Slashdot Mirror


Obama Says He May Or May Not Let the NSA Exploit the Next Heartbleed

An anonymous reader writes "The White House has joined the public debate about Heartbleed. The administration denied any prior knowledge of Heartbleed, and said the NSA should reveal such flaws once discovered. Unfortunately, this statement was hedged. The NSA should reveal these flaws unless 'a clear national security or law enforcement need' exists. Since that can be construed to apply to virtually any situation, we're left with the same dilemma as before: do we take them at their word or not? The use of such an exploit is certainly not without precedent: 'The NSA made use of four "zero day" vulnerabilities in its attack on Iran's nuclear enrichment sites. That operation, code-named "Olympic Games," managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.' A senior White House official is quoted saying, 'I can't imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.'" Side note: CloudFlare has named several winners in its challenge to prove it was possible to steal private keys using the Heartbleed exploit.

31 of 134 comments

  1. Well, yeah by LordLucless · · Score: 5, Insightful

    Spy agency's job is to spy. It'd be remiss of them not to use such a security hole.

    The question is, would he allow the NSA to exploit a similar vulnerability against Americans. And I think we already know the answer to that one too.

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    1. Re:Well, yeah by Joce640k · · Score: 3, Insightful

      ..."avoid a shooting war", "national security or law enforcement need"....

      Why does it always come down to those things?

      Does the USA actually have any enemies like that or is it just the (government created) national paranoia?

      --
      No sig today...
    2. Re:Well, yeah by Anonymous Coward · · Score: 2, Insightful

      Spy agency's job is to spy.

      And murderers murder. Stating their job doesn't make it any more moral. A spy's spying can be immoral, and that's exactly what the pieces of trash in the NSA have been doing.

    3. Re:Well, yeah by JoeMerchant · · Score: 4, Interesting

      ..."avoid a shooting war", "national security or law enforcement need"....

      Why does it always come down to those things?

      Because that's their job?

      Seriously, upgrading the server or refactoring the software? Why does IT always have such drama, can't they just scale up and down like Sales?

    4. Re:Well, yeah by Charliemopps · · Score: 5, Insightful

      No, the NSA's (as well as all government agencies') job is to defend the constitution and protect the citizens of the United States of America. The NSA has abandoned the former goal in favor of the latter. They are not mutually exclusive. This country was founded on the principle that we as a people value freedom and liberty over life itself. The NSA, and apparently the president, have forgotten this.

    5. Re:Well, yeah by ganjadude · · Score: 2

      Exactly. He answered the wrong question. The correct question should have been "Will you allow the use of these tools against Americans without disclosure?" I don't mind if they are spying on others, as that is their job, but it is not their job to spy on us in America. (We can argue the merits of spying on other countries another day.)

      --
      have you seen my sig? there are many others like it but none that are the same
    6. Re:Well, yeah by Somebody+Is+Using+My · · Score: 4, Interesting

      Signal interception is only half of the NSA's charter; the other half is "Information assurance", which means keeping The Bad Guys (tm) from doing the same to us.

      The NSA has been too focused on the interception part of their job, to the point where they are allowing - or purposefully weakening - US security with weak or backdoored encryption methods. Too many government agencies rely on the Internet for them to have turned a blind eye to things like the OpenSSL vulnerability; the NSA has failed at one of the most important parts of its job.

      While I would be loath to forbid an intelligence agency from using such a vulnerability against legitimate targets, at the same time I would be quite upset if they didn't make sure that they weren't doing what was necessary to keep its charges (us!) safe from being similarly penetrated, especially if that task was specifically part of their remit.

    7. Re:Well, yeah by Savage-Rabbit · · Score: 4, Insightful

      Spy agency's job is to spy. It'd be remiss of them not to use such a security hole.

      The question is, would he allow the NSA to exploit a similar vulnerability against Americans. And I think we already know the answer to that one too.

      No, the role of the NSA is not just to gather SIGINT; the NSA is also tasked with preventing unfriendly entities from gathering SIGINT, which is why the NSA initiated and open sourced SE Linux, just to cite one example. So the question here is: should the NSA put every single American SSL-using business at risk for years on end to protect a single source of SIGINT? After all, foreign intelligence services may not have the budget of the NSA, but they are not stupid either; they can discover bugs like Heartbleed just as easily as the NSA can and might well use it sufficiently stealthily for the NSA not to notice that they aren't the only ones sitting on this vulnerability. When do the costs of spying outweigh the benefits?

      --
      Only to idiots, are orders laws.
      -- Henning von Tresckow
    8. Re:Well, yeah by Anonymous Coward · · Score: 2, Interesting

      The NSA's charter as promulgated by President Truman is COMINT. That means 1) spying on foreign governments, and 2) ensuring the integrity of US government communications. They've failed #1 by spying on Americans. They've failed #2 by passively allowing thousands of known software bugs to go unpatched, thereby leaving the US government's sprawling COTS network infrastructure vulnerable.

      You don't need lofty nonsense to damn the NSA. They've failed the basic tasks they've actually been given.

      Also, because the NSA is so fond of scaring Congressmen with the specter of "cyberwar", they've implicitly taken it upon themselves to defend private industries, including critical power, water, and banking infrastructure. Again, leaving thousands of unpatched bugs to be exploited by criminals and foreign governments (because the NSA isn't the only people spending millions on finding these bugs) is another dereliction of duty.

    9. Re:Well, yeah by Anonymous Coward · · Score: 2, Insightful

      The problem here is that you can't do one without doing the other, unless you want to go back to the days where SSL required a special "US" browser and a proprietary web server. Nowadays, information assurance directly harms signal interception because "the bad guys" are running the exact same software as "the good guys". If the NSA finds a vulnerability in OpenSSL, they can't fix it for US companies while using it against the bad guys at the same time. The bad guys will just patch their software, they aren't dumb.

      Given this impasse, the NSA chose the path that gives them the most funding - escalating hacking operations and signal interception to find as many scary things as possible. There's a lot more money in making the world dangerous for non-Americans as opposed to making the US safe.

    10. Re:Well, yeah by rnturn · · Score: 3, Informative

      The NSA's job is not to spy on Americans regardless of whether they have a warrant or not. Spying on Americans is the FBI's job.

      --
      CUR ALLOC 20195.....5804M
    11. Re:Well, yeah by davester666 · · Score: 2

      Yes, once this whole 'spying' thing gets outlawed, the FBI will simply open an investigation into everybody's involvement with terrorism. And no, there is no way to prove you are NOT a terrorist, so at best it will always be an open investigation.

      --
      Sleep your way to a whiter smile...date a dentist!
    12. Re:Well, yeah by ganjadude · · Score: 3, Insightful

      Based on the FBI list, let's take a look at who they consider terrorists, shall we?

      People who are concerned about privacy, and shield the screen from view.
      Are seen using multiple cell phones, or sim swapping
      use of anonymizers or other IP blockers
      encryption users
      Asking about voice and data encryption
      http://www.networkworld.com/community/blog/25-more-ridiculous-fbi-lists-you-might-be-terrorist-if

      Tea party? terrorist
      occupy group? terrorist
      believe in the constitution? terrorist

      And not terrorists, but the FBI considers fans of a band to be gang members. It would be like calling Deadheads a gang. The band in question is the Insane Clown Posse.
      http://www.cnn.com/2014/01/08/showbiz/juggalo-gang-lawsuit/

      Long story short, anyone on Slashdot is a terrorist in the eyes of the FBI.

      --
      have you seen my sig? there are many others like it but none that are the same
    13. Re:Well, yeah by Sciath · · Score: 2

      You forgot ... anyone who disagrees with the intelligence agencies including... liberals.

      --
      "Those who can make you believe absurdities can make you commit atrocities." - Voltaire
  2. Sounds like by rmdingler · · Score: 5, Insightful
    He is pretty much admitting the next vulnerability will be exploited until no further military or law enforcement benefit exists.

    There are almost certainly ongoing exploits of vulnerable systems.

    People will very often tell you their intentions if you listen closely enough.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  3. There's no information here. by slapjerkt · · Score: 5, Insightful

    The information content of a sentence whose structure is, "I may x or I may not x" is 0.

    --
    [Signature omitted due to copyright restrictions.]
    1. Re:There's no information here. by Iconoc · · Score: 4, Funny

      He also forgot to say "let me make one thing perfectly clear."

    2. Re:There's no information here. by QuantumPion · · Score: 2

      On the contrary, there is a lot of information there. When a government official says "I may or may not respect the constitution," that means he has already decided that he will do whatever he wants regardless of constitutional authority and obeys the law only when it is convenient to do so.

  4. The President doesn't micro-manage this stuff by localroger · · Score: 4, Insightful

    Really, anybody who thinks anybody at cabinet level or higher even knows about this kind of logistical detail is an idiot. This isn't at all like the torture thing, which is a basic human rights violation; nobody is questioning the NSA's right to spy on certain people, and this has nothing to do with any accusation that they're spying on people they shouldn't be spying on. This is about technological implementation, and it's part of the NSA's purview as a spy agency to explore technologies that further their ability to do their job. Part of that is discovering weaknesses in cryptographic systems which are trusted by the people you want to spy on. Having discovered such a useful weakness, they aren't obliged to report it, although they are obliged not to use it (or any of their other techniques) against our own citizens.

    --
    Brackets contain world's first nanosig, highly magnified:[.]
    1. Re:The President doesn't micro-manage this stuff by PeeAitchPee · · Score: 4, Insightful

      Yet, the NSA is part of the Executive Branch and, as its head, the buck stops with him. James Clapper LIED to a Senate panel -- right to Ron Wyden's face -- and nothing has happened. The Snowden leaks are almost 11 months old now, and Obama obviously knew of a lot of those activities before then. He has chosen to DO NOTHING, or worse, in the case of mass surveillance, kick the ball to *Congress* (yes, the same Congress he's constantly bitched during his two terms about being dysfunctional and blocking his every move), which is completely unnecessary as NSA is part of the Executive Branch. Let's suppose that, as you contend, Obama is sooooo high up that he was in fact completely ignorant of any of the technical details of these activities, or even the existence of some of these programs. If he cared even the tiniest bit about our rights and upholding the Constitution -- especially in the wake of disclosures about leaving all US Citizens completely vulnerable to exploits such as HeartBleed -- he'd at least hit the Pause button on these programs via Executive Order so they could be properly investigated. He hasn't done *anything* close to that -- nothing. Just a bunch of bullshit lip service. This indicates he approves of all of these programs, and is attempting to wait until the noise dies down so they can be continued and expanded. Giving Obama a pass on anything NSA-related is weak and people that do it look like apologists from where a lot of us sit.

  5. If you trust the word of the NSA by kruach+aum · · Score: 5, Insightful

    you're a moron. Don't trust liars who have been proven to lie and then continue lying. In fact you probably shouldn't trust liars in general.

  6. Should always be reported by medv4380 · · Score: 3, Interesting

    The problem with saying "unless 'a clear national security or law enforcement need' exists" is that it actually compromises national security. What is more important: that you can easily hack in and steal data from the KGB or some mafia site, or that every last American citizen can be hacked by the KGB or mafia? Keeping a bug like Heartbleed a secret is something only an idiot or black hat would do. If the NSA knew of Heartbleed early and kept it a secret, they are arrogant idiots. They either wanted criminals to have free rein to steal anything they wanted, or they believed that criminals are too stupid to have found this bug.

  7. Obama could issue an Executive Order by PeeAitchPee · · Score: 5, Insightful

    The NSA is part of the Executive Branch. Obama could immediately, at the very least, put a temporary halt on all of these types of activities and conduct a review gauging the potential impact on ordinary US citizens as collateral damage. He has done no such thing -- not with mass surveillance, not with HeartBleed, not with any of the other nasty shit disclosed in the Snowden leaks. Don't DARE give him a pass on anything NSA-related -- he doesn't need Congress in this case and can personally shut it all down at any time.

  8. Re:Well, yeah, debian squeeze wins again. by Kremmy · · Score: 2

    The problem with our world is that a high level of competency is actually required for an awful lot of things, and nobody wants to be competent anymore.

  9. Re:Well, yeah, debian squeeze wins again. by AchilleTalon · · Score: 2

    Not completely true. Many want to be competent; however, nobody wants to pay what this competency is worth. You have to invest a lot of time to become competent, and at the end it must pay, otherwise you are better off doing something else. There are a lot of well-paid jobs which don't require the effort you need to put into something to become competent.

    --
    Achille Talon
    Hop!
  10. Re:Not it actually isn't... by lonOtter · · Score: 2

    There is no naivete. I expect nothing but thuggery from the government, so it isn't a surprise when we see the NSA being evil pieces of trash. It is, however, something that must be stopped.

    --
    [End Of Line]
  11. Re:Not it actually isn't... by Enigma2175 · · Score: 5, Insightful

    The job of any government agency to defend the constitution. It's the job of the judicial branch. Furthermore, you actually expect a spy agency to protect the constitution? That's not even close to their job.

    The naivete some have on this issue is rather surprising given the demographics of the site.

    Employees at the NSA take an oath to defend the constitution. From the NSA's website:

    NSA/CSS employees are Americans first, last, and always. We treasure the U.S. Constitution and the rights it secures for all the people. Each employee takes a solemn oath to support and defend the Constitution of the United States against all enemies, foreign and domestic.

    It's not naivete, it's just expecting them to do what they SWORE TO DO.

    --

    Enigma

  12. If the NSA were actually about National Security.. by jtara · · Score: 2

    If the "primary directive" of the NSA were actually National Security (rather than spying) what they should do would be obvious.

    In the interest of national security, should the NSA discover such an exploit, they should quietly work with public and private organizations to get as much of the infrastructure fixed before the exploit becomes generally known.

    Instead, though, what we have is that the NSA has likely had free access. Along with the rest of the world's spy agencies. And hackers and crime networks. That doesn't foster national security, IMO.

  13. Let's keep it simple by Trashcan+Romeo · · Score: 2

    The US government has the ability to spy on every electronic communication you make, it has been exploiting that ability to the fullest for many years now, and it will continue to do so forevermore. It will do so for the sole purpose of increasing its own power. If put to the inconvenience, it will lie to your face about it. This state of affairs will prevail regardless of which branch of the Money Party is in power. And there isn't thing one you can do about it.

  14. No Rules, Just Right by Dutchmaan · · Score: 2

    Rules with broad, sweeping, generalized caveats basically mean no rules. It means WE (as in the people who made the rules) are going to decide in a subjective way whether we broke the rules or not... and anyone who even knows the most basic aspects of human nature knows that we as people in general don't like incriminating ourselves, and a government is just a group of people.

    So this is basically just lip service from the government, to calm public anger while at the same time giving us the finger.

  15. Were NSA servers vulnerable? by abies · · Score: 2

    Might be a bit hard to check after the fact, but if their servers were leaking data on an unpatched version of Heartbleed, it would suggest innocence. If their servers (important ones) were somehow immune to this attack before it went public... they knew something.