Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Allegedly Exploited Heartbleed

Posted by Soulskill on from the according-to-somebody-who-may-or-may-not-be-a-person dept.

squiggleslash writes: "One question arose almost immediately upon the exposure of Heartbleed, the now-infamous OpenSSL exploit that can leak confidential information and even private keys to the Internet: Did the NSA know about it, and did they exploit if so? The answer, according to Bloomberg, is 'Yes.' 'The agency found the Heartbeat glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency's toolkit for stealing account passwords and other common tasks.'" The NSA has denied this report. Nobody will believe them, but it's still a good idea to take it with a grain of salt until actual evidence is provided. CloudFlare did some testing and found it extremely difficult to extract private SSL keys. In fact, they weren't able to do it, though they stop short of claiming it's impossible. Dan Kaminsky has a post explaining the circumstances that led to Heartbleed, and today's xkcd has the "for dummies" depiction of how it works. Reader Goonie argues that the whole situation was a failure of risk analysis by the OpenSSL developers.

15 of 149 comments (clear)

  1. Conflict of interest by benjfowler · · Score: 5, Insightful

    Why even have the same agency responsible for foreign electronic intelligence and put them in charge of "cyberdefence" (how I hate that term..).

    It's a massive conflict of interest. You're virtually begging them to find and then sit on dangerous exploits.

  2. Obligatory xk..... by Anonymous Coward · · Score: 5, Funny

    YOU SON OF A BITCH

  3. This sounds likely by gurps_npc · · Score: 4, Insightful

    The basic fact is, if they did not exploit it, then someone working for them is thinking "DAMN, I wish I thought of using that!"

    --
    excitingthingstodo.blogspot.com
  4. Re:It's not a bug by NoKaOi · · Score: 5, Insightful

    it's a (NSA) feature...

    Even if it's not an NSA feature...of course the knew about it! They would have to be even more incompetent than we think not to. They are HUGE, with something like 40,000 employees. At least of few of those employees must be dedicated to code review of OSS looking for vulnerabilities, and more in general looking for vulnerabilities in any widely used software. And if that's the case, then you'd think OpenSSL would be one of the first things they'd look at. The fact that they didn't tell anyone though shows that the S is NSA is bullshit. They cared more about being able to exploit the vulnerability themselves than making their country's computers more secure. If they cared one shit about their country's security then they'd have big teams dedicated to finding software vulnerabilities and working with vendors to fix them.

  5. Re:NSA put the bug there, of course they exploited by 93+Escort+Wagon · · Score: 4, Informative

    The author of this bug and the reviewer of the commit have both been very forthcoming about the mistake. There's little reason to suspect malicious intent in this particular instance.

    That doesn't mean the NSA didn't know about it or exploit it, though.

    --
    #DeleteChrome
  6. You don't understand, yep! by rjh · · Score: 5, Informative

    One cannot simply sue a branch of the government without asking permission from the government to allow it to be sued - guess how often THAT happens?

    Glad you asked: it happens all the time, ever since the Tort Claims Act of 1948 substantially waived the sovereign immunity doctrine. You can read more about it at Wikipedia.

    People sue the government all the time. It's literally an everyday occurrence.

  7. It's time we own up to this one by Bruce+Perens · · Score: 4, Insightful

    OK guys. We've promoted Open Source for decades. We have to own up to our own problems.

    This was a failure in the Open Source process. It is just as likely to happen to closed source software, and more likely to go unrevealed if it does, which is why we aren't already having our heads handed to us.

    But we need to look at whether Open Source projects should be providing the world's security without any significant funding to do so.

    --
    Bruce Perens.
    1. Re:It's time we own up to this one by Anonymous Coward · · Score: 5, Insightful

      The problem with open source when it comes to things like this is that there are so few people who are even qualified to implement protocols like this, and even fewer of them who are willing to work for nothing. The community needs to pony up some cash to have important projects audited like what they are trying to do with TrueCrypt right now.

    2. Re:It's time we own up to this one by Bruce+Perens · · Score: 4, Interesting

      I have to say I'm even less confident in the plan to couple it to DNSSEC.

      --
      Bruce Perens.
    3. Re:It's time we own up to this one by bill_mcgonigle · · Score: 4, Insightful

      This was a failure in the Open Source process.

      Indeed. People have been saying for years that the OpenSSL code leaves much to be desired but nobody dares fix it because it might break something (needed: comprehensive unit tests).

      There's been a bug filed for years saying that the code won't build with the system malloc, which in turn prevents code analysis tools from finding use-after-free conditions. The need here is less clear - leadership of the project has not made such a thing a priority. It's not clear that funding was the sole gating factor - commit by commit the code stopped working with the system malloc and nobody knew or cared.

      Sure, a pile of money would help pick up the pieces, but lack of testing, continuous integration, blame culture, etc. might well have prevented it in the first place.

      We still have sites like Sourceforge that are solving 1997 problems, like offering download space and mailing lists when what we need today is to be able to have continuous integration systems, the ability to deploy a vm with a complex project already configured and running for somebody to hack on, etc.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:It's time we own up to this one by l0n3s0m3phr34k · · Score: 4, Insightful

      Exactly! Everyone can get to the source, the whole point of OSS is that the companies themselves can (and should, from a risk-analysis point) be reviewing all the code too before implementation...it's along the lines "you get what you pay for" yet at least here everyone is given the chance to see exactly what's being run (as opposed to pre-compiled apps). IMHO, this really isn't an OpenSSL issue as much as a failing of due diligence by all the companies using it. The admin's excuse of "well, we don't actually know what the code says" fails here, and anyone over the past two years could have reviewed it themselves and fixed this! Maybe this will spur corps to actually review code of critical infrastructure when it's avalible as part of corp policy from now on, perhaps the insurance companies who do "Errors and Omissions" policies will start forcing corps to do that; kinda surprised that this isn't already a standard policy, as code review of OSS is one of it's main strengths and if your company doesn't do it then their missing out on one of the biggest assets of using OSS.

  8. Fork it. by grub · · Score: 4, Funny


    Theo de Raadt should fork OpenSSL. He could call it OpenOpenSSL.

    .

    --
    Trolling is a art,
  9. Heartbleed Challenge Over by xvx · · Score: 5, Interesting

    Welp, that didn't take long. Looks like someone solved CloudFlare's Heartbleed Challenge and got their private server key...

  10. Failure of risk analysis by more than OpenSSL devs by Goonie · · Score: 4, Informative

    Just a minor correction - my piece does indeed suggest that the OpenSSL developers have some strange priorities. However, it lays the larger blame at the companies that used OpenSSL, when all the information necessary to suggest that this kind of thing could happen was already available, and the potential consequences for larger companies of a breach are easily enough to justify throwing a little money at the problem (which could have been used any number of ways to help prevent this).

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
  11. Private key compromise is indeed possible by pop+ebp · · Score: 4, Informative

    CloudFlare has retracted their statement that private key compromise is very hard. They started a challenge and at least 2 people successfully got private keys from their Heartbleed-enabled server with as few as 100K requests. (I am sure that with some optimization, the number could be even lower.)