As Thom Brow mentioned in another thread: What can you actually get from this security hole? The private key appears to be highly unlikely.
blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed
The tech world is aflutter over the Heartbleed encryption flaw in OpenSSL, but it seems that the bug was no surprise to the analysts of the NSA, since they have reportedly been using it for two years to spy on data traffic. Two sources familiar with the matter told Bloomberg that NSA staff picked up on the fatal flaw shortly …
s/the rich/itself/
If you think the NSA acts on the whims of Bill Gates, Warren Buffet or Prez Obama, you'd be severely wrong. The NSA will have probes into these people's lives.
NSA has become like the KGB of old - completely above the law and any government oversight. They become paranoid: anyone outside the organisation becomes the enemy.
Obama thinks he can rein them in with strict guidelines etc, but he is wrong.
The only way the NSA can be managed is to shut them down, investigate the hell out of them, and criminally prosecute those that have not done. Half measures won't do it.
NSA has become like the KGB of old - completely above the law and any government oversight. They become paranoid: anyone outside the organisation becomes the enemy.
Sadly, all the NSA are likely to learn from the Snowden debacle, is that there is also the enemy within. I would expect far greater effort has gone into assuaging their paranoia with data compartmentalisation and audits than has been spent effecting behavioural change in their dealings with the wider world.
The Big 0 has no interest in reining them in.
Neither would any other POTUS. There's political sauce to be made from expressing sympathy with privacy advocates, outrage over infractions of civil rights, etc; but there's no pragmatic advantage for the nominal head of the Executive Branch to reduce the power of that branch. The only reason for a US President to actually try to restrict the NSA would be ideological, and that's not the sort of ideology that gets you elected.
More importantly, there's no way the president could effectively control the intelligence apparatus at this point. It's firmly established and much too large for a presidential administration to survey effectively, much less police. The president could fire some of the top administrators (in theory; whether anyone would take the risk is another question), but that would have very little effect on day-to-day operations.
Protect themselves.
The Twitter claim of knowing nothing until public disclosure is breathtaking. I mean by April 7th a patch had been written and committed for 1.0.1e, heartbleed.com had been registered for 3 days, there had been considerable correspondence between the Finnish company and the authors. Google had allegedly already patched its servers.
And the NSA had not known this?
Which leads to the conclusion they are incredibly incompetent or barefaced liars. Your choice.
And if they lied about 2 days or 2 weeks how can one believe it wasn't two years?
"The open source community has been criticized for failing to spot the flaw, but it lacks the resources of the NSA, which employs hundreds of code checkers to find flaws in common code."
I thought the whole point of open source was that countless numbers of NEETs were supposed to be sitting in their mommies' basements checking the code.
Code checking is a real drudge job and no one likes doing it. And if you don't have a concise specification it is nearly impossible.
The steps for writing quality code are
1. Write a spec
2. Write a test plan based on the spec
3. Write the code
4. Conduct a code review
5. Unit test the code.
I wonder how many of those steps were followed in this case?
The steps for writing quality code are
1. Write a spec
2. Write a test plan based on the spec
3. Write the code
4. Conduct a code review
5. Unit test the code.
I wonder how many of those steps were followed in this case?
Numbers 1 and 3. And the specification and code were written by the same person; and the specification says that the code should discard malformed requests, but it doesn't. So there you have it.
In just the same way that there isn't any obvious trace when a miscreant uses this method to try to collect data from a site, maybe the NSA had silently monitored selected sites to capture details of attackers who were exploiting the security hole. By allowing the leak of relatively non-critical data through what would in effect be a set of giant honeypots they could have been compiling details of their enemies.
As to the costs, a) it wouldn't be their money; and b) this would go to show just how important their work really is.
> Pretty sure open source code review is not high on the list of things they are getting paid for.
Since one of their primary mandates is the security and defense of American interests, and knowing full well that they have enormous Internet-related expertise and resources, I would be shocked to discover that the most widely used security protocol library used by pretty much all US websites had not been pored over with a fine tooth comb for just this kind of thing, even if it is to find something that they could use themselves.
It's not like the resources to do that kind of thing wouldn't even be on the cost radar for an organisation like the NSA.
I would be shocked to discover that the most widely used security protocol library used by pretty much all US websites
I have to point out that the final phrase is a grotesque exaggeration. There are a great many websites which don't use SSL/TLS at all; and there are many which don't use OpenSSL - mostly the ones running IIS, but there are other competitors (GnuTLS, BSAFE, CyaSSL, Apple's implementation, etc) as well.
"used by many US websites" is a reasonable formulation; "pretty much all" is not.
"If the NSA didn't know about this bug... what are they getting so much money for?"
So... you expect them to be utterly all-seeing and all-powerful, but at the same time take issue with the fact?
*sometimes* several million people come up with stuff that several thousand highly trained professionals don't.
It just happens.
"One of the NSA's specific roles is to safeguard national communications and online security infrastructure"
That seems a bit naive. Nowhere do they claim to protect individual/corporate communications or individual/corporate online security and why would they? As far as the NSA is concerned everyone and everything that isn't the U.S. government is a potential threat to national security and that includes its own employees. After all it's a post-Snowden world and you can't trust anyone since tear-wrists ar' eevy-whirr!
So why didn't they tell the government?
Either the Army, Navy, Air Force, Marines, Coastguard, Congress, CIA, SS etc all were informed about this bug and fixed it - without the news leaking out. Or the NSA didn't tell them and has been risking the lives of our service men and women in combat by allowing secret details to be vulnerable to hackers.
You tell me, only 26 U.S. Gov't servers were ever reported as vulnerable and best I can determine none of those were dealing with national security issues. The rest were either patched or not vulnerable in the first place. Of course they could all be like the desktops and running software a dozen years old, but that doesn't play to the story now does it?
The most likely reason that most US Government sites were not vulnerable to Heartbleed is that they were using OpenSSL versions earlier than 1.0.1 or, in some cases, were running Windows-based web servers, which do not use OpenSSL. That would include those associated with DoD or other agencies one might think of as involving national security.
OpenSSL versions 0.9.8 and 1.0.0 (not vulnerable) both appear to be actively maintained and so could be used within the government.
Sure, they could be using 1.0.0 or GnuTLS, CyaSSL, PolarSSL or a bunch of others. Somehow since most all the packages comply with NSA Suite B and the NSA did do a bunch of work on SELinux I have to believe they know their stuff. If you read carefully I never said either way if they knew about it beforehand or not. My point was, and still is, that the NSA isn't in the "protect your bank account, communications to mom, instagram sessions and Google data slurps" because those functions aren't in the national interest no matter how important we think we are.
The NSA isn't going to prevent you from taking a shiv in the kidney in a dark alley but they might be able to do something about the incoming attack helicopter or guided missile frigate. I'll let the conspiracy experts argue about who knew what and when. Perhaps naive was the wrong word, I should have used vain or immodest.
"NSA isn't in the "protect your bank account[...]" because those functions aren't in the national interest no matter how important we think we are."
You must have missed the financial crash a few years ago. A way of pulling down small numbers of bank accounts is not a problem. A way of hoovering up credentials quietly until you have a million or so accounts that you can vaporise in one night of action would be untargeted but definitely a threat to the nation's well-being.
If the FDIC and NCUSIF had to start paying out huge sums, the NSA might have a look after the Secret Service and FBI asked for their help. Even then given the average account balance runs around $6,000 and 56% have total savings under $25,000 someone draining a million accounts is only getting 6 to 25 billion dollars. Sure, it would sting and a million or so people would be hurting pretty badly for a while and yes it's a substantial fraction of the intelligence budget but it still wouldn't qualify as being in the national interest even though it's near the same scale as the auto company bailout during that financial hiccup you speak of.
Of course it could be targeted to the wealthiest million people or corporations but to move those kinds of assets it would likely take a state sponsor and, like Mount Rushmore, it would be pretty hard to hide overnight. Likewise, no, the FBI isn't going after the random shop lifter pocketing a pack of gum, a turkey or even a watermelon because it's not what they do either.
"but it still wouldn't qualify as being in the national interest "
Even factoring in the financial instability caused by a massive hack of this kind? Do you think all those big bank account holders would just leave their money there for the taking? They run like fuck to someone else, probably taking the bank down with them.
But they didn't mention it before everyone knew about it. When they might have had some credibility, y'no?
Flash! Alert! Lisbon will be destroyed in a 9.0 earthquake!
Well okay, I'm a few hundred years late there. How about:
Major news! Russia invades Ukraine, says they are liberators!
Am I 69 years late or 69 hours too soon?
Having discovered a pretty obscure (if elegant) vulnerability so soon after it was introduced and before the affected code was widely deployed in the field would suggest a level of efficiency most unlike any governmental institution.
From the same people who let any old sysadmin walk away utterly unnoticed with Terabytes of their data (OK, not exactly theirs)?
Looking for exploitable holes in encryption implementations is the NSA's mandate and they have a massive budget and labour force and tools to do this. Their resources are far greater than those of the guys who write and maintain openssl in the first place.
It's their **job** to specifically look for this stuff, and, yes, with every new release. Why? Because with a new version, especially a significant one, you get new errors, and thus new potential opportunities for exploits.
Sure, we don't know if the NSA found the bug right away. Maybe they didn't. But even if they found it 6 months after release of 1.0.1, that still leaves about 18 months of exploitation fun.
Having discovered a pretty obscure (if elegant) vulnerability so soon after it was introduced
All they'd need to do is have one person watching the commit logs for OpenSSL and reviewing the committed changes. It's not a big job; there isn't that much commit activity for OpenSSL. And the bug is hardly obscure. As I've noted in other threads, anyone who's ever written a Wireshark dissector, for example, ought to be able to spot it almost immediately. Dealing with malformed self-describing data from the peer is a given in comms programming.
and before the affected code was widely deployed in the field
Presumably because they would have found it by inspecting the source. It could be found by pen-testing the binaries (fuzz-testing the TLS Heartbeat functionality in particular), but source inspection is a more likely route in this case. I don't think this bit makes the story any less plausible.
would suggest a level of efficiency most unlike any governmental institution.
Pfft. All you need is one programmer with decent code-inspection and debugging skills assigned to look for vulnerabilities in OpenSSL. If that employee is any good, he or she is following the OpenSSL discussion lists and watching the commit log.
This is a trivial job compared to most of what the NSA is responsible for, if they want to fund such a position. That's really the question. If they have such a position, and they didn't know about Heartbleed, then they should be looking closely at whomever they're paying to keep an eye on OpenSSL.
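The posts above make two technical points: the spec says a heartbeat handler must discard malformed requests, and treating self-describing length fields from the peer as untrusted is routine comms programming that fuzzing would also have caught. The following C block is an added illustration, not code from OpenSSL or from any commenter: a heartbeat-record parser that enforces the RFC 6520 bounds rule (the declared payload length plus header and minimum padding must fit inside the received record), a response builder that echoes only the validated payload, and a small random-input harness of the kind a defender would run to confirm that no accepted record can ever point outside its own bytes. The sample records and the fuzz loop are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* TLS Heartbeat message layout (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding (at least 16 bytes)
 * The receiver MUST discard a message whose payload_length is too large for the record. */
#define HB_HEADER_LEN   3
#define HB_PADDING_MIN  16
#define HB_REQUEST      1
#define HB_RESPONSE     2

typedef struct {
    uint8_t        type;
    uint16_t       payload_length;
    const uint8_t *payload;   /* points into the caller's record buffer */
} hb_msg;

/* Parse one heartbeat record of rec_len bytes. Returns 1 and fills *out when the
 * record is well-formed, 0 when it must be discarded. Nothing is read beyond rec_len. */
int hb_parse(const uint8_t *rec, size_t rec_len, hb_msg *out)
{
    if (rec_len < HB_HEADER_LEN + HB_PADDING_MIN)
        return 0;                                   /* cannot even hold header + padding */
    uint16_t plen = (uint16_t)(((unsigned)rec[1] << 8) | rec[2]);
    /* The bounds check the spec requires: peer-supplied length must fit the record. */
    if ((size_t)plen + HB_HEADER_LEN + HB_PADDING_MIN > rec_len)
        return 0;
    out->type           = rec[0];
    out->payload_length = plen;
    out->payload        = rec + HB_HEADER_LEN;
    return 1;
}

/* Build a heartbeat_response echoing only the validated payload. Returns the number of
 * bytes written, or 0 if the output buffer is too small. Padding is zeroed here for
 * determinism; a real implementation fills it with random bytes. */
size_t hb_build_response(const hb_msg *req, uint8_t *out, size_t out_cap)
{
    size_t need = HB_HEADER_LEN + (size_t)req->payload_length + HB_PADDING_MIN;
    if (out_cap < need)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(req->payload_length >> 8);
    out[2] = (uint8_t)(req->payload_length & 0xFF);
    memcpy(out + HB_HEADER_LEN, req->payload, req->payload_length);
    memset(out + HB_HEADER_LEN + req->payload_length, 0, HB_PADDING_MIN);
    return need;
}

/* Constructed sample records (not captured traffic). Both carry the 5-byte payload
 * "hello" followed by 16 padding bytes; the second one claims a payload of 65535 bytes. */
static const uint8_t SAMPLE_OK[] = {
    HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t SAMPLE_INFLATED[] = {
    HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Returns the accepted payload length for the well-formed sample, or -1 if rejected. */
int hb_demo_wellformed(void)
{
    hb_msg m;
    return hb_parse(SAMPLE_OK, sizeof SAMPLE_OK, &m) ? (int)m.payload_length : -1;
}

/* Returns 1 if the inflated-length sample is (wrongly) accepted, 0 if discarded. */
int hb_demo_inflated(void)
{
    hb_msg m;
    return hb_parse(SAMPLE_INFLATED, sizeof SAMPLE_INFLATED, &m);
}

/* Size of the response built from the well-formed sample (header + 5 + padding). */
size_t hb_demo_response_len(void)
{
    hb_msg m;
    uint8_t resp[64];
    if (!hb_parse(SAMPLE_OK, sizeof SAMPLE_OK, &m))
        return 0;
    return hb_build_response(&m, resp, sizeof resp);
}

/* Minimal fuzz harness: feed random records of random length and count every accepted
 * message whose payload + padding would extend past the record. A correct parser returns 0. */
unsigned hb_fuzz(unsigned iterations, unsigned seed)
{
    uint8_t rec[64];
    unsigned violations = 0;
    srand(seed);
    for (unsigned i = 0; i < iterations; i++) {
        size_t rec_len = (size_t)(rand() % (int)(sizeof rec + 1));
        for (size_t j = 0; j < rec_len; j++)
            rec[j] = (uint8_t)rand();
        hb_msg m;
        if (hb_parse(rec, rec_len, &m) &&
            (size_t)(m.payload - rec) + m.payload_length + HB_PADDING_MIN > rec_len)
            violations++;
    }
    return violations;
}

int main(void)
{
    printf("well-formed sample: payload_length=%d\n", hb_demo_wellformed());
    printf("inflated sample accepted: %d\n", hb_demo_inflated());
    printf("response length: %zu\n", hb_demo_response_len());
    printf("fuzz violations: %u\n", hb_fuzz(100000, 1));
    return 0;
}
```

The single comparison in `hb_parse` is the whole difference between "discard malformed requests" and the bug the thread is discussing; the fuzz loop is the cheap regression test that would flag any future parser change that drops it.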
To start with, I don't usually pay much attention to the NSA this and NSA that chatter that goes on these forums. Yes, I agree with Snowden and yes, the intelligence agencies abuse their remit, likely to not that much benefit compared to the loss of liberty. Western democracies should revert back to peacetime investigative behavior and follow judicial procedures.
But the actual end result for myself? Not that relevant day to day. I don't like it, but I am not going to spend all day being outraged about it. I suspect this is what a large part of the public feels as well. Whether or not that's an attitude that is ethical is up for debate.
Why, if this turns out be true, could this change everything?
Suppose it turns out that the NSA did know about this (or any major system-wide bug with a huge potential for mischief to the general public, corporations and indeed the US govt at large). Suppose it then just sat on the knowledge, happily ignoring the risk to all these _US_ individuals and organizations.
Given the potential for misuse of Heartbleed and the time it has been active, how exactly could it claim to be protecting the interests of the average US citizen then? Will those same citizens, if they, or someone they know, have been affected by identity theft or fraud, blame the NSA's laissez-faire? What about criminal groups funding terrorism precisely through this flaw? What about espionage by foreign countries? What will Joe Average think about having to change his passwords, while knowing that the cops did nothing?
IF they knew, this would be a practical demonstration of blatant day to day disregard for the well-being of all its own citizens. Hopefully, but not holding my breath, they should be held accountable by Congress* if it turns out to be true and people should lose their jobs.
Canada's Revenue Agency shut down some/all SSL parts of its site yesterday, right during tax season. They may yet turn out to be over-reacting (don't think so myself), but the point is that, at this level of risk, government agencies do have responsibilities beyond their immediate remit.
* If they knew as well, the same questions would apply to all our pet counter-terrorism "protectors", be they GCHQ, Canada's CSIS or the French DGRS or whatever it's called. Sadly, for all the criticism the NSA warrants, at least they get some flak; other countries' agencies tend to get an even freer pass.
I did indeed "mean that". It comes down to a matter of trust.
Are anonymous spokespersons for the NSA and DNI worthy of trust? Probably not very much.
Is Michael Riley (whom I do not know) paraphrasing two unnamed sources worthy of trust? Again, probably not very much. And the incorrect and misleading description of the Heartbleed flaw in Riley's article, while irrelevant to the claim about the NSA, still does not engender confidence in the diligence of his research or his (or Bloomberg's) fact checking.
Does any of the sources have a reason to lie or shade the truth? You bet they do, and motives are easily guessed.
Is either claim easy to verify? No.
Is "not very worthy of trust" in the first case roughly comparable and independently indistinguishable from "not very worthy of trust" in the second? I think it is, pending availability of actual evidence.
Whereas 'unnamed sources' have?
'Unnamed sources' is newspaper talk for 'we made it up and this way we don't have to give a citation or be legally accountable'.
If pressed on the matter, they can claim it was a mate in the pub who empties dustbins.
Because one source has an extensive recent history of deep untruthiness.
I think you'll find both sources (the NSA and unidentified informants cited by the press) fall into that category. Yes, anonymous whistleblowers and deep sources often provide information that is later borne out by investigation or the gradual uncoverings of history; but they also often provide misinformation, fantasy, or simple error.
As I noted above, I don't think it's at all implausible that the NSA knew of Heartbleed, and indeed I'd be a bit disappointed in them (however relieved) to find out they didn't; incompetent evil is so depressing. But I put no more credence in Bloomberg's unnamed sources than I do in official statements from the NSA.
The hole is so elegant and so widespread that you would wonder if NSA wrote it.
If indeed they failed to act, that implies they didn't see this as a threat to any national data, which suggest they knew it wasn't originated overseas or by black hat types. That means they are likely perps!
It is "elegant" in the sense that it does not adversely affect clients that send well-formed packets, it will never (for sufficiently small values of packet length) crash the server, is pretty unlikely to do so for larger values, and you can just set up a server farm hoovering up data from zillions of targets 24/7 for a few years and see what turns up. It costs you nothing more than the leccy bill.
Given their resources and their mission, they (and like-minded agencies in other countries) ought to have people reviewing the changes being committed to OpenSSL, as they happen. If they didn't spot the flaw within a week or two of it being committed then they should be asking themselves why.
"The hole is so elegant"
No it's not.
"you would wonder if NSA wrote it."
Only if ill-equipped with facts and predisposed towards such an opinion. It's certainly not one that it would be easy to come to without a hefty bias towards conspiracy.
"If indeed they failed to act, that implies they didn't see this as a threat to any national data"
Assuming they knew about it, which is hell of a leap. "Something exists ergo the NSA know about it and if they don't, they suck" is a completely irrational and illogical response.
"which suggest they knew it wasn't originated overseas or by black hat types. That means they are likely perps!"
Assumption based on assumption.
Odd how it conforms to your existing opinion.
There is a programmer out there that made the first commit with the bug in it. Who is it? They need to come forward and state for the record whether or not it was done under orders.
As much as I favor une feuille d'étain chapeau, my instinct is that this is just a bug. Even so, the NSA absolutely has dirt all over its hands when it comes to the state of network security.
Regardless of their role in Heartbleed I am quite convinced that there are a large number of 'law enforcement' types that belong behind bars.
I am not sure how you shut down a military industrial complex backed by years of half-trillion dollar budgets and sitting on weapons that can destroy the world, but maybe we should try before they start weaponizing graphene.
You need to read more.
There have been stories for the last 20 hours about the guy who wrote it apologising and saying he made a mistake and that he is mortified blah blah blah.
I sincerely doubt the NSA knew about this, given the amount of damage to America's corporate political machine (Amazon, Microsoft, Walmart etc) foreign intelligence agencies (thinking specifically certain Communist Far East countries) could do using it. Although people can go "ah but they could have spied on their own people using this", the risk of others using it would have been too high. Far better to just nobble the certificate issuers to get a shadow copy of the private keys and leave the protocol itself "secure".
Part of the NSA's job is to look for exploits exactly like this, and then use them for spying rather than report them. It doesn't matter if the NSA knew about this specific exploit. They most certainly know about, and regularly use hundreds of others that are just as powerful and just as harmful to the general public and to international commerce. And if any of those come to light, you can bet that the NSA will deny knowing about them too, even when questioned by Congress.
All of this is showing that Snowden was right: the NSA's irrational and obsessive focus on total surveillance is undermining their mandate to protect American cybersystems.
As is becoming increasingly clear, the NSA has done more economic harm to the U.S than any foreign actor in recent history, aside from perhaps China.
"As is becoming increasingly clear, the NSA has done more economic harm to the U.S than any foreign actor in recent history, aside from perhaps China."
I don't wish to be too cynical here, but in peacetime it is generally true that the main damage to a country's interests come from the incompetence of its own government. They have so much more power than any other actor and yet they are subject to all the usual human frailties and incompetence.
https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013
Not conclusive on its own, but still another piece of evidence pointing to our "democratic" surveillance infrastructure betraying the public interest, and exploiting rather than reporting security holes.
The NSA can deny they knew till they're blue in the face and still no one will believe them unless they're pre-inclined to do so; after all, they can't prove they didn't know, and they do have copious form.
Given that the NSA has a habit of making up its own rules then not sticking to them anyway, I'm personally going to enjoy seeing them with their nuts firmly clamped in a vice on the basis of innuendo, a tactic they and their spook compatriots have been happy enough to visit upon their opponents down the years - enough of what they did verifiably do is worthy of shutting them down for anyway. I certainly hope the irony of being strung for being untrustworthy rather than for provable misdeeds isn't lost on them.
America's facile obsession with 'security' on its own skewed terms turns out to have delivered anything but that for most people, merkin or not, and I hope that isn't lost on anyone either when we're rethinking what 'security' actually means.
They were obviously taking advantage of the vulnerabilities in iOS and Windows before they were public. And they were taking advantage of the unencrypted traffic traveling between Yahoo! and Google datacenters before that vulnerability was made public. So why not Heartbleed too?
I don't KNOW that the NSA knew about Heartbleed and exploited the vulnerability instead of closing it. But the one indisputable fact is that IF the NSA (or any of the other 5 Eyes or Western SigInt agencies) were exploiting Heartbleed, the first thing they would do when queried about their use of it would be to "lie & deny" to protect a classified SigInt program. That's where we are now.
Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.
That's a statement from a public affairs department, I suspect they know very little about what the NSA really knows, or doesn't know.
You have to remember you're talking about an organisation whose director knew so little about what they did and didn't do/know that he effectively lied to the Congressional oversight committee.
Do you really think their Public Affairs department have any idea about what the NSA do or know?
> You have to remember you're talking about an organisation whose director knew so little about what they did and didn't do/know that he effectively lied to the Congressional oversight committee.
I thought he knew full well what was going on and purposely answered "no", later explaining that his "no" answer as to whether data on millions of Americans was collected had been due to a fascinating definition of the word collect from the "1982 Department of Defense Procedures Governing The Activities Of DOD Intelligence Components That Affect United States Persons":
"Collection. Information shall be considered as ‘collected’ only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties….Data acquired by electronic means is ‘collected’ only when it has been processed into intelligible form."
In other words, when they only collect data and machine-scan it that doesn't count as collected. It's only collected once it's been used by an employee.
What makes you think this isn't one of the methods they were using?
They aren't going to list descriptions of vulnerabilities in use on PowerPoint slides meant for the higher ups.
Basically, if the NSA did not know about this before public disclosure then they are incredibly incompetent because it's something they claim to be doing, and if they did know about it, then how long do they sit on vulnerabilities like this before nudging someone else to disclose?
"Basically, if the NSA did not know about this before public disclosure then they are incredibly incompetent because it's something they claim to be doing"
How the heck do you expect the NSA to find every security flaw before the rest of the entire planet?
If I walk into your office and spot a way of doing something better, does that mean you are incompetent? By your measure it does.
"How the heck do you expect the NSA to find every security flaw before the rest of the entire planet?"
I don't, but...
There are relatively few SSL suites in widespread use and pretty much all secure communication on the internet is built on top of them, so they are pretty important. OpenSSL happens to be open source, but that's probably not an issue since I'm sure the necessary arms can be twisted if the NSA want a look-see at Microsoft's crypto libraries. If the NSA, with a budget in the billions, doesn't have a team poring over these suites then someone needs to have their employment contract reformatted.
I expect that team to find a buffer overrun vulnerability in a codebase that lies square in the middle of their competence with a couple of years of it being published. Whether that is before the rest of the world is another matter entirely. I also assume that several other nations have teams doing much the same, so they might get there first.
I love how comments such as this completely ignore the changing reality of spying in the modern world.
In years gone by it cost substantial money to track and spy on individuals meaning that it was impractical/impossible to conduct mass surveillance on a truly large scale. That limiting factor led to limited targeted spying.
With the cost of mass surveillance having plummeted over the last few decades it is now technically/financially practical to spy indiscriminately on large amounts of people and the need to target your surveillance is reduced.
To ignore this reality is to ignore the modern ethical questions that massive state surveillance has introduced.
If it was discovered that the police were using some ethically questionable methods to conduct their work would you also say - Police in "Did some policing" shocker..... Nice way to completely sidestep the difficult questions....