Obama Says He May Or May Not Let the NSA Exploit the Next Heartbleed

← Back to Stories (view on slashdot.org)

Obama Says He May Or May Not Let the NSA Exploit the Next Heartbleed

Posted by Soulskill on Sunday April 13, 2014 @12:25AM from the thanks-for-providing-zero-clarity dept.

An anonymous reader writes "The White House has joined the public debate about Heartbleed. The administration denied any prior knowledge of Heartbleed, and said the NSA should reveal such flaws once discovered. Unfortunately, this statement was hedged. The NSA should reveal these flaws unless 'a clear national security or law enforcement need' exists. Since that can be construed to apply to virtually any situation, we're left with the same dilemma as before: do we take them at their word or not? The use of such an exploit is certainly not without precedent: 'The NSA made use of four "zero day" vulnerabilities in its attack on Iran's nuclear enrichment sites. That operation, code-named "Olympic Games," managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.' A senior White House official is quoted saying, 'I can't imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.'" Side note: CloudFlare has named several winners in its challenge to prove it was possible to steal private keys using the Heartbleed exploit.

17 of 134 comments (clear)

Min score:

Reason:

Sort:

Well, yeah by LordLucless · 2014-04-13 00:31 · Score: 5, Insightful

Spy agency's job is to spy. It'd be remiss of them not to use such a security hole.
The question is, would he allow the NSA to exploit a similar vulnerability against Americans. And I think we already know the answer to that one too.

--
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
1. Re:Well, yeah by Joce640k · 2014-04-13 00:43 · Score: 3, Insightful
  
  ..."avoid a shooting war", "national security or law enforcement need"....
  Why does it always come down to those things?
  Does the USA actually have any enemies like that or is it just the (government created) national paranoia?
  
  --
  No sig today...
2. Re:Well, yeah by JoeMerchant · 2014-04-13 00:59 · Score: 4, Interesting
  
  ..."avoid a shooting war", "national security or law enforcement need"....
  Why does it always come down to those things?
  Because that's their job?
  Seriously, upgrading the server or refactoring the software? Why does IT always have such drama, can't they just scale up and down like Sales?
3. Re:Well, yeah by Charliemopps · 2014-04-13 01:01 · Score: 5, Insightful
  
  No, the NSAs (as well as all government agencies) job is to defend the constitution and protect the citizens of the United States of America. The NSA has abandon the former goal in favor of the latter. They are not mutually exclusive. This country was founded on the principle that we as a people value freedom and liberty over life itself. The NSA, and apparently the president have forgotten this.
4. Re:Well, yeah by Somebody+Is+Using+My · 2014-04-13 01:53 · Score: 4, Interesting
  
  Signal interception is only half of the NSA's charter; the other half is "Information assurance", which means keeping The Bad Guys (tm) from doing the same to us.
  The NSA has been too focused on the interception part of their job, to the point where they are allowing - or purposefully weakening - US security with weak or backdoored encryption methods. Too many government agencies rely on the Internet for them to have turned a blind eye to things like the OpenSSL vulnerability; the NSA has failed at one of the most important part of its jobs.
  While I would be loathe to forbid an intelligence agency from using such a vulnerability against legitmate targets, at the same time I would be quite upset if they didn't make sure that they weren't doing what was necessary to keep its charges (us!) safe from being similarly penetrated, especially if that task was specifically part of their remit.
5. Re:Well, yeah by Savage-Rabbit · 2014-04-13 01:57 · Score: 4, Insightful
  
  Spy agency's job is to spy. It'd be remiss of them not to use such a security hole.
  The question is, would he allow the NSA to exploit a similar vulnerability against Americans. And I think we already know the answer to that one too.
  No, the role of the NSA is not just to gather SIGINT, the NSA iis also tasked with preventing unfriendly entities from gathering SIGINT which is why the NSA initiated and open sourced SE Linux just to cite one example. So the question here is should the NSA put every single American SSL using business at risk for years on end to protect a single source of SIGINT? After all, foreign intelligence services may not have to budget of the NSA but they are not stupid either, they can discover bugs like Heartbleed just as easily as the NSA can and might well use it sufficiently stealthily for the NSA not to notice that they aren't the only ones sitting on this vulnerability. When do the costs of spying outweigh the benefits?
  
  --
  Only to idiots, are orders laws.
  -- Henning von Tresckow
6. Re:Well, yeah by rnturn · 2014-04-13 04:32 · Score: 3, Informative
  
  The NSA's job is not to spy on Americans regardless of whether they have a warrant or not. Spying on Americans is the FBI's job.
  
  --
  CUR ALLOC 20195.....5804M
7. Re:Well, yeah by ganjadude · 2014-04-13 06:45 · Score: 3, Insightful
  
  Based on the FBI list lets take a look at who they consider terrorists shall we?
  
  People who are concerned about privacy, and shield the screen from view.
  Are seen using multiple cell phones, or sim swapping
  use of anonymizers or other IP blockers
  encryption users
  Asking about voice and data encryption
  http://www.networkworld.com/community/blog/25-more-ridiculous-fbi-lists-you-might-be-terrorist-if
  
  Tea party? terrorist
  occupy group? terrorist
  believe in the constitution? terrorist
  
  and not terrorists, but the FBI considers fans of a band to be gang members. It would be like calling dead heads a gang. The band in question is the insane clown posse
  http://www.cnn.com/2014/01/08/showbiz/juggalo-gang-lawsuit/
  
  Long story short, anyone on slashdot is a terrorist in the eyes of the FBI
  
  --
  have you seen my sig? there are many others like it but none that are the same
Sounds like by rmdingler · 2014-04-13 00:33 · Score: 5, Insightful

He is pretty much admitting the next vulnerability will be exploited until no further military or law enforcement benefit exists.
There are almost certainly ongoing exploits of vulnerable systems.
People will very often tell you their intentions if you listen closely enough.

--
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
There's no information here. by slapjerkt · 2014-04-13 00:43 · Score: 5, Insightful

The information content of a sentence whose structure is, "I may x or I may not x" is 0.

--
[Signature omitted due to copyright restrictions.]
1. Re:There's no information here. by Iconoc · 2014-04-13 00:57 · Score: 4, Funny
  
  He also forgot to say "let me make one thing perfectly clear."
The President doesn't micro-manage this stuff by localroger · 2014-04-13 00:47 · Score: 4, Insightful

Really, anybody who thinks anybody cabinet level or higher even knows about this kind of logistical detail is an idiot. This isn't at all like the torture thing which is a basic human rights violation; nobody is questioning the NSA's right to spy on certain people, and this has nothing to do with any accusation that they're spying on people they shouldn't be spying on. This is about technological implementation, and it's part of NSA's purview as a spy agency to explore technologies that further their ability to do their job. Part of that is discovering weaknesses in cryptographic systems which are trusted by the people you want to spy on. Having discovered such a useful weakness they aren't obliged to report it, although they are obliged not to use it (or any of their other techniques) against our own citizens.

--
Brackets contain world's first nanosig, highly magnified:[.]
1. Re:The President doesn't micro-manage this stuff by PeeAitchPee · 2014-04-13 02:25 · Score: 4, Insightful
  
  Yet, the NSA is part of the Executive Branch and, as its head, the buck stops with him. James Clapper LIED to a Senate panel -- right to Ron Wyden's face -- and nothing has happened. The Snowden leaks are almost 11 months old now, and Obama obviously knew of a lot of those activities before then. He has chosen to DO NOTHING, or worse, in the case of mass surveillance, kick the ball to *Congress* (yes, the same Congress he's constantly bitched during his two terms about being dysfunctional and blocking his every move), which is completely unnecessary as NSA is part of the Executive Branch. Let's suppose that, as you contend, Obama is sooooo high up that he was in fact completely ignorant of any of the technical details of these activities, or even the existence of some of these programs. If he cared even the tiniest bit about our rights and upholding the Constitution -- especially in the wake of disclosures about leaving all US Citizens completely vulnerable to exploits such as HeartBleed -- he'd at least hit the Pause button on these programs via Executive Order so they could be properly investigated. He hasn't done *anything* close to that -- nothing. Just a bunch of bullshit lip service. This indicates he approves of all of these programs, and is attempting to wait until the noise dies down so they can be continued and expanded. Giving Obama a pass on anything NSA-related is weak and people that do it look like apologists from where a lot of us sit.
If you trust the word of the NSA by kruach+aum · 2014-04-13 00:53 · Score: 5, Insightful

you're a moron. Don't trust liars who have been proven to lie and then continue lying. In fact you probably shouldn't trust liars in general.
Should always be reported by medv4380 · 2014-04-13 01:15 · Score: 3, Interesting

The problem with saying "unless 'a clear national security or law enforcement need' exists" is that it actually compromises national security. What is more important. That you can easily hack in and skill data from the KGB, or some mafia site; or that every last American Citizen can be hacked by the KGB, or mafia? Keeping a bug like heartbleed a secret is something only an idiot or black hat would do. If the NSA knew of heartbleed early, and kept it a secret they are arrogant idiots. They ether wanted criminals to have free rain to steal anything they wanted, or they believed that criminals are too stupid to have found this bug.
Obama could issue an Executive Order by PeeAitchPee · 2014-04-13 01:36 · Score: 5, Insightful

The NSA is part of the Executive Branch. Obama could immediately, at the very least, put a temporary halt on all of these types of activities and conduct a review gauging the potential impact on ordinary US citizens as collateral damage. He has done no such thing -- not with mass surveillance, not with HeartBleed, not with any of the other nasty shit disclosed in the Snowden leaks. Don't DARE give him a pass on anything NSA-related -- he doesn't need Congress in this case and can personally shut it all down at any time.
Re:Not it actually isn't... by Enigma2175 · 2014-04-13 04:10 · Score: 5, Insightful

The job of any government agency to defend the constitution. It's the job of the judicial branch. Furthermore, you actually expect a spy agency to protect the constitution? That's not even close to their job.
The naivete some have on this issue is rather surprising given the demographics of the site.
Employees at the NSA take an oath to defend the constitution. From the NSA's website:
NSA/CSS employees are Americans first, last, and always. We treasure the U.S. Constitution and the rights it secures for all the people. Each employee takes a solemn oath to support and defend the Constitution of the United States against all enemies, foreign and domestic.
It's not naivete, it's just expecting them to do what they SWORE TO DO.

--
Enigma