Yes, our National Security Agency doesn’t give a damn about your security online. They knew about the infamous Heartbleed bug that exposed users’ passwords and other sensitive information to hackers at websites around the world, and used it to mine your data, and probably mine too, rather than shut down the threat to our private information.
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said. […]
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”
Way to go NSA! Thanks for all your hard work protecting America! NOT. Can we all agree now that the Watchmen need to be disbanded? Or at least get knocked down about 1000 pegs? And how about firing whoever authorized this bulls***? I am just effing flabbergasted. I know I shouldn’t be after all the disclosures that have come to light, but damn, really? Allowing internet criminals and other nations’ security forces to steal our private information (financial and otherwise), passwords, etc, all in the name of what? Certainly not “our” national security, unless that term means something entirely different to the NSA than it does to Joe and Jane Average American citizen.
Oh, fuck.
This is outrageous. Heads will have to roll for this. Lots of heads.
Heads should have rolled for the previous disclosures. Those were damning enough to fire Gen. Alexander. DNI Clapper should have been fired for lying to Congress and the American people.
So… where’s the President?
I think not. Arthur Gilroy is right. These are the people that really run the USA.
Wait to the powers that be figure that out. Those fancy CEOs will not be amused.
‘Outrageous’? Oh well, maybe the more correct description would be CRIMINAL!
Heads will roll because EVERYBODY can understand this, even people like my sister who don’t (normally) pay attention.
How funny that this may be the thing that nails the NSA.
“Heads will have to roll”?
No, they don’t. Last week CIA torturers were writing op-eds in the Washington Post. John Yoo does speaking tours and is a law professor. Donald Rumsfeld and Dick Cheney walk free.
Heads don’t have to roll if the elites say they don’t. And if recent history is any guide, they won’t.
I’m as concerned with NSA overreach and lack of accountability as anyone, but it’s not at all clear that what the “anonymous sources” here are asserting is even possible.
It presently doesn’t look like this exploit will leak a private key other than under very limited circumstances, and I’ve not even heard of reports of successful password “theft” with the exploit. Modern hosts tend to randomize memory, so while the exploit will give you something, said something will more than likely be junk.
http://www.theverge.com/2014/4/11/5604300/heartbleed-may-not-leak-private-ssl-keys-after-all
That doesn’t mean that it’s impossible, but a measure of skepticism is likely warranted here unless we have something more than “anonymous sources” to go on.
Read this part of the story:
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
Yes, I did, and there are 2 points that suggest that I reserve judgement here:
None of this means that this didn’t happen, but I’d like to see it investigated rather than just taking it as a given that the NSA is evil or some such.
Here’s Bruce Schneier’s report:
Who has the computer power, manpower, and patience to sort through that sort of mixture and try to make sense of it?
And if NSA has exploited OpenSSL, what other open systems have they exploited?
And don’t think proprietary systems are better. The NSA has the budget and legal power to buy their way into proprietary systems–likely even Huawei systems.
I don’t know… I’m reliably informed that we really want the NSA to keep track of everyone. Apparently they can now spot people who might be suicidal… if we just give them total access to all our posts on social media:
“The federal government stopped funding a medical data screening program last year that researchers say might have prevented the Fort Hood shooting. Had Army Spec. Ivan Lopez been enrolled in the Durkheim Program, which uses an algorithm that mines social media posts for indicators of suicidal behavior, it might have picked up clues that a clinician could have missed in time for an intervention.
“Given the highly agitated state of the shooter, we may have been able to get him help before he acted, had he been in our system,” said Chris Poulin, one of the founders of the Durkheim Project, which received $1.8 million from the Defense Department’s Defense Advanced Research Projects Agency, or DARPA, in 2011 until funding was halted in 2013.
Recent NSA disclosures have created a public backlash against data surveillance. But the Fort Hood shooting has prompted calls for better intervention and raised the question: why couldn’t we have done more?
http://www.defenseone.com/ideas/2014/04/could-big-data-have-prevented-fort-hood-shooting/82249/?oref=d-topstory
See… we need big brother. Now if they can only find the terrorist having his way with Kansas City.
“Kansas City police have linked 12 recent highway and roadway shootings in the area to each other, Kansas City Police Chief Darryl Forté announced Friday.”
Read more here: http://www.kansascity.com/2014/04/11/4952964/kc-police-chief-12-recent-roadway.html#storylink=cpy
○ NSA mass surveillance leaks: Timeline of events to date
Given the fact that the line of code seems to have been added early on a New Year’s morning and was not caught by the usual review mechanisms for OpenSSL, my next question is whether the NSA wrote the exploit and hacked it in or used one of their own contributors to the OpenSSL volunteer effort to implant it. Bruce Schneier reports that it was a simple exploit that could be used as a carrier for a whole variety of offensive payloads.
The Bloomberg article points out the vulnerability of open source software without pointing out the even greater vulnerability of much more expensive software from corporate software companies that never gets fully deployed because of its expense.
We are still building this critical commercial infrastructure as toll roads and volunteer efforts and not adequately covering its costs.
And the US agency that was supposed to be the expert in helping harden the infrastructure has been poking holes in it instead.
This is a monumental scandal that is now going on almost a year and neither the White House nor the Congress nor the courts are acting responsibly in dealing with it.
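The two comments above touch the same technical question from different sides: what the Heartbleed exploit actually hands back (the skeptical comment earlier in the thread) and which single line let it through (the comment just above). The following C program is an added example, not code from this page, from OpenSSL, or from any commenter. It reconstructs the shape of the bug: a TLS heartbeat request carries a 1-byte type, a 2-byte big-endian payload length, the payload, and 16 bytes of padding (the RFC 6520 layout), and the vulnerable handler trusts the peer-supplied length when it echoes the payload back, so the memcpy runs past the request into whatever sits next to it in the process heap. The hardened handler drops any record whose claimed length does not fit inside what was actually received, which is the shape of the check OpenSSL 1.0.1g added. All function names, the simulated heap, and the "password=hunter2" neighbour are constructed for the example; the over-read is kept inside the simulated buffer so the demonstration itself has defined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* heartbeat records carry at least 16 bytes of padding */

/* Simulated heap (constructed sample): the heartbeat request sits at the
 * start and whatever the allocator placed next to it follows. On a real
 * server that neighbour is recently freed TLS buffers, cookies, passwords... */
static unsigned char g_heap[256];

/* Write a heartbeat request into g_heap: type, 2-byte big-endian *claimed*
 * payload length, the real payload, padding, then the neighbouring allocation.
 * Returns the real record length (0 if the sample would not fit). */
static size_t build_request(uint16_t claimed_len, const char *payload,
                            const char *neighbour)
{
    size_t plen = strlen(payload);
    size_t record_len = 1 + 2 + plen + HB_PADDING;
    if (record_len + strlen(neighbour) + 1 > sizeof g_heap) return 0;
    memset(g_heap, 0, sizeof g_heap);
    g_heap[0] = TLS1_HB_REQUEST;
    g_heap[1] = (unsigned char)(claimed_len >> 8);
    g_heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_heap + 3, payload, plen);
    strcpy((char *)g_heap + record_len, neighbour);
    return record_len;
}

/* Shared by both handlers: build the echo response for a payload length the
 * caller has (or has not) validated. */
static size_t write_response(const unsigned char *rec, unsigned int payload,
                             unsigned char *out, size_t out_cap)
{
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);   /* copies 'payload' bytes starting at the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Vulnerable pattern: the peer-supplied length is trusted and never compared
 * with the length of the record actually received, so the memcpy above reads
 * past the request into adjacent memory. rec_len is accepted but ignored. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap)
{
    (void)rec_len;
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    return write_response(rec, payload, out, out_cap);
}

/* Hardened pattern: discard the record unless header + claimed payload +
 * padding fits inside what was actually received. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;           /* no room for a length field */
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;  /* claimed length lies */
    return write_response(rec, payload, out, out_cap);
}

/* Byte-string search (memmem is not portable C). */
static int contains_bytes(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n && i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

#define SECRET "password=hunter2"   /* constructed neighbour data */

/* Forged request: 5 real payload bytes, claims 60. Returns 1 if the vulnerable
 * handler's 79-byte reply carries the neighbouring secret. */
static int attack_leaks_secret(void)
{
    unsigned char out[128];
    size_t rec_len = build_request(60, "hello", SECRET);
    size_t n = heartbeat_vulnerable(g_heap, rec_len, out, sizeof out);
    return n == 79 && contains_bytes(out, n, SECRET);
}

/* Same forged request against the fixed handler: it must send nothing. */
static int attack_rejected_by_fix(void)
{
    unsigned char out[128];
    size_t rec_len = build_request(60, "hello", SECRET);
    return heartbeat_fixed(g_heap, rec_len, out, sizeof out) == 0;
}

/* Honest request (claimed 5 == real 5): the fixed handler still echoes it. */
static int honest_request_served(void)
{
    unsigned char out[128];
    size_t rec_len = build_request(5, "hello", SECRET);
    size_t n = heartbeat_fixed(g_heap, rec_len, out, sizeof out);
    return n == 24 && memcmp(out + 3, "hello", 5) == 0 && !contains_bytes(out, n, SECRET);
}

int main(void)
{
    printf("vulnerable handler leaks neighbour:  %d\n", attack_leaks_secret());
    printf("fixed handler drops forged length:   %d\n", attack_rejected_by_fix());
    printf("fixed handler serves honest request: %d\n", honest_request_served());
    return 0;
}
```

What the forged request returns is exactly "whatever is next to the request in the heap": here a planted string, on a real server the contents of recently used allocations, which is why reports ranged from junk to session cookies to, under specific allocator conditions, key material. Note that the check is against the length of the record the TLS layer actually delivered, not against the peer's length field, since the latter is the attacker's input.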
Anyone remember Danny Casolaro and the PROMIS software?
I saw a comment on twitter earlier about subjecting this to the 24-hour rule. I’m inclined to agree.
The White House, NSA and NSC have all flatly denied the Bloomberg report, which was based on anonymous sourcing.
If the Bloomberg article had claimed that Obama knew in advance about Benghazi, and cited two anonymous sources, we’d be heaping scorn upon it. But hey, the NSA is all evil and stuff, so who needs journalistic standards?
Maybe Steven’s just trying to prove Boo’s point from a few days ago.
Man who introduced serious ‘Heartbleed’ security flaw denies he inserted it deliberately
With all the exposure Snowden gave the NSA, wisdom should have guided the NSA to shutdown quietly any program like this. Unless of course we’re seeing another example of a monster so sure it is above the law that it considers exposure irrelevant.
I’m feeling a bit Feinstein-ish about this, as in I’m gonna get EMOTIONAL!