We’re exercising our freedom and taking off the 3rd to celebrate the 4th. See you Monday!Hide

Obama Tells NSA To Reveal, Not Exploit, Flaws... Except All The Times It Wants To Do The Opposite

from the a-bias? dept

Last week there was some confusion as Bloomberg published a story claiming that the NSA was well aware of the Heartbleed bug and had been exploiting it for "at least" two years. That seemed fairly incredible, given that the bug had only been around for slightly over two years. The NSA came out with a pretty strongly worded denial -- which left out much of the usual equivocation and tricky wording that the NSA normally uses in denying things. The general consensus seems to be that it is, in fact, unlikely that the NSA knew about Heartbleed (though that makes some wonder if some team at the NSA is now in trouble for not figuring it out). If anything, it seems likely that the Bloomberg reporters got confused by other programs that the NSA is known to have to break parts of SSL, something it's supposedly been able to do since around 2010.

However, the NY Times had a story this weekend about how this move has forced the administration to clarify its position on zero day exploits. It's already known that the NSA buys lots of zero day exploits and makes the internet weaker as a result of it. Though, in the past, the NSA has indicated that it only makes use of the kinds of exploits that only it can use (i.e., exploits that need such immense computing power that anyone outside of the NSA is unlikely to be able to do anything). However, the NY Times article notes that, following the White House's intelligence review task force recommendation that the NSA stop weakening encryption and other technologies, President Obama put in place an official rule that the NSA should have a "bias" towards revealing the flaws and helping to fix them, but leaves open a massive loophole:
But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.
Amusingly, the NY Times initially had a title on its story saying that President Obama had decided that the NSA should "reveal, not exploit, internet security flaws," but the title then changed to the much more accurate: "Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say."

Of course, the cold war analogy used by people in the article seems... wrong:
“We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.”
Except, it's meaningless that no one expects the Chinese (or the Russians or anyone else) to give up zero days. The simple fact is that if the NSA were helping to stop zero days that would better protect everyone against anyone else using those zero days. In fact, closing zero days is just like disarming both sides, because it takes the vulnerability out of service. It's not about us giving up our "weapons," it's about building a better defense for the world. And yet the NSA isn't willing to do that. Because they're not about protecting anyone -- other than themselves.

Reader Comments (rss)

(Flattened / Threaded)

  1.  
    icon
    BentFranklin (profile), Apr 14th, 2014 @ 6:50am

    "closing zero days is just like disarming both sides"

    That's only true if we know the same 0-days that the others know.

     

    reply to this | link to this | view in thread ]

  2.  
    icon
    Chronno S. Trigger (profile), Apr 14th, 2014 @ 7:45am

    Re:

    But the more we close, the less they can use.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous Coward, Apr 14th, 2014 @ 7:47am

    The NSA needs to be split - into a defensive agency and an offensive agency. That way, we reduce the likelihood of there being such a situation again.

     

    reply to this | link to this | view in thread ]

  4.  
    icon
    GrayArea (profile), Apr 14th, 2014 @ 7:52am

    Splitting the NSA

    Then they would spend even more resources fighting each other. But hey, the entertainment value might be worth it. Spy vs. Spy.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Anonymous Coward, Apr 14th, 2014 @ 7:52am

    Evidence (or lack thereof) whether the NSA knew about Heartbleed

    Based on some of the other Snowden disclosures about NSA's state-sanctioned hacking program affectionately known as the Tailored Access Operations group, probably the best evidence that the NSA did not know about Heartbleed would be for Snowden and/or the reporters working with his documents to note that none of those documents discuss Heartbleed. Other TAO documents seem pretty blunt about what they like to do, so it would be unlikely for such a powerful disclosure attack to be completely absent from their documents if they did know about it.

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Anonymous Coward, Apr 14th, 2014 @ 7:52am

    Re:

    Agreed. Unfortunately, Obama has rejected that idea as soon as he even heard the review panel was going to propose that.

    Ever since the US Cyber Command was merged with NSA, it has become a major force of corruption within NSA.

     

    reply to this | link to this | view in thread ]

  7.  
    icon
    Chronno S. Trigger (profile), Apr 14th, 2014 @ 7:53am

    Re:

    Far too many people believe the mantra "The best defense is a good offense". The defensive NSA would become the offensive NSA, it would only be a matter of time.

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Anonymous Coward, Apr 14th, 2014 @ 7:57am

    So the they are both malicious AND incompetent. Wouldn't it be great if it was non-malicious and competent at the same time?

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    pegr, Apr 14th, 2014 @ 8:20am

    Not buying it

    There is no conceivable way the NSA didn't know of this vulnerability. None. Zero. Follow the logic.

    The error itself is pretty standard. Blame C and buffer handling. The NSA geeks are fully aware of the buffer problems associated with C. They have TEAMS dedicated to finding and exploiting these errors.

    The OpenSSL library would be a major target for NSA hackers. The Open Source community audits software. The NSA REALLY audits software, especially an encryption library used by huge numbers of folks.

    My conclusion? The NSA knew about this bug within days of its release. It is impossible to come to any other conclusion. You may have issue about the technical competence of the federal government, but the NSA is the cream of the crop. There is no way they didn't know about this, with hundreds of devs combing through every line of this code.

    And speaking of Snowden documents, expect one that details their experience with this exploit. Remember BULLRUN? "Do not ask or speculate on sources or methods underpinning BULLRUN successes." We don't have to speculate anymore.

     

    reply to this | link to this | view in thread ]

  10.  
    icon
    John Fenderson (profile), Apr 14th, 2014 @ 8:22am

    Re: Evidence (or lack thereof) whether the NSA knew about Heartbleed

    The NSA didn't know about Heartbleed because that's not what they called it. However, check out the NSA's "Project Bullrun".

    According to The Guardian's analysis of the Snowden documents, under Bullrun, the NSA "has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking."

    The NSA's cracking might be of a different nature. Who knows? But to me, a rose by any other name...

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Anonymous Coward, Apr 14th, 2014 @ 8:24am

    (i.e., exploits that need such immense computing power that anyone outside of the NSA is unlikely to be able to do anything).

    Two exceptions, other governments, and all those bot-herders, who also have massive computing power available, and with zero costs to use it.

     

    reply to this | link to this | view in thread ]

  12.  
    icon
    John Fenderson (profile), Apr 14th, 2014 @ 8:33am

    Why did he even bother?

    What I want to know is why he bothered to say anything along these lines at all. Saying the "NSA will reveal flaws it finds unless thinks they might be useful" is almost precisely the same as saying "the NSA won't reveal the flaws it finds."

     

    reply to this | link to this | view in thread ]

  13.  
    icon
    John Fenderson (profile), Apr 14th, 2014 @ 8:37am

    Crazy

    (i.e., exploits that need such immense computing power that anyone outside of the NSA is unlikely to be able to do anything).


    That's simply crazy thinking, right there. Computing power continues to get cheaper every day. Right now, it is technically within many individual's financial ability to build their own supercomputer. Not one of the best ones, but get a small group of modestly wealthy people together and you're golden. You can build a supercomputer that rivals anything the NSA has going.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Rich Kulawiec, Apr 14th, 2014 @ 8:43am

    Re: Crazy

    Why pay for it?

    There are computing operations running right now that have more CPU cycles, more memory, more storage, and more network bandwidth than Google and about a dozen of its peers combined. Botnets with tens of millions of systems are now ordinary.

    Granted, not every computing task maps well to that architecture, but a lot of them do. As we've seen.

    We're now into the second decade of botnets and so far, nobody has done anything meaningful about them. Nothing. Oh, there have been busts (yawn) and press conferences and agendas and meetings and all kinds of other feelgood happytalk bullshit, but nobody has actually attacked the underlying problem...and thus there's no reason to expect it to get any better, and lots of reasons to expect it to get worse.

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Anonymous Coward, Apr 14th, 2014 @ 8:44am

    Banksy strikes at GCHQ Or how to make phone users paranoid.

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Anonymous Coward, Apr 14th, 2014 @ 8:58am

    not bad for the 'most transparent administration in US history', eh?

     

    reply to this | link to this | view in thread ]

  17.  
    icon
    nasch (profile), Apr 14th, 2014 @ 9:09am

    Re:

    That's only true if we know the same 0-days that the others know.

    The only exploits relevant to this story are the ones the NSA knows about.

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    Anonymous Coward, Apr 14th, 2014 @ 9:11am

    Re: Re:

    What I mean is one agency whose only focus is on finding security flaws and getting them fixed; and a second agency whose only reason for existence is to find and exploit these flaws both in-house and outside.

     

    reply to this | link to this | view in thread ]

  19.  
    icon
    nasch (profile), Apr 14th, 2014 @ 9:13am

    Re: Why did he even bother?

    Perhaps he was hoping to trick people into thinking he was telling the NSA to reveal flaws. And it even worked for a while.

    'Amusingly, the NY Times initially had a title on its story saying that President Obama had decided that the NSA should "reveal, not exploit, internet security flaws," but the title then changed to the much more accurate: "Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say." '

    Presumably there are still people who believe the original headline.

     

    reply to this | link to this | view in thread ]

  20.  
    identicon
    Jerrymiah, Apr 14th, 2014 @ 10:34am

    Re: Evidence (or lack thereof) whether the NSA knew about Heartbleed

    That's only because the NSA uses this program under a different name which they will not reveal and Snowden had now way of knowing that. I am pretty sure that those that now are in possession of Snowden's paper are now pouring over them to identify which of these programs would show the use of Heartbleed.

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    Jerrymiah, Apr 14th, 2014 @ 10:42am

    Re: not bad for the 'most transparent administration in US history', eh?

    I rate this administration well less transparent than the Nixon and G.W, administration. That is its destiny.

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    Anonymous Coward, Apr 14th, 2014 @ 11:34am

    It's not about us giving up our "weapons," it's about building a better defense for the world.
    It doesn't even require that basic level of human decency. Even the poorest, most inept warmonger should be able to recognize "make our side immune to enemy attacks" as an extremely good thing. If the NSA had even the slightest shred of competence, they'd be making the country more secure, not less.

     

    reply to this | link to this | view in thread ]

  23.  
    icon
    Internet Zen Master (profile), Apr 14th, 2014 @ 11:35am

    Don't worry, the NSA will reveal flaws to others in the future

    They'll just tell people 50 years after they find them, or however long classified material is supposed to stay classified before getting released to the public.

    In other words, it's the unwritten "everyone important that was involved in this is dead now so who cares if the public finds out" rule.

     

    reply to this | link to this | view in thread ]

  24.  
    identicon
    Anonymous Coward, Apr 14th, 2014 @ 11:51am

    Cyber "security"

    Se-cu-ri-ttty

     

    reply to this | link to this | view in thread ]

  25.  
    icon
    nasch (profile), Apr 14th, 2014 @ 12:19pm

    Re:

    If the NSA had even the slightest shred of competence, they'd be making the country more secure, not less.

    I don't think it's an issue of competence, but of objectives.

     

    reply to this | link to this | view in thread ]

  26.  
    identicon
    Anonymous Coward, Apr 14th, 2014 @ 12:34pm

    I still remember like it was yersterday: people chanting "OBAMAAAAAAA" like he was the saviour of the world.

     

    reply to this | link to this | view in thread ]

  27.  
    identicon
    Guardian, Apr 14th, 2014 @ 3:47pm

    THE ONLY SOLUTION

    NEXT ELECTION DO NOT VOTE REPUBLICAN OR DEMOCRAT

    END YOUR OPPRESSION AMERICA

     

    reply to this | link to this | view in thread ]

  28.  
    icon
    BeeAitch (profile), Apr 14th, 2014 @ 4:49pm

    Re: Re: Re:

    GrayArea's comment still applies.

    Both agencies would waste taxpayer money racing to out'wit' (I use the term 'wit' very loosely) the other agency.

     

    reply to this | link to this | view in thread ]

  29.  
    identicon
    Anonymous Coward, Apr 14th, 2014 @ 7:01pm

    What's the fuss? Aren't they supposed to exploit? The problem lies in usage for *unlawful* activities.

     

    reply to this | link to this | view in thread ]

  30.  
    icon
    John Fenderson (profile), Apr 14th, 2014 @ 7:13pm

    Re:

    The fuss is that they are tasked with both spying, which entails using exploits, and with protecting the network, which entails disclosing weaknesses.

    These two task are mutually exclusive. So all we get is them exploiting the network and keeping those exploits a secret, which means those exploits won't get fixed as quickly, if ever, which means that the entire security of the net is endangered by the NSA.

     

    reply to this | link to this | view in thread ]

  31.  
    identicon
    Anonymous Coward, Apr 15th, 2014 @ 5:47am

    Share it with Cisco, deny it to Huawei

    Share it with Cisco, deny it to Huawei.

    That way, NSA could protect their own people while keep on spying on those cheap bastards that buy Chinese knock-offs.

     

    reply to this | link to this | view in thread ]

  32.  
    icon
    John Fenderson (profile), Apr 15th, 2014 @ 5:36pm

    Re: Share it with Cisco, deny it to Huawei

    You can't be serious. There are two main problems with this...

    1) If the NSA finds an exploit, so will criminal crackers. It won't stay a secret.

    2) If Cisco equipment uses an exploit, Huawei (and all other similar companies), as well as criminal crackers, will find it as soon as they reverse engineer the Cisco equipment (which all groups do whenever a new model is released). It won't stay secret.

    No matter what, these exploits won't stay secret. The NSA is even behind the curve in finding them -- they purchase most of them form the black and gray markets. By keeping any exploit a secret, the only thing that's accomplished is that critical infrastructure and everyone using it is left vulnerable to an exploit they may not know about but all the crooks do.

     

    reply to this | link to this | view in thread ]

  33.  
    identicon
    Roba Boru, Jun 24th, 2014 @ 4:30pm

    Re: wi-fi

    I want to open for my Samsung mobile?

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
Advertisement
Essential Reading
Techdirt Deals
Techdirt Insider Chat
Techdirt Reading List
Advertisement
Recent Stories
Advertisement
Support Techdirt - Get Great Stuff!

Close

Email This

This feature is only available to registered users. Register or sign in to use it.