Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say (nytimes.com)
173 points by brown9-2 on Apr 12, 2014 | 75 comments

It's very hard to take this initiative seriously. Software vulnerabilities are what software vulnerabilities are: the fundamental enabler of modern network signal intelligence. When you see Obama sign an executive order ending foreign signals intelligence, you can at that point start to believe that the USG is primarily in the business of fixing rather than stockpiling vulnerabilities.

NSA's first and overriding mission is in conducting signals intelligence against our adversaries. As people have pointed out here and elsewhere: regardless of what other missions NSA may have crept into in the last 40 years, when SIGINT comes into conflict with some other NSA mission, SIGINT wins.

(This analysis is descriptive, not normative.)

My expectation is that if they were serious about this initiative, they very likely would've stepped forward with some vulnerabilities for disclosure.

But it seems like it's just words and business as usual.

I'm curious what their response would be in the perfect storm scenario. A foreign country or criminal enterprise causes severe damage to much of the US. The intelligence agencies, government secrets, and the technology industry are all severely impacted, crippled even. And the enabler? A series of vulnerabilities they didn't disclose.

How much damage has to be done before people wake up and realize that what NSA is doing is effectively pointing armed nuclear warheads at high-value targets in the US and giving our enemies the controls? The fact that NSA refuses to disclose serious vulnerabilities is an indication to enemy governments and criminals that spending money finding these vulnerabilities is going to be an extremely effective tactic.

I mean this seriously: this is actively telling our enemies how to attack us. How is this not treason?

> Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort.

Actually, I think this could be the basis for an effective political point. Simplify it to hammer this message home:

"If we have a policy of not disclosing the vulnerabilities we know, what we're really doing is promising foreign countries that the exploits they discover against us will work forever."

Take it seriously to the extent that they need to consider whether or not hoarding a vulnerability is likely to enable other powers to carry out SIGINT against important US sites.

Consider that while something like Heartbleed would be an enormous asset to the NSA, if both NSA and a foreign power found out about it at the same time it'd provide the foreign power with a disproportionate benefit because they'd likely have fewer other ways of infiltrating many sites.

I'm sure that in situations where they're confident they're the only ones with the knowledge, they'll still hold off on releasing anything.

> provide the foreign power with a disproportionate benefit because they'd likely have fewer other ways of infiltrating many sites.

You forget to mention the assumption that NSA willfully ignores the IA component of its mission.

> I'm sure that in situations where they're confident they're the only ones with the knowledge, they'll still hold off on releasing anything.

How can they be sure? They simply can't. And this means they're putting US business at risk for their own benefit.

(The other way to put US business at risk is via worldwide reputation damage.)

I doubt this makes US companies more interesting for investors.

> Take it seriously to the extent that they need to consider whether or not hoarding a vulnerability is likely to enable other powers to carry out SIGINT against important US sites.

And yet that didn't prevent them from sitting on Heartbleed for two years (since approximately the moment it was introduced).

Don't be fooled.

This is a PR move.

Compare this to GITMO

"GITMO sucks, I vow to close it immediately" -- "Oh, Congress blocks me, my hands are tied! Tear!"

"Security vulnerabilities suck, I vow to make them open!" -- "Oh, look at that, the security apparatus says it makes the US vulnerable, my hands are tied! Tear!"

His hands are tied an awful lot.

But when it comes to pure presidential powers like killing people in foreign countries from the skies, his hands aren't tied.

The NSA may be trying to repair its image. This is a bit offtopic, but I think the NSA is in serious trouble because they need good hackers to join them, and it seems like almost nobody will want to after last year's revelations. (Even their salary offers seem to suck in comparison to an important SV engineer's salary, which struck me as odd.)

One way to start to repair their reputation would be to responsibly disclose some vulnerabilities and then take credit for their disclosure. That might motivate whitehats to join them, and whitehats are exactly the type of people they need.

In 10 years, the US is going to be in trouble unless they can continue recruiting good hackers. In 20 years, they'll be in serious trouble when foreign powers have clearly begun dominating the SIGINT arena. And at the rate technology is changing, those timelines seem optimistic.

I doubt the NSA's image problem is that large. I suspect many NSA recruits fall more toward the "black hat" end of the spectrum. They break into things without thinking about the consequences of their actions.

The NSA can likely get all the recruits it needs by just offering the chance to hack with legal immunity.

Snowden doesn't seem like a blackhat. Certainly looks can be deceiving, but it's hard to believe they'd be so shortsighted as to hire mostly people who are in it for the thrill of doing usually-illegal things.

Can't the NSA just monitor the whole network to detect anyone else using an exploit? So once they discover one, just use it to their heart's content until they start seeing it in the wild. At that point, disclose it.

We also kind of want the NSA to stop monitoring the whole network.

That would be a nice statement to make, if you lived in some small world where there's just America and its interests (well, the interests of SOME of its citizens, to be exact).

On the internet, and to global citizens, what you write amounts to "screw those people" (non-US Hacker News readers).

Agreed on what the NSA's mission is, but there are much better and easier ways of doing that than stockpiling exploits. Our government, with its mass amounts of data collection, could just as easily socially engineer someone (for example, impersonating a trusted associate) to give up the right information.

I don't believe the NSA's mission comes into conflict with Obama's order, it merely suggests the NSA change how they go about their mission. But it's still just as clear to me how one would solve it, and IMHO they would have an easier time going the social engineering route anyway.

Social engineering would be HUMINT, not SIGINT.

That was also my first reaction. It seems like just another lie even before it finishes leaving his mouth, another predictable broken promise, a priori.

I don't think he's lying. I don't think he understands what he's saying.

He's not dumb. Therefore, he's made a conscious decision not to.

I'm not dumb, but I'm capable of saying stupid things about podiatry.

Everyone puts their foot in their mouth from time to time, I guess.

That is an amazing non-sequitur.

https://en.wikipedia.org/wiki/Non_sequitur_(logic) Non sequitur (Latin for "it does not follow"), in formal logic, is an argument in which its conclusion does not follow from its premises.

Perhaps I should explain my reasoning a bit then.

midas007: It seems like just another lie

tptacek: I don't think he's lying. I don't think he understands what he's saying.

me: To paraphrase President Nixon, the President ought to know whether or not he himself is a crook.

So if tptacek is correct in that Obama doesn't actually understand what he is saying, the universe divides into two possibilities. In universe (1) Obama is so dumb as to be incapable of understanding the issues involved. In universe (B) Obama has the capability to understand the issues but has for some reason chosen not to exercise it.

Because Obama is a scholar, I assert that (1) is unlikely. Thus Obama, like many of us when confronted with complex but ultimately tractable problems (such as optimal Pokemon strategy), has made a conscious decision not to immerse himself deeply in the issue.

This represents a problem for Democracy because the President is our civilian leader who is supposed to be in command of the military. If in fact it is the military/intelligence that is leading him, then the Presidency has failed.

Cf. Reagan https://en.wikipedia.org/wiki/Iran%E2%80%93Contra_affair

Hrm. I can either argue with you about your continued lack of logic (moving from a non-sequitur to a false dichotomy where you presume a world of two types of people), or I can make a larger point. So I'll do the one that's more productive:

> This represents a problem for Democracy because the President is our civilian leader who is supposed to be in command of the military. If in fact it is the military/intelligence that is leading him, then the Presidency has failed.

Democracy is not a government of presidents. It is a government of people. I agree that you can usefully argue that "the Presidency has failed", but the existence of the Presidency was always a hack, in software terms. It was never a well-designed system; it was a convenience which has been subject to feature creep due to a long history of abuse and counter-abuse. Try to put yourself in the Founders' shoes and seriously think about the question of why the executive branch needs to be headed by a single person; it doesn't. It was just easier that way.

To fix this, the response isn't to whine about NSA overreach or Presidential doublespeak. It's to actually establish a democracy.

(P.S., it is inaccurate to characterize the POTUS as in command of the NSA. He is responsible and accountable for them, but he is not in command. The continued incapability of HNers to internalize basic facts listed on Wikipedia suggests either, how did you put it, that they are either "dumb" or choosing "not to exercise their capability" in understanding their government. I think I like your false dichotomy after all.)

POTUS is Commander-in-Chief of the US military. NSA is an organization under the US Department of Defense.

POTUS can fire the head of the NSA. Truman fired Macarthur.

It's an interesting discussion the extent to which reality matches the law, but according to the US Constitution Obama is in command of the NSA.

The Department of Defense is a civilian structure. It is not a military. This is a meaningful distinction, not least because it means NSA personnel do not necessarily waive the same constitutional rights that members of the United States Armed Forces do, nor do they necessarily swear to obey the POTUS, which is an explicit difference between the civilian and military oaths.

The authority that the POTUS has over the NSA is more analogous to that of a CEO over a departmental division than that of a general over a battalion. As I said, the POTUS is responsible and accountable for the NSA, in the same way he is responsible and accountable for what our diplomats and ambassadors say to foreign governments, in the same way he is responsible and accountable if the FCC fails to secure network neutrality.

One of the more interesting consequences of this is that, if you were to place the USAF under the authority of the NSA, it would not violate the principle of civilian control of the military.

> The authority that the POTUS has over the NSA is more analogous to that of a CEO over a departmental division than that of a general over a battalion.

This is getting tiring.

Take a look at this list of former Directors of the NSA and count how many are ranking uniformed military officers. Spoiler: since the founding of the agency, all 17 of them.


It looks especially silly when the NSA has never been credited as reporting any vulnerability to any vendor, ever.

They could at least throw a few over the fence and get their names in some advisories to at least pretend there is a shred of truth to this.

And wasn't this already the policy?

> "You are not going to see the Chinese give up on ‘zero days’ just because we do"

This is a dishonest argument - many of the zero days held by the Chinese are likely to be the same zero days being withheld by the N.S.A., so by disclosing them the N.S.A. would be dealing a huge blow to our adversaries' offensive capabilities.

The NYT should have gotten a quote to counter-balance this argument from a "senior intelligence official" (upon whom they shamefully, but predictably, bestowed anonymity). Now many of the people reading this article will come away believing this is akin to nuclear disarmament, which is a totally inapt comparison.

The reporter is David Sanger. He's more or less a direct propaganda/press outlet for Washington.

> upon whom they shamefully, but predictably, bestowed anonymity

I'm with you on the rest of your points but not on this one. Balance would be nice but anonymity is often key to good reporting. There's nothing shameful about soliciting a quote and then keeping that person anonymous.

I'm not against all anonymity, but in general, anonymity is bad for journalism. It makes it impossible for readers to judge the credibility of the source, and puts people who want to challenge the source at a disadvantage. It permits the source to say whatever they want, without any fear of it harming their credibility.

In narrow circumstances, such as whistle-blowing where the source would face harm from a disclosure of their identity, anonymity is both appropriate and essential (and in such a case it's essential for the newspaper to do as much verification as possible before conferring anonymity). But a government employee spewing pro-government propaganda does not need the protection of anonymity.

Edit: reworded for clarity.

For some details to back up agwa's statement, http://ajrarchive.org/Article.asp?id=1596 has some interesting history on anonymity in newspaper reporting. For example:

> During his shuttle diplomacy in the Middle East, Kissinger insisted on anonymity even though the information was reported by the press traveling with him and attributed to the "senior official on the plane." On one of Kissinger's sojourns, humorist Art Buchwald attributed information to a "high U.S. official with wavy hair, horn-rimmed glasses and a German accent."

> Periodically, journalists grow weary of the insistence on anonymity and rebel. But generally not for long.

> In 1971, then-Washington Post Executive Editor Ben Bradlee ordered that information provided by Kissinger about a pending summit meeting be attributed to him because it was simply too important to be reported anonymously, according to Walter Isaacson's book "Kissinger."

> "The Post's action caused a widespread realization that reliance on backgrounders had gone too far," Isaacson wrote. Nevertheless, the White House Correspondents Association soon passed a resolution agreeing to abide by Kissinger's briefing rules.

How does it help us, the public, to let Kissinger choose when to make anonymous statements?

Overall that American Journalism Review link points out that time and time again, with only a few exceptions, anonymity is abused.

> many of the zero days held by the Chinese are likely to be the same zero days being withheld the N.S.A

Are you sure?

Is he sure that's it's likely? I'm sure that it's likely he does.

"President Obama has decided that when the National Security Agency discovers major flaws in Internet security it should – in most circumstances — reveal them to assure they get fixed, rather than stockpile them for use in espionage or cyberattacks, senior administration officials said Saturday."

Emphasis added is mine.

The "in most circumstances" means they can pretty much do whatever the hell they want.

Agreed, so large you can drive a truck through it analogy.

Why is there not more of a furore about this? When Bush set up (and it was found out) about the extensive activities of the NSA, the reaction was vitriolic in every sense of the word. Here Obama is tacitly agreeing to similar intrusion. This is not a comment on Bush vs Obama, it is more a comment on the media and public reactions.

That's the problem with people-oriented politics. Who's going to complain? The people doing it now, or the people that did exactly the same thing earlier?

Also would like to stress "President Obama has decided". This is not a law, Obama (or the next guy) can change their mind at any time. No one will be held liable in court for not abusing rather than disclosing security flaws.

Wow! The NYT has changed the title of this article from "Obama Decides U.S. Should Reveal, Not Exploit, Internet Security Flaws" to "Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say"

Kudos to them for switching it to a much more accurate description of the situation.

Newsdiffs.org is useful to track both minor and major changes made to stories.

More generally, it's a convenient if limited way into the publishing process. It deserves scrutiny, all the more so for those PR-type articles that essentially try to convey nonsense.


Wow, I was wondering why the HN title and NYT title were almost exactly opposite. This diffing site is interesting, thanks.

The new title doesn't seem to fit well with the rest of the article, though.

It's like looking through Winston Smith's commits.

This is arguably good military strategy, too - the US has ample resources to allocate to finding novel or even one-off exploits on an ongoing basis, where some poorer powers might want to rely more on keeping secret existing exploits for a longer period. Perpetually making enemies' weapons obsolete.

Also, the US has a much larger attackable surface area and far more to lose in this domain. So it makes perfect, cynical sense if the US government wants internet security in general to be better.

Just like a naval power with strong international trade interests has reasons to keep shipping lanes open to all and to deter naval piracy.

None of this requires benevolence, it's all self-interested

The naval analogy is interesting. One of the six missions of a global naval presence is to protect the sea lanes of communication. Even if that means the North Koreans occasionally manage to acquire some centrifuge tubes, the global value of trade outweighs the costs.

By very direct corollary, one would hope the NSA regards keeping the digital lanes of communication open as one of its principal missions. Trade begets economic interdependence. It's tough to go to war with major trade partners.

What's a "novel" or "one-off" exploit? I don't see the realistic dividing line between "NOBUS" exploits that NSA could realistically believe it has a proprietary grasp on and the kinds of exploits that get deployed at Pwn2Own.

Configuration errors are an example of "one-off" exploits. Things which are specific to an environment, rather than a code base.

Stuxnet used zero day flaws, so when they make a statement like:

"When Federal agencies discover a new vulnerability in commercial and open source software ... it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose."[1]

I have to scratch my head because I can't reconcile this. I also can't reconcile what meaningful impact the White House statement will have since it has such a vague loophole. The White House statement reminds me of when Putin plays lip service to democratic processes inside Russia. Lots of words, little if any meaning or change.

[1] http://blogs.wsj.com/digits/2014/04/11/nsa-says-it-wasnt-pre...

> But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.

But Mr. Obama then went on to say "discount everything I've just said, the NSA should go on with business as usual, interpreting all current and future situations to further their offensive needs regardless of what is best for the American people or becoming of a modern democracy."

> But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,”

Or a law enforcement need? So this is almost pointless then. Don't expect regular iPhone or Android bugs to be reported, because law enforcement uses them all the time to tap people, so of course in their view there's a "need" for them.

He should've just left it to NSA only, and for very specific cases, if at all. Everyone else (FBI, police, DHS, etc) should be reporting the exploits.

As it is, don't expect them to reveal more than one relatively major bug every 2 years or so - and even that sounds optimistic, I think.

Call it paucity of imagination on my part, but I was wondering if somebody could make explicit some legitimate examples of situations involving a "clear national security need"? It's not like they're just making a legal exception for a "Blockbuster" scenario, where terrorists are about to nuke a city and a lone hacker saves the day by breaking SSH, right?

Is this supposed to apply to instances where the flaw affects the competition more than civilians -- say, a security flaw that somehow disproportionately affects Iran, China and Russia over the US? (there are obvious reasons why the government cannot explicitly acknowledge this, but I'm wondering if this is a direct implication)

The NSA would monitor hacker message boards and the various black market websites for exploits like this.

If they find something which they don't see any chatter about on any of these sources, then it's reasonable to presume no one has found it. Moreover, actually exploiting Heartbleed would leave a signature. You can fake SSL certificates, but eventually someone has to lose their money, or some innovation has to come out of the blue. MitMs involve traffic diversions unless they're conducted at a government level.

Espionage always leaves a trail - even if you don't know where someone gets their intel, you can always tell they must be getting it somehow.
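The comment above says that actually exploiting Heartbleed "would leave a signature." The added example below (not code from the thread or from any of the commenters) shows what that on-the-wire signature is: a TLS heartbeat record whose claimed payload_length cannot fit inside the record, which is exactly the check RFC 6520 section 4 says a correct implementation must perform before responding (payload_length + 3 + 16 must not exceed the record's length). The function names, the TLS version bytes and the sample byte stream are all constructed here for illustration; the constants for the record type (0x18) and heartbeat message types (1 and 2) are from the RFC.

```python
import struct

TLS_HEARTBEAT = 0x18      # ContentType for heartbeat records (RFC 6520)
TLS_APPDATA = 0x17        # ContentType for application data, used as a control
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16          # RFC 6520: every heartbeat carries >= 16 bytes of padding
TLS_VERSION = 0x0302      # constructed value for the sample records (TLS 1.1)


def parse_tls_record(data):
    """Split one TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, ver, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    return ctype, ver, body


def is_heartbleed_probe(record):
    """True if the record is a heartbeat whose claimed payload length does not
    fit inside the record. That mismatch is the Heartbleed trigger: a patched
    peer discards the message, an unpatched one answers with heap contents."""
    ctype, _ver, body = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT:
        return False
    if len(body) < 3:
        return True  # cannot even hold HeartbeatMessageType + payload_length
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return False
    # RFC 6520 section 4: discard if payload_length + 3 + 16 > record length
    return payload_len + 3 + MIN_PADDING > len(body)


def benign_heartbeat(payload):
    """Construct a well-formed heartbeat request: length matches the payload."""
    body = struct.pack("!BH", HB_REQUEST, len(payload)) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, TLS_VERSION, len(body)) + body


def probe_heartbeat(claimed_len, payload=b""):
    """Construct a malicious heartbeat request: claimed length exceeds what was sent."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload
    return struct.pack("!BHH", TLS_HEARTBEAT, TLS_VERSION, len(body)) + body


def scan_stream(data):
    """Walk a stream of concatenated TLS records and return (content_type, flagged)
    for each one. This is the shape of an IDS check, not a full TLS parser."""
    verdicts = []
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("trailing bytes are not a full record header")
        length = struct.unpack("!H", data[off + 3:off + 5])[0]
        record = data[off:off + 5 + length]
        ctype, _, _ = parse_tls_record(record)
        verdicts.append((ctype, is_heartbleed_probe(record)))
        off += 5 + length
    return verdicts


# Constructed sample stream: one application-data record, one honest heartbeat,
# then a probe claiming 65535 payload bytes while sending none.
SAMPLE = (
    struct.pack("!BHH", TLS_APPDATA, TLS_VERSION, 4) + b"abcd"
    + benign_heartbeat(b"ping")
    + probe_heartbeat(0xFFFF)
)

if __name__ == "__main__":
    for ctype, flagged in scan_stream(SAMPLE):
        print(f"record type 0x{ctype:02x}: {'HEARTBLEED PROBE' if flagged else 'ok'}")
```

The check flags only the third record. Note the caveat the check carries in practice: it works on the plaintext record layer, so an inline sensor sees the heartbeat header before the handshake completes only when the probe arrives unencrypted, which is how the public proof-of-concepts sent it; a probe sent after the handshake inside an encrypted record is invisible to this kind of signature.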

Honestly, it seems like the only way the US could get credibility on this "front" is to create an open, well-funded agency whose only purpose would be to enhance world Internet security. Give it a mandate to be entirely separate from any would-be signal intelligence exploiters and let it loose. Yes, I'm sure something akin to this exists but if this had 10% of the US intelligence budget, it would be an eye-opener.

Prior to the NSA leak, "cyber warfare" was quite the buzzword. China, Iran, and other countries threatened all US infrastructure from abroad. There was even debate as to whether a foreign "cyber attack" could justify an armed military strike. The solution allegedly was the US government spending all kinds of money on these "cyber defenses."

Snowden's leak suddenly left people wondering if the United States itself posed the greatest threat to the US's own "cyber security." There is little doubt that the revelations did severe and lasting damage to US companies who want foreign customers.

Today the problems are, someone might have been able to access your Yahoo mail in the past two years. As computing and bandwidth expands and blends in to the background, future exploits will be things like, every moment, visual and audio, of the past two years of your life, was recorded and is available to playback in full detail. For better or worse, of course the government will get heavily involved.

The Snowden leak told no one who was capable of any amount of critical thinking anything they didn't already realize.

It was base-level obvious that the US, EU and every other nation had cyber-warfare programs because there was no technical reason they couldn't, and the risks were the same as they were to China and others: it's an invisible, zero-casualty engagement, indistinguishable from the actions of lone individuals or groups.

Moreover, it should always have been apparent that things inside the US could be arbitrarily subjected to search and seizure. This is not a problem companies are unfamiliar with - mining companies are big on sovereign risk, but moreover, it's not like Microsoft stores its technical data on Google cloud services, for exactly the same reasons.

The most surprising thing which has been disclosed nowhere by the Snowden leaks is any evidence of the NSA passing stolen technical schematics or plans off to US companies for competitive advantage. I'm sure a lot of people will insist this totally happened, but no one has come up with hard evidence that it has.

I note that the Department of Homeland Security funded the Coverity Scan service for 3 years to find bugs in open source software using static analysis, resulting in more than 6000 bugs fixed.

(The Coverity Scan contract expired in 2009, but Coverity found out that finding bugs in open source software is a great marketing campaign anyway, and continued the service.)

This "change" is so nuanced as to be essentially indistinguishable from the status quo.

"Obama says" versus "Obama does."

Actions, not speeches, count.

"Obama does x" is the headline when the news is in general positive.

"The government/administration/specific department" is the headline when it is negative. Look out for it...

"Obama exploited Heartbleed" isn't a very accurate statement.

It's almost as inaccurate as "NSA says it should disclose exploits."

This is why the NSA should be chopped in half. Offense and defense in different agencies so there's less conflict of interest

NY Times updated their headline:

"Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say"

NSA decides it shouldn't and should, respectively.

> – in most circumstances —

>But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,”

Read: unless we really want to.

So how's the US government's track record in reporting flaws to vendors?


President doesn't know what the economy is either.


In black and white hat circles it is understood that using an internet security flaw is in fact revealing it, as your adversaries find out by such acts.

His executive order has no rational meaning in that context, the context of NSA's mission, the CIA's mission or DoD's mission.

What does Obama think, we're effing five?

What is up with the "Mr. Obama ..." crap? Did the NYT have a change in policy recently? I do not remember Sanger writing like that in Confront and Conceal.

Ok, are there any odds that a diff of Red Hat and Debian would reveal patches that Red Hat's largest customer, the Pentagon, has pushed?

Nothing but pandering, and not even a very good job of it. Business as usual down at the NSA.

"We should reveal security flaws! ...Except in 99% of situations."

Go to hell you fucking snake.

Contrast this with the recent NSA statement[1] made about heartbleed. This is how they intend to interpret this decision.

1. https://news.ycombinator.com/item?id=7575802
