NSA utilized heartbleed/SSL bug to gather personal information for past 2 years.

liberty2897
04-11-2014, 01:38 PM
Keeping it secret was in the pursuit of national security? What is their function again?


The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

idiom
04-11-2014, 03:25 PM
RAND SHOULD BE ON THIS.

Put 'em all in handcuffs.

This exposed every part of America to intrusion, surveillance and theft by foreign governments. Straight-up treason.

This is way beyond privacy; this exposed all of America's defenses. We have no idea if Russia now has the ability to shut down America's defenses or infrastructure at the flick of a switch.

It's REALLY BLOODY SIMPLE TO BE ANTI-NSA and PRO-DEFENSE at the same time.

puppetmaster
04-11-2014, 03:34 PM
They are such nice people, looking out for us. Hey NSA, you are a POS.

jllundqu
04-11-2014, 03:35 PM
Bump.

Agreed. NSA knew about it and sat on it exposing the entire country to risk and in fact exploited it for their own sick pleasure.

Rand should knock it out of the park.

aGameOfThrones
04-11-2014, 07:31 PM
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The agency’s reported decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts. The NSA, after declining to comment on the report, subsequently denied that it was aware of Heartbleed until the vulnerability was made public by a private security report earlier this month.

“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong,” according to an e-mailed statement from the Office of the Director of National Intelligence.

Heartbleed appears to be one of the biggest flaws in the Internet’s history, affecting the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. (CSCO) to Juniper Networks Inc. to provide patches for their systems.

Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.


Controversial Practice

“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”

Experts say the search for flaws is central to NSA’s mission, though the practice is controversial. A presidential board reviewing the NSA’s activities after Edward Snowden’s leaks recommended the agency halt the stockpiling of software vulnerabilities.

When new vulnerabilities of the Heartbleed type are discovered, they are disclosed, the Office of the Director of National Intelligence said in response to the Bloomberg report. A clear process exists among agencies for deciding when to share vulnerabilities, the office said in a statement.

“This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet,” Shawn Turner, director of public affairs for the office, said in the statement. “Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.”

Hunting Flaws

The NSA and other elite intelligence agencies devote millions of dollars to hunt for common software flaws that are critical to stealing data from secure computers. Open-source protocols like OpenSSL, where the flaw was found, are primary targets.

The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.

While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.

In contrast, the NSA has more than 1,000 experts devoted to ferreting out such flaws using sophisticated analysis techniques, many of them classified. The agency found Heartbleed shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.

Exploiting Flaw

Questions remain about whether anyone other than the U.S. government might have exploited the flaw before the public disclosure. Sophisticated intelligence agencies in other countries are one possibility.

If criminals found the flaw before a fix was published this week, they could have scooped up troves of passwords for bank accounts, e-commerce sites and e-mail accounts worldwide.

Evidence of that is so far lacking, and it’s possible that cybercriminals missed the potential in the same way security professionals did, suggested Tal Klein, vice president of marketing at Adallom, in Menlo Park, California.

The fact that the vulnerability existed in the transmission of ordinary data -- even if it’s the kind of data the vast majority of users are concerned about -- may have been a factor in the decision by NSA officials to keep it a secret, said James Lewis, a cybersecurity senior fellow at the Center for Strategic and International Studies.


more: http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

idiom
04-12-2014, 02:53 AM
The NSA 'found' this bug *very* quickly after it was released.... suspiciously so.

Rand should be demanding an investigation to see if the greatest security breach in America since 9/11 was deliberately caused by the NSA.

idiom
04-12-2014, 02:58 AM
http://imgs.xkcd.com/comics/heartbleed_explanation.png

And what it means:

http://imgs.xkcd.com/comics/heartbleed.png

UtahApocalypse
04-12-2014, 05:59 AM
I fear that if the truth comes out we will learn that this was first created, or at least discovered by the NSA for its purposes.

When will there be people FIRED, not allowed to resign and collect from the Government teat the rest of their lives? Jailed!!

enhanced_deficit
04-12-2014, 09:55 AM
Hypothetical: Does thugish behavior trickle down to policing institutions from the top (http://www.ronpaulforums.com/showthread.php?434839-Hypothetical-Does-thugish-behavior-trickle-down-to-policing-institutions-from-the-top&)

FunkBuddha
04-12-2014, 10:02 AM
RAND SHOULD BE ON THIS.

Put 'em all in handcuffs.

This exposed every part of America to intrusion, surveillance and theft by foreign governments. Straight-up treason.

This is way beyond privacy; this exposed all of America's defenses. We have no idea if Russia now has the ability to shut down America's defenses or infrastructure at the flick of a switch.

It's REALLY BLOODY SIMPLE TO BE ANTI-NSA and PRO-DEFENSE at the same time.

I'm sure they probably let their buddies in the defense industry in on the secret.

DGambler
04-12-2014, 10:08 AM
Hypothetical: Does thugish behavior trickle down to policing institutions from the top (http://www.ronpaulforums.com/showthread.php?434839-Hypothetical-Does-thugish-behavior-trickle-down-to-policing-institutions-from-the-top&)

Close, but there is a word and theory for it...
http://ponerology.com/evil_2b.html

FindLiberty
04-12-2014, 06:03 PM
Tyrants with tools... and then, there's the rest of us.

enhanced_deficit
04-12-2014, 06:40 PM
Close, but there is a word and theory for it...
http://ponerology.com/evil_2b.html

That is historic info mostly and current info is gradually becoming more relevant.

Obama Lets NSA Exploit Some Internet Flaws, Officials Say (http://www.nytimes.com/2014/04/13/us/politics/after-heartbleed-bug-obama-decides-us-should-reveal-internet-security-flaws.html)


New York Times - 38 minutes ago

mad cow
04-12-2014, 06:54 PM
The man who says he gave the Internet ‘Heartbleed’ talks about his mistake
BY GAIL SULLIVAN
April 11 at 3:30 am
On New Year’s Eve in 2011, software developer Robin Seggelmann was in front of his computer trying to work out some kinks in the security software most of the Internet uses.
That’s when he made a mistake, which led to one of the worst bugs ever in the Internet known as “Heartbleed,” a flaw in the security infrastructure (OpenSSL) for a large swath of the Web.
Nowadays, it’s unusual for someone to step up and take responsibility. But Seggelmann, a German developer, did just that.
He told his story to Ben Grubb of The Sydney Morning Herald:
“I was working on improving OpenSSL and submitted numerous bug fixes and added new features…In one of the new features, unfortunately, I missed validating a variable containing a length.”
After he submitted the code, a reviewer “apparently also didn’t notice the missing validation,” Seggelmann said, “so the error made its way from the development branch into the released version.”
Dr Seggelmann said the error he introduced was “quite trivial,” but acknowledged that its impact was “severe.”
Seggelmann, who lives in Münster, Germany, told the Herald he didn’t insert the error on purpose, as some conspiracy theorists have suggested.
“It was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”
http://www.washingtonpost.com/news/morning-mix/wp/2014/04/11/the-man-who-says-he-gave-the-internet-heartbleed-talks-about-his-mistake/?tid=pm_national_pop


Oops.
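The "missing validation of a variable containing a length" that Seggelmann describes, and that the xkcd strip linked earlier in the thread draws, is a bounds check on the TLS heartbeat record. The following is an added example written for this page, not OpenSSL's code or anything from the article: it lays out a heartbeat request (RFC 6520 shape: type, 2-byte payload length, payload, padding) inside a small simulated memory region with a "secret" string placed right after it, then runs a responder that trusts the length field next to one that applies the same check OpenSSL 1.0.1g added. The arena, the `SECRET` string and all function names are assumptions for the demo; the arena is sized so the over-read stays inside it, whereas a real process has no such fence.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed demo of the Heartbleed bug class (CVE-2014-0160), not
 * OpenSSL's code.  Heartbeat record (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * The responder echoes payload_length bytes.  If it trusts that field
 * instead of checking it against the record actually received, memcpy
 * walks past the record into whatever lies next to it in memory. */

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_HDR       3                      /* type + 2-byte length */
#define MEM_SIZE     128                    /* simulated process memory */
#define OUT_SIZE     (HB_HDR + MEM_SIZE + HB_PADDING)

/* Simulated heap: received record at offset 0, "secret" data right behind
 * it, as an earlier request's plaintext might sit in a real heap. */
typedef struct {
    uint8_t mem[MEM_SIZE];
    size_t  record_len;                     /* bytes actually received */
} heap_t;

static const char SECRET[] = "user=alice;pass=hunter2;";   /* assumed */

/* Build a request with an attacker-chosen length field.  Returns the real
 * record length, or 0 if the layout would not fit the arena (this keeps
 * the demo itself memory-safe; it is not a property of the bug). */
size_t build_heap(heap_t *h, uint16_t claimed_len, const char *payload)
{
    size_t plen = strlen(payload);
    size_t rl = HB_HDR + plen + HB_PADDING;
    if (HB_HDR + (size_t)claimed_len + HB_PADDING > MEM_SIZE) return 0;
    if (rl + sizeof SECRET - 1 > MEM_SIZE) return 0;
    memset(h->mem, 0, MEM_SIZE);
    h->mem[0] = HB_REQUEST;
    h->mem[1] = (uint8_t)(claimed_len >> 8);
    h->mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(h->mem + HB_HDR, payload, plen);       /* padding stays zero */
    memcpy(h->mem + rl, SECRET, sizeof SECRET - 1);
    h->record_len = rl;
    return rl;
}

/* Vulnerable responder: echoes whatever length the peer claimed. */
size_t heartbeat_vulnerable(const heap_t *h, uint8_t *out)
{
    const uint8_t *p = h->mem;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);  /* untrusted */
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    /* Missing check: copies payload_len bytes whether or not that many
     * arrived, so bytes beyond the record leak into the response. */
    memcpy(out + HB_HDR, p + HB_HDR, payload_len);
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);
    return HB_HDR + payload_len + HB_PADDING;
}

/* Hardened responder: discard the record if header + claimed payload +
 * minimum padding exceeds what was actually received (the 1.0.1g fix). */
size_t heartbeat_fixed(const heap_t *h, uint8_t *out)
{
    const uint8_t *p = h->mem;
    if (h->record_len < HB_HDR + HB_PADDING) return 0;      /* unparseable */
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (HB_HDR + (size_t)payload_len + HB_PADDING > h->record_len) return 0;
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + HB_HDR, p + HB_HDR, payload_len);
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);
    return HB_HDR + payload_len + HB_PADDING;
}

/* Does a response carry the neighbouring secret? */
int contains_secret(const uint8_t *buf, size_t n)
{
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Scenario 1: 5-byte payload, length field claims 64 -> secret leaks. */
int attack_leaks_secret(void)
{
    heap_t h; uint8_t out[OUT_SIZE];
    if (build_heap(&h, 64, "hello") == 0) return -1;
    size_t n = heartbeat_vulnerable(&h, out);
    return n == HB_HDR + 64 + HB_PADDING && contains_secret(out, n);
}

/* Scenario 2: same record, fixed responder silently drops it (returns 0). */
size_t attack_rejected_by_fix(void)
{
    heap_t h; uint8_t out[OUT_SIZE];
    build_heap(&h, 64, "hello");
    return heartbeat_fixed(&h, out);
}

/* Scenario 3: honest record, fixed responder echoes only the payload. */
int honest_request_echoed(void)
{
    heap_t h; uint8_t out[OUT_SIZE];
    build_heap(&h, 5, "hello");
    size_t n = heartbeat_fixed(&h, out);
    return n == HB_HDR + 5 + HB_PADDING
        && memcmp(out + HB_HDR, "hello", 5) == 0
        && !contains_secret(out, n);
}

int main(void)
{
    heap_t h; uint8_t out[OUT_SIZE];
    build_heap(&h, 64, "hello");
    size_t n = heartbeat_vulnerable(&h, out);
    printf("vulnerable responder returned %zu bytes:\n", n);
    for (size_t i = HB_HDR; i < n; i++)
        putchar(out[i] >= 32 && out[i] < 127 ? out[i] : '.');
    putchar('\n');
    printf("fixed responder returned %zu bytes\n", heartbeat_fixed(&h, out));
    return 0;
}
```

Run stand-alone, the vulnerable responder prints "hello" followed by the zero padding and then the neighbouring "user=alice;pass=hunter2;" string, which is the whole bug: nothing is overwritten, the peer simply receives up to 64 KiB of adjacent memory per request, which is why it leaves no trace in server logs and why the Bloomberg piece above talks about passwords rather than remote code execution. The fixed responder returns 0 for the same record and answers the honest 5-byte request normally.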