Obama Tells NSA To Reveal, Not Exploit, Flaws… Except All The Times It Wants To Do The Opposite
from the a-bias? dept
Last week there was some confusion as Bloomberg published a story claiming that the NSA was well aware of the Heartbleed bug and had been exploiting it for “at least” two years. That seemed fairly incredible, given that the bug had only been around for slightly over two years. The NSA came out with a pretty strongly worded denial — which left out much of the usual equivocation and tricky wording that the NSA normally uses in denying things. The general consensus seems to be that it is, in fact, unlikely that the NSA knew about Heartbleed (though that makes some wonder if some team at the NSA is now in trouble for not figuring it out). If anything, it seems likely that the Bloomberg reporters got confused by other programs that the NSA is known to have to break parts of SSL, something it’s supposedly been able to do since around 2010.
However, the NY Times had a story this weekend about how this move has forced the administration to clarify its position on zero day exploits. It’s already known that the NSA buys lots of zero day exploits and makes the internet weaker as a result of it. Though, in the past, the NSA has indicated that it only makes use of the kinds of exploits that only it can use (i.e., exploits that need such immense computing power that anyone outside of the NSA is unlikely to be able to do anything). However, the NY Times article notes that, following the White House’s intelligence review task force recommendation that the NSA stop weakening encryption and other technologies, President Obama put in place an official rule that the NSA should have a “bias” towards revealing the flaws and helping to fix them, but leaves open a massive loophole:
But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.
Amusingly, the NY Times initially had a title on its story saying that President Obama had decided that the NSA should “reveal, not exploit, internet security flaws,” but the title then changed to the much more accurate: “Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say.”
Of course, the cold war analogy used by people in the article seems… wrong:
“We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.”
Except, it’s meaningless that no one expects the Chinese (or the Russians or anyone else) to give up zero days. The simple fact is that if the NSA were helping to stop zero days that would better protect everyone against anyone else using those zero days. In fact, closing zero days is just like disarming both sides, because it takes the vulnerability out of service. It’s not about us giving up our “weapons,” it’s about building a better defense for the world. And yet the NSA isn’t willing to do that. Because they’re not about protecting anyone — other than themselves.
Filed Under: barack obama, exploits, heartbleed, national security, nsa, surveillance
Comments on “Obama Tells NSA To Reveal, Not Exploit, Flaws… Except All The Times It Wants To Do The Opposite”
“closing zero days is just like disarming both sides”
That’s only true if we know the same 0-days that the others know.
Re: Re:
But the more we close, the less they can use.
Re: Re:
That’s only true if we know the same 0-days that the others know.
The only exploits relevant to this story are the ones the NSA knows about.
The NSA needs to be split – into a defensive agency and an offensive agency. That way, we reduce the likelihood of there being such a situation again.
Re: Splitting the NSA
Then they would spend even more resources fighting each other. But hey, the entertainment value might be worth it. Spy vs. Spy.
Re: Re:
Agreed. Unfortunately, Obama has rejected that idea as soon as he even heard the review panel was going to propose that.
Ever since the US Cyber Command was merged with NSA, it has become a major force of corruption within NSA.
Re: Re:
Far too many people believe the mantra “The best defense is a good offense”. The defensive NSA would become the offensive NSA, it would only be a matter of time.
Re: Re: Re:
What I mean is one agency whose only focus is on finding security flaws and getting them fixed; and a second agency whose only reason for existence is to find and exploit these flaws both in-house and outside.
Re: Re: Re: Re:
GrayArea‘s comment still applies.
Both agencies would waste taxpayer money racing to out’wit’ (I use the term ‘wit’ very loosely) the other agency.
Evidence (or lack thereof) whether the NSA knew about Heartbleed
Based on some of the other Snowden disclosures about NSA’s state-sanctioned hacking program affectionately known as the Tailored Access Operations group, probably the best evidence that the NSA did not know about Heartbleed would be for Snowden and/or the reporters working with his documents to note that none of those documents discuss Heartbleed. Other TAO documents seem pretty blunt about what they like to do, so it would be unlikely for such a powerful disclosure attack to be completely absent from their documents if they did know about it.
Re: Evidence (or lack thereof) whether the NSA knew about Heartbleed
The NSA didn’t know about Heartbleed because that’s not what they called it. However, check out the NSA’s “Project Bullrun”.
According to The Guardian’s analysis of the Snowden documents, under Bullrun, the NSA “has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.”
The NSA’s cracking might be of a different nature. Who knows? But to me, a rose by any other name…
Re: Evidence (or lack thereof) whether the NSA knew about Heartbleed
That’s only because the NSA uses this program under a different name which they will not reveal and Snowden had now way of knowing that. I am pretty sure that those that now are in possession of Snowden’s paper are now pouring over them to identify which of these programs would show the use of Heartbleed.
So the they are both malicious AND incompetent. Wouldn’t it be great if it was non-malicious and competent at the same time?
Not buying it
There is no conceivable way the NSA didn’t know of this vulnerability. None. Zero. Follow the logic.
The error itself is pretty standard. Blame C and buffer handling. The NSA geeks are fully aware of the buffer problems associated with C. They have TEAMS dedicated to finding and exploiting these errors.
The OpenSSL library would be a major target for NSA hackers. The Open Source community audits software. The NSA REALLY audits software, especially an encryption library used by huge numbers of folks.
My conclusion? The NSA knew about this bug within days of its release. It is impossible to come to any other conclusion. You may have issue about the technical competence of the federal government, but the NSA is the cream of the crop. There is no way they didn’t know about this, with hundreds of devs combing through every line of this code.
And speaking of Snowden documents, expect one that details their experience with this exploit. Remember BULLRUN? “Do not ask or speculate on sources or methods underpinning BULLRUN successes.” We don’t have to speculate anymore.
Two exceptions, other governments, and all those bot-herders, who also have massive computing power available, and with zero costs to use it.
Why did he even bother?
What I want to know is why he bothered to say anything along these lines at all. Saying the “NSA will reveal flaws it finds unless thinks they might be useful” is almost precisely the same as saying “the NSA won’t reveal the flaws it finds.”
Re: Why did he even bother?
Perhaps he was hoping to trick people into thinking he was telling the NSA to reveal flaws. And it even worked for a while.
‘Amusingly, the NY Times initially had a title on its story saying that President Obama had decided that the NSA should “reveal, not exploit, internet security flaws,” but the title then changed to the much more accurate: “Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say.” ‘
Presumably there are still people who believe the original headline.
Crazy
That’s simply crazy thinking, right there. Computing power continues to get cheaper every day. Right now, it is technically within many individual’s financial ability to build their own supercomputer. Not one of the best ones, but get a small group of modestly wealthy people together and you’re golden. You can build a supercomputer that rivals anything the NSA has going.
Re: Crazy
Why pay for it?
There are computing operations running right now that have more CPU cycles, more memory, more storage, and more network bandwidth than Google and about a dozen of its peers combined. Botnets with tens of millions of systems are now ordinary.
Granted, not every computing task maps well to that architecture, but a lot of them do. As we’ve seen.
We’re now into the second decade of botnets and so far, nobody has done anything meaningful about them. Nothing. Oh, there have been busts (yawn) and press conferences and agendas and meetings and all kinds of other feelgood happytalk bullshit, but nobody has actually attacked the underlying problem…and thus there’s no reason to expect it to get any better, and lots of reasons to expect it to get worse.
Banksy strikes at GCHQ Or how to make phone users paranoid.
not bad for the ‘most transparent administration in US history’, eh?
Re: not bad for the 'most transparent administration in US history', eh?
I rate this administration well less transparent than the Nixon and G.W, administration. That is its destiny.
It doesn’t even require that basic level of human decency. Even the poorest, most inept warmonger should be able to recognize “make our side immune to enemy attacks” as an extremely good thing. If the NSA had even the slightest shred of competence, they’d be making the country more secure, not less.
Re: Re:
If the NSA had even the slightest shred of competence, they’d be making the country more secure, not less.
I don’t think it’s an issue of competence, but of objectives.
Don't worry, the NSA will reveal flaws to others in the future
They’ll just tell people 50 years after they find them, or however long classified material is supposed to stay classified before getting released to the public.
In other words, it’s the unwritten “everyone important that was involved in this is dead now so who cares if the public finds out” rule.
Cyber “security”
Se-cu-ri-ttty
I still remember like it was yersterday: people chanting “OBAMAAAAAAA” like he was the saviour of the world.
THE ONLY SOLUTION
NEXT ELECTION DO NOT VOTE REPUBLICAN OR DEMOCRAT
END YOUR OPPRESSION AMERICA
What’s the fuss? Aren’t they supposed to exploit? The problem lies in usage for *unlawful* activities.
Re: Re:
The fuss is that they are tasked with both spying, which entails using exploits, and with protecting the network, which entails disclosing weaknesses.
These two task are mutually exclusive. So all we get is them exploiting the network and keeping those exploits a secret, which means those exploits won’t get fixed as quickly, if ever, which means that the entire security of the net is endangered by the NSA.
Share it with Cisco, deny it to Huawei
Share it with Cisco, deny it to Huawei.
That way, NSA could protect their own people while keep on spying on those cheap bastards that buy Chinese knock-offs.
Re: Share it with Cisco, deny it to Huawei
You can’t be serious. There are two main problems with this…
1) If the NSA finds an exploit, so will criminal crackers. It won’t stay a secret.
2) If Cisco equipment uses an exploit, Huawei (and all other similar companies), as well as criminal crackers, will find it as soon as they reverse engineer the Cisco equipment (which all groups do whenever a new model is released). It won’t stay secret.
No matter what, these exploits won’t stay secret. The NSA is even behind the curve in finding them — they purchase most of them form the black and gray markets. By keeping any exploit a secret, the only thing that’s accomplished is that critical infrastructure and everyone using it is left vulnerable to an exploit they may not know about but all the crooks do.
wi-fi
I want to open for my Samsung mobile?