
Statement on Bloomberg News story that NSA knew about the “Heartbleed bug” - rinon
http://icontherecord.tumblr.com/post/82416436703/statement-on-bloomberg-news-story-that-nsa-knew
======
gojomo
What if they have a unique definition of 'vulnerability', much like they had a
unique definition of 'collect'?

As a bit of internal jargon, the NSA only considered information 'collected'
when an analyst looked at it. So, they could record & store bulk data about
all Americans, but still claim (with a secret wink) that they didn't
intentionally "collect" data on Americans.

Maybe for them, 'vulnerability' means both "the bug exists" _and_ "bad guys
know enough to exploit it". After all, if a tree falls in the woods, and
there's no one there to hear it, does it make a sound?

This definition even makes sense, if you have an advanced, economic and
strategic understanding of security as something that's a matter of relative
priorities and dynamically-changing situations. There are plenty of bugs,
known and unknown, in all software. Perhaps they only count as
'vulnerabilities' when they're practically exploitable, and practical
exploitation has, as an absolute prerequisite, discovery by malicious actors.
(On the other hand, when we, "the good guys", discover the bug, it's not a
vulnerability: it's an asset! Search for [NOBUS NSA] for more reporting about
this style of reasoning.)

Still, using such a fine-grained bit of internal jargon, even if it makes
sense among people who share your terms, is deceptive if used to hoodwink the
public and Congress, exactly as the 'collect' finesse definition was long
used.

~~~
lkd
Or they straight out lied.

Wouldn't be the first time.

~~~
krick
Or they didn't.

See, now we have a complete set of possible answers! So, what does it mean when
the NSA officially announces something? I'd say, it means nothing.

~~~
ithought
If they did know, they would not admit it.

Maybe they didn't know. But we certainly do not have the right to know if they
did know or not. This means something.

------
patrickg_zill
Just keep in mind that the NSA routinely lies... even in direct testimony
under oath to Congress.

[http://www.slate.com/articles/news_and_politics/war_stories/...](http://www.slate.com/articles/news_and_politics/war_stories/2013/06/fire_dni_james_clapper_he_lied_to_congress_about_nsa_surveillance.html)

~~~
malloreon
We need to begin putting government officials in prison for this.

~~~
baddox
Unfortunately that "we" is the government officials themselves.

~~~
res0nat0r
Clapper couldn't divulge the existence of a classified program in an open
session hearing. If they really wanted answers vs. trying to grill the NSA in
a public forum they could have asked the question in a closed session with
only participants who've met the proper clearance level for said program
disclosures.

Unfortunately on HN anything NSA related is going to devolve into conspiracy
theory groupthink these days vs. actual rational discussion that the NSA is
not all knowing (unlike every other government agency which is apparently
incompetent).

~~~
unclebucknasty
Clapper always had the option to decline answering a question. Choosing
instead to lie means something.

~~~
userbinator
Interesting to note that in Asian languages there is actually a word for
"neither yes nor no":

[http://en.wikipedia.org/wiki/Mu_(negative)#.22Unasking.22_th...](http://en.wikipedia.org/wiki/Mu_\(negative\)#.22Unasking.22_the_question)

------
SwellJoe
Last sentence reads: "Unless there is a clear national security or law
enforcement need, this process is biased toward responsibly disclosing such
vulnerabilities."

So, should the NSA decide that there is a national security interest or law
enforcement need, they will not disclose such vulnerabilities. Given their
past behavior and explanations for what was considered acceptable compromise
for national security, I am not particularly reassured by this statement.

Yes, it's good that they weren't hoarding this particular exploit. But, they
have clearly not denied being in possession of other exploits; they've only
said that the ones they might hold would be because of national security or
law enforcement need.

~~~
ipsin
Their statement would carry much more weight if they could point to one
example of an exploitable zero-day they've actually disclosed.

I don't particularly trust the NSA, but this example probably exists.

~~~
eliteraspberrie
With regard to the Linux kernel, for example, their policy was to not look for
vulnerabilities and only contribute features:

_Did you try to fix any vulnerabilities?_

_No, we did not look for or find any vulnerabilities in the course of our
work. We only changed enough to add our new mechanisms._

[http://www.nsa.gov/research/selinux/faqs.shtml#I16](http://www.nsa.gov/research/selinux/faqs.shtml#I16)

------
anonbanker
> Unless there is a clear national security or law enforcement need, this
> process is biased toward responsibly disclosing such vulnerabilities.

Wow, those two caveats are broad enough to remove any real meaning from the
process.

~~~
Zigurd
The cool part is that you can actually measure how weaselly those weasel
words are: as other security experts have pointed out here, the NSA's hoard of
zero-days numbers in the thousands. How many times have they practiced
"responsible disclosure"?

------
mpyne
"The Federal government relies on OpenSSL to protect the privacy of users of
government websites and other online services."

This is my big point from the other thread. _If_ NSA knew then not disclosing
this type of serious bug should get someone's head to roll as it could imperil
the security of other important USG communications.

That still leaves open the question of why NSA wasn't able to find this bug
themselves though -- you'd think they'd be looking for bugs related to the
introduction of new features into OpenSSL.

~~~
hadoukenio
Has this actually been verified? It was only newish versions of OpenSSL that
were vulnerable. Websites that ran on IIS and other platforms were not vulnerable.

Does anyone have a historical list of critical government websites and their
web server versions? An old nmap list would suffice to show that high-priority
sites were vulnerable or not.

~~~
mpyne
Many parts of government run Linux, including NSA themselves, other military
platforms, and advanced research/development labs. Certainly there's tons of
MS, but govvy is just so big that even OpenSSL being rare would still be
highly concerning for USG security.

------
cyphunk
In other news, NSA thinks responsible disclosure is the way to go but
apparently has no 0days to responsibly disclose. I didn't know TAO sucked so
hard. Can't see how anyone will buy this.

~~~
w_t_payne
I was actually inclined to give them the benefit of the doubt, but your point
actually sort of makes sense. I don't like this feeling of not knowing where
the boundary between wacko conspiracy theory and ... y'know ... real life ...
begins and ends.

~~~
fnordfnordfnord
If they're not lying, that's arguably worse!

------
wrs
The third paragraph flatly says it is in the national interest to disclose
zero-days.

The fourth paragraph says there is a "reinvigorated" process for deciding
whether it is or not.

Obviously the fourth paragraph is more correct -- is the third paragraph just
there for an easy inaccurate quote?

------
diminoten
If this is true, and the NSA knew about the Heartbleed vulnerability, then how
come the EFF hasn't been getting more log data showing the vulnerability being
exploited against sites?

How come, so far, only _one_ person has thus far come forward with _ANY_
evidence that might demonstrate a knowledge of this bug before it was
discovered?

I just find it depressing how ready the media is to jump on the NSA for things
they may not have done. There's plenty to work with in the realm of things
they _did_ do, why draw conclusions before there's evidence? So far I've yet
to see a static analysis tool that would have caught this, and I don't have
any reason to believe the NSA is hand-searching code for vulnerabilities.

~~~
krick
> I just find it depressing how ready the media is to jump on the NSA for
> things they may not have done.

I don't like journalism and such, but I think it's OK in this case and I don't
find it a bit depressing, maybe even otherwise. Why? Because we should be
aware. Always. There's no sense in blaming NSA for something. It's stupid to
blame spies for spying. There's no sense in saying something they do is
immoral, because it couldn't stop them from doing it. So if you care about
them doing something wrong the only way to stop it is to make it impossible.
If you don't want NSA to know some data that belong to you — you are enemies,
because NSA wants to know _anything_. And it's OK. It's what they are for.

You obviously cannot prevent what already happened, you can only try to fix
the consequences and be more careful in the future. So it's always sensible to
assume NSA knew about any single security bug discovered for a long time. And
nobody can possibly know if something is true about NSA's knowledge (maybe
even not NSA themselves). So even if it's not true — spreading rumors about it
is completely fine I guess.

------
rinon
Now who do we believe... an anonymous source or an official press release
(from an agency with both motivation to lie and a history of misleading
statements). Both seem fairly unsubstantiated to me.

------
cyphunk
If the statement is true or not doesn't matter because this gem screams
bullshit:

> it is in the national interest to responsibly disclose
> the vulnerability rather than to hold it for an
> investigative or intelligence purpose.

Or to read that differently "The intelligence community would disclose 0days
rather than use them as weapons".

~~~
mpyne
It reads pretty obviously IMHO.

"Any 0day has an obvious national security interest in being responsibly
disclosed and fixed".

That's not a very direct affirmation though, merely an "interest"... the
caveats show up at the end, but even that is at least honest.

You'd be crazy if you thought NSA would disclose a server 0day that e.g.
affects only websites running under a Russian locale, when those websites are
known to be used by the Russian armed forces bordering Ukraine. That's the
type of thing which could be useful to NSA while having practically nil effect
on U.S. infrastructure.

~~~
cyphunk
I would agree with you except that they added the "rather than". It is a
debate between the 0day's value as a weapon through holding it secret vs. the
value of release to everyone else. If there was any merit to them holding any
bias toward the latter we would see at least ONE public disclosure of a
vulnerability by them.

------
disbelief
Is this even a legit website? The NSA makes announcements via their Tumblr
now? Doesn't that strike anyone else as strange?

~~~
gregschlom
No doubt this is part of their PR strategy. "Look, we use Tumblr just like
you. We don't have any fancy blogging platform. In fact, we don't have any
fancy tool at all. All we do is boring administrative work."

------
downandout
I find it a stretch to believe that some part of the NSA didn't know about,
and/or have a hand in introducing, Heartbleed. There has to be an NSA team
dedicated to both causing and exploiting issues with very popular open source
software. If there isn't, the NSA isn't living up to its reputation.

The reality is that we'll never get the truth out of them, and it doesn't
matter anyway because nothing they say can be believed. They might as well
never say anything. Assume that they have intercepted all of your traffic and
have dumps of your RAM, and act accordingly.

~~~
bigiain
"The reality is that we'll never get the truth out of them, and it doesn't
matter anyway because nothing they say can be believed."

This is clearly now true for many of us.

I wonder how true it's becoming for the people to whom the NSA provide their
information? When Clapper happily uses phrases like "the least possible
untruthful answer" when explaining to congress why he said "No" when the
answer was "Yes", I can't help but wonder if the
FBI/CIA/Pentagon/President/B-613 are starting to question/disbelieve every
word that comes out of the NSA?

------
kaffeinecoma
Sincere question: is the NSA on record for having responsibly disclosed any
previous security holes? Is there some track record of them having actively
helped close security holes in software?

~~~
lxwang
The most famous example is the DES S-boxes, where the NSA made a change that
nobody else understood - until years later, when it was discovered that they
had made the algorithm more secure against cryptanalysis techniques that had
just been "discovered", but which had evidently been known to NSA long before.

~~~
gizmo686
To expand on the DES example, the S-boxes are essentially large 'random'
lookup tables. The NSA took the S-boxes, and replaced them with their own
tables. At the time, it was not clear if this was to protect against an
unknown attack, or to introduce an unknown attack (which may involve knowing
some secret key used to generate the S-boxes).
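To make the S-box discussion concrete, here is an added example (not from this thread, and not code from the DES standard or the NSA): it loads DES's S1 table as published in FIPS 46, computes its difference distribution table, which is what differential cryptanalysis measures, and checks two of the design criteria Coppersmith later published. The function names are my own.

```python
# DES S-box S1 as published in FIPS 46: four rows of sixteen 4-bit outputs.
# The outer two input bits (b5, b0) select the row, the inner four (b4..b1) the column.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(box, x):
    """Map a 6-bit input to a 4-bit output using the DES row/column rule."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return box[row][col]


def rows_are_permutations(box):
    """Each row of a DES S-box is a permutation of 0..15 (a published design criterion)."""
    return all(sorted(row) == list(range(16)) for row in box)


def ddt(box):
    """Difference distribution table: ddt[din][dout] is the number of 6-bit inputs x
    for which sbox(x) XOR sbox(x XOR din) == dout. Differential cryptanalysis
    exploits large entries, so a well-chosen table keeps them small."""
    table = [[0] * 16 for _ in range(64)]
    for din in range(64):
        for x in range(64):
            table[din][sbox(box, x) ^ sbox(box, x ^ din)] += 1
    return table


def best_differential(box):
    """Return (din, dout, count) for the most probable nonzero input difference."""
    table = ddt(box)
    best = (0, 0, 0)
    for din in range(1, 64):
        for dout, count in enumerate(table[din]):
            if count > best[2]:
                best = (din, dout, count)
    return best


def min_output_change_for_single_bit(box):
    """Smallest number of output bits that change when exactly one input bit flips.
    Coppersmith's published DES criteria require this to be at least 2."""
    smallest = 4
    for x in range(64):
        for bit in range(6):
            diff = sbox(box, x) ^ sbox(box, x ^ (1 << bit))
            smallest = min(smallest, bin(diff).count("1"))
    return smallest


if __name__ == "__main__":
    din, dout, count = best_differential(S1)
    print(f"rows are permutations: {rows_are_permutations(S1)}")
    print(f"best differential for S1: 0x{din:02x} -> 0x{dout:x} holds for {count}/64 inputs")
    print(f"a single-bit input change flips at least {min_output_change_for_single_bit(S1)} output bits")
```

The best entry for S1 is 16 of 64 (input difference 0x34 to output difference 0x2), a probability of 1/4 rather than the larger values a randomly filled table typically shows, which is the kind of resistance the earlier comment refers to.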

------
lawnchair_larry
First, tumblr? Really?

Second:

_"When Federal agencies discover a new vulnerability in commercial and open
source software – a so-called “Zero day” vulnerability because the developers
of the vulnerable software have had zero days to fix it – it is in the
national interest to responsibly disclose the vulnerability rather than to
hold it for an investigative or intelligence purpose."_

This is demonstrably false. That's not even a point of debate, by their own
admission.

The whole statement is worthless.

~~~
georgemcbay
"First, tumblr? Really?"

That was my first reaction too. I'm probably late to the party on this, but
when I saw the tumblr domain I thought it was some kind of satire at first.

~~~
dllthomas
Likewise. I'm still not 99% sure...

------
btown
"If the Federal government, including the intelligence community, had
discovered this vulnerability prior to last week, it would have been disclosed
to the community responsible for OpenSSL."

I see numerous disclosures from technology companies, security researchers in
industry and academia... but for the life of me, I can't recount an instance
in which a disclosure came from intelligence-community researchers. Is there
any historical evidence of disclosures from the NSA to the open-source
community?

~~~
mpyne
Depends on whether things like this are a security disclosure or not (seems
not to me, but I'm not a vuln developer):
[http://lists.x.org/archives/xorg-devel/2010-August/012207.ht...](http://lists.x.org/archives/xorg-devel/2010-August/012207.html)

I don't know of better examples though.

~~~
btown
I'm also not a vuln developer, but this looks like someone else reported it,
and an NSA-affiliated researcher created the patch to fix it.

------
tbolse
The press is all over this topic, but as usual doesn't do its research well
enough. Some insight: the bug was submitted in December 2011 and was only
present in OpenSSL 1.0.1 - not in previous releases. 1.0.1 was released on
14th of March 2012. It usually takes a long time until these new versions get
largely adopted into other software. Even today 1.0.1 isn't used everywhere.
That leads me to doubt that the agencies could have used this vulnerability
for a very long time. A year seems reasonable, years rather not. It's very sad
though, that they chose not to contribute to secure software and rather exploit
the vulnerability.

------
homulilly
The NSA has already proven that it's willing to lie to the public, not just
omit information or mislead, when it's talking about something the agency
considers related to National security. Of course it's still possible they
could be telling the truth in this instance, and Bloomberg could have failed
to properly vet its sources. However, taking the recent past into account I
think most people would agree it is far more likely that Bloomberg is
providing accurate information and the NSA is not.

------
staunch
It does seem like a judgement call is unavoidable. If they discover exploits
that are extremely difficult to use, and extremely unlikely to have been
discovered by others, it might make sense to use them. But it also seems clear
that they should have an obligation to _find and make public_ exploits similar
in nature to Heartbleed. Sitting on a bug like this should be a criminal
offense.

~~~
geophile
Use the bug for what purpose? The NSA constantly lies, and also just spies on
non-terrorist organizations because terrorism:
[http://techcrunch.com/2014/04/08/snowden-council-of-europe-t...](http://techcrunch.com/2014/04/08/snowden-council-of-europe-testimony).
They are so beyond deserving the benefit of any doubt.

~~~
staunch
For spying. No one, least of all Snowden, is calling for an end to the NSA's
spying days.

~~~
mpyne
Hell, even Julian Assange has spoken up in support of _targeted_ spying
efforts.

------
mikeash
They would say this if it were true and they would say this if it were false.
Total information content: zero.

------
smoyer
Well ... that's disappointing!

As a top-notch surveillance organization in a top-notch surveillance state,
I've come to expect more from the NSA. If their job is to protect my wimpy
life from those rowdy terrorists, they should be at the forefront of all
hacking activities and it's really disconcerting that they didn't introduce
the bug into the code in the first place. A vulnerability that big deserves a
big brother to protect it.

On a more serious note, the NSA is segmented and unaccountable ... I doubt
anyone including the director can make a blanket statement guaranteeing that
it has or has not done something. In the next installment of the NSA saga, a
reporter with access to the Snowden documents will find proof that this is a
lie.

------
bredren
That the Bloomberg report resulted in a denial so quickly demonstrates the
defensive position of US intelligence services today.

Strong suspicion that a federal agency would withhold vital info about
Heartbleed is a direct result of the shocking revelations of mass
surveillance.

I believe the sentiment expressed around this issue is not entirely contained
to Heartbleed.

This is about distrust of the federal government to make good administrative
decisions around highly technical issues that affect the public. Keep in mind
Kathleen Sebelius just resigned largely due to optics around IT management
failures.

Widespread distrust of federal organizations' ability to manage technology
appropriately will only erode faith in the federal government as a whole. That's
not a good problem to have.

------
cybernoodles
Nothing says official like Tumblr.

------
meowface
Isn't the utilization of the 0-day exploits in Stuxnet proof that DoD and the
intelligence community generally don't care about responsible disclosure? I'm
sure Microsoft would've liked to know about those. I'm also pretty sure many
US government systems were vulnerable to many of the exploits, including the
MOF file one.

I suppose the NSA counts that as "a clear national security or law enforcement
need."

------
brianmwaters_hn
Why is there a scarcity of comments here questioning the Bloomberg article?
For that matter, why was there a scarcity of discussion questioning Reuters'
December '13 article about RSA and Dual EC? Neither provided any evidence for
their claims, and I presume that, in both cases, the information was obtained
from anonymous sources who could not provide documentation à la Snowden.

------
d1str0
Letting a bug/vuln this broad go unpatched for years for the NSA's own benefit
is beyond negligent concerning our nation's security.

~~~
dllthomas
Practically treasonous. As they say, lots of important things protected by
OpenSSL, and if the NSA _did_ know about it two years ago, when did similar
organizations in other governments spot it?

------
kposehn
While the ambiguity in later paragraphs is par for the course, the directness
of the initial statement is refreshing.

------
joncooper
Are we sure this isn't a parody?

~~~
georgefox
[http://www.odni.gov/index.php/carousel-items/916-the-intelli...](http://www.odni.gov/index.php/carousel-items/916-the-intelligence-community-launches-ic-on-the-record)

~~~
joncooper
You just can't make this sh*t up: the "No Fear Act".

~~~
Intermernet
Or "Notification and Federal Employee Antidiscrimination and Retaliation Act".

Does legislation that can't be summarized in a clumsy acronym ever get passed?
I can just imagine cabinet meetings: "Sure, world peace is a nice _idea_, but
we can't think of a terrible enough acronym for it, so we've decided against
it."

------
us0r
"it is in the national interest to responsibly disclose the vulnerability
rather than to hold it for an investigative or intelligence purpose."

Like all of the exploits used in their "FOXACID" program?

------
nraynaud
Oh so now the NSA publicly comments on allegations about its operations?

------
caligarn
Plot twist, the NSA is sending all the data it has "collected" to aliens
living on Mars via the Mars Rover. Now it all makes sense.

------
hackinthebochs
I haven't seen this mentioned in this thread yet, so I just want to remind
everyone of the Stuxnet virus that contained four 0day vulnerabilities and was
in active deployment for anywhere between two to five years. If you believe
that they were the originators of this virus then this directly contradicts
the claim that 0days are responsibly disclosed in a timely manner.

------
niels_olson
I don't think I have ever upvoted so many comments in one HN thread. The NSA
earned every ounce of distrust that is currently being pointed at them. I just
wish people were investing as much time in OpenSSL as they are in discounting
NSA statements.

~~~
hadoukenio
Lol. I was thinking the same thing. Almost all current comments in this thread
have value.

------
aunty_helen
Sorry US GOV but the piggy bank of trust is currently sitting empty.

This statement isn't worth the memory it's stored in.

------
corywatilo
TL;DR: We've already got your data from other sources so we didn't need to get
it via Heartbleed.

------
mixologic
I sure hope Mr. Snowden has evidence to the contrary.

~~~
goatburger
I don't think we really need Ed's disclosures to tell us anything they say is
utter bullshit.

~~~
dllthomas
But it's so much more gratifying when we have them.

