Linked by Thom Holwerda on Fri 11th Apr 2014 20:21 UTC
Privacy, Security, Encryption

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

I'm so surprised.

Update: NSA denies.

Thread beginning with comment 586936
To read all comments associated with this story, please click here.
I don't think so...
by CapEnt on Fri 11th Apr 2014 21:24 UTC
CapEnt
Member since:
2005-12-18

I find doubtful that NSA knew about this bug too long beforehand.

It would create a counter-intelligence nightmare. The NSA is not the only agency in world engaging in cyber espionage. Plenty of very large American companies was using the vulnerable version of this software. And these secrets values a lot for European, South American and Chinese companies. The trade off is just to great to be afforded.

And the bug is too unreliable to get information quickly. To successful get a user access using it would require days, even weeks, sending server requests with malformed heartbeats, and a very keen eye to identify useful information in the middle of all garbage.

A really secure environment, of the type that "American enemies" store critical information, will not simple accept requests from a random IP from nowhere and likely neither be connected on internet, it would take a compromised computer from inside and large chunks of luck that a sysadmin would not take notice.

Reply Score: 9

RE: I don't think so...
by Treza on Sat 12th Apr 2014 00:15 in reply to "I don't think so..."
Treza Member since:
2006-01-11

Maybe.
They are either evil (if they knew the bug)
useless (because with their insane budget, they could spend a few tens of millions auditing code, doing really useful things),
or incompetent.

They can also be simultaneously evil, useless and incompetent.

Reply Parent Score: 6

RE[2]: I don't think so...
by p13. on Sat 12th Apr 2014 07:51 in reply to "RE: I don't think so..."
p13. Member since:
2005-07-10

I vote for hopelessly evil.

Reply Parent Score: 3

RE: I don't think so...
by cdude on Sat 12th Apr 2014 10:08 in reply to "I don't think so..."
cdude Member since:
2008-09-21

http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/31/the-ns...

NSA even buys off security vulnerabilities from all kind of companies, uses those vulnerabilities and do NOT report them, keeping them open for anybody else. This is offical known, there are millions of dollar spend on that every year and never ever, not one single time, did they report any such security hole nor did they care if others are using it against e.g. US companies. This just isn't there mission, they are not into defense but into data-collection. And therr is no control how that happens.

What makes you think its all different this time with this vulnerability? Because NSA denies? Because the new General Alexander says so? Yeah, the least untruthful lie, thats what they gave to congress. But hey, its all different this time, it just must be!!1

p.s. see also http://masssurveillance.info - its not like we didn't expect it to happen. Its just that Obama picked the wrong choice and it has consequences. Expect more of them.

Edited 2014-04-12 10:19 UTC

Reply Parent Score: 2

RE[2]: I don't think so...
by cdude on Sat 12th Apr 2014 16:54 in reply to "RE: I don't think so..."
cdude Member since:
2008-09-21

Article, written on September 9, 2013 in technologyreview:

http://www.technologyreview.com/news/519171/nsa-leak-leaves-crypto-...

"
Two NSA tactics prominent in Thursday’s report highlight widely known and fixable flaws in the way most online services operate. In one of those tactics, the agency collects encryption keys from online services so it can decode intercepted data at will.
[...]
the new reports appears to confirm long-held suspicions that the agency can overpower a [relatively weak?] form of encryption used by most websites that offer secure SSL connections
[...]
The software that Internet companies use to implement SSL, in particular a widely used open source package called OpenSSL, is one of many pieces of the Internet’s security infrastructure that will be more closely scrutinized after last week’s reports
"

And that, more closely watching OpenSSL, is what Google did, Heartbleed was found and now people question that NSA knew about it while it was in the leaked documents all the time. Humans, denying is so much easier.

Edited 2014-04-12 16:58 UTC

Reply Parent Score: 4

RE[2]: I don't think so...
by zima on Fri 18th Apr 2014 17:40 in reply to "RE: I don't think so..."
zima Member since:
2005-07-06

This just isn't there mission

Their mission...

Edited 2014-04-18 17:40 UTC

Reply Parent Score: 2

RE: I don't think so...
by bassbeast on Sat 12th Apr 2014 22:03 in reply to "I don't think so..."
bassbeast Member since:
2007-11-11

Not to mention the NSA has backdoor access to the trunks, which we know thanks to the AT&T whistleblower. The NSA using Heartbleed would be about as pointless as someone who drives a tank through your house going back to then pick the lock on the door, it would be pointless and frankly waste more time than is required.

Reply Parent Score: 2

RE[2]: I don't think so...
by umccullough on Sun 13th Apr 2014 17:06 in reply to "RE: I don't think so..."
umccullough Member since:
2006-01-26

it would be pointless and frankly waste more time than is required.


You may be unfamiliar with how SSL works.

Assuming the NSA is logging all encrypted traffic (which they claim they do - and are storing indefinitely), then they could potentially go back and decrypt the traffic after the fact if they are able to obtain the server's private key (which Heartbleed was proven to reveal in some circumstances).

This encrypted data would otherwise be hidden from their view, no matter how many taps they have on the trunks.

There are some mitigation mechanisms that help prevent such retrospective decryption, such as Forward Secrecy - but not all servers enable this feature by default, and not all browsers support it.

Reply Parent Score: 6

RE: I don't think so...
by Lennie on Tue 15th Apr 2014 18:41 in reply to "I don't think so..."
Lennie Member since:
2007-09-22

You mean less than a day ?:

http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge

Not that I disagree with your opinion about how likely the NSA knew about this.

Edited 2014-04-15 18:42 UTC

Reply Parent Score: 2