back to article Obama allows NSA to exploit 0-days: report

The NSA's denial it knew about or exploited the Heartbleed bug raises an obvious question: does it exploit similar flaws? The answer, according to The New York Times, is yes. Quoting ”senior administration officials”, the paper says US President Barack Obama considered what the NSA should do if it becomes aware of a …


This topic is closed for new posts.
  1. sunnyskies

    Wrist, meet slap

    This from the NYT — the paper that could be renamed "Senior Officials Said...".

    Naturally, Obama will say he's doing something for the sake of appearances.

    1. Brenda McViking
      Black Helicopters

      Re: Wrist, meet slap

      Well you know what they say about security agencies: the only time you're sure they're exploiting something is when they official deny it.

      1. Ted Treen
        Big Brother

        @Brenda McViking (Re: Wrist, meet slap)

        I never believe ANYTHING until it's been officially denied...

    2. Psyx

      Re: Wrist, meet slap

      Yes, it's all Obama's fault.

      None of the hacking was authorised under Bush at all.



  2. Charles Manning

    False feeling of control

    The NSA just asked permission to give Obama the false feeling he was in control.

    They didn't really care what he said, they would do - and continue to do - anything they want to.

    Did NSA ask permission to spy on Merkel? Perhaps. Did he give permission? Perhaps. But at the end of the day it would not really influence what they actually did - just whether they told Obama about it later.

    As far as NSA is concerned, everyone outside the NSA is the enemy. Likely the NSA spy on Obama too.

    1. Schultz

      Re: False feeling of control

      There is an important line between officially sanctioned and not officially sanctioned acts of the secret service. The spies can get into deep shit if they overstep the boundaries and embarrass their superiors, so they have to be careful what they do and will probably show some restraint.

      The problem is that nowadays anything seems to be sanctioned via some secret court or administrative memo (the memorandum seems to be the modern letter of marque and reprisal). The government handed over the keys to the lunatic bin and tries not to look what is going on.

      1. DropBear

        Re: False feeling of control

        I'd say they pretty much managed to "overstep their boundaries and embarrass their superiors" as thoroughly as conceivably was possible, as of late. So who exactly got into deep shit for that so far...?

      2. bigtimehustler

        Re: False feeling of control

        And how exactly are they going to get caught? Rumours may leak out, but they have the evidence, will never release it and no one can search their offices to see if they really have it. So they never do get caught, they just deny it.

      3. ShadowedOne

        Re: False feeling of control

        "The spies can get into deep shit if they overstep the boundaries and embarrass their superiors, so they have to be careful what they do and will probably show some restraint."

        You can't embarrass the shameless.

      4. Anonymous Coward
        Anonymous Coward

        Re: False feeling of control

        "There is an important line between officially sanctioned and not officially sanctioned acts of the secret service. The spies can get into deep shit if they overstep the boundaries and embarrass their superiors"

        Yeah, they can or kill that spy and put another guy there to do the exact same thing, while the media reports on the guy who got in trouble.

  3. amanfromMars 1 Silver badge

    Taking a Walk on the WWWild Side is not Suited nor Designed for the Intellectually Challenged in ICT

    The Rules of the New Great Game are ...... There be Zero Day Rules and No Knight Regulation. Step into that Astute Foreign Field and Alien Quantum Space of HyperRadioProActive Engagement at urPeril for IT accepts neither Prisoner nor Parasite for Dead Head Future Lead.

    And when spooks are crooks and/or the crooked spooked, are they [booked and cooked] borked and corked and deliberately overlooked to take no further definitive leading prime or sub-prime part in Great IntelAIgent Games Plays ..... AIMOvies .... for that is ITs Advanced IntelAIgent Modus Operandi and C42 Quantum Communication Control Systems Vivendi with Creative CyberSpace Command and Control of Computer Communications and Virtual Machine Firmament Ware ....... which be akin to SMARTR Fare in Essential and Existential Robot Ware.

    1. Anonymous Coward
      Anonymous Coward

      Re: Taking a Walk on the WWWild


      1. Psyx

        Re: Taking a Walk on the WWWild

        He's always like that.

        It's not supposed to make any sense; merely to drain your sanity away.

      2. All names Taken

        Re: Taking a Walk on the WWWild

        Just drink in the beauty or the words - treat it as a poem rather than a definition if that helps.

      3. NumptyScrub

        Re: Taking a Walk on the WWWild

        It's likely a continuation of the time-honoured "if you don't understand, you're obviously not supposed to know" theme. I suspect there are kernels of truth in there, possibly hiding from the Colonels of Truth (@MiniTrue)

        Full disclosure: I have seen more than one completely coherent post from amanfromMars, so I know there is definitely sentience there, despite appearances ;)

        1. Psyx

          "I have seen more than one completely coherent post from amanfromMars"

          Even a stopped clock gives the right time twice a day.

  4. Winkypop Silver badge

    Has there ever been a "line"?

    I can't imagine any security (or criminal) organisation deciding to ignore any reasonable exploit.

    In the case of Governments, it's easier to seek forgiveness than ask permission.

    1. Trevor_Pott Gold badge

      Re: Has there ever been a "line"?

      The populace has denied both forgiveness and permission. Now what?

  5. Allan George Dyer Silver badge
    Black Helicopters

    What are USAans wasting their tax dollars on?

    Isn't this an admission that the NSA is useless? Regardless of whether they think (or you agree) that their most important mission is protecting "friendly" communications or intercepting "enemy" communications, with their funding they should have found this bug. Why didn't they use the old, "neither confirm nor deny" to keep some semblance of competence?

    1. Sir Runcible Spoon

      Re: What are USAans wasting their tax dollars on?

      "neither confirm nor deny"

      or even

      Some people might say that, I couldn't possibly comment.

  6. This post has been deleted by its author

    1. asdf

      Re: No turning back now.

      Most suburban white Americans will make horrible slaves. Fat middle age people can't lift lumber for shit.

      1. Anonymous Coward
        Anonymous Coward

        Re: No turning back now.

        That's why they will get killed. While the remainder or the population will be put in concentration camps to slave away for their hedositic psychopathic overlords.

  7. Random Q Hacker

    now more than ever

    We need a law that taints evidence gained by the NSA, makes it a felony to misuse it, and makes invalid any domestic case it touches, irrespective of "parallel construction", which itself ought to be a felony.

    In addition, any legislation or law enforcement mentioning terrorism would fall under the same law. If you're getting on a plane and they find a bomb they can stop you. If they find a kilo of marijuana, they give it back and wish you a nice day.

    1. Roo

      Re: now more than ever

      "We need a law that taints evidence gained by the NSA"

      I question your sanity.

      We see enforcement agencies failing to secure prosecutions against rich & powerful folks all the time, we regularly see investigations into the crimes and failings of authorities and corporations derailed through sabotage and wilful malpractice (eg: the pathologist examining the newspaper seller beaten to death by a Policeman on his way home).

      How is a new law going to help if it going to be enforced by the very same mechanisms that have been shown to fail through wilful self-interest time and time again ?

      1. Matt Bryant Silver badge

        Re: Roo Re: now more than ever

        ".....the newspaper seller beaten to death by a Policeman on his way home....." If that typically Roo-esque, half-witted bit of police-bashing was a reference to Ian Tomlinson, not only was he not "beaten to death", but the policeman involved, Simon Harwood, was not only kicked out of the force but also charged with manslaughter. The problem with the prosecution of Harwood was that Tomlinson was a known drunk, already having suffered previous brain-damage from alcohol abuse, and having consumed about twenty units of alcohol that day. His liver was so rotten that any minor fall could have killed him. The third and final post-mortem examination (by two pathologists) agreed with the second, that Tomlinson probably died from internal bleeding when he fell on his right elbow, rupturing his cirrhosis-ridden liver, but that it was impossible to confirm if that fall was the one as a result of Harwood hitting him on the leg. What Harwood did was probably at least assault causing bodily harm, possibly manslaughter, but Harwood didn't "beat him to death" and had no intent to murder Tomlinson. Which was why Harwood was declared "not guilty" by jury trial in 2012. Yes, IMHO, Harwood was an over-aggressive moron and unfit to be a copper, but to paint it as some malicious "beating to death" says more about your willfully-limited reading on the matter and your obvious prejudices against figures of authority.

  8. John Smith 19 Gold badge

    'a clear national security or law enforcement need'.”

    Or indeed merely "want"

    1. asdf

      Re: 'a clear national security or law enforcement need'.”

      >a clear national security or law enforcement need

      IE a pesky senator that is asking too many questions and has a mistress.

  9. Ken Hagan Gold badge

    Missing the point, surely?

    It is no secret that the NSA exists and has a massive budget. Any moral outrage about its activities should either have been consistently expressed for the last few decades or, if only recently felt, should be based on revelations concerning who they target rather than how they do it.

    I don't have a big problem with the NSA using a 0-day to spy on (say) North Korea.

    1. Allan George Dyer Silver badge

      Re: Missing the point, surely?

      Well, both those have been happening: Some people have been saying for a very long time, "these powers are dangerous to democracy", and, recently, lots of people have been shocked that the targets have included USA citizens and allies.

      However, the problem with 0-days is that, not only do they allow the good guys to spy on the bad guys, they allow the bad guys to spy on the good guys. Of course, there is a lot of context-specific risk balancing. If the NSA find a 0-day in "the most popular encryption software used in North Korea, rarely used outside", then there could be a reasonable argument for keeping it hidden. Or, if the nature of the 0-day makes the NSA confident that it can detect when someone else discovers it, they could plan to reveal it at that time, and use it until then. Heartbleed is the opposite of both of these: the library is used almost everywhere, and it is (virtually?) impossible to tell if someone else discovered and used it.

      Anyone who discovered Heartbleed and kept it hidden deliberately reduced everyone's security.

  10. Psyx

    It's nearly like the time GCHQ invented public key encryption...

    ... and didn't tell anyone for 20 years.

    But we were all ok with that, at the time.

    1. asdf

      nice try

      There is a huge difference between inventing something new only you use and intentionally gimping or exploiting software everyone (including the people you are supposed to protect) else uses.

    2. Version 1.0 Silver badge

      RE: PKE

      You had to be there at the time - encryption was considered "munitions" and it's export and sale were tightly controlled.

      1. asdf

        Re: RE: PKE

        Yeah the US government tried that to before they realized the rest of the world had figured out public key encryption as well.

  11. Franklin

    You know what would be cool?

    If the Federal government created a large, well-funded organization designed to safeguard the computer and communications infrastructure so vital to the nation's economy, perhaps by discovering flaws in commercially important cryptographic systems and...

    Oh, wait.

    1. asdf

      Re: You know what would be cool?

      But then the macho wannabe warrior private contractor nerds couldn't justify all that pork they get.

      1. asdf

        Re: You know what would be cool?

        Actually this is about pork but not just the contractors. Now the war on terrorism has wound down the warhawks need to find some new sexy way to get pork and pushing the new cool cyberwar threat is a way to do it. Its more in vogue and lucrative to start a new war than to boringly secure our current infrastructure.

  12. FuzzyTheBear

    Annoying ? You bet , but this will hit below the belt.

    With all those 0 day floating around is it not obvious that the it security community is just sitting on their hands ? Security researchers seem to be totally inadequate in their jobs to protect us. Which brings me to the annoyance ... Are security researchers in the bag of the agencies ? Certainly looks that way and i am truly suspicious of ANY encryption being in the same backdoored 0 day on purpose category to let totalitarian regimes ( ex USA ) and police states ( again USA ) regimes to crack down on people and attack civil liberties the world around. I do not trust security researchers . Not one dang bit. IMHO they are in the pockets of the security agencies to deliver them the goods to attack us civilians .

  13. The_Idiot

    Coming soon...

    1: The establishment of a new protocol, 'to improve and centralise the ability of the US to respond to threats to public information security' - all discovered exploits and bugs in communications or crypto to be reported to a single government authority. The authority will be solely responsible for relaying them to 'stakeholders' 'as they find appropriate'.

    2: To avoid inciting unnecessary panic and potentially placing US industry at a disadvantage, the protocol is modified so that all such reports are to be made without publicity or other recognition.

    3: To allow a more streamlined and efficient response to such threats, the protocol is modified such that:

    a: It is a criminal offence _not_ to report any discovered exploits or bugs

    b: It is a criminal offence to tell anyone _except_ the central agency

    c: It is a criminal offence to tell anyone that you have submitted a report to the central agency.

    I know. It would never happen. Right? Er.... right?

    1. asdf

      Re: Coming soon...

      Yeah too bad there are plenty of security researchers in the rest of the world not to mention 6+ billion other people not in the US that could give a toss what the US government says.

      1. The_Idiot

        Re: Coming soon...

        And there are other people - Garry McKinnon, Mr K DotCom, arguably Mr Assange, who have experienced, or fear experiencing, how little not being American and not, in theory at least, being subject to US law is actually relevant.

        And in any wise, I didn't actually mean to imply that in some fashion the US would be able to make everyone in the world subject to such a US protocol - but where the goose flies, the gander follows (as my old gran used to say). Are we that far from different governments making vulnerabilities into a 'national security resource'? To be collected, hoarded and never, ever made public under pain of, well, pain?

        Yes. Of course. We are. I mean - we are... right?

  14. asdf

    so very stupid

    One could make a very strong argument that no other country in the world can be harmed as much by zero days as the United States (infrastructure, business, etc). Zero days are almost always a double edged sword with it being virtually impossible to know if you are the only one who knows about it and exploiting it (the bad guys will probably figure out if only your country gets the patches). Therefore you would think if the NSA truly cared about protecting Americans they would more defensive than offensive. Seems pretty obvious that defending the US public is not their number one priority.

  15. Gray

    Take it seriously?

    "... it is hard to know if his policies to curb the NSA's excesses can be taken seriously."

    Ummmm ... no. Not hard to know at all.

    (Clue for the clueless: watch what they do, not what they say)

  16. Anonymous Coward
    Thumb Down

    Once again, we REALLY need to move U.S. Cybersecurity Command out of the NSA

    The NSA has already proven that the historical "collect everything" bias is going to trump their newer responsibility to "protect everything". Its dangerous to the U.S., the tech industry in general and the other 6.7 billion people on this rock.

  17. Frank N. Stein

    The NSA is good at exploiting network and device vulnerabilities. And Obama is good at empty words and promises.

  18. Levente Szileszky

    I'm still amazed by the fact...

    ...that this bunch of arrogantly smiling lying PoC paper-pushers eg Gen Alexander and his ilks are STILL THERE - just what is it they use to blackmail Obama et all that allows them to repeatedly LIE to Congress and STILL keep their jobs, with that arrogant smile on their faces, instead of being prosecuted and tried...?

This topic is closed for new posts.

Other stories you might like

Biting the hand that feeds IT © 1998–2022