What if they have a unique definition of 'vulnerability', much like they had a unique definition of 'collect'?
As a bit of internal jargon, the NSA only considered information 'collected' when an analyst looked at it. So, they could record & store bulk data about all Americans, but still claim (with a secret wink) that they didn't intentionally "collect" data on Americans.
Maybe for them, 'vulnerability' means both "the bug exists" and "bad guys know enough to exploit it". After all, if a tree falls in the woods, and there's no one there to hear it, does it make a sound?
This definition even makes sense, if you have an advanced, economic and strategic understanding of security as something that's a matter of relative priorities and dynamically-changing situations. There are plenty of bugs, known and unknown, in all software. Perhaps they only count as 'vulnerabilities' when they're practically exploitable, and practical exploitation has as an absolute prerequisite, discovery by malicious actors. (On the other hand, when we, "the good guys", discover the bug, it's not a vulnerability: it's an asset! Search for [NOBUS NSA] for more reporting about this style of reasoning.)
Still, using such a fine-grained bit of internal jargon, even if it makes sense among people who share your terms, is deceptive if used to hoodwink the public and Congress, exactly as the 'collect' finesse definition was long used.
NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report
Or perhaps the "private sector cybersecurity report" was an IRC chat two years ago for l33t haxors.
The NSA doesn't need to redefine "vulnerability" or use any other jargon. When it comes to issues the government considers related to national security, they don't bother to hide behind convoluted language or misleading information; the NSA has already demonstrated it's willing to flat out lie to the public regarding such matters.
Either way Clapper would be breaking the law. In this case he was placed between the choice of breaking his SF-182 NDA (which actually does have criminal implications... just ask Snowden) or lying to Congress in response to a question that the Congressman asking knew the answer to, but didn't want to take the risk of putting into the record himself.
Last sentence reads: "Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities."
So, should the NSA decide that there is a national security interest or law enforcement need, they will not disclose such vulnerabilities. Given their past behavior and explanations for what was considered acceptable compromise for national security, I am not particularly reassured by this statement.
Yes, it's good that they weren't hoarding this particular exploit. But, they have clearly not denied being in possession of other exploits; they've only said that the ones they might hold would be because of national security or law enforcement need.
It's unfortunate that they have chosen an interpretation based on any current or future need. That wildcard approach means that pretty much everything qualifies.
The law should restrict things to "any current specific known need". Need should be singular and said need must be related to a specific issue or case already under investigation or surveillance. Any language more loose than that leaves open far too much room for interpretation.
They should literally maintain a list of targets they want to infiltrate and that list of targets needs to be open to being audited at some point in the future shortly after the related mission for a target is complete. They should not be allowed to apply the vulnerability to any new target identified after the date upon which the vulnerability was discovered. These countermeasures would go a long way to prevent abuse since they can't now look at it as a weapon in their arsenal to exploit as they see fit for any future mission.
"The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services."
This is my big point from the other thread. If NSA knew then not disclosing this type of serious bug should get someone's head to roll as it could imperil the security of other important USG communications.
That still leaves open the question of why NSA wasn't able to find this bug themselves though -- you'd think they'd be looking for bugs related to the introduction of new features into OpenSSL.
That's such a weak argument from them at this point. "Hey, we're the NSA - we're entrusted to protect US infrastructure. We'd never do something like that!"
Has this actually been verified? It was only newish versions of OpenSSL that were vulnerable. Websites that ran on IIS and other platforms were not vulnerable.
Does anyone have a historical list of critical government websites and their web server versions? An old nmap list would suffice to show that high-priority sites were vulnerable or not.
In other news, NSA thinks responsible disclosure is the way to go but apparently has no 0days to responsibly disclose. I didn't know TAO sucked so hard. Can't see how any one will buy this.
I was actually inclined to give them the benefit of the doubt, but your point actually sort of makes sense. I don't like this feeling of not knowing where the boundary between wacko conspiracy theory and ... y'know ... real life ... begins and ends.
Is it possible that they've quietly disclosed to affected organizations/teams, but that those organizations don't want to publicly credit the NSA as their source?
If this is true, and the NSA knew about the Heartbleed vulnerability, then how come the EFF hasn't been getting more log data showing the vulnerability being exploited against sites?
How come, so far, only one person has thus far come forward with ANY evidence that might demonstrate a knowledge of this bug before it was discovered?
I just find it depressing how ready the media is to jump on the NSA for things they may not have done. There's plenty to work with in the realm of things they did do, why draw conclusions before there's evidence? So far I've yet to see a static analysis tool that would have caught this, and I don't have any reason to believe the NSA is hand-searching code for vulnerabilities.
> I just find it depressing how ready the media is to jump on the NSA for things they may not have done.
I don't like journalism and such, but I think it's OK in this case and I don't find it a bit depressing, maybe even otherwise. Why? Because we should be aware. Always. There's no sense in blaming NSA for something. It's stupid to blame spies for spying. There's no sense in saying something they do is immoral, because it couldn't stop them from doing it. So if you care about them doing something wrong the only way to stop it is to make it impossible. If you don't want NSA to know some data that belong to you — you are enemies, because NSA wants to know anything. And it's OK. It's what they are for.
You obviously cannot prevent what already happened, you can only try to fix the consequences and be more careful in the future. So it's always sensible to assume NSA knew about any single security bug discovered for a long time. And nobody can possibly know if something is true about NSA's knowledge (maybe even not NSA themselves). So even if it's not true — spreading rumors about it is completely fine I guess.
> If this is true, and the NSA knew about the Heartbleed vulnerability, then how come the EFF hasn't been getting more log data showing the vulnerability being exploited against sites?
I don't know how common the "extensive TLS-layer traffic logs" the EFF is soliciting are. I know I don't collect these.
I'd imagine the NSA would use such things fairly sparingly so as to not blunt their swords. Using it willy-nilly increases the chances of someone going "huh, that's odd traffic" and discovering it.
>>If this is true, and the NSA knew about the Heartbleed vulnerability, then how come the EFF hasn't been getting more log data showing the vulnerability being exploited against sites?
So, I have no idea if the NSA knew about this before or not but your typically configured webserver won't store these in access.log. Also, all the network stuff in between typically won't log SSL traffic (since it's just binary blobs without the private key).
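To make the point in the two comments above concrete: a Heartbleed probe is a TLS heartbeat record (content type 24), and nothing about it ever reaches the HTTP layer, so access.log cannot show it; you need the TLS records themselves. The block below is an added example, not code from the thread or from OpenSSL. It parses raw TLS records and flags heartbeat requests that declare more payload than the record actually carries, which is the same bounds test the OpenSSL fix introduced (type byte + length field + declared payload + at least 16 bytes of padding must fit inside the record). The sample byte stream is constructed inline. One caveat: the declared length is only visible when the heartbeat is sent in the clear, i.e. before the handshake finishes, which is how the widely circulated proof-of-concept scripts sent it; once the record layer is encrypted you can still see the content type and record size, but not the length field, and are reduced to size heuristics.

```python
# Added example (not from the thread or from OpenSSL): flag Heartbleed-style
# TLS heartbeat requests in a raw TLS byte stream, the kind of data that an
# HTTP access.log never contains.
import struct

TLS_HEARTBEAT = 24      # TLS record content type for heartbeat (RFC 6520)
TLS_APPDATA = 23        # application data, for the constructed sample below
HB_REQUEST = 1          # heartbeat message type: request
MIN_PADDING = 16        # RFC 6520 requires at least 16 bytes of padding
HB_HEADER_LEN = 3       # type (1 byte) + payload_length (2 bytes)


def parse_tls_records(data: bytes):
    """Yield (content_type, version, body) for each complete TLS record.

    The 5-byte record header (type, version, length) is always in the clear,
    so this works on captured traffic without any keys. Stops at the first
    truncated record rather than guessing."""
    off = 0
    while off + 5 <= len(data):
        ctype, ver, rlen = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + rlen]
        if len(body) < rlen:
            break
        yield ctype, ver, body
        off += 5 + rlen


def heartbeat_is_malformed(body: bytes) -> bool:
    """True when a heartbeat message declares more payload than it carries.

    Mirrors the check added in the OpenSSL fix: 1 + 2 + payload + 16 must
    not exceed the record length. A body too short to even hold the header
    is treated as malformed as well."""
    if len(body) < HB_HEADER_LEN:
        return True
    _hb_type, declared = struct.unpack("!BH", body[:HB_HEADER_LEN])
    return HB_HEADER_LEN + declared + MIN_PADDING > len(body)


def find_heartbleed_probes(data: bytes):
    """Return [(declared_payload_len, actual_record_len), ...] for every
    heartbeat *request* in the stream that fails the bounds check."""
    hits = []
    for ctype, _ver, body in parse_tls_records(data):
        if ctype != TLS_HEARTBEAT or not body or body[0] != HB_REQUEST:
            continue
        if heartbeat_is_malformed(body):
            declared = (struct.unpack("!H", body[1:3])[0]
                        if len(body) >= HB_HEADER_LEN else None)
            hits.append((declared, len(body)))
    return hits


def tls_record(ctype: int, body: bytes, version: int = 0x0303) -> bytes:
    """Build one TLS record; used only to construct the sample traffic."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample traffic (not a real capture):
# 1. a well-formed heartbeat request: 4-byte payload + 16 bytes of padding
BENIGN_HB = tls_record(
    TLS_HEARTBEAT,
    struct.pack("!BH", HB_REQUEST, 4) + b"ping" + b"\x00" * MIN_PADDING)
# 2. an application-data record, the only kind that ever turns into a log line
APP_DATA = tls_record(TLS_APPDATA, b"\x17" * 40)
# 3. the classic probe: declares 0xFFFF payload bytes but carries none
MALICIOUS_HB = tls_record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 0xFFFF))

SAMPLE_STREAM = BENIGN_HB + APP_DATA + MALICIOUS_HB

if __name__ == "__main__":
    for declared, actual in find_heartbleed_probes(SAMPLE_STREAM):
        print(f"heartbeat request declares {declared} payload bytes "
              f"but the record is only {actual} bytes long")
```

Run against a pcap's reassembled TLS stream (for example what tshark exports per TCP conversation) it reports one hit for the constructed stream: the last record, declaring 65535 bytes in a 3-byte body. The benign heartbeat and the application-data record pass through untouched.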
Now who do we believe... an anonymous source or an official press release (from an agency with both motivation to lie and a history of misleading statements). Both seem fairly unsubstantiated to me.
No doubt this is part of their PR strategy. "Look, we use Tumblr just like you. We don't have any fancy blogging platform. In fact, we don't have any fancy tool at all. All we do is boring administrative work."
I find it a stretch to believe that some part of the NSA didn't know about, and/or have a hand in introducing, Heartbleed. There has to be an NSA team dedicated to both causing and exploiting issues with very popular open source software. If there isn't, the NSA isn't living up to its reputation.
Sincere question: is the NSA on record for having responsibly disclosed any previous security holes? Is there some track record of them having actively helped close security holes in software?
The most famous example is the DES S-boxes, where the NSA made a change that nobody else understood - until years later, when it was discovered that they had made the algorithm more secure against cryptanalysis techniques that had just been "discovered", but which had evidently been known to NSA long before.
The -1 in SHA-1 isn't because it was first. It was meant to be just "SHA", but NSA discovered a flaw in their own standardized hash algorithm soon after they published it and issued SHA-1 as a fixed version.
"If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."
I see numerous disclosures from technology companies, security researchers in industry and academia... but for the life of me, I can't recount an instance in which a disclosure came from intelligence-community researchers. Is there any historical evidence of disclosures from the NSA to the open-source community?
The press is all over this topic, but as usual doesn't do its research well enough. Some insight: the bug was submitted in December 2011 and was only present in OpenSSL 1.0.1 - not in previous releases. 1.0.1 was released on 14th of March 2012. It usually takes a long time until these new versions get largely adopted into other software. Even today 1.0.1 isn't used everywhere. That leads me to doubt that the agencies could have used this vulnerability for a very long time. A year seems reasonable, years rather not. It's very sad, though, that they chose not to contribute to secure software and rather exploit the vulnerability.
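The version argument above and the earlier request for a historical list of government sites and their web server versions reduce to the same triage: take a Server banner or an nmap -sV line, pull out the OpenSSL version string, and compare it against the affected range. The block below is an added example, not from the thread. The range it encodes (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g fixed; 1.0.0 and 0.9.8 never shipped the heartbeat code) comes from the OpenSSL advisory for CVE-2014-0160, not from anything said in the thread, and the host inventory is constructed. A banner with no OpenSSL in it, such as IIS, comes back as unknown rather than safe, because the banner says nothing about a TLS terminator in front of the box. The other caveat a practitioner wants: distributions backport fixes without bumping the letter, so a banner reading 1.0.1e can be a patched box; treat "exposed" as "needs a real probe", not as a finding.

```python
# Added example (not from the thread): triage server banners against the
# Heartbleed-affected OpenSSL version range. Range per the OpenSSL advisory
# for CVE-2014-0160: 1.0.1 .. 1.0.1f and 1.0.2-beta1 affected, 1.0.1g fixed.
import re
from typing import Optional

OPENSSL_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def openssl_version(banner: str):
    """Return (major, minor, patch, letter, beta) parsed from a banner, or
    None when no OpenSSL version is advertised at all (e.g. an IIS banner)."""
    m = OPENSSL_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter,
            int(beta) if beta else None)


def heartbleed_exposed(banner: str) -> Optional[bool]:
    """True if the advertised OpenSSL is in the affected range, False if it
    is outside it, None if the banner says nothing about OpenSSL.

    Caveat: distros backport the fix without changing the letter suffix, so
    True means 'probe it', not 'confirmed vulnerable'."""
    v = openssl_version(banner)
    if v is None:
        return None
    major, minor, patch, letter, beta = v
    if (major, minor, patch) == (1, 0, 1):
        # plain '1.0.1' (empty letter) through '1.0.1f' are affected; 'g' fixed it
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # only the first 1.0.2 beta carried the bug
        return beta == 1
    # 1.0.0, 0.9.8 and older never had the heartbeat extension
    return False


def triage(inventory):
    """Bucket hosts into exposed / not_exposed / unknown from their banners."""
    buckets = {"exposed": [], "not_exposed": [], "unknown": []}
    for host, banner in inventory.items():
        r = heartbleed_exposed(banner)
        key = "unknown" if r is None else ("exposed" if r else "not_exposed")
        buckets[key].append(host)
    return buckets


# Constructed sample inventory (hypothetical hosts, not real scan data),
# the shape of data an old `nmap -sV` run or a Server-header survey yields.
SAMPLE_INVENTORY = {
    "www.example.gov": "Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e",
    "portal.example.gov": "Microsoft-IIS/7.5",
    "api.example.gov": "nginx/1.4.7 OpenSSL/1.0.1g",
    "legacy.example.gov": "Apache/2.2.15 (CentOS) mod_ssl/2.2.15 OpenSSL/1.0.0-fips",
    "beta.example.gov": "Apache/2.4.9 OpenSSL/1.0.2-beta1",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

On the constructed inventory this puts www and beta in the exposed bucket, api and legacy in not_exposed, and the IIS host in unknown. The comparison on the letter suffix is the part people get wrong by hand: "1.0.1" with no letter sorts before "1.0.1a" and is affected, and "1.0.1g" is the first safe release even though it is "higher" than "1.0.1".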
The NSA has already proven that it's willing to lie to the public, not just omit information or mislead, when it's talking about something the agency considers related to national security. Of course it's still possible they could be telling the truth in this instance, and Bloomberg could have failed to properly vet its sources. However, taking the recent past into account I think most people would agree it is far more likely that Bloomberg is providing accurate information and the NSA is not.
It does seem like a judgement call is unavoidable. If they discover exploits that are extremely difficult to use, and extremely unlikely to have been discovered by others, it might make sense to use them. But it also seems clear that they should have an obligation to find and make public exploits similar in nature to Heartbleed. Sitting on a bug like this should be a criminal offense.
gojomo|12 years ago
logn|12 years ago
higherpurpose|12 years ago
homulilly|12 years ago
lkd|12 years ago
Wouldn't be the first time.
patrickg_zill|12 years ago
http://www.slate.com/articles/news_and_politics/war_stories/...
malloreon|12 years ago
mpyne|12 years ago
An interesting take on the matter is at http://joelbrenner.com/clapper-and-wyden-scenes-from-a-sandb...
SwellJoe|12 years ago
ipsin|12 years ago
I don't particularly trust the NSA, but this example probably exists.
fredgrott|12 years ago
malandrew|12 years ago
ntaylor|12 years ago
anonbanker|12 years ago
wow, those two caveats are broad enough to remove any real meaning from the process.
mpyne|12 years ago
higherpurpose|12 years ago
Yeah, right.
"Oh, and we're under strict oversight, too!".
hadoukenio|12 years ago
cyphunk|12 years ago
hadoukenio|12 years ago
Very nice! In just one sentence you have completely discredited the ODNI release.
w_t_payne|12 years ago
ForHackernews|12 years ago
wrs|12 years ago
The fourth paragraph says there is a "reinvigorated" process for deciding whether it is or not.
Obviously the fourth paragraph is more correct -- is the third paragraph just there for an easy inaccurate quote?
diminoten|12 years ago
krick|12 years ago
ceejayoz|12 years ago
smtddr|12 years ago
rinon|12 years ago
cyphunk|12 years ago
mpyne|12 years ago
"Any 0day has an obvious national security interest in being responsibly disclosed and fixed".
That's not a very direct affirmation though, merely an "interest"... the caveats show up at the end, but even that is at least honest.
You'd be crazy if you thought NSA would disclose a server 0day that e.g. affects only websites running under a Russian locale, when those websites are known to be used by the Russian armed forces bordering Ukraine. That's the type of thing which could be useful to NSA while having practically nil effect on U.S. infrastructure.
disbelief|12 years ago
gregschlom|12 years ago
a3n|12 years ago
downandout|12 years ago
The reality is that we'll never get the truth out of them, and it doesn't matter anyway because nothing they say can be believed. They might as well never say anything. Assume that they have intercepted all of your traffic and have dumps of your RAM, and act accordingly.
kaffeinecoma|12 years ago
lxwang|12 years ago
sukuriant|12 years ago
http://arstechnica.com/security/2013/09/the-nsas-work-to-mak...
mpyne|12 years ago
lawnchair_larry|12 years ago
Second:
"When Federal agencies discover a new vulnerability in commercial and open source software – a so-called “Zero day” vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose."
This is demonstrably false. That's not even a point of debate, by their own admission.
The whole statement is worthless.
georgemcbay|12 years ago
That was my first reaction too. I'm probably late to the party on this, but when I saw the tumblr domain I thought it was some kind of satire at first.
btown|12 years ago
ctrl_freak|12 years ago
I would suspect that NSA would want to conceal the fact that the disclosure came from them.
mpyne|12 years ago
I don't know of better examples though.
tbolse|12 years ago
homulilly|12 years ago
staunch|12 years ago
geophile|12 years ago
mikeash|12 years ago
smoyer|12 years ago
As a top-notch surveillance organization in a top-notch surveillance state, I've come to expect more from the NSA. If their job is to protect my wimpy life from those rowdy terrorists, they should be at the forefront of all hacking activities and it's really disconcerting that they didn't introduce the bug into the code in the first place. A vulnerability that big deserves a big brother to protect it.
On a more serious note, the NSA is segmented and unaccountable ... I doubt anyone including the director can make a blanket statement guaranteeing that it has or has not done something. In the next installment of the NSA saga, a reporter with access to the Snowden documents will find proof that this is a lie.