NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS

The tech world is aflutter over the Heartbleed encryption flaw in OpenSSL, but it seems that the bug was no surprise to the analysts of the NSA, since they have reportedly been using it for two years to spy on data traffic. Two sources familiar with the matter told Bloomberg that NSA staff picked up on the fatal flaw shortly …

COMMENTS

  1. A Non e-mouse Silver badge

    As Thom Brow mentioned in another thread: What can you actually get from this security hole? The private key appears to be highly unlikely.

    blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed

    1. The Man Who Fell To Earth Silver badge
      Boffin

      Agreed

      The Bloomberg report is probably NSA disinformation.

    2. Dave C

      Not so unlikely after all

      Within a day two people successfully met Cloudflare's challenge and obtained the private key from their test site by exploiting heartbleed.

      https://www.cloudflarechallenge.com/heartbleed

      1. Anon5000

        Re: Not so unlikely after all

        Loved their update in the blog:

        "This result reminds us not to underestimate the power of the crowd and emphasizes the danger posed by this vulnerability."

      2. The Man Who Fell To Earth Silver badge
        Boffin

        Re: Not so unlikely after all

        It took 2.5M hits on the servers. I hope Cloudflare's servers not noticing what is basically a DOS attack like that isn't indicative of Cloudflare's product effectiveness.

    3. Anonymous Coward

      Used it?

      They invented it.

  2. ecofeco Silver badge

    Protect?

    The ONLY thing ANY gov agency protects these days is the rich.

    We have the gov we deserve.

    1. Charles Manning

      Re: Protect?

      s/the rich/itself/

      If you think the NSA acts on the whims of Bill Gates, Warren Buffett or Prez Obama, you'd be severely wrong. The NSA will have probes into these people's lives.

      NSA has become like the KGB of old - completely above the law and any government oversight. They become paranoid: anyone outside the organisation becomes the enemy.

      Obama thinks he can rein them in with strict guidelines etc, but he is wrong.

      The only way the NSA can be managed is to shut them down, investigate the hell out of them, and criminally prosecute those that have not done. Half measures won't do it.

      1. ecofeco Silver badge

        Re: Protect?

        By the rich I meant the corporations.

      2. TopOnePercent Silver badge

        Re: Protect?

        NSA has become like the KGB of old - completely above the law and any government oversight. They become paranoid: anyone outside the organisation becomes the enemy.

        Sadly, all the NSA are likely to learn from the Snowden debacle, is that there is also the enemy within. I would expect far greater effort has gone into assuaging their paranoia with data compartmentalisation and audits than has been spent effecting behavioural change in their dealings with the wider world.

      3. Tom 13

        Re: Protect?

        The Big 0 has no interest in reining them in. It's how he gets data on HIS political enemies.

        1. Michael Wojcik Silver badge

          Re: Protect?

          The Big 0 has no interest in reining them in.

          Neither would any other POTUS. There's political sauce to be made from expressing sympathy with privacy advocates, outrage over infractions of civil rights, etc; but there's no pragmatic advantage for the nominal head of the Executive Branch to reduce the power of that branch. The only reason for a US President to actually try to restrict the NSA would be ideological, and that's not the sort of ideology that gets you elected.

          More importantly, there's no way the president could effectively control the intelligence apparatus at this point. It's firmly established and much too large for a presidential administration to survey effectively, much less police. The president could fire some of the top administrators (in theory; whether anyone would take the risk is another question), but that would have very little effect on day-to-day operations.

    2. Anonymous Coward

      Re: Protect?

      "We have the gov we deserve."

      No, you have the gov that they bought and paid for.

    3. dlc.usa
      Joke

      Re: Protect?

      As Alan Cox observed, Snowden should have run to the only place on Earth beyond the reach of U.S. law enforcement: Wall Street.

    4. Stuart 22

      Re: Protect?

      Protect themselves.

      The Twitter claim of knowing nothing until public disclosure is breathtaking. I mean by April 7th a patch had been written and committed for 1.0.1e, heartbleed.com had been registered for 3 days, there had been considerable correspondence between the Finnish company and the authors. Google had allegedly already patched its servers.

      And the NSA had not known this?

      Which leads to the conclusion they are incredibly incompetent or barefaced liars. Your choice.

      And if they lied about 2 days or 2 weeks how can one believe it wasn't two years?

  3. Forget It
    Mushroom

    sort these three words in order:

    FAN SH*T HITS

    1. John Brown (no body) Silver badge

      HITS SHUT FAN?

      1. Anonymous Coward

        SHOT HITS FAN ?

        1. Sir Runcible Spoon Silver badge

          HOT FAN SHITS?

  4. RobHib
    Facepalm

    "The NSA declined to comment on the report whether it was aware of the Heartbleed flaw or if it had used the flaw to spy on communications."

    Good journalism isn't necessarily unbiased. In these circumstances, you're both wasting time and calls on an already-known certainty.

  5. Len Goddard

    Not surprised, just disgusted

  6. Thoguht Silver badge

    "The open source community has been criticized for failing to spot the flaw, but it lacks the resources of the NSA, which employs hundreds of code checkers to find flaws in common code."

    I thought the whole point of open source was that countless numbers of NEETs were supposed to be sitting in their mommies' basements checking the code.

    1. Sureo

      @thought

      Code checking is a real drudge job and no one likes doing it. And if you don't have a concise specification it is nearly impossible.

      The steps for writing quality code are

      1. Write a spec

      2. Write a test plan based on the spec

      3. Write the code

      4. Conduct a code review

      5. Unit test the code.

      I wonder how many of those steps were followed in this case?

      1. Michael Wojcik Silver badge

        Re: @thought

        The steps for writing quality code are

        1. Write a spec

        2. Write a test plan based on the spec

        3. Write the code

        4. Conduct a code review

        5. Unit test the code.

        I wonder how many of those steps were followed in this case?

        Numbers 1 and 3. And the specification and code were written by the same person; and the specification says that the code should discard malformed requests, but it doesn't. So there you have it.

    2. SumDood

      "I thought the whole point of open source was that countless numbers of NEETs were supposed to be sitting in their mommies' basements checking the code."

      What that comment suggests is that the closest you've been to technical expertise is the lower echelons of mummy's-basement NEETdom.

  7. Anonymous Coward

    SHIT!!!

    So they know all about my flying car designs! In all seriousness - he who knows most is ruler and the 21st century makes no difference to that concept so fuck the cheesy peeping tom stuff thanks;

  8. Suricou Raven

    If the NSA knew about this bug, they are deliberately leaving innocent internet users exposed to malicious actors.

    If the NSA didn't know about this bug... what are they getting so much money for?

    1. Anonymous Coward
      Big Brother

      > ...what are they getting so much money for?

      To spy for their corporate pay masters of course.

    2. IanTP

      Even as I upvote this, I can hear the helicopters...

      1. Anonymous Coward
        Trollface

        @IanTP - "Even as I upvote this, I can hear the helicopters..."

        If they were really coming to get you, they would use the silent helicopters.

        Since you can hear them, that means they are just trying to scare you...

        1. Sir Runcible Spoon Silver badge

          "Since you can hear them, that means they are just trying to scare you.."

          Probably just a drone - ignore it

        2. DropBear Silver badge

          If they were really coming to get you, they would use the silent helicopters.

          So I was wondering - does remembering "Blue Thunder" mean that I'm an old fart now?

          Ehhh, on second thought... never mind answering that...

        3. Tom 13

          Re: Since you can hear them

          Nah, those are the news chopper so they can have film at 11.

    3. David Pollard

      If the NSA knew ...

      In just the same way that there isn't any obvious trace when a miscreant uses this method to try to collect data from a site, maybe the NSA had silently monitored selected sites to capture details of attackers who were exploiting the security hole. By allowing the leak of relatively non-critical data through what would in effect be a set of giant honeypots they could have been compiling details of their enemies.

      As to the costs, a) it wouldn't be their money; and b) this would go to show just how important their work really is.

      1. SumDood

        Re: If the NSA knew ...

        "By allowing the leak of relatively non-critical data through what would in effect be a set of giant honeypots they could have been compiling details of their enemies."

        Enemies = everyone not bunkered down with NSA?

    4. midcapwarrior

      "If the NSA didn't know about this bug... what are they getting so much money for?"

      Pretty sure open source code review is not high on the list of things they are getting paid for.

      1. Anonymous Coward

        > Pretty sure open source code review is not high on the list of things they are getting paid for.

        Since one of their primary mandates is the security and defense of American interests, and knowing full well that they have enormous Internet-related expertise and resources, I would be shocked to discover that the most widely used security protocol library used by pretty much all US websites had not been pored over with a fine-tooth comb for just this kind of thing, even if it is to find something that they could use themselves.

        It's not like the resources to do that kind of thing wouldn't even be on the cost radar for an organisation like the NSA.

        1. Michael Wojcik Silver badge

          I would be shocked to discover that the most widely used security protocol library used by pretty much all US websites

          I have to point out that the final phrase is a grotesque exaggeration. There are a great many websites which don't use SSL/TLS at all; and there are many which don't use OpenSSL - mostly the ones running IIS, but there are other competitors (GnuTLS, BSAFE, CyaSSL, Apple's implementation, etc) as well.

          "used by many US websites" is a reasonable formulation; "pretty much all" is not.

    5. Psyx

      "If the NSA didn't know about this bug... what are they getting so much money for?"

      So... you expect them to be utterly all-seeing and all-powerful, but at the same time take issue with the fact?

      *sometimes* several million people come up with stuff that several thousand highly trained professionals don't.

      It just happens.

  9. Eddy Ito Silver badge

    "One of the NSA's specific roles is to safeguard national communications and online security infrastructure"

    That seems a bit naive. Nowhere do they claim to protect individual/corporate communications or individual/corporate online security and why would they? As far as the NSA is concerned everyone and everything that isn't the U.S. government is a potential threat to national security and that includes its own employees. After all it's a post-Snowden world and you can't trust anyone since tear-wrists ar' eevy-whirr!

    1. Anonymous Coward

      So why didn't they tell the government?

      Either the Army, Navy, Air Force, Marines, Coast Guard, Congress, CIA, SS etc all were informed about this bug and fixed it - without the news leaking out. Or the NSA didn't tell them and has been risking the lives of our servicemen and women in combat by allowing secret details to be vulnerable to hackers.

      1. Eddy Ito Silver badge

        You tell me, only 26 U.S. Gov't servers were ever reported as vulnerable and best I can determine none of those were dealing with national security issues. The rest were either patched or not vulnerable in the first place. Of course they could all be like the desktops and running software a dozen years old, but that doesn't play to the story now does it?

        1. tom dial Silver badge

          The most likely reason that most US Government servers were not vulnerable to Heartbleed is that they were using OpenSSL versions earlier than 1.0.1 or, in some cases, were running Windows-based web servers, which do not use OpenSSL. That would include those associated with DoD or other agencies one might think of as involving national security.

          OpenSSL versions 0.9.8 and 1.0.0 (not vulnerable) both appear to be actively maintained and so could be used within the government.

          1. Yet Another Anonymous coward Silver badge

            Or they weren't using SSL at all because it's illegal for un-authorized users to access a government server so there is no need for any security !

          2. Eddy Ito Silver badge

            Sure, they could be using 1.0.0 or GnuTLS, CyaSSL, PolarSSL or a bunch of others. Somehow since most all the packages comply with NSA Suite B and the NSA did do a bunch of work on SELinux I have to believe they know their stuff. If you read carefully I never said either way if they knew about it beforehand or not. My point was, and still is, that the NSA isn't in the "protect your bank account, communications to mom, instagram sessions and Google data slurps" because those functions aren't in the national interest no matter how important we think we are.

            The NSA isn't going to prevent you from taking a shiv in the kidney in a dark alley but they might be able to do something about the incoming attack helicopter or guided missile frigate. I'll let the conspiracy experts argue about who knew what and when. Perhaps naive was the wrong word, I should have used vain or immodest.

            1. Ken Hagan Gold badge

              "NSA isn't in the "protect your bank account[...]" because those functions aren't in the national interest no matter how important we think we are."

              You must have missed the financial crash a few years ago. A way of pulling down small numbers of bank accounts is not a problem. A way of hoovering up credentials quietly until you have a million or so accounts that you can vaporise in one night of action would be untargeted but definitely a threat to the nation's well-being.

              1. Eddy Ito Silver badge

                If the FDIC and NCUSIF had to start paying out huge sums, the NSA might have a look after the Secret Service and FBI asked for their help. Even then given the average account balance runs around $6,000 and 56% have total savings under $25,000 someone draining a million accounts is only getting 6 to 25 billion dollars. Sure, it would sting and a million or so people would be hurting pretty badly for a while and yes it's a substantial fraction of the intelligence budget but it still wouldn't qualify as being in the national interest even though it's near the same scale as the auto company bailout during that financial hiccup you speak of.

                Of course it could be targeted to the wealthiest million people or corporations but to move those kinds of assets it would likely take a state sponsor and, like Mount Rushmore, it would be pretty hard to hide overnight. Likewise, no, the FBI isn't going after the random shop lifter pocketing a pack of gum, a turkey or even a watermelon because it's not what they do either.

                1. Sir Runcible Spoon Silver badge

                  "but it still wouldn't qualify as being in the national interest "

                  Even factoring in the financial instability caused by a massive hack of this kind? Do you think all those big bank account holders would just leave their money there for the taking? They run like fuck to someone else, probably taking the bank down with them.

  10. Fink-Nottle

    > Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.

    The statement begs the question: Is NSA aware of any other vulnerabilities in OpenSSL?

  11. Notas Badoff
    FAIL

    Bloomberg: "... two people familiar with the matter said."

    But they didn't mention it before everyone knew about it. When they might have had some credibility, y'no?

    Flash! Alert! Lisbon will be destroyed in a 9.0 earthquake!

    Well okay, I'm a few hundred years late there. How about:

    Major news! Russia invades Ukraine, says they are liberators!

    Am I 69 years late or 69 hours too soon?

  12. Anonymous Coward

    Smelling bullshit

    Having discovered a pretty obscure (if elegant) vulnerability so soon after it was introduced and before the affected code was widely deployed in the field would suggest a level of efficiency most unlike any governmental institution.

    From the same people who let any old sysadmin walk away utterly unnoticed with terabytes of their data (OK, not exactly theirs)?

    1. Anonymous Coward

      Re: Smelling bullshit

      Looking for exploitable holes in encryption implementations is the NSA's mandate and they have a massive budget and labour force and tools to do this. Their resources are far greater than those of the guys who write and maintain openssl in the first place.

      It's their **job** to specifically look for this stuff, and, yes, with every new release. Why? Because with a new version, especially a significant one, you get new errors, and thus new potential opportunities for exploits.

      Sure, we don't know if the NSA found the bug right away. Maybe they didn't. But even if they found it 6 months after release of 1.0.1, that still leaves about 18 months of exploitation fun.

    2. Michael Wojcik Silver badge

      Re: Smelling bullshit

      Having discovered a pretty obscure (if elegant) vulnerability so soon after it was introduced

      All they'd need to do is have one person watching the commit logs for OpenSSL and reviewing the committed changes. It's not a big job; there isn't that much commit activity for OpenSSL. And the bug is hardly obscure. As I've noted in other threads, anyone who's ever written a Wireshark dissector, for example, ought to be able to spot it almost immediately. Dealing with malformed self-describing data from the peer is a given in comms programming.

      and before the affected code was widely deployed in the field

      Presumably because they would have found it by inspecting the source. It could be found by pen-testing the binaries (fuzz-testing the TLS Heartbeat functionality in particular), but source inspection is a more likely route in this case. I don't think this bit makes the story any less plausible.

      would suggest a level of efficiency most unlike any governmental institution.

      Pfft. All you need is one programmer with decent code-inspection and debugging skills assigned to look for vulnerabilities in OpenSSL. If that employee is any good, he or she is following the OpenSSL discussion lists and watching the commit log.

      This is a trivial job compared to most of what the NSA is responsible for, if they want to fund such a position. That's really the question. If they have such a position, and they didn't know about Heartbleed, then they should be looking closely at whomever they're paying to keep an eye on OpenSSL.

  13. JLV Silver badge

    wonder if that's true and what the fallout will be if it is

    To start with, I don't usually pay much attention to the NSA this and NSA that chatter that goes on these forums. Yes, I agree with Snowden and yes, the intelligence agencies abuse their remit, likely to not that much benefit compared to the loss of liberty. Western democracies should revert back to peacetime investigative behavior and follow judicial procedures.

    But the actual end result for myself? Not that relevant day to day. I don't like it, but I am not going to spend all day being outraged about it. I suspect this is what a large part of the public feels as well. Whether or not that's an attitude that is ethical is up for debate.

    Why, if this turns out to be true, could this change everything?

    Suppose it turns out that the NSA did know about this (or any major system-wide bug with a huge potential for mischief to the general public, corporations and indeed the US govt at large). Suppose it then just sat on the knowledge, happily ignoring the risk to all these _US_ individuals and organizations.

    Given the potential for misuse of Heartbleed and the time it has been active, how exactly could it claim to be protecting the interests of the average US citizen then? Will those same citizens, if they, or someone they know, have been affected by identity theft or fraud, blame the NSA's laissez-faire? What about criminal groups funding terrorism precisely through this flaw? What about espionage by foreign countries? What will Joe Average think about having to change his passwords, while knowing that the cops did nothing?

    IF they knew, this would be a practical demonstration of blatant day-to-day disregard for the well-being of all its own citizens. Hopefully, though I'm not holding my breath, they should be held accountable by Congress* if it turns out to be true, and people should lose their jobs.

    Canada's Revenue Agency shut down some/all SSL parts of its site yesterday, right during tax season. They may yet turn out to be over-reacting (don't think so myself), but the point is that, at this level of risk, government agencies do have responsibilities beyond their immediate remit.

    * If they knew as well, the same questions would apply to all our pet counter-terrorism "protectors", be they GCHQ, Canada's CSIS or the French DGRS or whatever it's called. Sadly, for all the criticism the NSA warrants, at least they get some flak; other countries' agencies tend to get an even freer pass.

    1. Anonymous Coward

      Re: wonder if that's true and what the fallout will be if it is

      "Western democracies should revert back to peacetime investigative behavior"

      Brilliant, Madam or Sir, brilliant. (even though "behaviour" has troubling spelling...) That's exactly the issue.

  14. Annihilator
    Happy

    "The NSA has now said it knew nothing about the Heartbleed bug in a brief statement on Twitter."

    Cool, that's that settled then.

    1. tom dial Silver badge

      Seems to me at best a draw. Two unidentified informants say one thing and an NSA spokesperson says something to the contrary. It is far from obvious why one source should be considered more credible than the other.

      1. Ole Juul

        NSA credibility?

        "It is far from obvious why one source should be considered more credible than the other."

        You didn't mean that did you?

        1. tom dial Silver badge

          Re: NSA credibility?

          I did indeed "mean that". It comes down to a matter of trust.

          Are anonymous spokespersons for the NSA and DNI worthy of trust? Probably not very much.

          Is Michael Riley (whom I do not know) paraphrasing two unnamed sources worthy of trust? Again, probably not very much. And the incorrect and misleading description of the Heartbleed flaw in Riley's article, while irrelevant to the claim about the NSA, still does not engender confidence in the diligence of his research or his (or Bloomberg's) fact checking.

          Does any of the sources have a reason to lie or shade the truth? You bet they do, and motives are easily guessed.

          Is either claim easy to verify? No.

          Is "not very worthy of trust" in the first case roughly comparable and independently indistinguishable from "not very worthy of trust" in the second? I think it is, pending availability of actual evidence.

      2. Anonymous Coward

        Because one source has an extensive recent history of deep untruthiness.

        1. Psyx

          "Because one source has an extensive recent history of deep untruthiness."

          Whereas 'unnamed sources' have?

          'Unnamed sources' is newspaper talk for 'we made it up and this way we don't have to give a citation or be legally accountable'.

          If pressed on the matter, they can claim it was a mate in the pub who empties dustbins.

        2. Michael Wojcik Silver badge

          Because one source has an extensive recent history of deep untruthiness.

          I think you'll find both sources (the NSA and unidentified informants cited by the press) fall into that category. Yes, anonymous whistleblowers and deep sources often provide information that is later borne out by investigation or the gradual uncoverings of history; but they also often provide misinformation, fantasy, or simple error.

          As I noted above, I don't think it's at all implausible that the NSA knew of Heartbleed, and indeed I'd be a bit disappointed in them (however relieved) to find out they didn't; incompetent evil is so depressing. But I put no more credence in Bloomberg's unnamed sources than I do in official statements from the NSA.

      3. Anonymous Coward

        > It is far from obvious why one source should be considered more credible than the other.

        Except that at least one of them has form for very publicly telling outright lies to congress.

  15. Jim O'Reilly

    Did the NSA write this bug?

    The hole is so elegant and so widespread that you would wonder if NSA wrote it.

    If indeed they failed to act, that implies they didn't see this as a threat to any national data, which suggests they knew it wasn't originated overseas or by black hat types. That means they are likely the perps!

    1. tom dial Silver badge

      Re: Did the NSA write this bug?

      The hole is not "elegant". It is a programming error.

      Unless, of course, you consider the OpenSSL maintainers to be the NSA or in the employ of the NSA.

      1. Ken Hagan Gold badge

        Re: Did the NSA write this bug?

        It is "elegant" in the sense that it does not adversely affect clients that send well-formed packets, it will never (for sufficiently small values of packet length) crash the server, is pretty unlikely to do so for larger values, and you can just set up a server farm hoovering up data from zillions of targets 24/7 for a few years and see what turns up. It costs you nothing more than the leccy bill.

        Given their resources and their mission, they (and like-minded agencies in other countries) ought to have people reviewing the changes being committed to OpenSSL, as they happen. If they didn't spot the flaw within a week or two of it being committed then they should be asking themselves why.
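Both the earlier point that the specification requires malformed heartbeat requests to be discarded (and the code did not) and the point just above that well-formed packets are unaffected come down to a single missing length check. The following is an added illustration, not code from OpenSSL or from any commenter: a simplified heartbeat echo in its unchecked and checked forms, run over a constructed 64-byte arena that stands in for process memory. The record layout follows RFC 6520; the arena contents, the `build_arena` helper and all function names are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message body per RFC 6520: 1-byte type, 2-byte payload_length,
 * the payload, then at least 16 bytes of padding. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define ARENA_LEN      64

/* Constructed test data (an assumption, not real traffic): a 64-byte arena
 * stands in for process memory. The heartbeat record occupies the first
 * *record_len bytes; a marker string after it plays the role of unrelated
 * data that merely happens to sit next to the record. */
static void build_arena(unsigned char *arena, size_t *record_len,
                        uint16_t claimed_len)
{
    static const unsigned char payload[4] = {'p', 'i', 'n', 'g'};
    memset(arena, 0, ARENA_LEN);
    arena[0] = 0x01;                                  /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);     /* peer-supplied length */
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER_LEN, payload, sizeof payload);
    *record_len = HB_HEADER_LEN + sizeof payload + HB_MIN_PADDING;   /* 23 */
    memcpy(arena + *record_len, "ADJACENT-SECRET-DATA-0123456789", 31);
}

/* Unchecked form: the peer-supplied length is trusted and never compared with
 * how much was actually received, so the copy runs past the record. The clamp
 * to arena_len exists only so this demonstration stays within defined
 * behaviour; the real defect read whatever happened to follow in memory. */
static size_t echo_unchecked(const unsigned char *arena, size_t arena_len,
                             unsigned char *out, size_t out_cap)
{
    uint16_t payload_len = (uint16_t)((arena[1] << 8) | arena[2]);
    size_t n = payload_len;
    if (n > out_cap) n = out_cap;
    if (n > arena_len - HB_HEADER_LEN) n = arena_len - HB_HEADER_LEN;
    memcpy(out, arena + HB_HEADER_LEN, n);
    return n;
}

/* Checked form: if header + claimed payload + minimum padding does not fit in
 * the received record, the request is malformed and is discarded silently, as
 * the specification requires. Returns bytes echoed, or 0 when dropped.
 * A well-formed request is handled exactly as before, which is why honest
 * clients never noticed any difference. */
static size_t echo_checked(const unsigned char *record, size_t record_len,
                           unsigned char *out, size_t out_cap)
{
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING) return 0;
    uint16_t payload_len = (uint16_t)((record[1] << 8) | record[2]);
    if ((size_t)payload_len + HB_HEADER_LEN + HB_MIN_PADDING > record_len) return 0;
    if (payload_len > out_cap) return 0;
    memcpy(out, record + HB_HEADER_LEN, payload_len);
    return payload_len;
}

/* Bytes the unchecked path copies from beyond the record for a given claim. */
static size_t bytes_leaked_by_unchecked(uint16_t claimed_len)
{
    unsigned char arena[ARENA_LEN], out[ARENA_LEN];
    size_t record_len, n, in_record;
    build_arena(arena, &record_len, claimed_len);
    n = echo_unchecked(arena, ARENA_LEN, out, sizeof out);
    in_record = record_len - HB_HEADER_LEN;
    return n > in_record ? n - in_record : 0;
}

/* Bytes the checked path echoes for the same claim (0 means discarded). */
static size_t bytes_echoed_by_checked(uint16_t claimed_len)
{
    unsigned char arena[ARENA_LEN], out[ARENA_LEN];
    size_t record_len;
    build_arena(arena, &record_len, claimed_len);
    return echo_checked(arena, record_len, out, sizeof out);
}

int main(void)
{
    const uint16_t claims[3] = {4, 32, 65535};
    for (int i = 0; i < 3; i++)
        printf("claimed %5u: unchecked leaks %2zu bytes, checked echoes %zu\n",
               (unsigned)claims[i], bytes_leaked_by_unchecked(claims[i]),
               bytes_echoed_by_checked(claims[i]));
    return 0;
}
```

With the honest claim of 4 both paths echo the same 4 bytes; with an inflated claim the unchecked path copies bytes from past the record while the checked path drops the request.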

    2. Psyx

      Re: Did the NSA write this bug?

      "The hole is so elegant"

      No it's not.

      "you would wonder if NSA wrote it."

      Only if ill-equipped with facts and predisposed towards such an opinion. It's certainly not one that it would be easy to come to without a hefty bias towards conspiracy.

      "If indeed they failed to act, that implies they didn't see this as a threat to any national data"

      Assuming they knew about it, which is hell of a leap. "Something exists ergo the NSA know about it and if they don't, they suck" is a completely irrational and illogical response.

      "which suggests they knew it wasn't originated overseas or by black hat types. That means they are likely the perps!"

      Assumption based on assumption.

      Odd how it conforms to your existing opinion.

  16. DougS Silver badge

    The NSA needs to be split up

    Having one organization that is (supposedly) responsible for helping secure the US internet infrastructure and for spying has conflicting goals.

  17. Anonymous Coward

    The tech world is aflutter over Heartbleed encryption flaw?

    That's at least TEN separate stories on Heartbleed, we got it OK, "open sores" isn't secure ...

  18. btrower

    Time to fess up

    There is a programmer out there that made the first commit with the bug in it. Who is it? They need to come forward and state for the record whether or not it was done under orders.

    As much as I favor une feuille d'étain chapeau, my instinct is that this is just a bug. Even so, the NSA absolutely has dirt all over its hands when it comes to the state of network security.

    Regardless of their role in Heartbleed I am quite convinced that there are a large number of 'law enforcement' types that belong behind bars.

    I am not sure how you shut down a military industrial complex backed by years of half-trillion dollar budgets and sitting on weapons that can destroy the world, but maybe we should try before they start weaponizing graphene.

    1. bpfh Bronze badge
      Headmaster

      Re: Time to fess up

      .Chapeau en papier d'alu

      > fix'd

      1. moiety

        Re: Time to fess up

        Paper hat in garlic?

    2. arctic_haze Silver badge

      Re: Time to fess up

      > There is a programmer out there that made the first commit with the bug in it. Who is it?

      It isn't rocket science to find that out in an open source project. The author of the commit was Robin Seggelmann and its reviewer Dr. Stephen Henson of OpenSSL.

    3. Anonymous Coward

      Re: Time to fess up

      You need to read more.

      There have been stories for the last 20 hours about the guy who wrote it apologising and saying he made a mistake and that he is mortified blah blah blah.

      I sincerely doubt the NSA knew about this, given the amount of damage to America's corporate political machine (Amazon, Microsoft, Walmart etc) foreign intelligence agencies (thinking specifically certain Communist Far East countries) could do using it. Although people can go "ah but they could have spied on their own people using this", the risk of others using it would have been too high. Far better to just nobble the certificate issuers to get a shadow copy of the private keys and leave the protocol itself "secure".

  19. Anonymous Coward

    No proof but I wouldn't be surprised if it were true

    Part of the NSA's job is to look for exploits exactly like this, and then use them for spying rather than report them. It doesn't matter if the NSA knew about this specific exploit. They most certainly know about, and regularly use hundreds of others that are just as powerful and just as harmful to the general public and to international commerce. And if any of those come to light, you can bet that the NSA will deny knowing about them too, even when questioned by Congress.

    All of this is showing that Snowden was right: the NSA's irrational and obsessive focus on total surveillance is undermining their mandate to protect American cybersystems.

    As is becoming increasingly clear, the NSA has done more economic harm to the U.S. than any foreign actor in recent history, aside from perhaps China.

    1. Ken Hagan Gold badge

      Re: No proof but I wouldn't be surprised if it were true

      "As is becoming increasingly clear, the NSA has done more economic harm to the U.S. than any foreign actor in recent history, aside from perhaps China."

      I don't wish to be too cynical here, but in peacetime it is generally true that the main damage to a country's interests comes from the incompetence of its own government. They have so much more power than any other actor and yet they are subject to all the usual human frailties and incompetence.

  20. them

    EFF reports additional evidence that heartbleed was already being exploited by spooks in 2013

    https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013

    Not conclusive on its own, but still another piece of evidence pointing to our "democratic" surveillance infrastructure betraying the public interest, and exploiting rather than reporting security holes.

  21. John Tserkezis

    "One of the NSA's specific roles is to safeguard national communications and online security infrastructure"

    Yeah, and the other is to monitor the national communications and online security infrastructure.

  22. AussieCanuck46

    Who Knew?

    If the NSA claims they didn't know about the Heartbleed bug isn't that an admission that they knew about it?

    By the way, are my submissions to El Reg completely secure? I wouldn't want my government to know that I'm a subversive.

    1. Chemist

      Re: Who Knew?

      @ AussieCanuck46

      "I wouldn't want my government to know that I'm a subversive."

      Don't use your real name then!

    2. midcapwarrior

      Re: Who Knew?

      "If the NSA claims they didn't know about the Heartbleed bug isn't that an admission that they knew about it?"

      Say what?

      So if they claim they did know about it would that be an admission that they didn't?

      1. arctic_haze Silver badge

        Re: Who Knew?

        NSA already works like an institution from Russia.

        And it was a 19th century Russian diplomat who said "I don't believe in news that has not been denied".

  23. Chad H.

    So the NSA say they didn't know about it... this isn't one of those "We don't know about it because we called it something else" things they accused the big tech companies of doing is it?

  24. Anonymous Coward
    Anonymous Coward

    Deny and still be damned

    The NSA can deny they knew till they're blue in the face and still no one will believe them unless they're pre-inclined to do so; after all, they can't prove they didn't know, and they do have copious form.

    Given that the NSA has a habit of making up its own rules then not sticking to them anyway, I'm personally going to enjoy seeing them with their nuts firmly clamped in a vice on the basis of innuendo, a tactic they and their spook compatriots have been happy enough to visit upon their opponents down the years - enough of what they did verifiably do is worthy of shutting them down for anyway. I certainly hope the irony of being strung for being untrustworthy rather than for provable misdeeds isn't lost on them.

    America's facile obsession with 'security' on its own skewed terms turns out to have delivered anything but that for most people, merkin or not, and I hope that isn't lost on anyone either when we're rethinking what 'security' actually means.

  25. Marketing Hack Silver badge
    Unhappy

    The problem with the NSA's denial is that they no longer have any credibility

    They were obviously taking advantage of the vulnerabilities in iOS and Windows before they were public. And they were taking advantage of the unencrypted traffic traveling between Yahoo! and Google datacenters before that vulnerability was made public. So why not Heartbleed too?

    I don't KNOW that the NSA knew about Heartbleed and exploited the vulnerability instead of closing it. But the one indisputable fact is that IF the NSA (or any of the other 5 Eyes or Western SigInt agencies) were exploiting Heartbleed, the first thing they would do when queried about their use of it would be to "lie & deny" to protect a classified SigInt program. That's where we are now.

  26. thomas k.

    NSA denies exploiting this bug ...

    Power Point slides confirming their having done so should appear in the next few days then.

  27. Bradley Hardleigh-Hadderchance
    Trollface

    In other news...

    The Queen of England denied reports she has been shagging her beloved Corgis for decades.

    "Any similarity between my beloved and Prince Charles is purely coincidental," said her Maj.

  28. Anonymous Coward
    Anonymous Coward

    Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.

    That's a statement from a public affairs department, I suspect they know very little about what the NSA really knows, or doesn't know.

    You have to remember you're talking about an organisation whose director knew so little about what they did and didn't do/know that he effectively lied to the Congressional oversight committee.

    Do you really think their Public Affairs department have any idea about what the NSA do or know?

    1. Pseudonymous Coward

      > You have to remember you're talking about an organisation whose director knew so little about what they did and didn't do/know that he effectively lied to the Congressional oversight committee.

      I thought he knew full well what was going on and purposely answered "no", later explaining that his "no" answer as to whether data on millions of Americans was collected had been due to a fascinating definition of the word collect from the "1982 Department of Defense Procedures Governing The Activities Of DOD Intelligence Components That Affect United States Persons":

      "Collection. Information shall be considered as ‘collected’ only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties….Data acquired by electronic means is ‘collected’ only when it has been processed into intelligible form."

      In other words, when they only collect data and machine-scan it that doesn't count as collected. It's only collected once it's been used by an employee.

  29. Winkypop Silver badge
    Facepalm

    Sick and tired

    Of explaining this to family and friends.....my heart bleeds!

  30. Robert Carnegie Silver badge

    Maybe I'm naive,

    but if the NSA had this, would they have needed to do all or any of the other bad things we recently learned they were doing?

    1. Richard 12 Silver badge

      Re: Maybe I'm naive,

      What makes you think this isn't one of the methods they were using?

      They aren't going to list descriptions of vulnerabilities in use on PowerPoint slides meant for the higher ups.

      Basically, if the NSA did not know about this before public disclosure then they are incredibly incompetent because it's something they claim to be doing, and if they did know about it, then how long do they sit on vulnerabilities like this before nudging someone else to disclose?

      1. Psyx

        Re: Maybe I'm naive,

        "Basically, if the NSA did not know about this before public disclosure then they are incredibly incompetent because it's something they claim to be doing"

        How the heck do you expect the NSA to find every security flaw before the rest of the entire planet?

        If I walk into your office and spot a way of doing something better, does that mean you are incompetent? By your measure it does.

        1. Ken Hagan Gold badge

          Re: Maybe I'm naive,

          "How the heck do you expect the NSA to find every security flaw before the rest of the entire planet?"

          I don't, but...

          There are relatively few SSL suites in widespread use and pretty much all secure communication on the internet is built on top of them, so they are pretty important. OpenSSL happens to be open source, but that's probably not an issue since I'm sure the necessary arms can be twisted if the NSA want a look-see at Microsoft's crypto libraries. If the NSA, with a budget in the billions, doesn't have a team poring over these suites then someone needs to have their employment contract reformatted.

          I expect that team to find a buffer overrun vulnerability in a codebase that lies square in the middle of their competence within a couple of years of it being published. Whether that is before the rest of the world is another matter entirely. I also assume that several other nations have teams doing much the same, so they might get there first.

  31. raving angry loony

    It's obvious

    They've officially denied it. This proves, beyond any reasonable doubt, that they actually did do it.

  32. Anonymous Coward
    Anonymous Coward

    At least El Reg is not vulnerable

    It doesn't use HTTPS and has us send our forum username and password in clear text. Makes it far easier to obtain without any of that pesky encryption.

  33. Crisp Silver badge

    Anything prefixed with "NSA denies"

    Can be taken as the gospel truth.

  34. fpx
    Devil

    Re: "NSA was not aware of the recently identified Heartbleed vulnerability until it was made public."

    Of course not. The internal codename for this vulnerability was not "Heartbleed."

    1. Sir Runcible Spoon Silver badge

      What would that statement mean if the 'Heartbleed vulnerability' wasn't recently identified (by the NSA)?

      "Oh, you mean the Heartbleed vulnerability we identified 18 months ago? Well, why didn't you say so?"

  35. Psyx

    "NSA was not aware of the recently identified Heartbleed vulnerability until it was made public."

    ...and someone isn't getting their bonus because of it.

  36. Yugguy

    Spies in "Did some spying" shocker.

    1. Anonymous Coward
      Anonymous Coward

      I love how comments such as this completely ignore the changing reality of spying in the modern world.

      In years gone by it cost substantial money to track and spy on individuals meaning that it was impractical/impossible to conduct mass surveillance on a truly large scale. That limiting factor led to limited targeted spying.

      With the cost of mass surveillance having plummeted over the last few decades it is now technically/financially practical to spy indiscriminately on large amounts of people and the need to target your surveillance is reduced.

      To ignore this reality is to ignore the modern ethical questions that massive state surveillance has introduced.

      If it was discovered that the police were using some ethically questionable methods to conduct their work, would you also say - Police in "Did some policing" shocker..... Nice way to completely sidestep the difficult questions....

Biting the hand that feeds IT © 1998–2019