This reminds me of Stuxnet in the sense that, in both cases, the feds chose to pursue their own interests knowing full well that sinister forces would inadvertently benefit. They unleashed Stuxnet for a noble purpose, to derail Iran’s enrichment program, but at a high cost — namely, once Stuxnet was identified and the code made public, malevolent states or even malevolent freelancers could appropriate it for nefarious ends. They chose to open Pandora’s box because they hoped that what flew out might, at least, neutralize an Iranian bomb. It worked, for awhile, but Iran’s program survived. As did Stuxnet’s code.
Same deal with Heartbleed. This security flaw didn’t originate with the NSA the way, say, the exploit of Google’s fiber-optic cables did. If the reports today are true, it originated with an act of negligence on New Year’s Eve(!) 2011 by the small team of coders responsible for OpenSSL, the software used by huge swaths of the Internet for encryption. Anyone who knew of the flaw, be it a national security analyst or a hacker looking for easy money, could exploit it to decrypt virtually any encoded information stored by a site using OpenSSL — passwords, credit card info, you name it.
The NSA knew, and said nothing.
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said…
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers…
Evidence [that criminals exploited the flaw] is so far lacking, and it’s possible that cybercriminals missed the potential in the same way security professionals did, suggested Tal Klein, vice president of marketing at Adallom, in Menlo Park, California…
“[NSA officials] actually have a process when they find this stuff that goes all the way up to the director” of the agency, Lewis said. “They look at how likely it is that other guys have found it and might be using it, and they look at what’s the risk to the country.”
Follow the timeline. If the flaw originated in early 2012 and the NSA has known about it for “at least two years,” that means NSA hackers (of whom there are, per Bloomberg, more than 1,000) discovered it almost immediately while the rest of the world, including the criminal world apparently, found out just last week. Are they that far ahead of the tech curve where even a high-profile, ubiquitous piece of encryption software like OpenSSL can’t be cracked by most hackers for years but it can be cracked by the NSA almost overnight? Or is it that freelance hackers, for whatever reason, just aren’t devoting as much energy to cracking it as NSA is? Given that OpenSSL is a key to most of the Internet, you’d think freelancers would have been after it night and day since it launched.
Read this short but alarming Wired piece on who’s responsible for OpenSSL. It’s a team of four coders, obviously skilled but not so skilled that an error this big couldn’t slip past them. And not so well funded that they could afford a thorough security check before going live. Exit question: If the NSA’s goal is to protect national security, is that goal best served by suppressing info about a security hole that exposes data about millions of Americans and their businesses? Or by keeping quiet and using the flaw to find a certain class of very bad guys?
Update: A firm denial from the NSA. The second paragraph here is interesting:
Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.
When Federal agencies discover a new vulnerability in commercial and open source software – a so-called “Zero day” vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.
Plenty of hawks have spent the last few hours defending the NSA for exploiting Heartbleed. Their job is to gather intelligence, not play defense for private websites. They did their job. What’s their story now that the NSA itself says it would have played defense for those websites had it known about OpenSSL?