying the NSA of zero day bugs and then not fixing them for long spans of time.

    This story just keeps going. It seems to have the legs of a giraffe. Every time you think they couldn't possibly sink lower, you get a new reset on what that low is.

    Face it, the entire government has gone bonkers for data and any excuse, be it terrorism, kids, mom, or apple pie, will work.

    When will enough actually be enough?



  28.  
    Anonymous Coward, Apr 11th, 2014 @ 2:07pm

    Re: Swipe at Open Source

    I would assume that they have a backdoor in the proprietary solutions, and want people to move to these, so that they keep their spying capabilities.



  29.  
    Jim, Apr 11th, 2014 @ 2:08pm

    Re: Swipe at Open Source

    The commenters over at Ars Technica have been ganging up on anyone saying anything negative about the Open Source community, by negative voting those comments into blocking & moderation, often without giving factual rebuttal. It's interesting to see that here, where there's a little freer commenting setup, the potential NSA/Open Source connection is more openly talked about.

    Obviously, tech observers are coming to the obvious conclusion that there's a bit of a smoking gun here. And Open Source people doth protest too much, methinks.

    Clearly, this incident is showing that Open Source software is no panacea in The Battle to Save the Internet (minimal hyperbole intended). The community is going to seriously have to up their game in terms of code openness, oversight, and review, if they want to be taken seriously, from now on...this screw-up was that bad.



  30.  
    Anonymous Coward, Apr 11th, 2014 @ 2:08pm

    Can't wait to hear the NSA's usual mouthpieces try to spin THIS one.

    "Anyone who complains about their banks being vulnerable to hackers is a sissy! Either man up or start keeping your money in your mattress."

    (Hey, any bank CEOs out there? You're not getting your lobbying money's worth. Just saying.)



  31.  
    John Fenderson (profile), Apr 11th, 2014 @ 2:10pm

    Re: Re: If this is true...

    I dunno. I think the NSA having access is worse than the other two groups.



  32.  
    Anonymous Coward, Apr 11th, 2014 @ 2:20pm

    The problem with the NSA's denial is that they are proven liars, and have every incentive to lie about this.



  33.  
    Anonymous Coward, Apr 11th, 2014 @ 2:21pm

    Re: Re: Swipe at Open Source

    No, open source isn't a panacea: it's necessary, but not sufficient.

    I've said that for years. Decades, actually. Open source allows us to play the game, it doesn't guarantee that we'll win it. We clearly need to think about how this went wrong -- whether or not it was deliberate sabotage -- and we need to figure out how to prevent similar failures in the future.

    One thing that would sure help would be if all the major sites that rely on this code kicked in a few bucks to support it. $100K is chump change to most of them, but if they all kicked just that tiny amount in, there would be enough funding to put half a dozen people to work on OpenSSL full time and to have the code audited and to have it extensively tested by fuzzers. (Let me note in passing that these operations are spending WAY more than $100K cleaning up this mess. So it would be cost-effective as well as very cheap.)



  34.  
    Anonymous Coward, Apr 11th, 2014 @ 2:21pm

    Re: Re: Swipe at Open Source

    "The community is going to seriously have to up their game in terms of code openness, oversight, and review,"

    It is interesting that even corporations who PAY people to work on open-source projects didn't find this (and presumably other problems yet to be uncovered). It is asking a great deal of volunteers to work on this type of project if nobody is feeding them or paying their mortgage. One of the biggest problems has always been the lack of strong technical management for many open-source projects. I would do it but I also need to eat.



  35.  
    That One Guy (profile), Apr 11th, 2014 @ 2:29pm

    Re:

    Yeah, at this point I'd say the only people likely to believe their denial are those that have been supporting them this whole time no matter what (Feinstein and Rogers for example); to anyone not wearing 'The spy agencies can do no wrong' blinders the NSA has zero credibility, and they've only got themselves to blame.



  36.  
    Lifeform (profile), Apr 11th, 2014 @ 2:30pm

    Re: Re:

    Except that it does apply to government agencies. Brennan admitted that the CFAA applies to the CIA.

    http://www.wyden.senate.gov/news/press-releases/brennan-letter-to-wyden-acknowledges-that-cfaa-applies-to-the-cia



  37.  
    John Fenderson (profile), Apr 11th, 2014 @ 2:58pm

    Re: Re: Re: Swipe at Open Source

    "I've said that for years. Decades, actually."

    Me too. And, truthfully, only a small percentage of OSS folks have ever said otherwise (and they're the kind of zealots that exist everywhere and should be disregarded.)

    However, the attacks on "open source" that we're seeing now are intimating that there is something about open source that makes it more dangerous to use than closed source, and heartbleed is somehow the proof of this. That's 100% industrial-grade bullshit.

    Open source and closed source software are roughly equally error-prone. The history of closed-source software contains quite a few problems on the scale of heartbleed, after all.

    The primary difference between the two is that with open source, there's a greater chance that problems will be found before they bite too hard, and even more importantly, they tend to get fixed and those fixes distributed much more quickly.

    Closed source software is full of examples of serious vulnerabilities that have gone unfixed for years despite being reported.



  38.  
    akp (profile), Apr 11th, 2014 @ 3:00pm

    Re: Binary Evaluation Set

    It's not treason. Illegal, probably, but "treason" isn't the charge.

    Treason has a very specific definition: "Waging war against the United States, or giving aid and comfort to its enemies."

    The NSA has done neither. Stop using "treason" to describe everything bad someone in the government does.



  39.  
    Anonymous Coward, Apr 11th, 2014 @ 3:02pm

    and of course everyone is going to believe that! i dont think so!!



  40.  
    Anonymous Coward, Apr 11th, 2014 @ 3:18pm

    Re: Re: Re: Re: Swipe at Open Source

    Your points are well-taken. I'd like to comment on the speed of the response of the community, just to add to what you've said.

    Compare, for example, the speed with which this flaw was (a) disclosed (b) analyzed (c) measured (d) fixed in the source (e) fixed in the distributions that use it (f) published (in the source and in the distributions) and (g) made understandable by a plethora of web sites, proof-of-concept attack tools, etc. with, for example the glacial response of Adobe to a 0-day in Acrobat: http://news.slashdot.org/story/11/12/07/0057227/adobe-warns-of-critical-zero-day-vulnerability

    The impressive response speed (some distributions were updated within 12 hours) probably helped partially mitigate the consequences of this. That's only possible because it's open source -- well, and because everyone recognized how serious this was rather quickly. That, at least, is one positive takeaway from the situation.



  41.  
    Anonymous Coward, Apr 11th, 2014 @ 3:27pm

    Re:

    For what it's worth, the guy who wrote the code says it was just a mistake: http://arstechnica.com/information-technology/2014/04/heartbleed-developer-explains-openssl-mistake-that-put-web-at-risk/

    It's not impossible that he's lying, but the sort of bug that caused the leak is very plausibly a simple mistake.



  42.  
    sehlat (profile), Apr 11th, 2014 @ 3:40pm

    Re: Re: Binary Evaluation Set

    If failure to fix a major security threat isn't "giving aid and comfort to our nation's enemies" I will eat my mouse. Without salt.



  43.  
    sehlat (profile), Apr 11th, 2014 @ 3:42pm

    Re: Re: Binary Evaluation Set

    Update to prior comment: make that "willful failure". And there can be no doubt that, if they did in fact fail to report and get a major threat fixed, it was willful.



  44.  
    That One Guy (profile), Apr 11th, 2014 @ 3:47pm

    Re: Re: Re:

    That's where the difference between 'On paper' and 'In practice' comes into play: technically falling under a law means nothing if the odds of actually being charged and prosecuted for breaking it are effectively zero, and they know it.



  45.  
    Jerrymiah, Apr 11th, 2014 @ 3:48pm

    NSA and Heartbleed

    The NSA denying that it knew anything about this security breach before it was made public this week is a lot of bullshit. Nothing the NSA says can be believed even with their new chief. After all, he's only another Mike Rogers, full of shit and ready to stomp on the flag and the constitution just as Barack Obama is.



  46.  
    OldMugwump (profile), Apr 11th, 2014 @ 3:54pm

    Re: Re: Re: Swipe at Open Source

    Huh? From Slate.com:
    The vulnerability in encryption software OpenSSL was discovered by Google researcher Neel Mehta and the security firm Codenomicon.
    Two corporations who "PAY people to work on open-source projects" did indeed find this.



  47.  
    coward (anon), Apr 11th, 2014 @ 5:02pm

    FIPS

    Anyone know if this bug is in the FIPS certified version of OpenSSL? If so, I would think that would call into question the security of any FIPS certified code.



  48.  
    Anonymous Coward, Apr 11th, 2014 @ 6:15pm

    Of course they weren't aware of Heartbleed.

    They called it something else.



  49.  
    Anonymous Coward, Apr 11th, 2014 @ 6:17pm

    Re: Re: Re: Re: Swipe at Open Source

    There's an even more important advantage of open source, IMO. If the original creators have no interest in developing the software any further, be it features or bugfixes, then you can always find someone to continue the work; you have access to the source, and permission to modify it. Even if you can't do it yourself, you can always hire people to do it for you. With a proprietary model you may not have that option, and you are completely at the mercy of the original vendor.



  50.  
    Rekrul, Apr 11th, 2014 @ 6:49pm

    Update: The NSA has denied the Bloomberg report, briefly stating that the agency "was not aware of the recently identified Heartbleed vulnerability until it was made public." We'll continue to update as more information emerges.

    Is that their least untruthful answer?



  51.  
    AMusingFool (profile), Apr 11th, 2014 @ 6:50pm

    Hard to believe...

    That they knew about it two years ago. If so, it probably would have been part of Snowden's revelations. And they probably would have managed to stop Snowden before he left the country.

    I would believe they knew about it before it became public, but I have a hard time believing two years ago.



  52.  
    Kronomex, Apr 11th, 2014 @ 7:08pm

    Could they be using the Sergeant Schultz excuse? Nah, my imagination.



  53.  
    McCrea (profile), Apr 11th, 2014 @ 8:31pm

    Re: Re:

    My proposed conspiracy theory is that the well-known guy who says it was an honest mistake may well have been enlisted to nefarious action 10 years ago, spending the first 8 years becoming a respected member of the community.



  54.  
    Anonymous Coward, Apr 11th, 2014 @ 9:38pm

    Re: NSA denial

    Some possibilities:
    * The NSA only considers itself "aware" of information when that information has been distributed to all employees and contractors.
    * They consider an exploit to be "made public" the first time they transmit it across the Internet.
    * They consider it public when the vulnerable source code is posted.
    * They knew about it, but not by the name "Heartbleed".
    * The vulnerability was discovered earlier by someone else and "published" on some obscure hacking forum.
    * The Five Eyes use wilful blindness for deniability: another agency developed the exploit, and sometimes the NSA asks them to grab and share some data without revealing how they got it.
    * The NSA knew about it and can't come up with any semantic tricks to justify a denial, and they simply don't care about lying.



  55.  
    Anonymous Coward, Apr 11th, 2014 @ 9:41pm

    Re: Hard to believe...

    Hard to believe...
    That they knew about it two years ago. If so, it probably would have been part of Snowden's revelations.

    It's the weekend. Give Glenn a few days to find the document.



  56.  
    Anonymous Coward, Apr 12th, 2014 @ 12:34am

    Re: Re: Re: Re: Re: Swipe at Open Source

    With a proprietary model you may not have that option, and you are completely at the mercy of the original vendor.

    Just look at how much Microsoft is raking in to maintain XP for various governments and large firms.



  57.  
    Anonymous Coward, Apr 12th, 2014 @ 12:36am

    Re: Re: Hard to believe...

    It might take a little longer, he is visiting the US at the moment, and having the documents with him would be a bit foolish.



  58.  
    Anonymous Coward, Apr 12th, 2014 @ 1:52am

    Re: Chronno S. Trigger

    > Wasn't this flaw introduced two years ago?

    No. If you check github, the vulnerable code was first published 16 months ago. So Bloomberg is implying NSA clairvoyance.



  59.  
    FM Hilton, Apr 12th, 2014 @ 2:42am

    Interesting

    Of course the NSA is going to deny that they knew about this flaw before it was 'officially' found. That's a given.

    But I find it rather doubtful that the most powerful spy agency in the world, with all of its varied resources, would not be privately aware of a vulnerability that would open up a technological nightmare; they're supposed to be on the job for finding this kind of problem (defensive) and stopping hostile agents from using it against us.

    We won't talk about their efforts with various companies in opening up their source code and backdoors in the past. I mean, they weren't looking for them and attempting to get them put in themselves?

    Yes, it does seem a bit odd that they would not be the first to at least have heard about the problem in the beginning through private channels.

    If that's the case, they're the most incompetent spy agency in the world.



  60.  
    Mike, Apr 12th, 2014 @ 3:43am

    They have a name for this

    It's called a Dereliction of Duty. It may not be Treason but it's damn sure close and still requires nearly equal the punishment.



  61.  
    Anonymous Coward, Apr 12th, 2014 @ 4:54am

    Re: Interesting

    Yes, it does seem a bit odd that they would not be the first to at least have heard about the problem in the beginning through private channels.

    Do those private channels include all the Internet communications, like between two black hat hackers?



  62.  
    Guardian, Apr 12th, 2014 @ 7:59am

    So the NSA is TOTALLY INCOMPETENT

    time to shut the NSA down as it can't protect you



  63.  
    Guardian, Apr 12th, 2014 @ 8:10am

    US govt knew

    the software that's out was ...um er tested via US govt sites the sec they became available and guess what, before the leak they were already fixed.....

    THIS IS WHY WE KNOW THE NSA KNEW OF THIS BUG



  64.  
    MatBastardson (profile), Apr 12th, 2014 @ 11:04am

    A hundred years ago...

    "I never believe anything until it's officially denied." ~ Otto von Bismarck



  65.  
    nasch (profile), Apr 12th, 2014 @ 12:05pm

    Re:

    not bad for a government law enforcement agency

    The NSA is not a law enforcement agency.



  66.  
    nasch (profile), Apr 12th, 2014 @ 1:25pm

    Re: Re: Re: Binary Evaluation Set

    If failure to fix a major security threat isn't "giving aid and comfort to our nation's enemies" I will eat my mouse.

    I think failure to act will not meet the bar for treason. You have to actively do something to give aid to a specific nation that is considered an enemy. The NSA didn't take any action here, and their inaction may have helped many bad actors, but not particularly enemy states. My understanding, anyway.


  67.  
    Anonymous Coward, Apr 12th, 2014 @ 1:42pm

    National Insecurity Agency


  68.  
    Jerrymiah, Apr 12th, 2014 @ 2:40pm

    Re: Re: Hard to believe...

    It shouldn't take long now before it is released by either the Guardian or another outlet.


  69.  
    Anonymous Coward, Apr 12th, 2014 @ 2:56pm

    Re: And that's the end of SELinux

    Not to be hipster but I never trusted SELinux in the first place after their efforts at weakening crypto. It is like taking legal advice from your opponents lawyer.


  70.  
    Anonymous Coward, Apr 12th, 2014 @ 6:48pm

    Re: Re: Re: Re: Binary Evaluation Set

    Choosing not to act is, in fact, an act. And from the standpoint of governments, every other government is an enemy, actual or potential, and must be guarded against.


  71.  
    nasch (profile), Apr 13th, 2014 @ 8:00am

    Re: Re: Re: Re: Re: Binary Evaluation Set

    Choosing not to act is, in fact, an act. And from the standpoint of governments, every other government is an enemy, actual or potential, and must be guarded against.

    What you're saying probably has no relevance in the context of the law. It doesn't matter that philosophically choosing not to act is an act, it only matters whether the law considers it so. IANAL but I'm pretty sure the law treats acting and failure to act very differently. The same with the meaning of "enemy".


  72.  
    Anonymous Coward, Apr 13th, 2014 @ 1:25pm

    Re: And that's the end of SELinux

    This SELinux comes with almost all distros, but it isn't put into action by default, right? I know it is very user unfriendly, at least that's what my security solution for Linux (grsecurity) was saying when selling itself to me, and weev says it's the best so I think it must be, just annoying that I gotta get stuck with using an older kernel than I would like.


  73.  
    Anonymous Coward, Apr 13th, 2014 @ 1:29pm

    Re:

    I thought "we" were fighting uneducated cave dwellers with leftover Stingray missiles from those nice gifts Reagan and Rambo made to the mujahideen.


  74.  
    Anonymous Coward, Apr 13th, 2014 @ 4:46pm

    They claim that they reveal security holes if they are deemed dangerous to the general public or government.

    I'd like to know if there's a record of any security holes the NSA has gotten knowledge of in the past which were forwarded to the developers in charge?

    Anybody?


  75.  
    John Fenderson (profile), Apr 14th, 2014 @ 7:02am

    Re: Re: And that's the end of SELinux

    Me too. I've always ignored SELinux stuff for this reason.


  76.  
    John Fenderson (profile), Apr 14th, 2014 @ 7:03am

    Re: Re: And that's the end of SELinux

    Depends on the distro. Most distros aimed at the general purpose user don't enable it by default, but some are aimed at a more security-conscious audience and enable it by default.

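
    The two comments above disagree about whether SELinux is "put into action by default". As an added example (not from this thread or from any project it mentions), here is a POSIX shell check that answers the question on the box itself: it reads the boot-time policy from an /etc/selinux/config-style file and the live state from the selinuxfs enforce flag. The config path is a parameter so the parser can be run against a constructed copy; the sample config written in the usage note is constructed for illustration.

```shell
#!/bin/sh
# Added example: report the SELinux mode a Linux host is configured for
# and the mode it is actually running in.

# selinux_config_mode [FILE]
# Prints enforcing|permissive|disabled, taken from the last uncommented
# SELINUX= line in FILE (default /etc/selinux/config).  Prints "unset" when
# the file is missing or carries no such line, which is what a distro that
# never wrote the key looks like.  SELINUXTYPE= lines are ignored, as are
# commented-out SELINUX= lines, and the value is case-normalised.
selinux_config_mode() {
    file="${1:-/etc/selinux/config}"
    [ -r "$file" ] || { echo unset; return 0; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$file" \
           | tail -n 1 | tr '[:upper:]' '[:lower:]')
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        *) echo unset ;;
    esac
}

# selinux_runtime_mode
# Prints the live state from /sys/fs/selinux/enforce: enforcing (1) or
# permissive (0).  If selinuxfs is not mounted at all (kernel built without
# SELinux, or booted with selinux=0) there is nothing enforcing, so "disabled".
selinux_runtime_mode() {
    flag=/sys/fs/selinux/enforce
    if [ -r "$flag" ]; then
        case "$(cat "$flag")" in
            1) echo enforcing ;;
            0) echo permissive ;;
            *) echo unknown ;;
        esac
    else
        echo disabled
    fi
}

# selinux_report [FILE]
# One-line summary; a mismatch between the two columns is the interesting
# case (e.g. config says enforcing but the running kernel is permissive).
selinux_report() {
    printf 'configured=%s running=%s\n' \
        "$(selinux_config_mode "$1")" "$(selinux_runtime_mode)"
}
```

    Usage: source the file and call `selinux_report`; a typical general-purpose desktop prints `configured=unset running=disabled`, a hardened server `configured=enforcing running=enforcing`. Only the configured column tells you what the distro ships; the running column is what protects the box right now.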

  77.  
    John Fenderson (profile), Apr 14th, 2014 @ 7:25am

    Re: Re: Re: Swipe at Open Source

    Open Source does not automatically mean "volunteer" any more than it automatically means "free". There are lots of (and the numbers are increasing over time) software engineers who are paid to work on and develop open source software.


  78.  
    Anonymous Coward, Apr 14th, 2014 @ 7:39am

    Re: Re: Binary Evaluation Set

    Actually, knowing about a critical security vulnerability which 'enemies' can take advantage of, and which affects everything the United States government has online, is giving aid and comfort to enemies.

    You are on a really slippery slope if you think the NSA is not a rogue agency, just like the CIA.


  79.  
    Anonymous Coward, Apr 14th, 2014 @ 7:41am

    Re: Re: Re: Re: Binary Evaluation Set

    You seem to miss the point of what 'giving aid' means. Do you think that if a known terrorist was found hiding in your basement, and it turned out he got in on his own, but you knew about it, and said nothing, would you be comfortable with your lawyer raising the same feeble defense on your behalf? "Your honor, my client did not act, therefore he cannot be said to have been aiding the terrorist who he knew was hiding in his basement."


  80.  
    Anonymous Coward, Apr 14th, 2014 @ 7:54am

    Re: Re: Swipe at Open Source

    "Open Source software is no panacea in The Battle to Save the Internet "

    No, open source software IS the internet. Open source definition: All the open projects of smart people who have actually created the internet for all practical purposes, as it is known today. Smart people like to do things openly, that way other smart people can contribute. Smart, huh?

    Proprietary internet software: capitalists attempting to profit from the internet by attempting (and usually failing) to create equivalent proprietary versions of open source technology (once they see what cool new tool the smart people have made, they want to glom on for free and then sell it to others). These flawed technologies are then marketed to users, and obtain their userbase by virtue of that marketing rather than the actual usefulness of the proprietary tool, which is usually a broken and relatively hapless attempt to imitate what open source successfully does. Take a look at AD vs LDAP if you need an example.

    Make no mistake, without the open source community through the years, today's internet would not exist. Period.


  81.  
    nasch (profile), Apr 14th, 2014 @ 7:57am

    Re: Re: Re: Binary Evaluation Set

    Actually, knowing about a critical security vulnerability which 'enemies' can take advantage of, and which affects everything the united states government has online, is giving aid and comfort of enemies.

    If nobody has ever been convicted of or even charged with treason for doing that, then that claim sounds speculative.

    You are on a really slippery slope if you think the NSA is not a rogue agency, just like the CIA.

    He specifically said the NSA is doing bad things, just not treason.


  82.  
    nasch (profile), Apr 14th, 2014 @ 7:58am

    Re: Re: Re: Re: Re: Binary Evaluation Set

    Do you think that if a known terrorist was found hiding in your basement, and it turned out he got in on his own, but you knew about it, and said nothing,

    That's a terrible analogy to knowing about a security flaw and not publishing it.


  83.  
    Anonymous Coward, Apr 14th, 2014 @ 8:03am

    Re: FIPS

    Yes, you are right. This shines an ugly light on the emerging industry of corporate security hardening. In this industry, the security product gets an endorsement from the federal government. The company who wants to contract with the government must then use the security software which is endorsed by the government. This kind of debacle reveals how the entire security hardening industry is ultimately a cash grab, just like homeland security.


  84.  
    Neuronsf, Apr 14th, 2014 @ 8:49am

    I really like the brunt of that last sentence - it reads like it came from the "control voice" of the Outer Limits (original version).

