Heartbleed a new problem?...Not exactly.


  • Heartbleed a new problem?...Not exactly.

    Turns out the NSA has not only known about Heartbleed (a very serious SSL security issue), but has been exploiting it for at least two years.
    "Judge not, lest ye get shot in your bed while you sleep." - Liz, The Dreadful
    "If you villainize people who contest your points, you will eventually find yourself surrounded by enemies that you made." - Philip DeFranco

  • #2
    Originally posted by EricKei
    Turns out the NSA has not only known about Heartbleed (a very serious SSL security issue), but has been exploiting it for at least two years.
    Two random, unnamed sources claim the NSA knew about it. Pardon my skepticism at everyone blaming the NSA for being behind every bad act possible.
    Violence has resolved more conflicts than anything else. The contrary opinion that violence doesn't solve anything is merely wishful thinking at its worst. - Starship Troopers


    • #3
      And yet, it's entirely plausible, and I'd be more surprised if it weren't true.


      • #4
        I don't know for sure, but I DO know that the vulnerability was "in the wild" for 2 years. WHOEVER was responsible for that delay in fixing it needs firing. (Either they are incompetent, and need firing for sheer incompetence, or they were malicious, and need firing for malpractice.)


        • #5
          The bug was missed in QA and code review. It's been present in the code for two years. This does not mean it was actively exploited for two years, but the potential was there.

          It's possible, but unlikely, that it was found by some very astute hacker who actually managed to keep it to themselves. It's also possible, but unlikely, that a contributor to OpenSSL maliciously inserted the bug. The OpenSSL team is rather small actually.

          I think if it really was discovered long ago, it was discovered by someone working for an intelligence agency. Someone with something to lose. For a bug this epic, the rewards of capitalizing on it in various ways would be astronomical, irresistible. Word would spread and the bug would be found. An intelligence agency on the other hand--and their employees--would keep it quiet. The risk of letting it out would far outweigh the reward in their case.

          That's why I find it plausible that if anyone has been exploiting this bug before this week, it would have been the NSA. We already know, thanks to Snowden, that they could tap SSL comms. Perhaps this was just one of their methods.


          • #6
            Greenday: Fair enough. I just don't think that their doing something like that -- if it is true -- is all that unlikely.
            "Judge not, lest ye get shot in your bed while you sleep." - Liz, The Dreadful
            "If you villainize people who contest your points, you will eventually find yourself surrounded by enemies that you made." - Philip DeFranco


            • #7
              Developer: "I'm responsible for Heartbleed." http://www.theguardian.com/technolog...rets-oversight

              Developers I know have said a coding error like this one is "exceptionally easy to make" and missing it in code review is just as easy.

              So, no malicious intent. Hanlon's Razor strikes again.


              • #8
                Originally posted by s_stabeler
                I don't know for sure, but I DO know that the vulnerability was "in the wild" for 2 years. WHOEVER was responsible for that delay in fixing it needs firing.
                You do know that the "Open" part of OpenSSL means that it's all open source, and there is nobody to be fired, right? That bit of code wasn't even written by a foundation member, though it was approved.

                According to the article at Ars, for the NSA to have known for 2 years, they'd have had to have been actively watching OpenSSL and discovered the flaw fairly quickly, as it was only introduced in January of 2012.

                Considering the type of vulnerability it was, the idea that the NSA would know and leave it open without having some of the notable users of OpenSSL either change to a different SSL system or add other safeguards to make it useless to Heartbleed them, I find the idea that they knew and kept mum to be highly unlikely. There's just too much chance of someone they don't like using it for them to leave it vulnerable.
                Faith is about what you do. It's about aspiring to be better and nobler and kinder than you are. It's about making sacrifices for the good of others. - Dresden


                • #9
                  Originally posted by EricKei
                  Greenday: Fair enough. I just don't think that their doing something like that -- if it is true -- is all that unlikely.
                  I don't think they'd hesitate to exploit a bug like that, but it seems to lack any proof at all.
                  Violence has resolved more conflicts than anything else. The contrary opinion that violence doesn't solve anything is merely wishful thinking at its worst. - Starship Troopers


                  • #10
                    Originally posted by Andara Bledin
                    You do know that the "Open" part of OpenSSL means that it's all open source, and there is nobody to be fired, right? That bit of code wasn't even written by a foundation member, though it was approved.

                    According to the article at Ars, for the NSA to have known for 2 years, they'd have had to have been actively watching OpenSSL and discovered the flaw fairly quickly, as it was only introduced in January of 2012.

                    Considering the type of vulnerability it was, the idea that the NSA would know and leave it open without having some of the notable users of OpenSSL either change to a different SSL system or add other safeguards to make it useless to Heartbleed them, I find the idea that they knew and kept mum to be highly unlikely. There's just too much chance of someone they don't like using it for them to leave it vulnerable.
                    a) I was talking about the delay in fixing it, not the vulnerability's introduction.
                    b) I was under the impression that somebody had known about the vulnerability for 2 years, and had deliberately not got it fixed. If the vulnerability is newly discovered, that's different.


                    • #11
                      While I'm no big fan of the NSA, this just seems like wild speculation to me. Yes, there is a thing that maybe they could have used (and I think would be wrong for them to do) if they knew about it, but I don't see any reason to think they DID know about it beyond that they could possibly have.
                      "For it is fitting that the devoted poet himself be chaste;
                      his verses need not be so at all."


                      • #12
                        Originally posted by s_stabeler
                        a) I was talking about the delay in fixing it, not the vulnerability's introduction.
                        b) I was under the impression that somebody had known about the vulnerability for 2 years, and had deliberately not got it fixed. If the vulnerability is newly discovered, that's different.
                        It's unlikely that anybody knew about the vulnerability until this month. If they did, they kept their mouths shut, heads down, and have been invisibly mining for data since they found it.

                        That is actually a pretty improbable scenario. Not only are most people incapable of keeping a secret of that magnitude under wraps, but it would have been more valuable to a hacker to sell it as part of a script and make a boatload of money in the short term as opposed to trying to make more money and risk the vulnerability getting spotted and patched out before any significant profit had been made. Last I read, no exploit code has been found in the wild, so it's likely that nobody else was looking at that particular section of code until now, either.
                        Faith is about what you do. It's about aspiring to be better and nobler and kinder than you are. It's about making sacrifices for the good of others. - Dresden


                        • #13
                          Again, it's a case of me having bad information - and at the time, I had recently read, from a reliable source, recommending that people change all their passwords, because they could have been stolen at any time in the last 2 years.


                          • #14
                            Consider this:

                            For the NSA to say nothing, that means potential for critical passwords to be compromised in:
                            - The Power Grid
                            - Major ISPs
                            - Major Banks
                            - DoD Contractors
                            - Major transportation systems (Subways, Airlines, etc.)
                            - Major US-based corporations competing with Major Chinese/Russian/European-based corporations

                            etc. If you think about what the NSA's actual mandate is (which is ostensibly intelligence and counter-intelligence), that still comes under the heading of Defense; the risk/reward is way, way too high. They do not want to find themselves fighting Chinese hackers with two years' worth of ripped off passwords.
