nanog mailing list archives

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]


From: Matt Palmer <mpalmer () hezmatt org>
Date: Sat, 12 Apr 2014 07:56:01 +1000

On Fri, Apr 11, 2014 at 04:03:36PM -0400, William Herrin wrote:
> > The U.S. National Security Agency knew for at least two years about a flaw
> > in the way that many websites send sensitive information, now dubbed the
> > Heartbleed bug, and regularly used it to gather critical intelligence,
> > two people familiar with the matter said.
> >
> > The NSA's decision to keep the bug secret in pursuit of national security
> > interests threatens to renew the rancorous debate over the role of the
> > government's top computer experts.
>
> I call B.S. Do you have any idea how many thousands of impacted NSA
> servers run by contractors hung out on the Internet with sensitive NSA
> data? If you told me they used it against the targets of the day while
> putting out the word to patch I could buy it, but intentionally
> leaving a certain bodily extension hanging in the breeze in the hopes
> of gaining more valuable data than they lose would have been an
> unusually gutsy move.

You're assuming that the NSA is a single monolithic entity.  IIRC, the
offense team and the defense team don't really talk much, and they
*certainly* have very different motivations.  It wouldn't surprise me at all
if the offense got hold of a juicy bug, and since they're paid to capture
data, and knowing that they wouldn't get in trouble if the defense lost
data, their motivations to keep their little bug to themselves are entirely
understandable.

The interesting thing to me is that the article claims the NSA have been
using this for "over two years", but 1.0.1 (the first vulnerable version)
was only released on 14 Mar 2012.  That means that either:

 * The NSA put it in there (still a bridge too far for me to believe without
   further evidence, although I can certainly understand why people could
   believe it) and hence were using it from day 1;
 
 * The NSA found it *amazingly* quickly (they're very good at what they do,
   but I don't believe they have superhuman talents); or
 
 * The article has got at least one fact wrong, in which case it's entirely
   plausible they've got other things wrong, too.

- Matt

-- 
That's why I love VoIP. You don't get people phoning up to complain that the
network is down.
                -- Peter Corlett, in the Monastery
