Google Apparently Chose Not To Tell The NSA About Heartbleed
from the trust-issues dept
Well, this is interesting. I naturally assumed that when the various researchers first discovered Heartbleed, they told the government about it. While I know that some people think this is crazy, it is fairly standard practice, especially for a bug as big and as problematic as Heartbleed. However, the National Journal has an article suggesting that Google deliberately chose not to tell the government about Heartbleed. No official reason is given, but assuming this is true, it wouldn’t be difficult to understand why. Google employees (especially on the security side) still seem absolutely furious about the NSA hacking into Google’s data centers, and various other privacy violations. When a National Journal reporter contacted Google about the issue, note the response:
Asked whether Google discussed Heartbleed with the government, a company spokeswoman said only that the “security of our users’ information is a top priority” and that Google users do not need to change their passwords.
Here’s the thing: if the NSA hadn’t become so focused on hacking everyone, it wouldn’t be in this position. The NSA’s dual offense and defense role has poisoned the waters, such that no company can or should trust the government to do the responsible thing and help secure vulnerable systems any more. And for that, the government only has itself to blame.
Filed Under: heartbleed, nsa, privacy, security, surveillance
Companies: google
Comments on “Google Apparently Chose Not To Tell The NSA About Heartbleed”
Hypothetical...
What if Google reports it to the gov, and the gov then turns around and classifies the info and forbids Google from disclosing it? Non-Google customers would still be screwed. Not sure how legal that would be, but they seem to just do whatever they please.
Re: Hypothetical...
The gov’t can classify all they want. Google is under no legal obligation to hold that information in confidence since that information didn’t come from the government to begin with.
Re: Hypothetical...
Lettre de cachet
(orders directly from the king, often to enforce arbitrary actions)
Re: Hypothetical...
“Legality” is an abstraction that is defined at the tip of a sword. Don’t let anyone convince you otherwise. ALL systemic prosecution and deliberation becomes a dog and pony show the second even one major group decides to go their own way, as the NSA has.
Nelson from the Simpsons says it best, “Haha!”.
Every time I see...
…Google and the NSA butting heads in the same post, I can’t help but think of the NSA as the forerunner of Skynet, and Google as John Connor.
Re: Every time I see...
But in reality, they’re both Skynet wannabes competing against each other.
Re: Re: Every time I see...
Kinda, but as has been said many times before, Google can’t imprison, torture or execute me. I could put up with customised ads if it was a straight fight between the two. I think it’d be a toss-up who won as well.
Re: Re: Re: Every time I see...
Quote: “Google can’t imprison, torture or execute me. I could put up with customised ads…”
The problem is that the ads leak data to the advertisers. Imagine an insurance company hiring a campaign among people with a high-risk medical condition. Boom, you don’t get that life insurance policy anymore.
Google can’t imprison but they can lead to life sentences.
Re: Re: Re:2 Every time I see...
Assume you’re right, AC @3.28am.
How would Google know, unless they’re scanning the content of your emails to discover whether you’re merely curious about brain tumors or actually have one?
Now imagine the number of staff they’d have to hire to get human eyes on the email content that mentions high-risk medical conditions so they can pick out the ones that mention a person actually having one, then pass it on to the HR dept. of an insurance company.
Hold that thought: the much-maligned ACA FORBIDS insurance companies to refuse cover for pre-existing conditions. For all its faults, that’s one thing it does. Getting rid of it would bring back the risk of refusal.
Can we please stop the dog-whistle cries of “Socialism!” over the ACA? The origin is from industry shills who don’t want to pay out to people who actually need care. They’re in business to make a profit, not to help us. “The Market” doesn’t have the solution to this because there’s no profit in it.
Re: Re: Re:3 Every time I see...
Quote: “How would Google know, unless they’re scanning the content of your emails to discover whether you’re merely curious about brain tumors or actually have one?”
Remember Google Health…
Re: Re: Re:3 Every time I see...
Taking money by force from people who earn it honestly and transferring it to those who claim to need it IS socialism. The means of production in the medical industry are certainly being more and more commandeered by government.
That the much-maligned ACA prohibits insurance companies from refusing insurance to those with pre-existing conditions is one of many reasons to malign it. That kind of provision is a violation of the individual rights of the persons offering a service. If an employer “needs” my labor but I don’t want to give it to him, does he have a right to draft me into his service simply because he professes a need? No one has a “right” to enslave anybody else, regardless of how much he “needs” to enslave that person.
Re: Re: Re:4 Every time I see...
“Taking money by force from people who earn it honestly and transferring it to those who claim to need it is socialism.”
Then you really do not understand Marx at all, because you are so wrong there! What you are describing is the warped sense of socialism that the capitalists push onto everyone since birth so people think socialism is a bad thing, when in actual fact Marxist socialism can actually work, but people will need to unlearn all the capitalist propaganda that has been drilled into them for hundreds of years, which has manipulated them into becoming slaves to capitalism & money.
And don’t give me any crap that socialism has been tried & tested and doesn’t work. There has never ever been a true Marxist socialist government on this planet EVER! Russia was never communist; sure, Lenin called his party communists, but he never implemented any Marxist ideas at all. The communism you know is not the communism that Marx theorised.
Russia was state capitalist from the get-go, not Marxist!
Re: Re: Re:5 Every time I see...
“Taking money by force from people who earn it honestly and transferring it to those who claim to need it is socialism.”
Let’s also take this concept and put it in the spotlight on what is actually happening under democracy and capitalism.
The Fed (a private company) issues currency and charges interest on it; they give that currency to the Treasury, and the Treasury gives them bonds (repayable with interest).
So you work, you earn your money honestly. The IRS (another private company acting on behalf of the Fed) then takes that hard-earned money from you and gives it back to the Fed. Meanwhile, the Fed cashes in their bonds and gets paid interest on them in return for that so-called tax money, which they then loan out to the private banks again, who repay them with interest. The gov then borrows more & the cycle repeats.
So your honestly earned money is taken from you and given back to a private company, and you pay for it to be taken from you. So under capitalism, your money is given to private companies, and not the needy. And you think giving to the needy is unfair?
Re: Re: Re:4 Every time I see...
“Taking money by force from people who earn it honestly and transferring it to those who claim to need it IS socialism.”
If that is the case, then the only form of government that has ever existed is a socialist government. That makes the term “socialist” an effectively meaningless one, since it can’t be used to draw distinctions.
Which is pretty close to the truth of how the word is used nowadays, now that I think of it — an effectively meaningless insult that is thrown at anything the person using the term doesn’t like.
Re: Re: Re:4 Every time I see...
Lots of people claim things; it’s not socialism when an Office of X Country Bureaucracy decides whether one gets something or not.
If only that ACA gave health responsibility to provinces like up here: 1) the state-wide-only servers wouldn’t be overloaded like that federally centralized fiasco; 2) people would feel like they have more power over state tax/money, since the “state” is one step closer to them than the big bad faceless Federal Government.
There’s a lot of things I’d change in Canada, like British parliamentarism; give me a republic with proportionate voting for different parties and I’d really like it here, cos Canada is not a centralized federation but a Confederation.
Hint hint at Ukraine: just do that and your ridiculous infighting between brothers would be over.
Re: Re: Re:3 Every time I see...
What planet have you been living on? The medical industry–doctors, insurance, hospitals, equipment makers, etc.–has been fabulously profitable. There is massive profit in “The Market”, as you call it. The ACA is about one thing and one thing ONLY: gaining control over people’s health and therefore control over their lives. It’s straight-up Socialism of the USSR brand. Of course the insurance industry is on board and wants to profit as best they can; they have no choice in a government takeover.
Re: Re: Re:4 Every time I see...
Oh yeah, up here in Canada we call it a single-payer system; it’s better. May the experiment in Vermont show you all. Health of citizens falls into the same thing taxes are for: infrastructure that would be too complicated in your populous country, like roads and libraries, where some dickheads would refuse to pay tax for such essentials; a me-myself-and-I anarcho-capitalist state would ensue and there would be mass riots. You guys are already real close to embracing anarcho-capitalism; I bet you’d be one of the first ones to complain that there are potholes everywhere, which could cause physical injury that nobody would be pitching in to help with.
Individualism only goes so far, I’m very individualist but I’m realist that some things have to be socially organized or chaos and evil ensues.
p.s. what about all those Americans who drive/fly to Canada so they can fly to Cuba (we don’t stamp Americans’ passports when they go there) to get A-1 class medical surgeries? Cuba is close to being the only communist experiment that worked; it would be extremely successful if the US got rid of that childish embargo on them.
Familiar with the Human Development Index? It’s made of other indexes; Cuba, last time I checked (maybe a year or 2 ago), was equal at #1 for Medicine with 5 or 6 countries (equal index ratings). They’re also way up there education-wise. Have you ever seen a documentary about real Cubans, not those in Florida who are ultra-nationalist right-wingers? Those people all help each other repair each other’s household items, houses, even roads… This guy had a remote for a TV but there was a piece broken in it; he just paid visits to his neighbours, where nobody locks their doors and they will talk to you even if you show up there asking if they can help you fix that TV remote. It took him a few days before finding someone who could do it, but the social fabric there isn’t sick beyond repair like in “the west”.
Also, this guy’s house was in serious need of repair because rain would accumulate in the apartments on top. Everyone who wanted to (a lot) in the neighbourhood helped them. I know people who were so deep in debt here who had a similar problem: water would go through the attic and into their tenants’ apartments upstairs. They had to sell the house, and good luck just walking around the neighbourhood trying to find people to help you fix it for free (it was definitely a multiple-people job). Nah, here people all distrust each other and everyone locks their door during the daytime.
I wonder what is healthier of a society….just kidding I don’t.
Re: Every time I see...
I either read somewhere or a friend told me that at some point (research shows 2009) the US Military (USAF) had been trying to build something akin to Skynet from ~2500 daisy-chained PS3s. facepalm
Re: Re: Every time I see...
The last I heard was this bit about Sony removing a feature that allows the USAF to use their products in this project.
“Google users do not need to change their passwords.”
That’s exactly what an NSA-affiliated company would say! All conspiracies aside, that’s still a negligent stance to take given what we know. The price of PR should not be a false sense of security.
Re: Re:
[Citation required]
Re: Re:
“that’s still a negligent stance to take given what we know.”
It’s not a negligent stance if Google determined that their servers did not contain the broken SSL code. They may have used something other than OpenSSL.
Re: Re: Re:
This.
They could also have used an OpenSSL version from before the bug was introduced. Or, given how much Google optimizes their servers, they could be using OpenSSL with the heartbeat code compiled out. This last one is the most probable.
No requirement to change passwords?
Why would users not need to update their passwords when Google silently fixed it themselves, and the assumption that the NSA (or other organization) had access for years is a safe one to make?
Google also didn’t ask users to change passwords for the Gaia breach, to their very password infrastructure, so I guess this behavior is consistent. Asking users to change passwords would incite more panic and bad press than the few accounts that may actually be impacted.
Re: No requirement to change passwords?
Because the vulnerability existed for ~2 years and nobody actually knows if it was being exploited during that time?
Seems like a good reason to me.
Re: Re: No requirement to change passwords?
I failed to parse your comment – you put the negative “not” in an unexpected place and my reading comprehension failed – sorry 🙂
Re: Re: No requirement to change passwords?
Not a good reason at all. First, due to the nature of the exploit, it’s incredibly difficult to determine if it was actually used. No trace is left, no red flags appear in any logs, etc. The only way to tell is through inference. Second, there have been a number of breaches that imply that Heartbleed was successfully used.
I don’t know how I feel about this. I understand fully why they didn’t inform the government, but this was a huge thing, they probably still should have.
I guess there’s one bit of information that would change my mind. Who was it that first broke the news about Heartbleed? Did Google just skip the government and go straight to the public? If they did that, then I’m right there with them. If they kept it secret, then I’m glad I just changed my passwords.
Re: Re:
Neel Mehta of Google Security discovered the flaw on March 21st. They created a patch for OpenSSL on the same day. Google submitted this patch for inclusion in OpenSSL, and simultaneously distributed the patch file to some major distros such as Red Hat and applied it to their own servers.
On or before March 31st, CloudFlare got the patch file and applied it. They blogged about it, giving the first public notice of the problem.
April 1, Google notifies the OpenSSL team of the vulnerability.
So, Google didn’t immediately go directly to the public, but did immediately go to the major players. This is actually the right way to do it — give the major vectors a chance to patch things up before making the world (and all the bad guys) aware of the vulnerability.
It took 10 days from the time of discovery to the time the world was notified, and they had the fix already in hand when they did so. Google did good on this.
Between the lines...
If I am Google, who would you tell in the US government and why? Based upon past events, they must assume that the NSA already knew about Heartbleed, so no reason to tell the NSA.
Who else to tell in the US government that really would or could help?
Re: Between the lines...
Of course the NSA knew about Heartbleed.
Consider: if you’re the NSA, and you’re willing to ignore the Constitution and the law and Congress and the Courts and anyone and everything else in search of as much data as you can possibly acquire, then why wouldn’t you tap the email, phones etc. of security researchers?
You know that they talk to each other. You know who they are. You know that they often seek each other out for peer review or to aid in dissemination of information. You know that they have a far better chance than nearly anyone else of uncovering security flaws. And so you know that every once in a while, a really useful bit of information is going to get picked up.
(This is presuming that the NSA didn’t know years ago, which I think is far more likely.)
Interesting points to note here
1. Google seems pretty certain the NSA never used Heartbleed against Google, which if true probably means they didn’t know about it. Low probability, I know.
2. Given that the NSA has been using information fed to its defence arm to inform its offence arm. Even if the US Government was to split the two arms into separate organisations, it’s unlikely anyone could or should trust a new separate defence organisation not to pass information to the offence organisation.
And three, the journalist who wrote the article can’t frigging spell.
Both Google and Microsoft have called NSA/the US gov an “active persistent threat” – why would you give that sort of information to such a dangerous threat? Might as well give notice to the Chinese about it then.
Google should have given the info to 4chan to see if they could use it against the NSA to pry loose some sweet, sweet dox.
Thoughtful
It shows thoughtfulness, that they neglected to mention the weakness to the intelligence community.
If they had, likely what would have happened is that the agencies would have ordered them to keep quiet and not touch anything, so the agencies could exploit the weakness.
Demonstrates an amazing level of trust (and not a high level, either).
Blah Google is so great Blah
Google is a fucking front for the NSA. Don’t you get that ?
Re: Blah Google is so great Blah
As a fellow tin-foil hat wearer, you, sirrah, put me to shame.
Google is clearly more competent than the NSA; thus, it cannot be a front for the NSA.
The NSA is clearly a front for the Social Media Megaconglomerate.
Given that telling the NSA about a security vulnerability that they might not know about is pretty much the same as telling a local gang about an unlocked building full of expensive stuff, and for the same reasons, yeah, not telling the NSA anything seems like a good strategy there.
Google’s focus is on securing its system. Under insane psychopathic management, the NSA’s focus is on breaking systems. Why would Google discuss anything at all with the NSA? In fact, it should take every possible precaution to secure its security information from the NSA, to the point of dismissing any employees with suspected connections with the NSA.
Re: Re:
Close, but if you suspect you’ve got a spy/mole in your company, you don’t fire them; you just shift them to a job/position where they don’t have access to any sensitive information, because if you fire them, then you’ve got to track down the replacement spy/mole.
In the end warning about vulnerabilities in the open is always the best option. No way for the Govt to try to silence it before reaching the public so it can be fixed just because they want to use it for their pseudo-terrorism pseudo-fight.
So what’s up with these stories about Google hiring professional assassins???
Is this “The Parallax View” come to life?
poetic justice
“Google employees (especially on the security side) still seem absolutely furious about the NSA hacking into Google’s data centers, and various other privacy violations.”
I found this part funny.
Google violates the privacy of billions of Internet users on a systematic basis, and all is OK. No one has the right to complain.
The NSA breaks into Google datacenters. This privacy violation is unacceptable.
Funny…
Re: poetic justice
Yeah, I violate the privacy of people who willingly share information with me all the time.
Re: poetic justice
There is a difference between software seeing a mention of machine guns whilst you are doing historical research, and Google trying to show adverts from gun shops, and the NSA seeing the same and notifying the police, who send a SWAT team through your door because somewhere else you were researching where the president goes for his holidays.
because the government neither wrote nor distributes OpenSSL
You inform the parties responsible, and not everyone that could be affected. That’s common practice.
I (and most security researchers) don’t see the need to inform the government specifically, unless you expect, for instance, a CERT to be able to help you.
Who cares if Google didn’t tell the NSA about Heartbleed? Ten bucks says they already knew for a while. Heck, I wouldn’t put it past them to invent it! When I saw the initial post about it with the headline saying that it was worse than no crypto at all, I immediately thought “NSA”.
Blame
When you say government to blame, surely you mean Obama is to blame. Nothing happens without White House authority.
Google and Heartbleed
Not that I trust Google or anything.