The NSA Denies Exploiting The Heartbleed Bug, What If It's Telling The Truth?

As Seth covered earlier today, Bloomberg has accused the NSA of benefiting from the Heartbleed OpenSSL bug. The NSA denies this in fairly strong terms. I'd like to draw attention to a different facet of the topic -- first, by discussing the semantics of the NSA's denial and then the wider impact of how that denial is perceived and what it means for the tech community as a whole.

The NSA's Denial is Surprisingly Straightforward

For the past year, the NSA's responses to the Snowden leaks have followed the same strategy: either the organization claims that its activities are legal, or it denies engaging in a similar (but distinct) activity from the one it's actually accused of perpetrating. A good example of this is the allegation that the NSA tapped undersea data cables from Google and Yahoo to intercept company data as it moved between server farms.

When asked if these allegations were true, General Alexander responded: "But I can tell you factually we do not have access to Google servers, Yahoo servers. We go through a court order." By refuting a claim that no one actually made, Alexander bet that the majority of readers wouldn't understand the difference between tapping the link between servers and tapping the servers themselves.

With that in mind, what's striking about the Heartbleed denial is that it's unusually straightforward. The NSA's formal response states:
Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.
This clear, specific statement is exactly what the NSA hasn't been willing to say in its previous remarks. That doesn't mean the organization is being honest, but the scope and severity of this flaw means that it's possible even the NSA would feel obliged to reveal it.

Unfortunately, the fact that we're discussing whether the NSA would actually help patch a bug or deliberately exploit it is, itself, evidence of how perceptions of the organization have changed. A recent (albeit unofficial) poll by Princeton Survey Research Associates found that the NSA was trusted less than Facebook or Google when it came to securing personal information, and that it was considered the organization most likely to violate individual privacy.

If corporations and the public no longer trust the NSA to be truthful about what it knows and when it knew it, the organization's role in the wider security ecosystem will be fundamentally compromised. Google and Yahoo responded to the data cable snooping by implementing end-to-end encryption within their data centers. Now, with every major security flaw, the first question is "Did the NSA arrange this or just benefit from it?"

Why No One Trusts The NSA

It's always been a given that the NSA had to balance the dual mandate of helping to secure the United States while finding ways to spy on targets using exploits and vulnerabilities in software. One of the most damning aspects of the Snowden leaks is the way the organization boasts of finding a legion of unpatched vulnerabilities and using those bugs to further its goals.

But the organization's responses to these leaks have been to alternately hide from the wider implications or to give false rebuttals to questions no one is asking. The general public may be fooled, but the technical press and engineers in Silicon Valley are not. It's no accident that this is the third OpenSSL vulnerability to be discovered in a matter of months; it suggests a broad research project aimed at locking down the holes the NSA has used to peer through windows.

In that sense, it doesn't matter if the NSA knew about Heartbleed or not. The agency has established a pattern of refusing to acknowledge a lie (General Alexander has referred to his remarks in front of Congress as the "least untruthful" answer), refusing to acknowledge known truths, and dismissing the concerns of ordinary citizens and Congressmen alike. It's not as simple as saying the NSA may or may not have lied -- the NSA is no longer trusted to understand the scope of the problem or to care about the concerns of US citizens. The organization is playing by a different rulebook.

Via: HotHardware
NickModrowski 7 months ago


Joel H 7 months ago

Fixed. Heartland was a different security issue.

GergIlly 7 months ago


JamesEzell 7 months ago

Ya sure. Its chief mission is to spy and deny.

GarrenMcgaugh 7 months ago

What if they EVER told the truth?

MapleLeafMachinegun 7 months ago

Basically Middle America, if you will.

KitCargile1 7 months ago

Actually, they are probably firing half their hackers for not discovering it sooner.

CliffVincent 7 months ago

IF it's telling the truth, I'm the queen of the moon.

GarrySmith 7 months ago

The sad thing is that you can't trust them to say that they're telling the truth even if they are. That's what happens when you tell bald-faced lies repeatedly. Boy who cried wolf-much? It's a very disappointing world where you can't trust the people who are supposed to protect and serve the People.

AaronNobles 7 months ago

stupid NSA.

realneil 7 months ago

The only truth that they tell is what we find out without them, everyone already knows, and they ~~MAY~~ tell the truth then.

But we already knew this about them, so it's no surprise to anyone.

If you think about it, they're supposed to have secrets to function in their environment.

RowenWindsong 7 months ago

If you believe them then you are dumber than I give you credit for lol. xD

MCaddick 7 months ago

It's a pretty definite statement this time, not like the Google/Yahoo datacenter access weasel-word denial. If this turns out to be untrue then any credibility they still have (not that there is a lot left) is dead, buried, cremated.

Why people put up with this is beyond my comprehension; a government is supposed to work FOR its employers (the people), not against them.

Joel H 7 months ago

In the past, the NSA operated in alliance with businesses, even if the two groups had different goals at times. The NSA was instrumental in implementing DES, it helped test AES and SHA-1. It contributed to SHA-2. These contributions were always scrutinized, but for decades the NSA was at least an occasional ally.

Under General Alexander, the NSA has embarked on a policy of treating Google, Yahoo, Microsoft, and Apple as effective enemies to be penetrated and spied upon -- even when it had full legal recourse to the information it sought. Furthermore, the organization has yet to produce any evidence that the data it gathered has resulted in convictions or stopped plots that could not have been halted through other, less invasive means.
