The NSA Denies Exploiting The Heartbleed Bug, What If It's Telling The Truth?

This post has 14 Replies | 0 Followers

Top 10 Contributor
Posts 26,798
Points 1,212,800
Joined: Sep 2007
ForumsAdministrator
News Posted: Sat, Apr 12 2014 3:18 PM
As Seth covered earlier today, Bloomberg has accused the NSA of benefiting from the Heartbleed OpenSSL bug. The NSA denies this in fairly strong terms. I'd like to draw attention to a different facet of the topic -- first, by discussing the semantics of the NSA's denial and then the wider impact of how that denial is perceived and what it means for the tech community as a whole.

The NSA's Denial is Surprisingly Straightforward

For the past year, the NSA's responses to the Snowden leaks have followed the same strategy: either the organization claims that its activities are legal, or it denies engaging in a similar (but distinct) activity from the one it's actually accused of perpetrating. A good example of this is the allegation that the NSA tapped undersea data cables from Google and Yahoo to intercept company data as it moved between server farms.

When asked if these allegations were true, General Alexander responded: "But I can tell you factually we do not have access to Google servers, Yahoo servers. We go through a court order." By refuting a claim that no one actually made, Alexander bet that the majority of readers wouldn't understand the difference between tapping the link between servers and tapping the servers themselves.

With that in mind, what's striking about the Heartbleed denial is that it's unusually straightforward. The NSA's formal response states:
Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.
This clear, specific statement is exactly what the NSA hasn't been willing to say in its previous remarks. That doesn't mean the organization is being honest, but the scope and severity of this flaw means that it's possible even the NSA would feel obliged to reveal it.

Unfortunately, the fact that we're discussing whether the NSA would actually help patch a bug or deliberately exploit it is, itself, evidence of how perceptions of the organization have changed. A recent (albeit unofficial) poll by Princeton Survey Research Associates found that the NSA was trusted less than Facebook or Google when it came to securing personal information, and that it was considered the organization most likely to violate individual privacy.

If corporations and the public no longer trust the NSA to be truthful about what it knows and when it knew it, the organization's role in the wider security ecosystem will be fundamentally compromised. Google and Yahoo responded to the data cable snooping by implementing end-to-end encryption within their data centers. Now, with every major security flaw, the first question is "Did the NSA arrange this or just benefit from it?"

Why No One Trusts The NSA

It's always been a given that the NSA had to balance the dual mandate of helping to secure the United States while finding ways to spy on targets using exploits and vulnerabilities in software. One of the most damning aspects of the Snowden leaks is the way the organization boasts of finding a legion of unpatched vulnerabilities and using those bugs to further its goals.

But the organization's responses to these leaks have been to alternately hide from the wider implications or to give false rebuttals to questions no one is asking. The general public may be fooled, but the technical press and engineers in Silicon Valley are not. It's no accident that this is the third OpenSSL vulnerability to be discovered in a matter of months; it suggests a broad research project aimed at locking down the holes the NSA has used to peer through windows.

In that sense, it doesn't matter if the NSA knew about Heartbleed or not. The agency has established a pattern of refusing to acknowledge a lie (General Alexander has referred to his remarks in front of Congress as the "least untruthful" answer), refusing to acknowledge known truths, and dismissing the concerns of ordinary citizens and Congressmen alike. It's not as simple as saying the NSA may or may not have lied -- the NSA is no longer trusted to understand the scope of the problem or care about the concerns of US citizens. The organization is playing by a different rulebook.
Top 500 Contributor
Posts 127
Points 950
Joined: Mar 2013

Heartland?

Not Ranked
Posts 1
Points 5
Joined: Apr 2014
GergIlly replied on Sat, Apr 12 2014 3:53 PM

bullshit

Not Ranked
Posts 12
Points 75
Joined: Feb 2014

ya sure. Its chief mission is to spy and deny.

Not Ranked
Posts 2
Points 10
Joined: Apr 2014

What if they EVER told the truth?

Not Ranked
Posts 5
Points 25
Joined: Apr 2014

Basically middle america if you will

Not Ranked
Posts 7
Points 50
Joined: May 2013

Actually, they are probably firing half their hackers for not discovering it sooner.

Top 500 Contributor
Posts 191
Points 1,280
Joined: Jul 2013

IF it's telling the truth, I'm the queen of the moon

Top 100 Contributor
Posts 1,083
Points 11,725
Joined: Jul 2009
Joel H replied on Sat, Apr 12 2014 5:05 PM

Fixed. Heartland was a different security issue.

Not Ranked
Posts 22
Points 170
Joined: May 2013

The sad thing is that you can't trust them to say that they're telling the truth even if they are. That's what happens when you tell bald-faced lies repeatedly. Boy who cried wolf-much? It's a very disappointing world where you can't trust the people who are supposed to protect and serve the People.

Not Ranked
Posts 3
Points 15
Joined: Apr 2014

stupid NSA.

Top 10 Contributor
Posts 8,775
Points 105,180
Joined: Apr 2009
Location: Shenandoah Valley, Virginia
MembershipAdministrator
Moderator
realneil replied on Sat, Apr 12 2014 8:42 PM

The only truth that they tell is what we find out without them, everyone already knows, and they ~~MAY~~ tell the truth then.

But we already knew this about them, so it's no surprise to anyone.

If you think about it, they're supposed to have secrets to function in their environment.

Dogs are great judges of character, and if your dog doesn't like somebody being around, you shouldn't trust them.

Not Ranked
Posts 2
Points 10
Joined: Apr 2014

If you believe them then you are dumber than I give you credit for lol. xD

Top 500 Contributor
Posts 164
Points 1,630
Joined: Nov 2010
MCaddick replied on Sun, Apr 13 2014 6:25 AM

It's a pretty definite statement this time, not like the Google/Yahoo datacenter access weasel-word denial. If this turns out to be untrue then any credibility they still have (not that there is a lot left) is dead, buried, cremated.

Why people put up with this is beyond my comprehension; a government is supposed to work FOR its employers (the people), not against them.

Top 100 Contributor
Posts 1,083
Points 11,725
Joined: Jul 2009
Joel H replied on Sun, Apr 13 2014 12:56 PM

In the past, the NSA operated in alliance with businesses, even if the two groups had different goals at times. The NSA was instrumental in implementing DES, it helped test AES and SHA-1. It contributed to SHA-2. These contributions were always scrutinized, but for decades the NSA was at least an occasional ally.

Under General Alexander, the NSA has embarked on a policy of treating Google, Yahoo, Microsoft, and Apple as effective enemies to be penetrated and spied upon -- even when it had full legal recourse to the information it sought. Furthermore, the organization has yet to produce any evidence that the data it gathered has resulted in convictions or stopped plots that could not have been halted through other, less invasive means.
