The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.
I’m so surprised.
Update: NSA denies.
It’s possible that this is something he wasn’t aware of, but if it turns out that he knew about this, but was waiting until the bug was found in order to leak that to the world, then it just might be the evidence that turns me against him. I’m not giving the NSA a pass, fuck them, but there are millions of people at risk because of this and withholding it for “national security” or to score “political points” are both bullshit reasons.
Have I missed something, or has Snowden ever claimed he read every document he leaked personally?
He isn’t leaking anything anymore. He released the documents en masse to some trusted journalists, and they choose what and when to release information. He’s out of the game, more or less. Love him or hate him, he did what he came to do nearly a year ago, and has been in exile since.
It amazes me how little some people actually read or understand current affairs.
That’s BS and you know it. He still has copies of the documents he shared and has hinted at future revelations (meaning he’s read them). Being condescending while talking out of your ass may convince people who are inclined to agree because you validate their pre-existing beliefs, but that doesn’t make what you say true.
None of which means he would have read all of them and he most likely hadn’t read even a small fraction of them at the time he obtained them. It’s actually likely that he has been going through what he actually has got in his hands while on the lam. And still, it in no way or form would mean that he has managed to go through it all yet.
I never said that he didn’t. Putting words in my mouth so you can call me a liar is not only condescending, something you just accused me of, but also childish and stupid of you.
I’m not going to dig up all the articles written about how the power to release information is now in Greenwald’s and Poitras’ hands; it’s available all over the Internet and has been discussed to death. I stated facts, and you got your butt hurt because it didn’t line up with the way you see things. It happens, get over it and grow up.
If it’s so easy then site your sources.
“Site”? Really? Okay, how about this:
http://www.nytimes.com/2013/10/18/world/snowden-says-he-took-no-sec…
There are tons more, but frankly it’s my only day off and I’m not going to waste it on you. It’s okay to be wrong every now and then, dude. Just don’t be an ass about it.
“I stated facts, and you got your butt hurt because it didn’t line up with the way you see things. It happens, get over it and grow up.”
It’s nice to see you doing your part to raise the level of discourse too.
Just responding in kind; it’s a flaw that I readily admit. It was a civil conversation until he made it personal.
Look, you were right about the facts. That’s clear now. My initial post was based on a premise that he still had and was able to leak information. That’s not the case, as I now know, since you provided information to the contrary.
However, read over your comment asserting your surprise at my ignorance. Now read Lorin’s post below. That’s how you tell somebody they’re wrong, with specifics, and without making sweeping judgments. I was wrong on the facts here, clearly, but I was not the one who turned this into a “flame war.”
I see why you took offense to that, and I’m sorry you took it personally. It was a generalization and not specifically aimed at you; I just have a pet peeve about people who speak from ignorance instead of reading about an issue first. I could definitely have left that out as it was more of a “crap, not another one” stream of consciousness than a deliberate dig at you. Again, I’m sorry about that.
However, I do think you were already in a negative state of mind based on the wording of your initial statement, and I get the feeling that you would have attacked me no matter what. I may be wrong about that, of course. Anyway, you’ve seen my “troll defense” side now; sorry you had to witness that.
Well, my “That’s BS and you know it!” line didn’t do anything to help things for sure. It’s always a good thing when these “fights” are just the result of momentary rises in blood pressure.
What everyone is forgetting is that one of the conditions for asylum was that he did not disclose any more information; he probably learned about this at some point but would have been forbidden to say anything publicly.
I find it doubtful that the NSA knew about this bug too long beforehand.
It would create a counter-intelligence nightmare. The NSA is not the only agency in the world engaging in cyber espionage. Plenty of very large American companies were using the vulnerable version of this software. And those secrets are worth a lot to European, South American and Chinese companies. The trade-off is just too great to be afforded.
And the bug is too unreliable to get information quickly. To successfully get user access using it would require days, even weeks, sending server requests with malformed heartbeats, and a very keen eye to identify useful information in the middle of all the garbage.
A really secure environment, of the type in which “American enemies” store critical information, will not simply accept requests from a random IP from nowhere and likely will not be connected to the internet either; it would take a compromised computer from inside and large chunks of luck that a sysadmin would not take notice.
Maybe.
They are either evil (if they knew about the bug),
useless (because with their insane budget, they could spend a few tens of millions auditing code, doing really useful things),
or incompetent.
They can also be simultaneously evil, useless and incompetent.
I vote for hopelessly evil.
http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/31/the-ns…
The NSA even buys security vulnerabilities from all kinds of companies, uses those vulnerabilities and does NOT report them, keeping them open for anybody else. This is officially known; millions of dollars are spent on that every year and never ever, not one single time, did they report any such security hole, nor did they care if others are using it against e.g. US companies. This just isn’t their mission: they are not into defense but into data collection. And there is no control over how that happens.
What makes you think it’s all different this time with this vulnerability? Because the NSA denies? Because the new General Alexander says so? Yeah, the least untruthful lie, that’s what they gave to Congress. But hey, it’s all different this time, it just must be!!1
p.s. see also http://masssurveillance.info – it’s not like we didn’t expect it to happen. It’s just that Obama picked the wrong choice and it has consequences. Expect more of them.
Edited 2014-04-12 10:19 UTC
Article, written on September 9, 2013 in technologyreview:
http://www.technologyreview.com/news/519171/nsa-leak-leaves-crypto-…
“Two NSA tactics prominent in Thursday’s report highlight widely known and fixable flaws in the way most online services operate. In one of those tactics, the agency collects encryption keys from online services so it can decode intercepted data at will.
[…]
the new reports appears to confirm long-held suspicions that the agency can overpower a [relatively weak?] form of encryption used by most websites that offer secure SSL connections
[…]
The software that Internet companies use to implement SSL, in particular a widely used open source package called OpenSSL, is one of many pieces of the Internet’s security infrastructure that will be more closely scrutinized after last week’s reports”
And that, more closely watching OpenSSL, is what Google did, Heartbleed was found and now people question that NSA knew about it while it was in the leaked documents all the time. Humans, denying is so much easier.
Edited 2014-04-12 16:58 UTC
Their mission…
Edited 2014-04-18 17:40 UTC
Not to mention the NSA has backdoor access to the trunks, which we know thanks to the AT&T whistleblower. The NSA using Heartbleed would be about as pointless as someone who drives a tank through your house going back afterwards to pick the lock on the door; it would be pointless and frankly waste more time than is required.
You may be unfamiliar with how SSL works.
Assuming the NSA is logging all encrypted traffic (which they claim they do – and are storing indefinitely), then they could potentially go back and decrypt the traffic after the fact if they are able to obtain the server’s private key (which Heartbleed was proven to reveal in some circumstances).
This encrypted data would otherwise be hidden from their view, no matter how many taps they have on the trunks.
There are some mitigation mechanisms that help prevent such retrospective decryption, such as Forward Secrecy – but not all servers enable this feature by default, and not all browsers support it.
You mean less than a day?:
http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge
Not that I disagree with your opinion about how likely the NSA knew about this.
Edited 2014-04-15 18:42 UTC
Hey! Look at the bright side!!
Now we can surf any dark Russian, Far-East, Chinese, whatever site and run any unholy w4r3z we want…
I mean, after all, it turns out we wouldn’t be risking getting powned much more than using “legit” GMail or MS Office.
On the other hand, I sometimes wonder if this could not be a huge bluff where the USA is just creating this image in order to scare the rest of the world… a psychological strategy.
“When Federal agencies discover a new vulnerability in commercial and open source software – a so-called ‘Zero day’ vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.”
Then from Wikipedia:
“Stuxnet attacked Windows systems using an unprecedented four zero-day attacks (plus the CPLINK vulnerability and a vulnerability used by the Conficker worm)”
Edited 2014-04-12 02:32 UTC
WHO says “NSA knew for 2 years”? Who is saying this? What are their back-ups, where is the evidence for such outlandish claims? Or is everyone trying to hide behind Snowden?
The way I see it, every time that f*cker opens his mouth, it must be the absolute truth for some very naive people. Sorry, but that sh*t just doesn’t fly up here.
“Two people familiar with the matter”, which is twice as good as “I read it on the interwebz!”.
As an admin who spent last week finding all of his vulnerable machines, and patching them, and having watched some of the presentations on the NSA’s activities, I’m a bit skeptical of this claim.
First, the likelihood of getting an SSL key, or a password, or any bit of useful information via heartbleed requires many, many, many efforts at retrieving the desired data (or luck), because you’re grabbing semi-random 64 KB chunks of memory.
The NSA isn’t interested in tools that only give them randomly useful information. They want specific information and lots of it.
More importantly, with the sophistication of their known, documented, man-in-the-middle attacks, they don’t NEED the heartbleed bug. It’s like putting gas in your car with a teaspoon, when you’ve got a 5 gallon gas can available.
They’ve already hijacked the network near you, and the network at the service you’re connecting to (and possibly your router), and they’ve got the equipment installed to not only hijack your connection, but intercept the data being sent back to you, alter it, and make sure the altered packets get back to you first.
Or, using this vulnerability, they could spend hundreds of computer hours trying to randomly steal and assemble information they’ve already got.
I suggest anyone interested track down Jacob Appelbaum’s presentation “To Protect and Infect”, and watch it. It’s somewhat depressing, but enlightening.
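The “malformed heartbeats” and “semi-random 64 KB chunks” mentioned in the comments above both come down to one missing bounds check. The following Python is an added example, written for this page rather than taken from any commenter or from OpenSSL: it parses a TLS heartbeat record as laid out in RFC 6520 and applies the check a correct peer or an IDS must apply, namely that the declared payload_length plus the 3-byte heartbeat header and the 16-byte minimum padding has to fit inside the record that actually arrived. A peer that trusts payload_length without this check copies up to 65535 bytes from its own receive buffer, which is where the 64 KB figure comes from. The sample records are constructed inline, not captured traffic; the 03 02 version bytes (TLS 1.1) are an arbitrary choice.

```python
import struct

# TLS record-layer and heartbeat constants (RFC 5246 record header, RFC 6520 heartbeat).
CONTENT_TYPE_HEARTBEAT = 0x18
HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
RECORD_HEADER_LEN = 5        # content type (1) + version (2) + length (2)
HEARTBEAT_HEADER_LEN = 3     # message type (1) + payload_length (2)
MIN_PADDING = 16             # RFC 6520 section 4: padding MUST be at least 16 bytes
MAX_PAYLOAD = 1 << 14        # RFC 6520 section 4: payload_length MUST NOT exceed 2^14


def check_heartbeat_record(record: bytes) -> tuple[bool, str]:
    """Return (ok, reason) for one TLS record.

    Non-heartbeat records are passed through untouched. For heartbeat records the
    decisive test is the last one: the declared payload_length, plus header and
    minimum padding, must fit inside the record length actually received. This
    mirrors the bounds check added in OpenSSL's Heartbleed fix.
    """
    if len(record) < RECORD_HEADER_LEN:
        return False, "truncated record header"
    content_type, _major, _minor, record_len = struct.unpack("!BBBH", record[:RECORD_HEADER_LEN])
    if content_type != CONTENT_TYPE_HEARTBEAT:
        return True, "not a heartbeat record"
    body = record[RECORD_HEADER_LEN:]
    if len(body) != record_len:
        return False, f"record length field {record_len} != bytes on the wire {len(body)}"
    if record_len < HEARTBEAT_HEADER_LEN + MIN_PADDING:
        return False, "heartbeat too short to hold its header and minimum padding"
    hb_type, payload_len = struct.unpack("!BH", body[:HEARTBEAT_HEADER_LEN])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return False, f"unknown heartbeat type {hb_type}"
    if payload_len > MAX_PAYLOAD:
        return False, f"payload_length {payload_len} exceeds RFC 6520 maximum {MAX_PAYLOAD}"
    # The Heartbleed check proper: does the claimed payload fit in the record we have?
    if HEARTBEAT_HEADER_LEN + payload_len + MIN_PADDING > record_len:
        present = record_len - HEARTBEAT_HEADER_LEN - MIN_PADDING
        return False, f"payload_length {payload_len} overruns record: only {present} payload bytes present"
    return True, "well-formed heartbeat"


def scan_records(stream: bytes) -> list[tuple[bool, str]]:
    """Split a byte stream of concatenated TLS records and check each one in turn."""
    results, offset = [], 0
    while offset + RECORD_HEADER_LEN <= len(stream):
        (record_len,) = struct.unpack("!H", stream[offset + 3:offset + RECORD_HEADER_LEN])
        end = offset + RECORD_HEADER_LEN + record_len
        results.append(check_heartbeat_record(stream[offset:end]))
        offset = end
    return results


# Constructed sample records (not captured traffic). Record body length is 0x17 = 23 bytes:
# 3-byte heartbeat header + 4-byte payload + 16 bytes of padding.
SAMPLE_WELL_FORMED = (b"\x18\x03\x02\x00\x17"        # heartbeat record, TLS 1.1, 23-byte body
                      + b"\x01\x00\x04" + b"ping"     # request, payload_length 4, payload "ping"
                      + b"\x00" * 16)                 # minimum padding
SAMPLE_OVERRUN = (b"\x18\x03\x02\x00\x17"
                  + b"\x01\x04\x00" + b"ping"         # declares 1024 payload bytes, ships 4
                  + b"\x00" * 16)
SAMPLE_APP_DATA = b"\x17\x03\x02\x00\x05" + b"hello"  # application data; not a heartbeat, passed through

if __name__ == "__main__":
    for ok, reason in scan_records(SAMPLE_WELL_FORMED + SAMPLE_OVERRUN + SAMPLE_APP_DATA):
        print("ACCEPT" if ok else "REJECT", reason)
```

The same check is what a packet inspector would apply to flag Heartbleed probes in transit, and what a TLS implementation applies before echoing the payload; in both cases the record itself carries enough information to make the decision, so no state beyond the current record is needed.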