Obama Says He May Or May Not Let the NSA Exploit the Next Heartbleed
An anonymous reader writes "The White House has joined the public debate about Heartbleed. The administration denied any prior knowledge of Heartbleed, and said the NSA should reveal such flaws once discovered. Unfortunately, this statement was hedged. The NSA should reveal these flaws unless 'a clear national security or law enforcement need' exists. Since that can be construed to apply to virtually any situation, we're left with the same dilemma as before: do we take them at their word or not? The use of such an exploit is certainly not without precedent: 'The NSA made use of four "zero day" vulnerabilities in its attack on Iran's nuclear enrichment sites. That operation, code-named "Olympic Games," managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.' A senior White House official is quoted saying, 'I can't imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.'"
Side note: CloudFlare has named several winners in its challenge to prove it was possible to steal private keys using the Heartbleed exploit.
Spy agency's job is to spy. It'd be remiss of them not to use such a security hole.
The question is, would he allow the NSA to exploit a similar vulnerability against Americans. And I think we already know the answer to that one too.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
There are almost certainly ongoing exploits of vulnerable systems.
People will very often tell you their intentions if you listen closely enough.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
If you have the exploit, you can exploit the exploit.
Tat Tvam Asi
even though I think that the NSA is pretty much pure evil.
I understand the issue between national security and security
The big question is how much are you willing to compromise your own country's security to provide national security.
I think in the case of the heartbleed exploit it vastly outweighs national security.
Note: I'm not a US national
We just don't trust you and wouldn't if you said, "you'd close gitmo", "not spy on us", "or not pay for back doors." You've won the war of attrition. pre 2001 of-age people know what we've lost and you can say and do whatever you like. ehh.... it must be a pre-coffee morning.
The information content of a sentence whose structure is, "I may x or I may not x" is 0.
[Signature omitted due to copyright restrictions.]
Really, anybody who thinks anybody cabinet level or higher even knows about this kind of logistical detail is an idiot. This isn't at all like the torture thing which is a basic human rights violation; nobody is questioning the NSA's right to spy on certain people, and this has nothing to do with any accusation that they're spying on people they shouldn't be spying on. This is about technological implementation, and it's part of NSA's purview as a spy agency to explore technologies that further their ability to do their job. Part of that is discovering weaknesses in cryptographic systems which are trusted by the people you want to spy on. Having discovered such a useful weakness they aren't obliged to report it, although they are obliged not to use it (or any of their other techniques) against our own citizens.
Brackets contain world's first nanosig, highly magnified:[.]
That statement may or may not contain any useful information whatsoever.
you're a moron. Don't trust liars who have been proven to lie and then continue lying. In fact you probably shouldn't trust liars in general.
Does the NSA really ask the President's permission to exploit any given loopholes in their work? If the President had to authorize all their actions then this would seem to be both rather damning for the president and a bit of a waste of his time.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
There are a lot of lessons to be learned by all the toy sysadmins out there.
most of them won't be learned.
In fact, several thousand machines will never be patched - for the next year or two.
All your keys are belong to us beotches.
The problem with the open source model is that it requires a high level of competency at too many levels.
You had better get used to tiles - that's all you nimrods can handle.
and no file manager either. See? Pure genius.
Part of their job is also to get shot dead sometimes. Maybe we should be cold and pragmatic about that too and start eliminating them. You selfless Dumb-ass.
This is a clear indication that the government's and therefore NSA's security concerns are absolutely misaligned with the interest of the population. They seem to serve imperialist ambitions. An indicator of concern for citizen's security would be to report such a vulnerability immediately and helping prevent the exploitation of such bugs by cyber criminals. That would be in the interest of national and international security.
The problem with saying "unless 'a clear national security or law enforcement need' exists" is that it actually compromises national security. What is more important? That you can easily hack in and skill data from the KGB, or some mafia site; or that every last American Citizen can be hacked by the KGB, or mafia? Keeping a bug like heartbleed a secret is something only an idiot or black hat would do. If the NSA knew of heartbleed early, and kept it a secret they are arrogant idiots. They either wanted criminals to have free rein to steal anything they wanted, or they believed that criminals are too stupid to have found this bug.
As if anyone cares about his opinion. Silly Mr. Obama LOL
The enemies will exploit it, so they can't afford being not competitive. Surely they will exploit everything they can and let the bullshit art masters cover up. That's how they're trained to think and old habits die hard.
Why would you want to tell the opposition what your plans are, that would be really stupid
The NSA is part of the Executive Branch. Obama could immediately, at the very least, put a temporary halt on all of these types of activities and conduct a review gauging the potential impact on ordinary US citizens as collateral damage. He has done no such thing -- not with mass surveillance, not with HeartBleed, not with any of the other nasty shit disclosed in the Snowden leaks. Don't DARE give him a pass on anything NSA-related -- he doesn't need Congress in this case and can personally shut it all down at any time.
who knew or even cares about our imaginary secrets
"We knew about this since day one, heck we ordered, executed and implement.. I mean... we may or may not exploit the next one we produ.. I mean the next one."
Am I the only one that thinks the government should have to follow the same laws the rest of us are expected to?
They go after and prosecute people for doing the very same things as this talks about. Exploiting a bug in software is one of the primary infractions under the CFAA, yes the government uses them as tools, claiming Law Enforcement need, where anyone else would be prosecuted to the full extent of the law, and thrown in jail for 1/2 their lives.
Isn't it time we hold those in power to the same standards that we ourselves are held to? Isn't it time that the law pertains to everyone, instead of excluding those who write and enforce the laws? No one is above the law, we as citizens shouldn't stand for this. Isn't it time yet?
Nothing new in communist regimes USA or North Korea. There is always "national security need" Just look at streets of US cities. No other country has so many security forces present working for the regime. Those commies countries are disgusting.
Like he really has any control over what they do anymore...
The problem with our world is that a high level of competency is actually required for an awful lot of things, and nobody wants to be competent anymore.
You Americans are so lucky. Of course they will do this! to defend your freedom!!! :-)
Not completely true. Many want to be competent, however nobody wants to pay what this competency is worth. You have to invest a lot of time to become competent and at the end, it must pay otherwise you are better to do something else. There are a lot of well-paid jobs which don't require the efforts you need to put on something to become competent.
Achille Talon
Hop!
This is a clear indication that the government's and NSA's security concerns are absolutely misaligned with the interest of the population. They seem to serve imperialist ambitions. An indicator of concern for citizen's security would be to report such a vulnerability immediately and helping prevent the exploitation of the bugs by cyber criminals. That would be in the interest of national and international security.
He MIGHT let the NSA do it, OR he MIGHT NOT. That's as credible a statement as anyone could make.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
The problem with the open source model is that it requires a high level of competency at too many levels.
Yeah. Sure. I'm not sure if you know what "open source" means and instead seem to be using it as a stand-in for "things I cannot understand."
You, and many others, use open source software every day without even noticing it. Chances are the very browser you are using to spew irrational hate is open source.
and no file manager either. See? Pure genius.
Really? Linux has no file manager? That's funny, I seem to recall there being about a dozen of them...
Perhaps before calling others stupid, you should first learn what the fuck you're even talking about.
There is no naivete. I expect nothing but thuggery from the government, so it isn't a surprise when we see the NSA being evil pieces of trash. It is, however, something that must be stopped.
[End Of Line]
What a useless president. Spineless, cowardly, completely incompetent. Has he ever disciplined anyone? Either that or he's degenerated into a true puppet. How can he live with himself?
I have to wonder exactly what the NSA has on President Obama that they can get him to dance to their tune so well... This has been going on since as US Senator for Illinois he switched his support against the FISA act to pro-FISA... It really pissed me off! It was obvious to me at the time that he had been compromised, and I said as much! :-(
Obama isn't in a position to "let" or "prohibit" SHIT (even his own).
He's a fucking douchebag, Chicago Machine politician.
He has no opinions or even feelings outside of what his little cabal of "advisors" tell him he does.
He's also in NO position to dictate to the NSA what they will or will not do with an undiscovered bug in a security device/program.
The NSA damn well WILL use it, and so long as nobody leaks it to THE PUBLIC, it's "See No Evil, Hear No Evil, Speak No Evil" from the rest of the government.
Even if Obama were to, God forbid, try something PROACTIVE, they'd still just ignore it and sacrifice yet another desk jockey stooge once caught.
Chas - The one, the only.
THANK GOD!!!
He doesn't lead. He waits for some one else to do something then either points fingers of blame or takes credit.
the national security agencies JOB is national security, non security is insecurity
and as a hacker I'm going to start exploiting you all then they are saying that their govt people can break federal law with impunity then why can't I
Why? Simple: If they let this type of vulnerability exist unpatched, they are collaborating with criminals, foreign (and often hostile) intelligence services and terrorists by standing idly by. That puts them straight in the "bad guys" class and, by any sane account, represents high treason. It is a bit like leaving the border open in order to see who brings anthrax, nuclear material or bombs over it.
In addition, they are increasing the level of uncertainty and trust for everybody, thereby aiding terrorists of all sorts that have exactly this same goal, namely destabilizing society.
It really does not get more evil than that, except actively creating vulnerabilities that everybody can find and exploit. Oh, wait, they may be doing that as well...
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
So terrorists = bad but knowing about an exploit and staying quiet about it even though the results of staying quiet could be pretty damaging to not just our economy but the global economy as well is acceptable? I feel so much safer!
the answer will always be YES.
For a long time now I've thought that religion will cause the next Dark Age of Man, through promoting willful ignorance, superstition, and blind "faith", instead of promoting knowledge, understanding, and the search for actual truth. Apparently I was wrong, or at least not completely correct: Politicians and politics will bring about the next Dark Age, by driving people away from the Internet through mass surveillance, and runaway corporate interests destroying Net Neutrality. Once the Internet is no longer a viable source of sharing information for the common citizen, it won't be much farther to go to drive people, en masse, back into the welcoming arms of organized religion and its rejection of critical thought.
I'm embarrassed to have voted for this party-line politician we elected as President, but frankly the other choice would have been at least as bad. Why don't you just declare the Constitution invalid and the U.S. officially a Police State already and get it over with?
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
The job of any government agency to defend the constitution. It's the job of the judicial branch. Furthermore, you actually expect a spy agency to protect the constitution? That's not even close to their job.
The naivete some have on this issue is rather surprising given the demographics of the site.
Employees at the NSA take an oath to defend the constitution. From the NSA's website:
NSA/CSS employees are Americans first, last, and always. We treasure the U.S. Constitution and the rights it secures for all the people. Each employee takes a solemn oath to support and defend the Constitution of the United States against all enemies, foreign and domestic.
It's not naivete, it's just expecting them to do what they SWORE TO DO.
Enigma
That's a degree of honesty we aren't used to from President Obama. His usual response would be to say that he will do the right thing, then secretly do the wrong thing, and when found out, claim that he learned about everything on TV the night before.
I guess Obama must be getting slightly more honest about how he's going to screw people because he doesn't have to give a f*ck anymore about getting reelected and because this admission doesn't hurt his billionaire financial backers.
Are you saying there is no circumstance - none whatsoever - worth considering where a security flaw in software would be better for society to not reveal (at least temporarily) than to reveal immediately? That's a rather dogmatic position.
So why has the President forgotten this if he just found out about it?
You want them to come out with a statement immediately, yet you want them to understand everything immediately. This is not possible
If the "primary directive" of the NSA were actually National Security (rather than spying) what they should do would be obvious.
In the interest of national security, should the NSA discover such an exploit, they should quietly work with public and private organizations to get as much of the infrastructure fixed before the exploit becomes generally known.
Instead, though, what we have is that the NSA has likely had free access. Along with the rest of the world's spy agencies. And hackers and crime networks. That doesn't foster national security, IMO.
The national security interest would be to patch the hole, not to leave it open. This hole was too easy to exploit, and supposedly enabled identity theft on a massive scale, even to vastly inferior intelligence services.
The comparison with the centrifuges in Iran is misleading. For that combination of attacks it is very hard even to find suitable experts to generate the code.
Is Obama actually capable of making a decision? There will ALWAYS be a "justifiable" national security "need" to spy on the entire country. Why can't he just be honest and state it as it is?
The US government has the ability to spy on every electronic communication you make, it has been exploiting that ability to the fullest for many years now, and it will continue to do so forevermore. It will do so for the sole purpose of increasing its own power. If put to the inconvenience, it will lie to your face about it. This state of affairs will prevail regardless of which branch of the Money Party is in power. And there isn't thing one you can do about it.
It is very unlikely that the guys who discovered Heartbleed as a SIGINT opportunity had any channels at all to warn other arms of the agency that it might be a vulnerability on our side; consider how such channels could and would be misused in so many other situations. The spooks would never implement such a thing. From the SIGINT side Heartbleed is a low-level technical detail, hardly worth the attention of a Civil Service level administrator except for the ops that it makes possible.
Brackets contain world's first nanosig, highly magnified:[.]
Rules with broad sweeping generalized caveats basically means, no rules. It means WE (as in the people who made the rules) are going to decide on in a subjective way whether we broke the rules or not... and anyone who even knows the most basic aspects of human nature, knows that we as people in general don't like incriminating ourselves, and a government is just a group of people.
So this is basically just lip service from the government, to calm public anger while at the same time giving us the finger.
the NSA most certainly knew about openSSL's malloc issues.
For something as widely used as openSSL and how integral it is to obfuscating communications, you bet your ass that they have a team auditing every commit.
We can win this fight against the NSA. It's just hard to coordinate a faceless community to have better practices of security.
How would he stop them? Short of ordering everyone in the country to upgrade from the OS that Microsoft said a decade ago it would stop doing security updates on, something he doesn't have the power to do, there is no way to stop anyone with the know-how from exploiting the flaw.
Might be bit hard to check after the fact, but if their servers were leaking data on unpatched version of heartbleed it would suggest innocence. If their servers (important ones) were somehow immune to this attack before it went public... they knew something.
The only decision 0bama can make is on his next vacation site.
What amazes me is the (shall I say) ignorance on the part of citizens who can confuse "duties" or job responsibilities with "purpose". Regardless of what anyone has been told by a government agency or even the media, their duty is ultimately to defend the U.S. Constitution. I used to work for a government agency. Had to pledge to defend the Constitution. There were many times in the course of my job when orders to me or department policies (I felt) conflicted with the Constitution and I refused to act on those orders. Push come to shove in every instance I was upheld in my convictions. The problem in every instance was the fact that some overzealous ignoramus above me failed to appreciate the difference between duty and the law. And that's exactly the disease that is rotting our government from the inside out. People who don't have the intelligence or guts to stand up for what's right (or lawful).
"Those who can make you believe absurdities can make you commit atrocities." - Voltaire
that domestic part is where it gets kinda muddy methinks.