
Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say - brown9-2
http://www.nytimes.com/2014/04/13/us/politics/after-heartbleed-bug-obama-decides-us-should-reveal-internet-security-flaws.html
======
tptacek
It's very hard to take this initiative seriously. Software vulnerabilities are
what software vulnerabilities are: the fundamental enabler of modern network
signal intelligence. When you see Obama sign an executive order ending foreign
signals intelligence, you can at that point start to believe that the USG is
primarily in the business of fixing rather than stockpiling vulnerabilities.

NSA's first and overriding mission is in conducting signals intelligence
against our adversaries. As people have pointed out here and elsewhere:
regardless of what other missions NSA may have crept into in the last 40
years, when SIGINT comes into conflict with some other NSA mission, SIGINT
wins.

(This analysis is descriptive, not normative.)

~~~
vidarh
Take it seriously to the extent that they need to consider whether or not
hoarding a vulnerability is likely to enable other powers to carry out SIGINT
against important US sites.

Consider that while something like Heartbleed would be an enormous asset to
the NSA, if both NSA and a foreign power found out about it at the same time
it'd provide the foreign power with a disproportionate benefit because they'd
likely have fewer other ways of infiltrating many sites.

I'm sure that in situations where they're confident they're the only ones with
the knowledge, they'll still hold off on releasing anything.

~~~
usefulcat
> Take it seriously to the extent that they need to consider whether or not
> hoarding a vulnerability is likely to enable other powers to carry out
> SIGINT against important US sites.

And yet that didn't prevent them from sitting on heartbleed for two years
(since approximately the moment it was introduced).

------
agwa
> "You are not going to see the Chinese give up on ‘zero days’ just because we
> do"

This is a dishonest argument - many of the zero days held by the Chinese are
likely to be the same zero days being withheld by the N.S.A., so by disclosing
them the N.S.A. would be dealing a huge blow to our adversaries' offensive
capabilities.

The NYT should have gotten a quote to counter-balance this argument from a
"senior intelligence official" (upon whom they shamefully, but predictably,
bestowed anonymity). Now many of the people reading this article will come
away believing this is akin to nuclear disarmament, which is a totally inapt
comparison.

~~~
pyronite
> _upon whom they shamefully, but predictably, bestowed anonymity_

I'm with you on the rest of your points but not on this one. Balance would be
nice but anonymity is often key to good reporting. There's nothing shameful
about soliciting a quote and then keeping that person anonymous.

~~~
agwa
I'm not against all anonymity, but in general, anonymity is bad for
journalism. It makes it impossible for readers to judge the credibility of the
source, and puts people who want to challenge the source at a disadvantage. It
permits the source to say whatever they want, without any fear of it harming
their credibility.

In narrow circumstances, such as whistle-blowing where the source would face
harm from a disclosure of their identity, anonymity is both appropriate and
essential (and in such a case it's essential for the newspaper to do as much
verification as possible before conferring anonymity). But a government
employee spewing pro-government propaganda does not need the protection of
anonymity.

Edit: reworded for clarity.

~~~
dalke
For some details to back up agwa's statement,
[http://ajrarchive.org/Article.asp?id=1596](http://ajrarchive.org/Article.asp?id=1596)
has some interesting history on anonymity in newspaper reporting. For example:

> During his shuttle diplomacy in the Middle East, Kissinger insisted on
> anonymity even though the information was reported by the press traveling
> with him and attributed to the "senior official on the plane." On one of
> Kissinger's sojourns, humorist Art Buchwald attributed information to a
> "high U.S. official with wavy hair, horn-rimmed glasses and a German
> accent."

> Periodically, journalists grow weary of the insistence on anonymity and
> rebel. But generally not for long.

> In 1971, then-Washington Post Executive Editor Ben Bradlee ordered that
> information provided by Kissinger about a pending summit meeting be
> attributed to him because it was simply too important to be reported
> anonymously, according to Walter Isaacson's book "Kissinger."

> "The Post's action caused a widespread realization that reliance on
> backgrounders had gone too far," Isaacson wrote. Nevertheless, the White
> House Correspondents Association soon passed a resolution agreeing to abide
> by Kissinger's briefing rules.

How does it help us, the public, to let Kissinger choose when to make
anonymous statements?

Overall that American Journalism Review link points out that time and time
again, with only a few exceptions, anonymity is abused.

------
refurb
"President Obama has decided that when the National Security Agency discovers
major flaws in Internet security it should – _in most circumstances_ — reveal
them to assure they get fixed, rather than stockpile them for use in espionage
or cyberattacks, senior administration officials said Saturday."

Emphasis added is mine.

The "in most circumstances" means they can pretty much do whatever the hell
they want.

~~~
asharpe
Agreed, it's the "so large you can drive a truck through it" analogy.

Why is there not more of a furore about this? When Bush set up the extensive
activities of the NSA (and it was found out), the reaction was vitriolic in
every sense of the word. Here Obama is tacitly agreeing to similar intrusion.
This is not a comment on Bush vs Obama, it is more a comment on the media and
public reactions.

~~~
marcosdumay
That's the problem with people-oriented politics. Who's going to complain? The
people doing it now, or the people that did exactly the same thing earlier?

------
agwa
Wow! The NYT has changed the title of this article from "Obama Decides U.S.
Should Reveal, Not Exploit, Internet Security Flaws" to "Obama Lets N.S.A.
Exploit Some Internet Flaws, Officials Say"

Kudos to them for switching it to a much more accurate description of the
situation.

~~~
LiamMcCalloway
Newsdiffs.org is useful to track both minor and major changes made to stories.

More generally, it's a convenient if limited way into the publishing process.
It deserves scrutiny, all the more so for those PR-type articles that
essentially try to convey nonsense.

[http://www.newsdiffs.org/article-history/www.nytimes.com/201...](http://www.newsdiffs.org/article-history/www.nytimes.com/2014/04/13/us/politics/after-heartbleed-bug-obama-decides-us-should-reveal-internet-security-flaws.html)

~~~
scintill76
Wow, I was wondering why the HN title and NYT title were almost exactly
opposite. This diffing site is interesting, thanks.

The new title doesn't seem to fit well with the rest of the article, though.

------
pekk
This is arguably good military strategy, too - the US has ample resources to
allocate to finding novel or even one-off exploits on an ongoing basis, where
some poorer powers might want to rely more on keeping secret existing exploits
for a longer period. Perpetually making enemies' weapons obsolete.

Also, the US has a much larger attackable surface area and far more to lose in
this domain. So it makes perfect, cynical sense if the US government wants
internet security in general to be better.

Just like a naval power with strong international trade interests has reasons
to keep shipping lanes open to all and to deter naval piracy.

None of this requires benevolence; it's all self-interested.

~~~
tptacek
What's a "novel" or "one-off" exploit? I don't see the realistic dividing line
between "NOBUS" exploits that NSA could realistically believe it has a
proprietary grasp on and the kinds of exploits that get deployed at Pwn2Own.

~~~
AlexLord
Configuration errors are an example of "one-off" exploits: things which are
specific to an environment, rather than a code base.

------
yukichan
Stuxnet used zero day flaws, so when they make a statement like:

"When Federal agencies discover a new vulnerability in commercial and open
source software ... it is in the national interest to responsibly disclose the
vulnerability rather than to hold it for an investigative or intelligence
purpose."[1]

I have to scratch my head because I can't reconcile this. I also can't
reconcile what meaningful impact the White House statement will have since it
has such a vague loophole. The White House statement reminds me of when Putin
plays lip service to democratic processes inside Russia. Lots of words, little
if any meaning or change.

[1] [http://blogs.wsj.com/digits/2014/04/11/nsa-says-it-wasnt-pre...](http://blogs.wsj.com/digits/2014/04/11/nsa-says-it-wasnt-previously-aware-of-heartbleed/)

------
malandrew
> But Mr. Obama carved a broad exception for “a clear
> national security or law enforcement need,” the officials
> said, a loophole that is likely to allow the N.S.A. to
> continue to exploit security flaws both to crack
> encryption on the Internet and to design cyberweapons.

i.e.:

But Mr. Obama then went on to say "discount everything I've just said, the NSA
should go on with business as usual, interpreting all current and future
situations to further their offensive needs regardless of what is best for the
American people or becoming of a modern democracy."

------
lvs
This "change" is so nuanced as to be essentially indistinguishable from the
status quo.

------
jamesbritt
"Obama says" versus "Obama does."

Actions, not speeches, count.

~~~
stfu
"Obama does x" is the headline when the news is in general positive.

"The government/administration/specific department" is the headline when it is
negative. Look out for it...

~~~
ethanbond
"Obama exploited Heartbleed" isn't a very accurate statement.

It's almost as inaccurate as "NSA says it should disclose exploits."

------
andrewfong
This is why the NSA should be chopped in half. Offense and defense in
different agencies so there's less conflict of interest.

------
uptown
NY Times updated their headline:

"Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say"

------
adamnemecek
NSA decides it shouldn't and should, respectively.

------
humancontact
> _– in most circumstances —_

------
joe_the_user
Honestly, it seems like the only way the US could get credibility on this
"front" is to create an open, well-funded agency whose _only_ purpose would be
to enhance world Internet security. Give it a mandate to be entirely separate
from any would-be signal intelligence exploiters and let it loose. Yes, I'm
sure something akin to this exists but if this had 10% of the US intelligence
budget, it would be an eye-opener.

~~~
AJ007
Prior to the NSA leak, "cyber warfare" was quite the buzzword. China, Iran,
and other countries threatened all US infrastructure from abroad. There was
even debate as to whether a foreign "cyber attack" could justify an armed
military strike. The solution allegedly was the US government spending all
kinds of money on these "cyber defenses."

Snowden's leak suddenly left people wondering if the United States itself
posed the greatest threat to the US's own "cyber security." There is little
doubt that the revelations did severe and lasting damage to US companies who
want foreign customers.

Today the problems are that someone might have been able to access your Yahoo
mail in the past two years. As computing and bandwidth expand and blend into
the background, future exploits will be things like: every moment, visual and
audio, of the past two years of your life was recorded and is available to
play back in full detail. For better or worse, of course the government will
get heavily involved.

~~~
XorNot
The Snowden leak told no one who was capable of any amount of critical
thinking anything they didn't already realize.

It was base-level _obvious_ that the US, EU and every other nation had cyber-
warfare programs because there was no technical reason they couldn't, and the
risks were the same as they were to China and others: it's an invisible, zero-
casualty engagement, indistinguishable from the actions of lone individuals or
groups.

Moreover, it should always have been apparent that things inside the US could
be arbitrarily subjected to search and seizure. This is not a problem
companies are unfamiliar with - mining companies are big on sovereign risk,
but moreover, it's not like Microsoft stores its technical data on Google
cloud services for exactly the same reasons.

The most surprising thing which has been disclosed nowhere by the Snowden
leaks is any evidence of the NSA passing stolen technical schematics or plans
off to US companies for competitive advantage. I'm sure a lot of people will
insist this totally happened, but no one has come up with hard evidence that
it has.

------
higherpurpose
> But Mr. Obama carved a broad exception for “a clear national security or law
> enforcement need,”

Or a law enforcement need? So this is almost pointless then. Don't expect
regular iPhone or Android bugs to be reported, because law enforcement uses
them all the time to tap people, so of course in their view there's a "need"
for them.

He should've just left it to NSA only, and for _very specific cases_, if at
all. Everyone else (FBI, police, DHS, etc) should be reporting the exploits.

As it is, don't expect them to reveal more than one relatively major bug every
2 years or so - and even that sounds optimistic, I think.

~~~
maldeh
Call it paucity of imagination on my part, but I was wondering if somebody
could make explicit some legitimate examples of situations involving a "clear
national security need"? It's not like they're just making a legal exception
for a "Blockbuster" scenario, where terrorists are about to nuke a city and a
lone hacker saves the day by breaking SSH, right?

Is this supposed to apply to instances where the flaw affects the competition
more than civilians -- say, a security flaw that somehow disproportionately
affects Iran, China and Russia over the US? (there are obvious reasons why the
government cannot explicitly acknowledge this, but I'm wondering if this is a
direct implication)

~~~
XorNot
The NSA would monitor hacker message boards and the various black market
websites for exploits like this.

If they find something which they don't see any chatter about on any of these
sources, then it's reasonable to presume no one has found it. Moreover,
actually exploiting heartbleed would leave a signature. You can fake SSL
certificates, but eventually someone has to lose their money, or some
innovation has to come out of the blue. MitM's involve traffic diversions
unless they're conducted at a government level.

Espionage always leaves a trail - even if you don't know where someone gets
their intel, you can always tell they must be getting it somehow.

------
pkinsky
> But Mr. Obama carved a broad exception for “a clear national security or law
> enforcement need,”

Read: unless we really want to.

------
fredgrott
Doublespeak...

In black and white hat circles it is understood that using an internet
security flaw is in fact revealing it, as your adversaries find out by such
acts.

His executive order has no rational meaning in that context, the context of
the NSA's mission, the CIA's mission or the DoD's mission.

What does Obama think, we're effing five?

------
dfc
What is up with the "Mr. Obama ..." crap? Did the NYT have a change in policy
recently? I do not remember Sanger writing like that in Confront and Conceal.

------
niels_olson
Ok, are there any odds that a diff of Red Hat and Debian would reveal patches
that Red Hat's largest customer, the Pentagon, has pushed?

------
monochromatic
Nothing but pandering, and not even a very good job of it. Business as usual
down at the NSA.

------
davidgerard
So how's the US government's track record in reporting flaws to vendors?

------
line-zero
"We should reveal security flaws! ...Except in 99% of situations."

Go to hell you fucking snake.

------
anonbanker
Contrast this with the recent NSA statement[1] made about heartbleed. This is
how they intend to interpret this decision.

1. [https://news.ycombinator.com/item?id=7575802](https://news.ycombinator.com/item?id=7575802)

