Obama Says He May Or May Not Let the NSA Exploit the Next Heartbleed
An anonymous reader writes "The White House has joined the public debate about Heartbleed. The administration denied any prior knowledge of Heartbleed, and said the NSA should reveal such flaws once discovered. Unfortunately, this statement was hedged. The NSA should reveal these flaws unless 'a clear national security or law enforcement need' exists. Since that can be construed to apply to virtually any situation, we're left with the same dilemma as before: do we take them at their word or not? The use of such an exploit is certainly not without precedent: 'The NSA made use of four "zero day" vulnerabilities in its attack on Iran's nuclear enrichment sites. That operation, code-named "Olympic Games," managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.' A senior White House official is quoted saying, 'I can't imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.'"
Side note: CloudFlare has named several winners in its challenge to prove it was possible to steal private keys using the Heartbleed exploit.
..."avoid a shooting war", "national security or law enforcement need"....
Why does it always come down to those things?
Because that's their job?
Seriously, upgrading the server or refactoring the software? Why does IT always have such drama, can't they just scale up and down like Sales?
The problem with saying "unless 'a clear national security or law enforcement need' exists" is that it actually compromises national security. What is more important: that you can easily hack in and steal data from the KGB, or some mafia site; or that every last American citizen can be hacked by the KGB, or mafia? Keeping a bug like Heartbleed a secret is something only an idiot or black hat would do. If the NSA knew of Heartbleed early, and kept it a secret, they are arrogant idiots. They either wanted criminals to have free rein to steal anything they wanted, or they believed that criminals are too stupid to have found this bug.
Signal interception is only half of the NSA's charter; the other half is "Information assurance", which means keeping The Bad Guys (tm) from doing the same to us.
The NSA has been too focused on the interception part of their job, to the point where they are allowing - or purposefully weakening - US security with weak or backdoored encryption methods. Too many government agencies rely on the Internet for them to have turned a blind eye to things like the OpenSSL vulnerability; the NSA has failed at one of the most important parts of its job.
While I would be loath to forbid an intelligence agency from using such a vulnerability against legitimate targets, at the same time I would be quite upset if they didn't make sure that they were doing what was necessary to keep its charges (us!) safe from being similarly penetrated, especially if that task was specifically part of their remit.
The NSA's charter as promulgated by President Truman is COMINT. That means 1) spying on foreign governments, and 2) ensuring the integrity of US government communications. They've failed #1 by spying on Americans. They've failed #2 by passively allowing thousands of known software bugs to go unpatched, thereby leaving the US government's sprawling COTS network infrastructure vulnerable.
You don't need lofty nonsense to damn the NSA. They've failed the basic tasks they've actually been given.
Also, because the NSA is so fond of scaring Congressmen with the specter of "cyberwar", they've implicitly taken it upon themselves to defend private industries, including critical power, water, and banking infrastructure. Again, leaving thousands of unpatched bugs to be exploited by criminals and foreign governments (because the NSA aren't the only people spending millions on finding these bugs) is another dereliction of duty.