
NSA Said to Exploit Heartbleed Bug for Intelligence for Years - taylorbuley
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
======
molecule
Bloomberg really puts its bias on display:

 _> The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the
OpenSSL protocol, highlights one of the failings of open source software
development._

And its discovery and resolution highlights one of the advantages of open-
source software development.

~~~
pyronite
> _And its discovery and resolution highlights one of the advantages of open-
> source software development._

I wouldn't say that its discovery (two years later) says anything good about
open source development.

~~~
TallGuyShort
And I also wouldn't say that the existence of a bug was caused by the license
that was used. It's not like me keeping all the code to myself would make me a
better programmer.

------
spenvo
Here we observe a side effect of the NSA/GCHQ operating in a manner which
always gives _offensive capability_ precedence over the _defense_ of civilian
systems.

In case you haven't made the time yet -- ACLU's interview of Snowden at SXSW
was excellent and dives into the implications of this:
[https://www.youtube.com/watch?v=UIhS9aB-qgU](https://www.youtube.com/watch?v=UIhS9aB-qgU)

On another (ironic) note this PSA from the US government is about 2 years
late:
[http://www.bbc.com/news/technology-26985818](http://www.bbc.com/news/technology-26985818)

------
danenania
I don't know if Heartbleed could reach this point, but I think probably the
only possibility for getting average citizens up in arms about this kind of
thing is for them to start seeing major _personal_ detrimental effects (like
oops, all my email has been stolen and deleted and my bank account's empty),
and then learn that the NSA could have easily prevented it if they weren't
having so much fun being super-hackers instead.

~~~
maxerickson
I don't think average people (so to speak) really care about their email.

~~~
Zigurd
Even n00bs understand that if their email gets jacked, that can be used to
reset all their other passwords and jack those accounts.

~~~
jlgaddis
I'm not so sure, I know plenty of people who don't realize that until it's
pointed out to them. Even then, many don't even care ("I don't have anything
important anyways...").

~~~
nitrogen
Should be possible to convince them with "Hacker makes incriminating but false
post on your Facebook" -> "Employer checks your Facebook" -> "Employer shows
you the door."

"Why would anybody do that?" For the lulz ("random acts of malice"), sadly.

------
higherpurpose
This is how NSA "protects America" and its infrastructure from "cybercrime" -
by allowing a bug like this to exist for years without telling anyone about
it.

I hope it's now clear to everyone what NSA's vision about "cybersecurity" is.
They think having vulnerabilities like this in the Internet's infrastructure
is a _good thing_ , because then they get to attack their "targets", to
"protect us". It has nothing to do with _actual security_. Weakness is
strength. Vulnerability is security.

------
jobu
This looks like another case where the actions of the NSA are the _opposite_
of what's in the best interest of US Citizens.

~~~
onewaystreet
Was it though? The NSA's job is to spy on behalf of the country. While keeping
the bug a secret put people at risk, there is an argument to be made that it
was a useful tool. Law enforcement regularly makes the decision to allow low
level criminals to continue to commit crimes in order to catch their leaders
even though doing so puts people at risk. There are always tradeoffs.

~~~
diydsp
Their job is not to spy on behalf of the country.

Their job is to keep us safe.

Letting us all run around with humungous holes in our security for years was a
risk to our national security. How do you think the Chinese were able to clone
our weapons systems so well? Shit like this.

~~~
Steko
Yeah NSA's job is to fix open source bugs, whatever.

NSA is a spy agency, expecting them not to use vulnerabilities they find is
like sending them into a gunfight with a pocketful of rocks. Ask the
Palestinians how that works out in the long run.

I think much of the NSA's surveillance is unconstitutional and should be
rolled back by at least 2 orders of magnitude. That doesn't have to entail
turning the world over to Russian and Chinese hackers.

~~~
smtddr
_> >That doesn't have to entail turning the world over to Russian and Chinese
hackers._

Boogeyman FUD, I'm not worried about any hackers from
[Insert_foreign_country_elites_want_you_to_hate]. The USgov, NSA and corrupt
law enforcement are the only terrorists I'm worried about.

~~~
jryle80
Pretty interesting statement.

Why? Nations have track records of not killing/spying on each others?

~~~
LyndsySimon
Nations certainly have a record of killing large numbers of their citizens -
particularly in the past century.

It's reasonable to be suspicious of government.

------
mindstab
Evidence? And if so, pretty much what we expected and exactly why this
behaviour is terrible.

~~~
joshstrange
>> The U.S. National Security Agency knew for at least two years about a flaw
in the way that many websites send sensitive information, now dubbed the
Heartbleed bug, and regularly used it to gather critical intelligence, _two
people familiar with the matter said._

(emphasis mine)

It's pretty weak IMHO but I don't really doubt it.

~~~
sp332
Probability that story is true | Bloomberg reporting it == Probability that
the sources are right * Probability that Bloomberg isn't lying about having
sources ~= 80%.

The sources could be lying for many reasons. As a prank, to discredit
Bloomberg when they report on other NSA stories, because they're embarrassed
the NSA didn't know earlier, etc. But Bloomberg knows this and presumably
required some evidence to satisfy themselves before reporting. So the deciding
factor is really Bloomberg's reliability.

~~~
reedlaw
Why do you think Bloomberg was any more thorough in its Heartbleed
investigation than Newsweek was in outing Dorian Nakamoto as the author of
Bitcoin?

~~~
gwern
Newsweek was purchased by some shady people and hasn't been famous for
investigation for... ever?; Bloomberg is one of the leading financial
periodicals which is a major part of the Bloomberg empire and hooked into all
sorts of circles. Would you be so skeptical if it was being reported on
nytimes.com?

------
JackC
I've been seeing a lot of comments recently along the lines that we "need"
more evidence before we assume that the NSA took advantage of heartbleed. I
don't get that at all.

I'd love to have harder evidence of what the NSA has been up to. I get that.
But here are some things we know: the NSA believes its mission is to collect
100% of the world's data, with the possible exception of data that definitely
belongs to US citizens. The NSA has boasted internally of cracking SSL
implementations as part of its work. The NSA employs more people who are
qualified for and tasked with finding this kind of exploit than anyone else.
The NSA's leadership is willing to lie under oath to Congress -- let alone to
anyone else -- about its activities. The NSA's secrets are about as heavily
defended as secrets can be -- actually providing the kind of evidence
requested here is widely considered treason against the United States. And now
an investigative reporter with a serious reputation says that he has two
sources who can confirm that the NSA knew about heartbleed shortly after it
was created.

So let's assume you might behave differently in some way -- in any way -- if
the NSA knew about and exploited heartbleed. You have imperfect information
and you have to make a call. What else could you "need" before you decide to
behave as though this article is accurate?

I think we "need" to assume that the NSA took advantage of heartbleed starting
shortly after it was introduced. We'd just "like" to have a little more
confirmation about what the hell they've been up to.

------
mschuster91
No fucking way. This is _disastrous_ PR stuff, second only to the Snowden
revelations.

It should be clear by now that the NSA does not restrict themselves from
anything... and should be disbanded.

~~~
tptacek
I don't know how "disastrous" this really is.

NSA knows approximately 1 zillion vulnerabilities we don't know about and
won't know about. They range from RCEs in Windows and Apache to flaws in
cryptographic hash functions.

It's NSA's charter to stockpile these things, and, yeah, to use them against
foreign adversaries.

It's bad though, because this one was so easily exploitable. It's the kind of
thing a reasonable organization finds out about and wants fixed ASAP.

~~~
Touche
> It's NSA's charter to stockpile these things, and, yeah, to use them against
> foreign adversaries.

I don't see how leaving American companies vulnerable fulfills the NSA's
charter.

~~~
tptacek
American companies are vulnerable to literally hundreds of vulnerabilities NSA
knows about; that's something that was widely known (public, in fact) almost a
decade before Snowden.

I agree that this bug is different, but that might have been a subtle case to
make inside the organization.

~~~
mschuster91
The worst problem with the NSA knowing about Heartbleed is the total lack of
accountability.

If I were _any_ US-based company CEO whose customers got hacked by Heartbleed
exploits, I'd drag their corpses to the court if necessary.

Sidenote: People have asked "Why are you doing JS-based cryptography on
passwords if you have HTTPS?" - here we have the ideal answer. Encrypting the
passwords using public-key crypto in addition to HTTPS and doing the
decryption in RoR/PHP/nodejs would at least have spared the users from the
need to change their passwords.

~~~
danielweber
It wasn't _traffic_ that was revealed, it was _server memory_. Which could
just have easily contained the decrypted passwords as the encrypted ones.
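The distinction drawn above (server memory, not traffic) in a small constructed model, added here as an illustration and not code from the thread or from OpenSSL: a heartbeat handler that trusts the peer's declared payload length, beside one that applies the RFC 6520 length check. The arena, the record bytes and the filler string are all constructed for the example; nothing touches a network.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE  64
#define MIN_PADDING 16   /* RFC 6520: at least 16 bytes of padding */
#define RECORD_LEN  23   /* type(1) + length(2) + 4-byte payload + 16 padding */

/* Constructed "process memory": the 23-byte heartbeat record sits first.
 * Its length field claims 40 payload bytes although only 4 ("ping") were
 * sent. Beyond the record lies unrelated data the process happened to hold
 * (a stand-in for any session or credential material). */
static const unsigned char arena[ARENA_SIZE] =
    "\x01"        /* HeartbeatMessageType: request                */
    "\x00\x28"    /* payload_length = 40, chosen by the peer      */
    "ping"        /* the 4 payload bytes actually present         */
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "session=deadbeef; password=hunter2";  /* constructed filler after the record */

/* A well-formed request for comparison: declared length matches the payload. */
static const unsigned char good_record[RECORD_LEN] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };

/* Vulnerable handler: echoes back 'declared' bytes from the payload without
 * checking that the record actually carried that many.
 * Returns bytes copied into out, or -1 if the message is dropped. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    size_t declared;
    if (rec_len < 3 || rec[0] != 1) return -1;
    declared = ((size_t)rec[1] << 8) | rec[2];
    if (declared > out_cap) return -1;  /* model-only guard so the copy stays inside the arena */
    /* BUG: declared is never compared with rec_len, so memcpy reads past the record. */
    memcpy(out, rec + 3, declared);
    return (int)declared;
}

/* Fixed handler: the whole message (type + length + payload + minimum padding)
 * must fit inside the record that was really received; otherwise discard it. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    size_t declared;
    if (rec_len < 3 || rec[0] != 1) return -1;
    declared = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + declared + MIN_PADDING > rec_len) return -1;  /* the missing bounds check */
    if (declared > out_cap) return -1;
    memcpy(out, rec + 3, declared);
    return (int)declared;
}

/* Wrappers over the constructed arena so outcomes can be checked directly. */
int vulnerable_response_len(void)
{
    unsigned char buf[ARENA_SIZE];
    return heartbeat_vulnerable(arena, RECORD_LEN, buf, sizeof buf);
}

/* 1 if the vulnerable response carries bytes that were never part of the
 * heartbeat payload: here the filler that follows the record in the arena. */
int vulnerable_response_leaks_filler(void)
{
    unsigned char buf[ARENA_SIZE];
    int n = heartbeat_vulnerable(arena, RECORD_LEN, buf, sizeof buf);
    return n == 40 && memcmp(buf + 20, "session=deadbeef", 16) == 0;
}

int fixed_response_len(void)
{
    unsigned char buf[ARENA_SIZE];
    return heartbeat_fixed(arena, RECORD_LEN, buf, sizeof buf);
}

int fixed_accepts_valid(void)
{
    unsigned char buf[ARENA_SIZE];
    return heartbeat_fixed(good_record, RECORD_LEN, buf, sizeof buf);
}

int main(void)
{
    printf("vulnerable: %d bytes returned, leaks filler: %d\n",
           vulnerable_response_len(), vulnerable_response_leaks_filler());
    printf("fixed: malformed -> %d, well-formed -> %d bytes\n",
           fixed_response_len(), fixed_accepts_valid());
    return 0;
}
```

The leaked bytes are whatever sat next to the record in memory, which is why client-side encryption of a password would not have helped if the server had already decrypted it.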

~~~
mschuster91
Heartbleed only leaks SSL-related memory - not program memory!

------
jostmey
The NSA protected us by not disclosing to us a serious security vulnerability
in our software. It is hard for me to wrap my brain around reasoning of the
intelligence agencies.

~~~
john_b
To be fair to the NSA, it's not just them. Many other government agencies
operate under the assumption that society is better off if people are
protected from themselves. It's why we have FCC censorship and the war on
drugs. Questioning this core assumption is verboten in these organizations
because it is equivalent to questioning their reason for existing. So when
they take criticism from the public they naturally retreat to their core
assumptions and values, even if they have to dress it up with doublespeak.

------
humancontact
> _two people familiar with the matter said_

As much as Snowden has shown us the amount of effort NSA puts into this kind
of stuff, I think we need more evidence than this article is giving.

------
tptacek
Yeah, that's not good.

------
mcculley
This is according to "two people familiar with the matter". While nobody would
be surprised that the NSA had exploited heartbleed, this article gives no
compelling proof.

I wish newspaper articles had a bit of metadata that indicated whether the
sources are verifiable. Then we wouldn't have to waste any time reading them
when they aren't.

------
ArtDev
“It flies in the face of the agency’s comments that defense comes first”

The NSA needs to be dissolved. It is a costly liability whose actions work
against the nations interests as a whole.

------
antonius
Good luck trying to wiggle out of this one, NSA.

------
taylorbuley
The NSA is denying this report.

> Statement: NSA was not aware of the recently identified Heartbleed
> vulnerability until it was made public.

[https://twitter.com/NSA_PAO/status/454720059156754434](https://twitter.com/NSA_PAO/status/454720059156754434)

~~~
ceejayoz
Full statement:
[http://twitter.com/ajamlive/status/454724369429045248/photo/...](http://twitter.com/ajamlive/status/454724369429045248/photo/1)

The NSA has a good history recently of lying through their teeth, and the bit
at the end "Unless there is a clear national security or law enforcement
need..." is a pretty damned large asterisk.

------
thefreeman
So is there a single shred of evidence besides something unquoted by `two
people familiar with the matter said`?

Because if not, this is just straight-up link bait.

------
lawnchair_larry
It's going to be pretty hard to say you're playing "defense" with a straight
face after this one.

------
lauradhamilton
It certainly seems believable, but do we have anything more concrete to go on
than "two people familiar with the matter?" Is that even two people with top-
secret clearance at the NSA?

~~~
cheald
Well, consider what that would look like. Given the way that the US Government
has pursued Snowden and other whistleblowers for embarrassing them, if you had
privileged information indicating that the government was deliberately leaving
nearly all Americans' online information exposed, would you want your name
attached to it?

~~~
humancontact
I think lauradhamilton's point is that "familiar with the matter" is too
subjective.

~~~
cheald
Oh, I totally get that, and agree. I'm just saying that even if these are
bulletproof sources with deep insider knowledge, it would be incredibly risky
for them to associate any credentials other than "familiar with the matter"
with the story.

It's wiggle-room a mile wide, but I'm not sure if there's a better alternative
given the current climate.

------
zacinbusiness
While there's no evidence (yet) that the NSA knew about or exploited this bug,
I would not be the least bit surprised if they did. Honestly, my first thought
when reading about Heartbleed was "I wonder how much the NSA paid the
contributor. Or did they just threaten his family?" It seems there have been a
lot of "oops" errors being found in critical security systems these days, and
every single one of them is directly beneficial to the NSA and its mission to
"h4ck the plan37!"

------
malandrew
A reasonable policy upon discovering this type of bug is to allow the agency a
fixed period of time to exploit the bug and then require that they provide
support in fixing the bugs for as many major US companies and institutions as
possible as quickly as possible.

If they are given carte blanche to use the exploit indefinitely, they will
keep it forever and let the world discover and exploit it as well. If they
have a finite time period like 1-3 months, they will prioritize exploiting
those systems that are actually valuable for national security. While they are
doing so, they should keep an auditable log of all the systems they use the
exploit against so that oversight may be performed in hindsight. Furthermore,
they should absolutely be barred from using any exploit against a target with
a US-based IP, or possibly even any IP address in allied nations.

It is far less likely that the agency will have the opportunity to abuse
exploits if they are forced to prioritize targets due to a fixed deadline on
disclosure.

During the deadline period, they should also be working on a plan that
minimizes the amount of damage once disclosure is forced, i.e. there should
be a list of people and companies that get the information first and everyone
on the list should be people in charge of protecting computer systems (i.e. no
one involved in offensive activities is on the list). Companies like Google,
Facebook, Akamai, Apple and the package maintainers for all the major *nix
distros should be on that shortlist of those that get priority notification.

------
jrochkind1
> _The agency found the Heartbleed glitch shortly after its introduction,
> according to one of the people familiar with the matter,_

Presumably if the anonymous sources here were discovered, they'd be in big
criminal trouble, right? I am curious how far the government goes to try and
discover them.

And I think there is no way these anonymous sources would have contacted the
journalists without Snowden going first, to establish the context and
interest. Snowden's actions continue to benefit us all, cascading.

~~~
gojomo
Not necessarily, this might actually be an approved ass-covering leak.

You may think it's awful that the NSA knew for 2 years, and didn't push
fixes... but their funders and overseers, in Congress and the DoD, would be
more likely angry if, given the NSA's massive budget and mission, the NSA
_didn't_ know about this bug right away via code audit/analysis. Knowing
vulnerabilities first is the whole job of the "Cyber Command".

And, the best defense isn't necessarily a panicked fire-drill of preemptive
patching ASAP, if you're sure you're the only ones who know. It could make
tactical and economic sense to simply prepare contingency plans, and wait for
the first evidence of a 2nd-discoverer.

~~~
malandrew
A possible smoking gun in this case would be to check if most of the NSA's and
the DOD systems over which it has oversight were not vulnerable this entire
time while the private sector remained vulnerable.

If they truly didn't know about this, you'd expect that a lot of the US
government infrastructure has also been vulnerable this entire time.

I've seen the Alexa top 1000 list showing who was vulnerable. I wonder if
there is a similar list for the top 1000 computer systems and networks over
which the NSA has security oversight.

------
bhousel
Whether it's true or not, I think the correct thing for the NSA to do would be
to _say_ that they knew about it for years and exploited it. That is their
job, after all.

~~~
mpyne
NSA has two jobs:

1. Gain signals intelligence on specified foreign targets.
2. Protect U.S. signals from having the same done to the U.S. by other states.

The second responsibility is why there are things like SELinux, NSA "Suite B"
cryptography, etc. It has also led to security bugfixes to open source code
(such as X.org) used by NSA or within government.

The reason that both duties are held in NSA is because the best way to defend
against the best SIGINT hackers in the world is to have the expertise of the
best SIGINT hackers in the world. It's why NFL teams have their offense
practice against their own defense and vice versa.

In this case the flaw is so completely egregious (and relatively easy to spot
for other states' spy agencies reviewing commit diffs) that the duty of NSA
would quite clearly have been to get OpenSSL fixed, if only because so much
government IT could be affected by this.

The bug was introduced pre-Snowden as well, so it's not like NSA didn't have
other cyber weapons to use to achieve the effects they need. So if it's true
that NSA knew about the bug and let it remain open to protect "methods and
sources" then they definitely chose wrong and someone needs to explain how
they came to that choice...

------
stcredzero
Your friends tell you about your flaws and shortcomings. The people who keep
quiet or even exploit your flaws? They are not your friends.

So, what's to keep some organization that runs a package repo from publishing
OpenSSL packages that claim to be like OpenSSL 1.0.1g but actually display the
heartbleed bug? I also ask myself, would the NSA seek to implement such a
thing? They would, though that is an entirely different question from if they
have.

~~~
mschuster91
This is why you can, on Debian/xbuntu, always run an apt-build from the source
and verify the patch is present in the code. Or on Gentoo, it's building from
source anyways.

(Or just use Debian in the Gentoo flavour from the beginning)

------
schrodingersCat
I hesitate to believe that in 2 years time, the agency hasn't found another
backdoor to the web. OpenSSL might be patched, but what else is still
vulnerable?

------
protomyth
I'm wondering if any State Attorneys General are tech savvy, don't like the
current administration, and want some publicity[1] enough to start an
investigation? I would imagine a subpoena asking for the financial records of
the OpenSSL contributors would be a first step (to find Gov payments). I can
see a very scary witch hunt.

1) that part might be a little rhetorical, every AG likes good publicity.

~~~
tptacek
Presumably, any State Attorney General will have gone to law school, and will
thus know that the Federal Government is immune to suits from the states.

~~~
protomyth
They are not actually immune, states sue the federal government (or at least
departments) all the time. Look at the ACA cases for an example. They can also
go after the individual people involved as long as they are not serving in the
government.

~~~
tptacek
The states can presumably go to court to keep from being compelled to comply
with an unconstitutional law. They cannot sue the state for damages.

~~~
protomyth
The states can go for a variety of reasons when they feel the federal
government is overstepping their bounds or has committed a constitutional
violation. They can open investigations into federal behavior.

I never said anything about damages.

------
jrochkind1
> _The SSL protocol has a history of security problems, Lewis said, and is not
> the primary form of protection governments and others use to transmit highly
> sensitive information._

> _“I knew hackers who could break it nearly 15 years ago,” Lewis said of the
> SSL protocol._

Anyone know wtf he's talking about?

~~~
cheald
TLS has been subject to a lot of attacks:

[http://en.wikipedia.org/wiki/Transport_Layer_Security#Attack...](http://en.wikipedia.org/wiki/Transport_Layer_Security#Attacks_against_TLS.2FSSL)

Plus, since the whole thing is based on CAs, if you can get an intermediate
cert (and does anyone think the NSA can't?) and you have the means to MITM
someone, that's as good as breaking it, too.

15 years ago, we were using keys with much lower entropy, as well, which may
have simply been outpaced by computing power.

------
ChrisLTD
The US government seems intent on destroying the viability of the Internet as
a commerce platform.

------
devindotcom
FWIW, we asked the NSA and NSC; both deny:

[http://www.nbcnews.com/tech/security/nsa-denies-it-used-hear...](http://www.nbcnews.com/tech/security/nsa-denies-it-used-heartbleed-bug-gather-intelligence-n78356)

------
smegel
> highlights one of the failings of open source software development.

Sorry? Paid programmers writing closed code with probably less review and
auditing have been shown to create fewer bugs? What are they trying to say?

~~~
ksk
What data did you use to estimate the probability of code review? Would be
interesting to see if anyone has studied this.

------
otterley
I've never understood theories about NSA capability. Everyone complains that
Government officials are barely competent, if at all, yet when it comes to
NSA, those same people think NSA staff is at least ten times as brilliant as
the general population.

Everything I've seen NSA do is largely based on the same techniques Google
uses, except 10 years later, much more expensively, and with much uglier
PowerPoint presentations. The only thing NSA has that private organizations
don't is the compelled cooperation of telecom companies.

------
dsugarman
What upsets me the most is that they knew this existed, and that a lot of the
US economy relies on our tech companies, and they did nothing to inform the
companies about the security flaw.

------
anonbanker
Now would be the time to start looking up the backgrounds of the people who
implemented heartbeat support. For instance, the same guy responsible for the
Heartbeat spec was the author of the OpenSSL implementation.

While we do not want to make this into a witch hunt, now that the NSA is
involved in Heartbleed, we should definitely rule out malice by checking for
direct ties between contributors of known flawed/malicious code related to the
implementation of Heartbeat.

~~~
malandrew
We absolutely do not want this. We rely on the goodwill of a lot of really
smart people to produce the open source security software we rely on. Even if
the person who introduced this bug did in fact conspire with the NSA, we would
do far more damage by going on a witch hunt. The majority of people working on
this software are well-intentioned and if contributing to open source means
that they risk being subject to a witch hunt for their contributions they will
be far less likely to partake.

The only reasonable course of action is to apply oversight of the NSA. If
people in open-source are moles, the only reasonable way to discover this is
via oversight of the agency. If there are moles, there are records within the
agency showing this to be the case. Getting ahold of those records is how you
prove this and you get those records by getting congress to do their job and
provide oversight.

~~~
anonbanker
Sounds like a great plan. Perhaps you could provide an example from history
where your idea works? I'm having difficulty finding one.

------
tzs
> The U.S. National Security Agency knew for at least two years about a flaw
> in the way that many websites send sensitive information, now dubbed the
> Heartbleed bug [...]

Interesting that they say "at least" two years. The bug is two years old, so
they could have also chosen to say "at most" two years or "up to" two years.
Least biased would be to just say "since the bug was introduced, two years
ago".

------
leeoniya
s/Flawed Protocol/Flawed Implementation/

------
higherpurpose
Well this was flagged fast.

------
forgotAgain
Sounds plausible to me. I would think the NSA, and other spy agencies, pore
over every release of a security package to see if any exploitable errors were
made.

------
err4nt
Do we have anything that leads us to believe the NSA was aware of heartbleed
at all before we found out, other than speculation because of their resources?

~~~
lot49a
We have "two people familiar with the matter" which is to say sources that
Bloomberg thought were credible enough to lead a story with.

~~~
danielweber
Who is "familiar with the matter"? NSA insiders? People who've read the
Snowden docs?

I wonder if Bruce "probability is close to one that every target has had its
private keys extracted by multiple intelligence agencies" Schneier is one of
them.

------
abdullahkhalids
You can assume that any bug in open source software that could have been found
using systematic and automated analysis has already been found by the NSA.

------
dombili
My first thought: if this is the case, then why did they try so hard (and get
"trolled" in the progress) to get the SSL keys from Lavabit?

~~~
tptacek
Because NSA didn't try to get Lavabit's keys at all; DOJ did. Two very
different organizations. Not as incestuously linked as people think they are.

Also, worth mentioning: it's not particularly easy to get private keys out of
servers with the bug.

~~~
dombili
That makes sense, I guess. I'm not American so I don't know much about the
inner workings of these institutions.

Is it unlikely for FBI to ask NSA's help?

~~~
tptacek
It is probably illegal for FBI to ask for NSA's help in gaining evidence for a
US criminal case, although pointing that out is sure to start a raucous
subthread about "parallel construction".

~~~
gojomo
If it's "probably illegal", surely you can cite the law?

Notably, the FISA cell phone record orders passed information to the NSA
_through_ the FBI, so no hint of a "chinese wall" there. Secret bulk
collection for 'national security', everyone bathing in the same pool of data.

I do suspect it's policy not to casually request, or become overly dependent
on, such NSA-to-domestic sharing. And – as we've seen in the "parallel
construction" revelations you allude to – it's definitely policy to try to
obscure any such sharing when it happens.

But to reassure people that it's "probably illegal" is flimsy hand-waving when
you can't name the law, and there's public evidence that it happens to the
contrary.

------
muyuu
This is flamebait. Sad it's getting so many upvotes.

~~~
ikt
I agree, in the first 3 paragraphs I shook my head 3 times

"two people familiar with the matter said." <- so you made it up

"threatens to renew the rancorous debate over the role of the government’s top
computer experts." <- you made this up as well

"Heartbleed appears to be one of the biggest glitches in the Internet’s
history" <- Not even close.

"as many as two-thirds of the world’s websites" <- less than 17% of SSL based
webservers, certainly not two-thirds of the entire freakin internet.

"it’s possible that cybercriminals missed the potential in the same way
security professionals did, suggested Tal Klein, vice president of marketing
at Adallom"

"this article is shite, suggested ikt, junior vice president of
Compuglobalhypermeganet"

~~~
muyuu
The point about it being VERY serious, I can accept. The rest... yep, pure
bull. Also "btw Open Source sucks, proprietary good".

The article is rubbish.

