Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Allegedly Exploited Heartbleed

Posted by Soulskill on from the according-to-somebody-who-may-or-may-not-be-a-person dept.

squiggleslash writes: "One question arose almost immediately upon the exposure of Heartbleed, the now-infamous OpenSSL exploit that can leak confidential information and even private keys to the Internet: Did the NSA know about it, and did they exploit if so? The answer, according to Bloomberg, is 'Yes.' 'The agency found the Heartbeat glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency's toolkit for stealing account passwords and other common tasks.'" The NSA has denied this report. Nobody will believe them, but it's still a good idea to take it with a grain of salt until actual evidence is provided. CloudFlare did some testing and found it extremely difficult to extract private SSL keys. In fact, they weren't able to do it, though they stop short of claiming it's impossible. Dan Kaminsky has a post explaining the circumstances that led to Heartbleed, and today's xkcd has the "for dummies" depiction of how it works. Reader Goonie argues that the whole situation was a failure of risk analysis by the OpenSSL developers.

6 of 149 comments (clear)

  1. Conflict of interest by benjfowler · · Score: 5, Insightful

    Why even have the same agency responsible for foreign electronic intelligence and put them in charge of "cyberdefence" (how I hate that term..).

    It's a massive conflict of interest. You're virtually begging them to find and then sit on dangerous exploits.

  2. Obligatory xk..... by Anonymous Coward · · Score: 5, Funny

    YOU SON OF A BITCH

  3. Re:It's not a bug by NoKaOi · · Score: 5, Insightful

    it's a (NSA) feature...

    Even if it's not an NSA feature...of course the knew about it! They would have to be even more incompetent than we think not to. They are HUGE, with something like 40,000 employees. At least of few of those employees must be dedicated to code review of OSS looking for vulnerabilities, and more in general looking for vulnerabilities in any widely used software. And if that's the case, then you'd think OpenSSL would be one of the first things they'd look at. The fact that they didn't tell anyone though shows that the S is NSA is bullshit. They cared more about being able to exploit the vulnerability themselves than making their country's computers more secure. If they cared one shit about their country's security then they'd have big teams dedicated to finding software vulnerabilities and working with vendors to fix them.

  4. You don't understand, yep! by rjh · · Score: 5, Informative

    One cannot simply sue a branch of the government without asking permission from the government to allow it to be sued - guess how often THAT happens?

    Glad you asked: it happens all the time, ever since the Tort Claims Act of 1948 substantially waived the sovereign immunity doctrine. You can read more about it at Wikipedia.

    People sue the government all the time. It's literally an everyday occurrence.

  5. Re:It's time we own up to this one by Anonymous Coward · · Score: 5, Insightful

    The problem with open source when it comes to things like this is that there are so few people who are even qualified to implement protocols like this, and even fewer of them who are willing to work for nothing. The community needs to pony up some cash to have important projects audited like what they are trying to do with TrueCrypt right now.

  6. Heartbleed Challenge Over by xvx · · Score: 5, Interesting

    Welp, that didn't take long. Looks like someone solved CloudFlare's Heartbleed Challenge and got their private server key...