Friday, April 11, 2014

Jesus Fucking Christ! The NSA Knew About Heartbleed for TWO YEARS?!??

Posted by on Fri, Apr 11, 2014 at 12:35 PM

Michael Riley at Bloomberg writes that not only did the NSA reportedly know about Heartbleed for years, but they allegedly exploited Heartbleed for their own information-gathering purposes:

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

Isn't the NSA supposed to protect Americans? What the fuck are they supposed to be protecting us from, if not what is likely the largest cybercrime in the history of the world?

UPDATE 3:58 PM: The NSA denies this news, saying they weren't previously aware of Heartbleed. So I guess the question is: How much do you trust the NSA?


Comments (16)
Will in Seattle 1
Duh

Just like the BC Law Society knew Trinity Western is full of bigots
Posted by Will in Seattle http://www.facebook.com/WillSeattle on April 11, 2014 at 12:52 PM
2
Well, of course they did. As an intelligence agency, if you find a way to eavesdrop on what your adversaries think is a secure channel, you keep quiet about it.

The real outrage is the NSA considers their own citizens to be the enemy too, and in their mind, they exist to protect us from ourselves.

Expecting the NSA, CIA or FBI to publicly point out flaws in privately used cryptography is unrealistic. It's against their own interests. They have a long history of trying to weaken and thwart widespread adoption of private individuals using strong cryptography.

It's no wonder many software engineers are libertarian. Seeing your own government as your adversary can do that to a person.
Posted by Paul F on April 11, 2014 at 12:54 PM
treacle 3
No, Paul, the NSA is not "supposed to protect Americans", it's supposed to protect the government. Come on, you should know this by now.

We are cattle.
Posted by treacle on April 11, 2014 at 1:07 PM
Urgutha Forka 4
Knew about it? Hell, the NSA probably created the fucking thing.
Posted by Urgutha Forka on April 11, 2014 at 1:13 PM
6
Hail Hydra.
Posted by Conrad McMasters on April 11, 2014 at 1:40 PM
7
What's the world coming to when spy agencies don't tell everybody all their secrets?
Posted by GermanSausage on April 11, 2014 at 1:45 PM
fletc3her 8
This doesn't surprise me at all.

The real question is whether they introduced the bug in the first place.
Posted by fletc3her on April 11, 2014 at 1:50 PM
9
Paul's capacity to be surprised seems to be unlimited.
Posted by Jizzlobber on April 11, 2014 at 2:06 PM
10
It's open-source code. God knows, no one else was looking at it.
Posted by Toe Tag on April 11, 2014 at 2:09 PM
11
@4 @8 coding errors like that exist everywhere, and are very easy to make - especially in the mess of code that is OpenSSL.
Posted by Paul F on April 11, 2014 at 2:10 PM
Doctor Memory 12
If the NSA doesn't have at least a dozen full-time employees whose job it is to subscribe to and carefully review the commit notifications of every major open source crypto project (openssl, gnutls, etc.) and to regularly do top-to-bottom code audits, then I would say that they're not doing their jobs terribly well.
Posted by Doctor Memory http://blahg.blank.org on April 11, 2014 at 5:01 PM
Doctor Memory 13
@11 is correct. The error was committed by a volunteer coder for the OpenSSL project (a German, I believe -- the press is being impressively circumspect about naming him, but it's easily findable), and was exactly the sort of error that programmers tend to make when writing networked programs in C. It sailed through code review because OpenSSL is maintained by a bunch of seriously underpaid volunteers, and is a legendarily awful spaghetti snarl of amateur-hour code in the first place. Never attribute to malice what can easily be explained by stupidity.

The real question is why, in C.E. 2014, we still continue to allow people to write any code at all that exists between the kernel and a network socket in a language without bounds checking, garbage collection, and native exception handling. Apparently we are slow learners.
Posted by Doctor Memory http://blahg.blank.org on April 11, 2014 at 5:07 PM
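The class of C error @13 is talking about, as an added example that is not from the post or any commenter: a heartbeat echo handler that checks the peer-supplied length field against the number of bytes that actually arrived before copying anything. The record layout (type, two-byte length, payload, 16 bytes of padding) follows RFC 6520; the two sample requests are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HB_PADDING  16   /* minimum padding a heartbeat message must carry */
#define HB_REQUEST  1
#define HB_RESPONSE 2

/*
 * Parse one heartbeat request and build the echo response.
 * Wire layout: type (1) | payload_length (2, big endian) | payload | padding.
 * An unchecked handler trusts payload_length and copies that many bytes out
 * of the record no matter how many bytes were really received, so a small
 * message with a large length field makes it read past the buffer.
 * Returns the response length, or -1 if the record is malformed.
 */
int build_heartbeat_response(const uint8_t *record, size_t record_len,
                             uint8_t *out, size_t out_cap)
{
    if (record == NULL || record_len < 1 + 2 + HB_PADDING)
        return -1;                              /* cannot even hold a header */
    if (record[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)record[1] << 8) | record[2];

    /* The bounds check: header + claimed payload + padding must fit inside
       what was actually received. This is the comparison the bug lacked. */
    if (1 + 2 + payload_len + HB_PADDING > record_len)
        return -1;
    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;                              /* caller's buffer too small */

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, record + 3, payload_len);   /* echo only bytes that exist */
    memset(out + 3 + payload_len, 0, HB_PADDING); /* zero padding here; real code randomizes it */
    return (int)resp_len;
}

/* Constructed sample: well-formed request carrying the 5-byte payload "hello". */
static const uint8_t GOOD_REQUEST[] = {
    HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Constructed sample: the same 5 bytes on the wire, but a length field claiming 65535. */
static const uint8_t BAD_REQUEST[] = {
    HB_REQUEST, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
```

The second request is rejected by the length comparison; in the unchecked version it would have produced a 65535-byte "echo" drawn mostly from whatever sat beyond the 24 received bytes.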
14
Well, Bloomberg is citing anonymous sources, but the NSA has lied to Congress, so a press release would be no sweat. I'd say it's a toss-up.
Posted by unpaid reader on April 11, 2014 at 5:10 PM
seattlestew 15
Ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssshocking.
Posted by seattlestew on April 11, 2014 at 6:02 PM
17
@13: Because C is a useful language. But your basic point is well made. In some languages, memory management is so important the programmer must do it. In other languages, memory management is so important you don't let the programmer near it.
Posted by Christopher J on April 12, 2014 at 5:56 PM
Doctor Memory 18
@17: C is, to be sure, a useful language. If you want to write a weak clone of Multics to run on a PDP-11, there's really nothing better suited to the task. :)
Posted by Doctor Memory http://blahg.blank.org on April 13, 2014 at 5:52 PM
All contents © Index Newspapers, LLC