Obama Says He May Or May Not Let the NSA Exploit the Next Heartbleed

An anonymous reader writes "The White House has joined the public debate about Heartbleed. The administration denied any prior knowledge of Heartbleed, and said the NSA should reveal such flaws once discovered. Unfortunately, this statement was hedged. The NSA should reveal these flaws unless 'a clear national security or law enforcement need' exists. Since that can be construed to apply to virtually any situation, we're left with the same dilemma as before: do we take them at their word or not? The use of such an exploit is certainly not without precedent: 'The NSA made use of four "zero day" vulnerabilities in its attack on Iran's nuclear enrichment sites. That operation, code-named "Olympic Games," managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.' A senior White House official is quoted saying, 'I can't imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.'" Side note: CloudFlare has named several winners in its challenge to prove it was possible to steal private keys using the Heartbleed exploit.

Well, yeah

[LordLucless]

Spy agency's job is to spy. It'd be remiss of them not to use such a security hole.

The question is, would he allow the NSA to exploit a similar vulnerability against Americans. And I think we already know the answer to that one too.

Re:Well, yeah

[Joce640k]

..."avoid a shooting war", "national security or law enforcement need"....

Why does it always come down to those things?

Does the USA actually have any enemies like that or is it just the (government created) national paranoia?

Re:Well, yeah

Spy agency's job is to spy.

And murderer's murder. Stating their job doesn't make it anymore moral. A spy's spying can be immoral, and that's exactly what the pieces of trash in the NSA have been doing.

Re:Well, yeah

[JoeMerchant]

..."avoid a shooting war", "national security or law enforcement need"....

Why does it always come down to those things?

Because that's their job?

Seriously, upgrading the server or refactoring the software? Why does IT always have such drama, can't they just scale up and down like Sales?

Re:Well, yeah

[Charliemopps]

No, the NSAs (as well as all government agencies) job is to defend the constitution and protect the citizens of the United States of America. The NSA has abandon the former goal in favor of the latter. They are not mutually exclusive. This country was founded on the principle that we as a people value freedom and liberty over life itself. The NSA, and apparently the president have forgotten this.

Re:Well, yeah

[rmdingler]

..."avoid a shooting war", "national security or law enforcement need"....

Why does it always come down to those things?

Does the USA actually have any enemies like that or is it just the (government created) national paranoia?

It makes for a better sound bite than We hate to put your bank account's password at risk, but it's for some plausibly useful future reason that we do so.

Re:Well, yeah

They're also in charge of defending USA networks against intrusion from foreign powers. Leaving security holes in software used by US citizens, that others, like the FSB, can exploit run counter to that part of their job.

Re:Well, yeah

[ganjadude]

exactly, He answered the wrong question, The correct question should have been
" will you allow the use of these tools against americans without disclosure" I dont mind if they are spying on others as that is their job, but it is not their job to spy on us in america. (we can argue the merits of spying on other countries another day)

Re:Well, yeah

[Somebody+Is+Using+My]

Signal interception is only half of the NSA's charter; the other half is "Information assurance", which means keeping The Bad Guys (tm) from doing the same to us.

The NSA has been too focused on the interception part of their job, to the point where they are allowing - or purposefully weakening - US security with weak or backdoored encryption methods. Too many government agencies rely on the Internet for them to have turned a blind eye to things like the OpenSSL vulnerability; the NSA has failed at one of the most important part of its jobs.

While I would be loathe to forbid an intelligence agency from using such a vulnerability against legitmate targets, at the same time I would be quite upset if they didn't make sure that they weren't doing what was necessary to keep its charges (us!) safe from being similarly penetrated, especially if that task was specifically part of their remit.

Re:Well, yeah

[Savage-Rabbit]

Spy agency's job is to spy. It'd be remiss of them not to use such a security hole.

The question is, would he allow the NSA to exploit a similar vulnerability against Americans. And I think we already know the answer to that one too.

No, the role of the NSA is not just to gather SIGINT, the NSA iis also tasked with preventing unfriendly entities from gathering SIGINT which is why the NSA initiated and open sourced SE Linux just to cite one example. So the question here is should the NSA put every single American SSL using business at risk for years on end to protect a single source of SIGINT? After all, foreign intelligence services may not have to budget of the NSA but they are not stupid either, they can discover bugs like Heartbleed just as easily as the NSA can and might well use it sufficiently stealthily for the NSA not to notice that they aren't the only ones sitting on this vulnerability. When do the costs of spying outweigh the benefits?

Re:Well, yeah

The NSA's charter as promulgated by President Truman is COMINT. That means 1) spying on foreign governments, and 2) ensuring the integrity of US government communications. They've failed #1 by spying on Americans. They've failed #2 by passively allowing thousands of known software bugs to go unpatched, thereby leaving the US government's sprawling COTS network infrastructure vulnerable.

You don't need lofty non-sense to damn the NSA. They're failed the basic tasks they've actually been given.

Also, because the NSA is so fond of scaring Congressmen with the specter of "cyberwar", they've implicitly taken it upon themselves to defend private industries, including critical power, water, and banking infrastructure. Again, leaving thousands of unpatched bugs to be exploited by criminals and foreign governments (because the NSA isn't the only people spending millions on finding these bugs) is another dereliction of duty.

Re:Well, yeah

The problem here is that you can't do one without doing the other, unless you want to go back to the days where SSL required a special "US" browser and a proprietary web server. Nowadays, information assurance directly harms signal interception because "the bad guys" are running the exact same software as "the good guys". If the NSA finds a vulnerability in OpenSSL, they can't fix it for US companies while using it against the bad guys at the same time. The bad guys will just patch their software, they aren't dumb.

Given this impasse, the NSA chose the path that gives them the most funding - escalating hacking operations and signal interception to find as much scary things as possible. There's a lot more money in making the world dangerous for non-Americans as opposed to making the US safe.

Re:Well, yeah

They abandoned the latter when they abandoned the former.

Re:Well, yeah

[Bartles]

No, not without disclosure. Without a warrant. That is what the constitution requires. A warrant, or privacy. There is no middle ground, don't let this government create one.

Re:Well, yeah

[rnturn]

The NSA's job is not to spy on Americans regardless of whether they have a warrant or not. Spying on Americans is the FBI's job.

Re:Well, yeah

[davester666]

yes, once this whole 'spying' thing gets outlaws, the FBI will simply open an investigation into everybody's involvement with terrorism. And no, there is no way to prove you are NOT a terrorist, so at best it will always be an open investigation..

Re:Well, yeah

[ganjadude]

Based on the FBI list lets take a look at who they consider terrorists shall we?

People who are concerned about privacy, and shield the screen from view.
Are seen using multiple cell phones, or sim swapping
use of anonymizers or other IP blockers
encryption users
Asking about voice and data encryption
http://www.networkworld.com/community/blog/25-more-ridiculous-fbi-lists-you-might-be-terrorist-if

Tea party? terrorist
occupy group? terrorist
believe in the constitution? terrorist

and not terrorists, but the FBI considers fans of a band to be gang members. It would be like calling dead heads a gang. The band in question is the insane clown posse
http://www.cnn.com/2014/01/08/showbiz/juggalo-gang-lawsuit/

Long story short, anyone on slashdot is a terrorist in the eyes of the FBI

Re:Well, yeah

[hairyfeet]

I personally think we should thank Obama as he has shown us that voting is without a doubt POINTLESS and that all you can do is grab as much as you can from "big mommy" government and wait for the inevitable collapse. The ones I feel sorry for are the ones that believed in Obama and in the voting process, the ones that held voter drives and went door to door and busted ass to get Obama elected only to find they might as well have given Bush a third term for all the good it did.

Re:Well, yeah

[K.+S.+Kyosuke]

Why does it always come down to those things?

Well, after you piss off half of the world with your covert ops, pulling strings in the background, supporting criminal organizations etc., you're pretty much committed to a path of "how to deal with people who're smiling at me if I don't know whether the thing they're holding behind their back is a knife".

Re:Well, yeah

[jonwil]

IMO the NSA should be split into 2 agencies.
One would be tasked with protecting the security of data, information, communications and networks of the United States government, its agencies and any entity deemed to be vital to national security. And this does include finding and fixing (or giving to vendors to fix) bugs in software being used by those entities it is tasked with protecting. And developing new protocols and algorithms and systems and hardware and software to protect the stuff it is tasked with protecting. And certifying software, hardware, algorithms, protocols and systems (developed in-house or externally) as being safe (or unsafe) for use in storing, manipulating, handling, transmitting or receiving the stuff it is tasked with protecting.

The other would be tasked with spying on threats to national security. Including monitoring communications, email, data, computers and software belonging to those threats. Yes that includes hacking into the computer of a bad guy who stole classified secrets or launched malware that compromised government systems.

This agency would have constraints placed on it so that it was only monitoring threats and not anyone else and so that it was not compromising global security in the course of carrying out its mission (e.g. it would be prohibited from trying to weaken the security of software/hardware/protocols/algorithms/etc in order to be able to spy on entities using those things)

Remember that when Truman created the NSA, a computer was a device that took up several rooms, there were only a handful in the entire world and only a small number of of people even knew what one was, let alone were able to use one. And the closest thing to digital communications networks were teleprinters. And the biggest threat to national security was a Soviet Tupolev Tu-95 bomber with a nuclear bomb underneath.

These days, computers are everywhere and being used for all sorts of things never imagined in the 50s. And the biggest threat to US national security is not a Russian bomber or missile but a terrorist with a suitcase bomb or hijacked airliner. Or a hacker from a foreign intelligence agency.

Re:Well, yeah

[jafac]

"spy agency's job to spy" sounds like a convenient excuse to ignore ethics. All is permissible due to expediency, and because if we don't do it, our enemies will. Guess I thought that we were better than that. If we're going to accept that we're not, then I'm wondering why exactly we came down from the trees in the first place.

Re:Well, yeah

[jafac]

So the question here is should the NSA put every single American SSL using business at risk for years on end to protect a single source of SIGINT?

The big question, for real, is; is there a backdoor in SE Linux?

If they were irresponsible enough to leave Heartbleed alone for 2 years, then how can we believe they haven't discovered (or inserted) compromises in other software?

Re:Well, yeah

[rtb61]

However the NSA's job is not criminal negligence. The NSA's http://en.wikipedia.org/wiki/N..., primary job is adherence to the constitution. When it finds a security flaw in systems which will affect it's fellow citizens it is required by law to either correct the flaw or make the public aware of that flaw so that they can correct it, it is criminally negilgent of them to find flaws and keep them secret so that they and any 'other' criminal agency both foreign and domestic may exploit them. Especially damning if they have evidence of the flaw being exploited and still fail to notify or protect it's victims. Basically the US government and all of it's agencies are now suspect and should not be involved in any security conferences, round tables et al as their contributions can no longer be trusted.

Re:Well, yeah

[CrimsonAvenger]

Why does it always come down to those things?

Well, after you piss off half of the world with your covert ops, pulling strings in the background, supporting criminal organizations etc., you're pretty much committed to a path of "how to deal with people who're smiling at me if I don't know whether the thing they're holding behind their back is a knife".

And then there was 1941, when we didn't do any of those things, and still found ourselves in a shooting war.

Personally, I'm wondering when we're going to find ourselves in Yet Another European War, what with Putin doing his Sudetenland thing with Ukraine and all....

Re:Well, yeah

I think the NSA can spy on Americans if they are deemed to be an extremist and/or a threat to national security. Here are the currently defined extremist groups and threats identified by the White House:
    Christians
    Muslims
    Conservatives
    Republicans
    White people
    People with jobs
    Any news media reporter that wants answers about Benghazi
    Any news media reporter who questions Obama's probe into IRS targetting

Re:Well, yeah

[MooseMiester]

I agree with you, and would add that Obama proved that the folks who spin the "We care about you" story are the one's that care the least about anybody except themselves.

The real problem is how did so much of society become so gullible that they are happy reciting "The Narrative", and attacking anyone who doesn't parrot it exactly the same way they do as an ignorant hayseed, clinging to guns and religion, extremist, homophobic, xenophobic, racist woman hater that is evil beyond evil and therefore there will be NO understanding, NO compromise, and NO listening just shouting at each other. Thereby causing your opponent to behave exactly the same way...

Re:Well, yeah

Personally, I'm wondering when we're going to find ourselves in Yet Another European War, what with Putin doing his Sudetenland thing with Ukraine and all....

Well, maybe we shouldn't at that point. If "half the world" is pissed off at us, maybe we should just stay here and let them deal with Putin all by their lonesomes. In fact, maybe we should just tell Putin now that we aren't going to do anything about Russia's actions at all; let him know that we are just going to stay the hell out and away, as long as he leaves the US out of it. Quit selling arms to any part of the world, keep 'em all to ourselves. Bring our troops and ships back home, patrol the fuck out of our own borders and seaways, make damn sure who is and is not getting in to and out of the US. If Putin decides that the Ukraine isn't enough and Europe and/or Asia is looking mighty tasty, they can deal with it on their own. Fuck 'em. They hate us, we'll stay the hell out of their businesses once and for all. If they all get into a bruha with Putin, so be it. We'll just stay cozy and warm here on the other side of the pond. If and when they ask for help (as in 1941 when half of Europe came crawling on their hands and knees), slam the door on their faces and say, "That bridge was burned. Too bad." Someone fucks with us like Japan did, we'll be all ready to go after them with no other distractions.

So sick and damn tired of the "Pissed off at the US and proud of it!" BS. If it wasn't for the US, Europe would be speaking a combination of German and Russian. They'd all be Comrades now. Probably wouldn't be any jews left in the world. The NSA sucks for what they are doing, and the US gov't seems to be getting out of hand, but it's our NSA and our gov't. Let us deal with it and fuck off. You're nuts if you think all other government security agencies aren't doing the exact same thing as the NSA is (or, wish they were smart enough to be able to).

Welcome to the 21st century.

Re:Well, yeah

[Sciath]

You forgot ... anyone who disagrees with the intelligence agencies including... liberals.

Re:Well, yeah

[Sciath]

Let's not forget which President started us down this path... King George II.

Re:Well, yeah

[Ceriel+Nosforit]

Your former allies question your sanity.

Sounds like

[rmdingler]

He is pretty much admitting the next vulnerability will be exploited until no further military or law enforcement benefit exists.

There are almost certainly ongoing exploits of vulnerable systems.

People will very often tell you their intentions if you listen closely enough.

Re:Sounds like

[ganjadude]

or is he admitting the next one is already in the wild, and they are already exploiting it?

only one Comment needed.

We just don't trust you and wouldn't if you said, " you'd close gitmo", "not spy on us", "or not pay for back doors." You've won the war of attrition. pre 2001 of-age people know what we've lost and you can say and do whatever you like. ehh.... it must a pre-coffee morning.

There's no information here.

[slapjerkt]

The information content of a sentence whose structure is, "I may x or I may not x" is 0.

Re:There's no information here.

[Iconoc]

He also forgot to say "let me make one thing perfectly clear."

Re:There's no information here.

[QuantumPion]

On the contrary there is a lot of information there. When a government official says "I may or may not respect the constitution" that mean he has already decided that he will do whatever he wants regardless of constitutional authority and obeys the law only when it is convenient to do so.

Re:There's no information here.

[Kasar]

Given that this administration (and the previous) called music piracy a national security issue, equating copying an MP3 file with counterfeiting, the bar for what is a threat to the nation is pretty low with these people.

Re:There's no information here.

[squiggleslash]

I don't know about that. His supporters probably go with a default assumption of "He won't", his opponents probably go with a default assumption of "He will", this is pretty much a statement making it clear both should quit it with their knee jerk assumptions.

...which ironically makes it a relatively honest statement. I guess you can be honest if you're saying nothing!

The President doesn't micro-manage this stuff

[localroger]

Really, anybody who thinks anybody cabinet level or higher even knows about this kind of logistical detail is an idiot. This isn't at all like the torture thing which is a basic human rights violation; nobody is questioning the NSA's right to spy on certain people, and this has nothing to do with any accusation that they're spying on people they shouldn't be spying on. This is about technological implementation, and it's part of NSA's purview as a spy agency to explore technologies that further their ability to do their job. Part of that is discovering weaknesses in cryptographic systems which are trusted by the people you want to spy on. Having discovered such a useful weakness they aren't obliged to report it, although they are obliged not to use it (or any of their other techniques) against our own citizens.

Re:The President doesn't micro-manage this stuff

[Dachannien]

This is about technological implementation, and it's part of NSA's purview as a spy agency to explore technologies that further their ability to do their job. Part of that is discovering weaknesses in cryptographic systems which are trusted by the people you want to spy on.

The NSA also plays a counterintelligence role, and they're falling short of that if they don't take action to notify developers of a widely used Internet infrastructure utility that their software contains a critical exploit. If they can exploit it, so can the spy agencies of any other government with the skills to do so.

Re:The President doesn't micro-manage this stuff

[PeeAitchPee]

Yet, the NSA is part of the Executive Branch and, as its head, the buck stops with him. James Clapper LIED to a Senate panel -- right to Ron Wyden's face -- and nothing has happened. The Snowden leaks are almost 11 months old now, and Obama obviously knew of a lot of those activities before then. He has chosen to DO NOTHING, or worse, in the case of mass surveillance, kick the ball to *Congress* (yes, the same Congress he's constantly bitched during his two terms about being dysfunctional and blocking his every move), which is completely unnecessary as NSA is part of the Executive Branch. Let's suppose that, as you contend, Obama is sooooo high up that he was in fact completely ignorant of any of the technical details of these activities, or even the existence of some of these programs. If he cared even the tiniest bit about our rights and upholding the Constitution -- especially in the wake of disclosures about leaving all US Citizens completely vulnerable to exploits such as HeartBleed -- he'd at least hit the Pause button on these programs via Executive Order so they could be properly investigated. He hasn't done *anything* close to that -- nothing. Just a bunch of bullshit lip service. This indicates he approves of all of these programs, and is attempting to wait until the noise dies down so they can be continued and expanded. Giving Obama a pass on anything NSA-related is weak and people that do it look like apologists from where a lot of us sit.

Re:The President doesn't micro-manage this stuff

[AchilleTalon]

Well, did NSA actually knew or not about Heartbleed? Anyone can prove NSA was aware of the bug and did nothing to protect USA from a third party's threat?

Re:The President doesn't micro-manage this stuff

[joe_frisch]

If a military organization discovers a weakness in an enemy country's defenses, it is perfectly reasonable for them to keep this weakness secret and use it in future conflicts. Cyber security is different. Since we are all using roughly the same technology, by discovering a weakness in the defenses of another country, they have discovered a weakness in OUR defenses.

At the moment the US has a strong advantage in conventional warfare, but not so much in cyber warfare. In looking at overall national defense, patching holes in everyone's cyber defenses reduces the effectiveness of cyber war (where we are not clearly dominant), and moves the focus to conventional war where we are dominant.

Re:The President doesn't micro-manage this stuff

[tragedy]

That depends heavily on what you mean by an advantage in cyber war. If you're after mutually assured destruction, then maybe patching holes in everyone's defenses doesn't help. If you don't want your own side to be completely destroyed, it's aterrible idea.

Re:The President doesn't micro-manage this stuff

[MooseMiester]

Obama had two years of a majority in both houses to overturn the civil rights horrors he howled and wailed about during the Bush years... and did not.

Instead, they have used the full power of these organizations to go after political enemies.

Sure does explain where their allegiance is. To themselves, and to greed.

If you trust the word of the NSA

[kruach+aum]

you're a moron. Don't trust liars who have been proven to lie and then continue lying. In fact you probably shouldn't trust liars in general.

Re:If you trust the word of the NSA

Since 9/11, everyone is a target of the NSA. If there is any information the NSA can collect on you, they will collect it and store it away forever on the off chance they may have to use it against you someday. Why, because they can. As far as they are concerned we all are equally likely to become future terrorists and threats to corporate interests and the government, so omnipresent mass surveillance on every human being on the planet is perfectly justifiable.

Does Obama really have anything to do with it?

[damn_registrars]

Does the NSA really ask the President's permission to exploit any given loopholes in their work? If the President had to authorize all their auctions than this would seem to be both rather damning for the president and a bit of a waste of his time.

Should always be reported

[medv4380]

The problem with saying "unless 'a clear national security or law enforcement need' exists" is that it actually compromises national security. What is more important. That you can easily hack in and skill data from the KGB, or some mafia site; or that every last American Citizen can be hacked by the KGB, or mafia? Keeping a bug like heartbleed a secret is something only an idiot or black hat would do. If the NSA knew of heartbleed early, and kept it a secret they are arrogant idiots. They ether wanted criminals to have free rain to steal anything they wanted, or they believed that criminals are too stupid to have found this bug.

Re:Should always be reported

[CrimsonAvenger]

hack in and skill data

Okay, I have to ask...

It is fairly obvious from the remainder of the post that the author is American. It looks like he/she/it was trying to say "hack in and steal data", but generally when words are mispelled, they're mispelled based on similar sounds. So what dialect has "steal" and "skill" sounding alike?

Seriously curious, since I thought that I knew most major dialects, and don't recall one that would pronounce the "ea" in "steal" like the "i" in "skill".

Re:Should always be reported

[medv4380]

Typo from a lack of coffee first thing on a Sunday Morning. With a pretty stressful weekend too.

Re:Should always be reported

[CrimsonAvenger]

okay, coffee, or lack of it, has left me pretty messed up a time or three in my life. Was hoping to find out there was yet another way of speaking in the country, but alas, it was just lack of caffeine....;-)

Old habits die hard

[Begemot]

The enemies will exploit it, so they can't afford being not competitive. Surely they will exploit everything they can and let the bullshit art masters cover up. That's how they're trained to think and old habits die hard.

Makes sense

[Pop69]

Why would you want to tell the opposition what your plans are, that would be really stupid

Obama could issue an Executive Order

[PeeAitchPee]

The NSA is part of the Executive Branch. Obama could immediately, at the very least, put a temporary halt on all of these types of activities and conduct a review gauging the potential impact on ordinary US citizens as collateral damage. He has done no such thing -- not with mass surveillance, not with HeartBleed, not with any of the other nasty shit disclosed in the Snowden leaks. Don't DARE give him a pass on anything NSA-related -- he doesn't need Congress in this case and can personally shut it all down at any time.

Re:Obama could issue an Executive Order

[grep+-v+'.*'+*]

?? Confused here ... so are you saying that you HOPE he CHANGES?

That being said, he's "at the mercy" of what his managers tell him. I'm sure news is filtered every which way but loose and that he's told "ignore the TV", as those guys only reflect some public opinion, and they don't have all of the facts anyway.

After all, we know he's proficient in technically matters, so I'm sure that him deep understanding the NSA technical functions is just obvious.

Re:Obama could issue an Executive Order

[flyingfsck]

No, Ohbumma can't do squat, due to the large file the NSA has on him.

Cool story bro

[mansie]

"We knew about this since day one, heck we ordered, executed and implement.. I mean... we may or may not exploit the next one we produ.. I mean the next one."

yeah right

[sribe]

Like he really has any control over what they do anymore...

Re:Well, yeah, debian squeeze wins again.

[Kremmy]

The problem with our world is that a high level of competency is actually required for an awful lot of things, and nobody wants to be competent anymore.

Murica! Freedom!!

[ze_jua]

You Americans are so lucky. Of course they will do this! to defend your freedom!!! :-)

Re:Well, yeah, debian squeeze wins again.

[AchilleTalon]

Not completely true. Many want to be competent, however nobody wants to pay what this competency worth. You have to invest a lot of time to become competent and at the end, it must pay otherwise you are better to do something else. There is a lot of well paid jobs which don't require the efforts you need to put on something to become competent.

misaligned goals

[amerello]

This is a clear indication that the government's and NSA's security concerns are absolutely misaligned with the interest of the population. They seem to serve imperialist ambitions. An indicator of concern for citizen's security would be to report such a vulnerability immediately and helping prevent the exploitation of the bugs by cyber criminals. That would be in the interest of national and international security.

At last a politician who speaks the truth.

[hey!]

He MIGHT let the NSA do it, OR he MIGHT NOT. That's a credible a statement as anyone could make.

Re:Well, yeah, debian squeeze wins again.

The problem with the open source model is that it requires a high level of competency at too many levels.

Yeah. Sure. I'm not sure if you know what "open source" means and instead seem to be using it as a stand-in for "things I cannot understand."

You, and many others, use open source software every day without even noticing it. Chances are the very browser you are using to spew irrational hate is open source.

and no file manager either. See? Pure genius.

Really? Linux has no file manager? That's funny, I seem to recall there being about a dozen of them...

Perhaps before calling others stupid, you should first learn what the fuck you're even talking about.

Re:Not it actually isn't...

[lonOtter]

There is no naivete. I expect nothing but thuggery from the government, so it isn't a surprise when we see the NSA being evil pieces of trash. It is, however, something that must be stopped.

pure garbage

What a useless president. Spineless, cowardly, completely incompetent. Has he ever disciplined anyone? Either that or he's degenerated into a true puppet. How can he live with himself?

What "let"?

[Chas]

Obama isn't in a position to "let" or "prohibit" SHIT (even his own).

He's a fucking douchebag, Chicago Machine politician.

He has no opinions or even feelings outside of what his little cabal of "advisors" tell him he does.

He's also in NO position to dictate to the NSA what they will or will not do with an undiscovered bug in a security device/program.

The NSA damn well WILL use it, and so long as nobody leaks it to THE PUBLIC, it's "See No Evil, Hear No Evil, Speak No Evil" from the rest of the government.

Even if Obama were to, God forbid, try something PROACTIVE, they'd still just ignore it and sacrifice yet another desk jockey stooge once caught.

Re:What "let"?

[bytesex]

They will also be held accountable, at least internally, if, when it becomes known, and subsequently there is damage to the interests of the US. So in spite of your rhetoric, it's always a gamble. And I think in this particular case, we have reason to believe the man: the damage would have been potentially too great. And there is, in this particular case, seemingly no real reason to lie.

Re:What "let"?

[Chas]

Accountable?

The US Government?

Pfft!

I'll believe that shit when I start seeing it.

I hesitate to label them crooks, because crooks couldn't get away with the shit our government does.

Not to mention that crooks are more careful with money than the US government EVER was.

So they are collaborating with the bad guys...

[gweihir]

Why? Simple: If they let this type of vulnerability exits unpatched, they are collaborating with criminals, foreign (and often hostile) intelligence services and terrorists by standing idle buy. That puts them straight in the "bad guys" class and, by any sane account, represents high treason. It is a bit like leaving the border open in order to see who brings anthrax, nuclear material or bombs over it.

In addition, they are increasing the level of uncertainty and trust for everybody, thereby aiding terrorists of all sorts that have exactly this same goal, namely destabilizing society.

It really does not get more evil than that, except actively creating vulnerabilities that everybody can find and exploit. Oh, wait, they may be doing that as well...

POLITICS will cause the next dark age

[kheldan]

For a long time now I've thought that religion will cause the next Dark Age of Man, through promoting willful ignorance, superstition, and blind "faith", instead of promoting knowledge, understanding, and the search for actual truth. Apparently I was wrong, or at least not completely correct: Politicians and politics will bring about the next Dark Age, by driving people away from the Internet through mass surveillance, and runaway corporate interests destroying Net Neutrality. Once the Internet is no longer a viable source of sharing information for the common citizen, it won't be much farther to go to drive people, en masse, back into the welcoming arms of organized religion and it's rejection of critical thought.

I'm embarassed to have voted for this party-line politician we elected as President, but frankly the other choice would have been at least as bad. Why don't you just declare the Constitution invalid and the U.S. officially a Police State already and get it over with?

Re:POLITICS will cause the next dark age

[ewieling]

Nobody will "boycott the internet". I tried living without a personal e-mail address for a couple of months, it was much more difficult than expected. I continue to use the internet, but far less than before. Seldom purchase anything online anymore, seldom use debit/credit cards anymore. I've reduced my personal web usage to only a few web sites (slashdot being one of them), Cell phone usage drastically reduced. You know what would stop the NSA? If everyone stopped buying stuff online, stop using credit / debit cards, reduce or eliminate cell phone use, etc then business will start to realize the NSA is causing them to lose money and might try to do something about it. That will never happen. I can't stop NSA spying but I can reduce my online footprint. Paying with cash is one of the best counter surveillance methods available.

Re:Not it actually isn't...

[Enigma2175]

The job of any government agency to defend the constitution. It's the job of the judicial branch. Furthermore, you actually expect a spy agency to protect the constitution? That's not even close to their job.

The naivete some have on this issue is rather surprising given the demographics of the site.

Employees at the NSA take an oath to defend the constitution. From the NSA's website:

NSA/CSS employees are Americans first, last, and always. We treasure the U.S. Constitution and the rights it secures for all the people. Each employee takes a solemn oath to support and defend the Constitution of the United States against all enemies, foreign and domestic.

It's not naivete, it's just expecting them to do what they SWORE TO DO.

If the NSA were actually about National Security..

[jtara]

If the "primary directive" of the NSA were actually National Security (rather than spying) what they should do would be obvious.

In the interest of national security, should the NSA discover such an exploit, they should quietly work with public and private organizations to get as much of the infrastructure fixed before the exploit becomes generally known.

Instead, though, what we have is that the NSA has likely had free access. Along with the rest of the world's spy agencies. And hackers and crime networks. That doesn't foster national security, IMO.

national security

[drolli]

The national security interest would be to patch the hole, not to leave it open. This hole was to easy to exploit, and supposedly enabled identity theft on a massive scale, even to vastly infereior intelligence services.

The comparison with the centrifuges in Iran is misleading. for that combination of attacks it is very hard even to find suitable experts to generate the code.

Let's keep it simple

[Trashcan+Romeo]

The US government has the ability to spy on every electronic communication you make, it has been exploiting that ability to the fullest for many years now, and it will continue to do so forevermore. It will do so for the sole purpose of increasing its own power. If put to the inconvenience, it will lie to your face about it. This state of affairs will prevail regardless of which branch of the Money Party is in power. And there isn't thing one you can do about it.

Re:Let's keep it simple

[Dutchmaan]

And there isn't thing one you can do about it.

That's the only thing I disagree with... so I fixed it..

"And there isn't thing one you WILL do about it."

Re:Gotta wonder

[Ron+Goodman]

I doubt they have anything on him. He's just frightened of something happening and his political opponents claiming that he "weakened" us somehow, which they would in a heartbeat.

This has nothing to do with Snowden etc.

[localroger]

I'm fully with the "buck stops here" theory of governance. The problem is that this isn't even a buck. How, exactly, do you think that the information that an exploit like Heartbleed exists migrates in a compartmentalized agency like the NSA from the group that identifies it to use in spying to the group that perhaps looks to protect us from foreign spies? How does it migrate to top administration? The answer is that it doesn't. It can't. Maybe it should, but as the NSA (and probably any practially workable version of it) exists there simply is no channel for that information to move from those who are using it to others who might have a need, on wholly different merits, to know it.

It is very unlikely that the guys who discovered Heartbleed as a SIGINT opportunity had any channels at all to warn other arms of the agency that it might be a vulnerability on our side; consider how such channels could and would be misused in so many other situations. The spooks would never implement such a thing. From the SIGINT side Heartbleed is a low-level technical detail, hardly worth the attention of a Civil Service level adminstrator except for the ops that it makes possible.

No Rules, Just Right

[Dutchmaan]

Rules with broad sweeping generalized caveats basically means, no rules. It means WE (as in the people who made the rules) are going to decide on in a subjective way whether we broke the rules or not... and anyone who even knows the most basic aspects of human nature, knows that we as people in general don't like incriminating ourselves, and a government is just a group of people.

So this is basically just lip service from the government, to calm public anger while at the same time giving us the finger.

Were NSA servers vulnerable?

[abies]

Might be bit hard to check after the fact, but if their servers were leaking data on unpatched version of heartbleed it would suggest innocence. If their servers (important ones) were somehow immune to this attack before it went public... they knew something.

Decision

[brunnegd]

The only decision 0bama can make is on his next vacation site.

Re:Not it actually isn't...

[Sciath]

What amazes me is the (shall I say) ignorance on the part of citizens who can confuse "duties" or job responsibilities with "purpose". Regardless of what anyone has been told by a government agency or even the media, their duty is ultimately to defend the U.S. Constitution. I used to work for a government agency. Had to pledge to defend the Constitution. There were many times in the course of my job when orders to me or department policies (I felt) conflicted with the Constitution ands I refused to act on those orders. Push come to shove in every instance I was upheld in my convictions. The problem in every instance was the fact that some overzealous ignoramus above me failed to appreciate the difference between duty and the law. And that's exactly the disease that is rotting our government from the inside out. People who don't have the intelligence or guts to stand up for what's right (or lawful).

Re:Not it actually isn't...

[Triklyn]

that domestic part is where it gets kinda muddy methinks.