As Thom Brow mentioned in another thread: What can you actually get from this security hole? The private key appears to be highly unlikely.
blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed
The tech world is aflutter over the Heartbleed encryption flaw in OpenSSL, but it seems that the bug was no surprise to the analysts of the NSA, since they have reportedly been using it for two years to spy on data traffic. Two sources familiar with the matter told Bloomberg that NSA staff picked up on the fatal flaw shortly …
s/the rich/itself/
If you think the NSA acts on the whims of Bill Gates, Warren Buffet or Prez Obama, you'd be severely wrong. The NSA will have probes into these people's lives.
NSA has become like the KGB of old - completely above the law and any government oversight. They become paranoid: anyone outside the organisation becomes the enemy.
Obama thinks he can rein them in with strict guidelines etc, but he is wrong.
The only way the NSA can be managed is to shut them down, investigate the hell out of them, and criminally prosecute those that have not done. Half measures won't do it.
> NSA has become like the KGB of old - completely above the law and any government oversight. They become paranoid: anyone outside the organisation becomes the enemy.
Sadly, all the NSA are likely to learn from the Snowden debacle, is that there is also the enemy within. I would expect far greater effort has gone into assuaging their paranoia with data compartmentalisation and audits than has been spent effecting behavioural change in their dealings with the wider world.
The Big 0 has no interest in reining them in.
Neither would any other POTUS. There's political sauce to be made from expressing sympathy with privacy advocates, outrage over infractions of civil rights, etc; but there's no pragmatic advantage for the nominal head of the Executive Branch to reduce the power of that branch. The only reason for a US President to actually try to restrict the NSA would be ideological, and that's not the sort of ideology that gets you elected.
More importantly, there's no way the president could effectively control the intelligence apparatus at this point. It's firmly established and much too large for a presidential administration to survey effectively, much less police. The president could fire some of the top administrators (in theory; whether anyone would take the risk is another question), but that would have very little effect on day-to-day operations.
Protect themselves.
The Twitter claim of knowing nothing until public disclosure is breathtaking. I mean by April 7th a patch had been written and committed for 1.0.1e, heartbleed.com had been registered for 3 days, there had been considerable correspondence between the Finnish company and the authors. Google had allegedly already patched its servers.
And the NSA had not known this?
Which leads to the conclusion they are incredibly incompetent or barefaced liars. Your choice.
And if they lied about 2 days or 2 weeks how can one believe it wasn't two years?
"The open source community has been criticized for failing to spot the flaw, but it lacks the resources of the NSA, which employs hundreds of code checkers to find flaws in common code."
I thought the whole point of open source was that countless numbers of NEETs were supposed to be sitting in their mommies' basements checking the code.
Code checking is a real drudge job and no one likes doing it. And if you don't have a concise specification it is nearly impossible.
The steps for writing quality code are
1. Write a spec
2. Write a test plan based on the spec
3. Write the code
4. Conduct a code review
5. Unit test the code.
I wonder how many of those steps were followed in this case?
> The steps for writing quality code are
> 1. Write a spec
> 2. Write a test plan based on the spec
> 3. Write the code
> 4. Conduct a code review
> 5. Unit test the code.
> I wonder how many of those steps were followed in this case?
Numbers 1 and 3. And the specification and code were written by the same person; and the specification says that the code should discard malformed requests, but it doesn't. So there you have it.
In just the same way that there isn't any obvious trace when a miscreant uses this method to try to collect data from a site, maybe the NSA had silently monitored selected sites to capture details of attackers who were exploiting the security hole. By allowing the leak of relatively non-critical data through what would in effect be a set of giant honeypots they could have been compiling details of their enemies.
As to the costs, a) it wouldn't be their money; and b) this would go to show just how important their work really is.
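The two points above, that the specification says malformed heartbeat requests must be discarded but the code did not, and that an exploit attempt leaves no obvious trace unless someone is looking for it, can both be shown with one small C example. This is an added illustration, not OpenSSL's code and not code from any commenter: it models the RFC 6520 heartbeat layout (type, 16-bit payload_length, payload, at least 16 bytes of padding), a simulated memory region with a constructed secret placed after the received record, an unchecked handler that trusts payload_length, and a checked handler that applies the length test the specification asks for. The same test is what a passive monitor would need to log an attempt. The buffer names, the "ping" request and the secret string are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TLS heartbeat message layout (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding (>= 16 bytes)
 * The RFC requires that a message whose payload_length does not fit in the
 * received record be discarded silently. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16

/* A simulated region of process memory (constructed for this example): the
 * received heartbeat record sits at the front and unrelated data, here a
 * made-up secret, follows it, as it might on a heap. */
#define MEM_SIZE 256
static uint8_t sim_memory[MEM_SIZE];
static const char SECRET[] = "TOP-SECRET-KEY";

/* Lay out the example: a request whose payload_length claims 64 bytes but
 * whose record really carries 4 bytes ("ping") plus 16 bytes of padding.
 * Returns the real record length (23 bytes). */
size_t build_example_memory(void) {
    size_t rec_len = HB_HDR_LEN + 4 + HB_MIN_PADDING;
    memset(sim_memory, 0, sizeof sim_memory);
    sim_memory[0] = HB_REQUEST;
    sim_memory[1] = 0x00;
    sim_memory[2] = 0x40;                                /* payload_length = 64 */
    memcpy(sim_memory + HB_HDR_LEN, "ping", 4);          /* padding is already zero */
    memcpy(sim_memory + rec_len, SECRET, sizeof SECRET); /* "adjacent" heap data */
    return rec_len;
}

static uint16_t read_payload_length(const uint8_t *rec) {
    return (uint16_t)(((uint16_t)rec[1] << 8) | rec[2]);
}

/* The check the specification asks for: does the claimed payload_length fit
 * in the bytes actually received? Returns 1 if well formed. A monitor that
 * alerts when this returns 0 for a request would see the attempts the
 * server itself leaves no trace of. */
int heartbeat_is_well_formed(const uint8_t *rec, size_t rec_len) {
    size_t payload_length;
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING) return 0;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE) return 0;
    payload_length = read_payload_length(rec);
    return HB_HDR_LEN + payload_length + HB_MIN_PADDING <= rec_len;
}

/* Unchecked handler: trusts payload_length and echoes that many bytes from
 * the record's position in memory, never consulting the real record length.
 * Returns bytes written to out, or 0 if out is too small. */
size_t heartbeat_reply_unchecked(const uint8_t *rec, size_t rec_len,
                                 uint8_t *out, size_t out_cap) {
    size_t payload_length = read_payload_length(rec);
    size_t reply_len = HB_HDR_LEN + payload_length + HB_MIN_PADDING;
    (void)rec_len;                         /* the bug: real length ignored */
    if (reply_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Copies past the end of the record when payload_length is overstated */
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_length);
    memset(out + HB_HDR_LEN + payload_length, 0, HB_MIN_PADDING);
    return reply_len;
}

/* Checked handler: discards malformed requests as the specification says,
 * then the copy above can only touch bytes inside the record. */
size_t heartbeat_reply_checked(const uint8_t *rec, size_t rec_len,
                               uint8_t *out, size_t out_cap) {
    if (!heartbeat_is_well_formed(rec, rec_len)) return 0;  /* silent discard */
    return heartbeat_reply_unchecked(rec, rec_len, out, out_cap);
}

int main(void) {
    uint8_t out[MEM_SIZE];
    size_t rec_len = build_example_memory();
    size_t n = heartbeat_reply_unchecked(sim_memory, rec_len, out, sizeof out);
    printf("unchecked: %zu-byte reply to a %zu-byte record, well_formed=%d, "
           "bytes after the padding: \"%s\"\n", n, rec_len,
           heartbeat_is_well_formed(sim_memory, rec_len),
           (const char *)out + HB_HDR_LEN + 4 + HB_MIN_PADDING);
    n = heartbeat_reply_checked(sim_memory, rec_len, out, sizeof out);
    printf("checked:   %zu-byte reply (0 means the request was discarded)\n", n);
    return 0;
}
```

The over-read in the unchecked handler stays inside the simulated array, which is the point: nothing faults, the reply is simply 60 bytes longer than the request and carries whatever sat next to it. Only a length check on the receiving side, or a sensor applying the same comparison to traffic, distinguishes it from a normal heartbeat.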
> Pretty sure opens source code review is not high on the list of things they are getting paid for.
Since one of their primary mandates is the security and defense of American interests, and knowing full well that they have enormous Internet-related expertise and resources, I would be shocked to discover that the most widely used security protocol library used by pretty much all US websites had not been pored over with a fine-tooth comb for just this kind of thing, even if it is to find something that they could use themselves.
It's not like the resources to do that kind of thing wouldn't even be on the cost radar for an organisation like the NSA.
> I would be shocked to discover that the most widely used security protocol library used by pretty much all US websites
I have to point out that the final phrase is a grotesque exaggeration. There are a great many websites which don't use SSL/TLS at all; and there are many which don't use OpenSSL - mostly the ones running IIS, but there are other competitors (GnuTLS, BSAFE, CyaSSL, Apple's implementation, etc) as well.
"used by many US websites" is a reasonable formulation; "pretty much all" is not.
"If the NSA didn't know about this bug... what are they getting so much money for?"
So... you expect them to be utterly all-seeing and all-powerful, but at the same time take issue with the fact?
*sometimes* several million people come up with stuff that several thousand highly trained professionals don't.
It just happens.
"One of the NSA's specific roles is to safeguard national communications and online security infrastructure"
That seems a bit naive. Nowhere do they claim to protect individual/corporate communications or individual/corporate online security and why would they? As far as the NSA is concerned everyone and everything that isn't the U.S. government is a potential threat to national security and that includes its own employees. After all it's a post-Snowden world and you can't trust anyone since tear-wrists ar' eevy-whirr!
So why didn't they tell the government?
Either the Army, Navy, Air Force, Marines, Coast Guard, Congress, CIA, SS etc all were informed about this bug and fixed it - without the news leaking out. Or the NSA didn't tell them and has been risking the lives of our service men and women in combat by allowing secret details to be vulnerable to hackers.
You tell me, only 26 U.S. Gov't servers were ever reported as vulnerable and best I can determine none of those were dealing with national security issues. The rest were either patched or not vulnerable in the first place. Of course they could all be like the desktops and running software a dozen years old, but that doesn't play to the story now does it?
The most likely reason that most US Government servers were not vulnerable to Heartbleed is that they were using OpenSSL versions earlier than 1.0.1 or, in some cases, were running Windows-based web servers, which do not use OpenSSL. That would include those associated with DoD or other agencies one might think of as involving national security.
OpenSSL versions 0.9.8 and 1.0.0 (not vulnerable) both appear to be actively maintained and so could be used within the government.
Sure, they could be using 1.0.0 or GnuTLS, CyaSSL, PolarSSL or a bunch of others. Somehow since most all the packages comply with NSA Suite B and the NSA did do a bunch of work on SELinux I have to believe they know their stuff. If you read carefully I never said either way if they knew about it beforehand or not. My point was, and still is, that the NSA isn't in the "protect your bank account, communications to mom, instagram sessions and Google data slurps" because those functions aren't in the national interest no matter how important we think we are.
The NSA isn't going to prevent you from taking a shiv in the kidney in a dark alley but they might be able to do something about the incoming attack helicopter or guided missile frigate. I'll let the conspiracy experts argue about who knew what and when. Perhaps naive was the wrong word, I should have used vain or immodest.
"NSA isn't in the "protect your bank account[...]" because those functions aren't in the national interest no matter how important we think we are."
You must have missed the financial crash a few years ago. A way of pulling down small numbers of bank accounts is not a problem. A way of hoovering up credentials quietly until you have a million or so accounts that you can vaporise in one night of action would be untargeted but definitely a threat to the nation's well-being.
If the FDIC and NCUSIF had to start paying out huge sums, the NSA might have a look after the Secret Service and FBI asked for their help. Even then given the average account balance runs around $6,000 and 56% have total savings under $25,000 someone draining a million accounts is only getting 6 to 25 billion dollars. Sure, it would sting and a million or so people would be hurting pretty badly for a while and yes it's a substantial fraction of the intelligence budget but it still wouldn't qualify as being in the national interest even though it's near the same scale as the auto company bailout during that financial hiccup you speak of.
Of course it could be targeted to the wealthiest million people or corporations but to move those kinds of assets it would likely take a state sponsor and, like Mount Rushmore, it would be pretty hard to hide overnight. Likewise, no, the FBI isn't going after the random shop lifter pocketing a pack of gum, a turkey or even a watermelon because it's not what they do either.
"but it still wouldn't qualify as being in the national interest "
Even factoring in the financial instability caused by a massive hack of this kind? Do you think all those big bank account holders would just leave their money there for the taking? They run like fuck to someone else, probably taking the bank down with them.
But they didn't mention it before everyone knew about it. When they might have had some credibility, y'no?
Flash! Alert! Lisbon will be destroyed in a 9.0 earthquake!
Well okay, I'm a few hundred years late there. How about:
Major news! Russia invades Ukraine, says they are liberators!
Am I 69 years late or 69 hours too soon?