Report: NSA Knew of, And Exploited, Heartbleed Bug for Two Years

008Zulu_v1legacy

I am not surprised by this. I mean it, I have been surprised at the levels they will stoop to, but it desensitizes you after a while. The only thing that would surprise me about them at this point would be if they didn't have Hitler's brain in a jar talking to them through a computer.
 

RJ 17

CriticalMiss said:
But didn't Google also know about it and apparently not think to tell anyone?
My understanding is that Google and the US Government are hand-in-hand walking through a field of daisies at this point, so I honestly wouldn't be surprised.

Also: Snowden or it didn't happen. :p

Take it away, EDI
EDI: "....that was a joke."
Thanks EDI, I just wanted to be clear.
 

Yabba

kael013 said:
NuclearKangaroo said:
boy do I really need to spell it out?

why do the american PEOPLE, the CITIZENS, allow the NSA, to invade their privacy without consent, and abuse system bugs to gain information, again, without consent, compromising the security of the data of these people, as well as their privacy, like I said


and since USA isn't the only country that uses the internet and most internet traffic goes through USA, NSA activities also compromise the security and privacy of the people around the world
Boy, does this really need to be spelled out? Because we don't know what they are doing. That's the whole bloody point of spies - to gather intelligence without the other side knowing. What do you propose we do? Have the NSA regularly release a document of all their findings? That would undermine the (slimy) organization's entire purpose. I guess we could protest, that worked soooo well after the Snowden deal. Oh, wait, no it didn't; another bs PR job was created and the NSA was smacked on the wrists. Maybe it's just my cynicism boiling over, but with both parties being effectively the same and assuredly almost completely corrupt, there is little the American people can do except wait until the government pushes too far and we can rebel, overthrow, and rebuild it (as is our right by the Constitution).

As for the whole consent thing, that's... stupid. "Hello, NSA? could you please not look up anything that has to do with me? Thanks." "Hmmm, I wonder what he's trying to hide..."

Beyond that, the NSA is an American government department; in other words, why should they care about compromising the rest of the world? That'd make their job easier, in fact.

And finally, only 2 anonymous sources are saying this. We have no idea if they were exploiting this for 2 years. I don't mean for all this to sound mean or to defend the NSA (I despise them), but examine the evidence before jumping to conclusions please.
About the politicians agreeing, normally I say "No, the parties have two different ideals and stop being so cynical." However, after seeing how both parties (one of which says they are totally against government in the citizens' lives, and the other one which says that they are for the people who can't defend themselves) didn't even really oppose this, I lost hope. The only reason why a few spoke against it was for public appeal. It is truly disgusting.
 

Living Contradiction

Yawnity yawn. And the NSA kept a secret that allowed it to exploit others. In other news, politicians lie (except when they don't, because PR), birds fly (except kiwis, because kiwi), and those with power use it to screw over those that don't have it (except for people who care about others, because human condition).

Folks, if the NSA knew about this for a couple years, chances are that quite a few other entities knew about it too and used it merrily to make large amounts of money and spam. Since the NSA is an all-time favourite target for computer-related blame, behold! The press has found a trusty scapegoat to give to the public as a reason to stop panicking about Heartbleed so they can focus on the next shiny abomination.

Pay no attention to those exploiting the bug for profit or other forms of material gain! It's much more fun to blame the NSA, those creepy weirdos.
 

Bvenged

I understand the distrust of the NSA right now, but isn't it getting a little out of hand to think they do absolutely every little thing revolving around the internet?

At this point, I bet if we find little gremlins living in the internet, news would break that the NSA put them there.
 

cookyt

lacktheknack said:
Actually, it's not their job to find and fix glitches in security protocol. That's the DEV'S job.
I just want to address this. If the NSA had knowledge of the bug (and I'm not saying they did), then I would say that they should have reported or submitted a patch for it. From a moral standpoint, it's best for the overall security of the net, and from a practical standpoint, the potential damage to the US of letting this bug stay in the code (from a security and financial standpoint) would be much more than the potential benefits of leveraging it. So, while you're right that it's not their job to find/fix the glitches, I would say that they're obliged to act on it if they happen to stumble across it.


Aside from that, why is everyone jumping to conclusions here? We have a single source of dubious validity that says that the NSA knew about the bug. While their denial says nothing about the truth (I wouldn't put it past them to do something like this, but I would assume they would deny it even if it were true as most data gathered from exploiting this bug would likely be illegal, and them admitting to using it would contribute against their case in the inevitable investigation), we should still make sure that our information is credible to a certain degree before pointing fingers.
 

flying_whimsy

cookyt said:
Aside from that, why is everyone jumping to conclusions here? We have a single source of dubious validity that says that the NSA knew about the bug. While their denial says nothing about the truth (I wouldn't put it past them to do something like this, but I would assume they would deny it even if it were true as most data gathered from exploiting this bug would likely be illegal, and them admitting to using it would contribute against their case in the inevitable investigation), we should still make sure that our information is credible to a certain degree before pointing fingers.
The public has already found the NSA guilty because there is nothing the NSA can do to assure anyone of their innocence in this: any denial they make or proof they provide will be doubted and their previous record of behavior points towards what they are accused of rather than their innocence from it. There's also a certain amount of irony in the fact we assume the NSA is guilty as that is what they assume of us by spying on us.

Also, they have effectively painted themselves into a corner wherein (as you mentioned) if they did admit to it they would add further fuel to whatever investigations would come up in the future while any denial they make is instantly discounted in light of their history.

The NSA is in a no-win scenario here and unless some major reforms that include some form of transparency happen, they'll have to keep facing more and more of these issues as time goes on. If they don't change voluntarily, resentment from these scandals will eventually boil over and someone will make them change.
 

EiMitch

This information comes from Bloomberg, which spoke to two sources familiar with the matter.
Who were those sources? They're anonymous! Sorry, but that's not enough to convince me.

It's not that I want whistleblowers to expose themselves, and I don't deny that anonymous whistleblowers have done good in the past. But I do need more than their word in order to believe. I need some kind of corroborative evidence that they're legit whistleblowers rather than bs made-up by Bloomberg. What evidence does the article provide? Leaked documents or other records of NSA activity? Or something else? Anything at all?

There is no trace of evidence of the NSA doing squat in the article at all. Just rehashing of what Heartbleed is and what the NSA, or anyone else with nefarious intent, hypothetically could've done. But no solid proof, nor circumstantial proof, nor even fake proof. We're to just take the word of two "sources" that may not even exist for all we know. Again, that isn't enough to convince me that this is anything more than tabloid-style click-bait.
 

BoogieManFL

Something you all need to remember - this is just a rumor. It may be true, and it may not be true.

Neither would surprise me in the slightest however.
 

McMullen

What I'm wondering is why the staff of the Escapist still haven't addressed the fact that this site is vulnerable. Sure, there's not much harm apparent in having your Escapist password stolen (assuming you're not foolish enough to use it anywhere else), but it's still kind of negligent to leave your users open to that kind of thing.

Or does the Escapist keep payment info for their premium members? In that case, wtf are you guys doing?!
 

Riverwolf

I do feel the need to point something out: I actually wanted to check if Heartbleed has even been around for two years just to see if it's even conceivable for the NSA to know about it for that long. As much as I hate the NSA, I actually found myself wanting the Heartbleed bug to only be a few months old, if only to throw a wrench into propaganda (which I think is evil) and twitch-reactions (such as the one I had earlier in this thread) in order to keep focus on their real crimes rather than fake ones.

The search engine I use, Startpage, links to a CNET article about Heartbleed, which states:

The bug afflicts version 1.0.1 and 1.0.2-beta releases of OpenSSL, server software that ships with many versions of Linux and is used in popular Web servers, according to the OpenSSL project's advisory on Monday night. OpenSSL has released version 1.0.1g to fix the bug, but many Web site operators will have to scramble to update the software. In addition, they'll have to revoke security certificates that now might be compromised.
(Can someone tell me how to do numbered annotations? I'd like to also point out that the article links to a web tool which checks a domain for vulnerability; it wasn't able to get to escapistmagazine.com, indicating that this site could be safe, but it can't be sure. This is the tool: http://filippo.io/Heartbleed/ )

So I checked the release dates for version 1.0.1, and it turns out the first release of that version was on March 14, 2012.

So... yeah, it's entirely conceivable that they knew about it from the beginning and have been using it. Gotta admit, I'm disappointed. If this is a fake scandal, whoever came up with it did their homework.
 

TaboriHK

I honestly would be surprised if they didn't. It's basically free rein to take information on a mass level, and for the NSA (and also the rest of the world), information is power.
 

Strazdas

lacktheknack said:
Yes, please spell out what you want them to do. Everyone knows the problem, no one has a solution.

Shoot the NSA wholesale?
Well, one thing NSA could do and should have done is plug the Heartbleed bug when they discovered it instead of abusing it, thus allowing actual malicious hackers to gather information. You know, the Security part in National Security Organization.
 

lacktheknack

Strazdas said:
lacktheknack said:
Yes, please spell out what you want them to do. Everyone knows the problem, no one has a solution.

Shoot the NSA wholesale?
Well, one thing NSA could do and should have done is plug the Heartbleed bug when they discovered it instead of abusing it, thus allowing actual malicious hackers to gather information. You know, the Security part in National Security Organization.
I'm not talking about what the NSA should do. That much is obvious. He asked "Why do Americans allow this?" And I'm pointing out that they allow it because they currently don't have much choice in the matter.