Poll: Did NSA Know About and Use Heartbleed Bug?

“The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.”
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

This story has been heavily reported in the tech press, although I don’t know if there is any further verification than these two anonymous sources.

The government has strongly denied this report:
“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.”

So which version is correct? I think the tech community no longer sees the government as having much credibility in this area (the Snowden revelations being a big factor) and I wonder how Dopers feel.

I don’t think the NSA is that good at hacking so I said no. Not that someone couldn’t have told them how to do it though, but it’s pretty much a coin toss right now.

Who cares?

Did the NSA tell you to post that?

Can’t help but wonder if those two people will soon find themselves unemployed…

And I did vote “Yes”; in fact, when this story broke, I smacked myself on the forehead and said, “So THAT’S how they’ve been doing it!”

I can’t decide. When I first heard Bloomberg’s report I believed it. The problem now is one can’t decide who to believe. Unless the information turns up in Snowden’s reports, I don’t know who to believe. If it is true, it would be classified at a very high level. I may be gullible, but folks with those clearances don’t leak information to the press without an OK. If one of them is even slightly suspected, their clearance gets suspended and their career is over. The risks far outweigh the benefits. When such information is leaked I believe it is done deliberately. The NSA is in a difficult position. In this case they know people will assume they knew. And they may. What they don’t know is the full extent of the Snowden leaks. If they did have the flaw, the truth might come out any moment. Now they can both admit (via this leak) and deny via the press release. The contradiction causes confusion and gives defenders something to point to. If they knew and the information does come out, the leak gives them some cover. If no proof comes out, they can point to the press release. At this point, it is all about damage control.

If my theory is true, I doubt a bunch of Gov’t bureaucrats came up with this plan. I wonder what the PR agency had to go through when they got hired to advise the NSA. Talk about a difficult customer!

After actually reading the article (heh) it turns out the “two people familiar with the matter” are Ghostery Senior Dir. of Research Andy Kahl & Bloomberg’s Michael Riley – i.e., two journalists presenting their opinions as fact. :smack:

That said, I do agree with their opinion – that is, the NSA probably knew about and utilized this bug for a very long time. After all, it’s an exploit that allows secret access to a computer system and leaves no trace, which is especially handy for a government agency whose mandate is to access computer systems and leave no trace. On the other hand, I don’t think we’ll ever know the entire truth…

Something I’m finding really :dubious: about this whole Heartbleed thing is that it’s supposedly been hidden in there for several years, and all of a sudden almost simultaneously, two people on near-opposite sides of the planet discover it independently.

That’s not necessarily true. If it was widely exploited before the partial disclosure in April, chances are someone will turn up evidence of it. The University of Michigan has checked their logs back to November 2013, and the first sign of scans turned up in April, from Chinese IPs.

That doesn’t eliminate the possibility that the NSA used the exploit on specific targets of course. But it does confirm that any earlier attacks could have left a trace somewhere and might yet be revealed.

There’s no way to know for sure, and there might never be. I think the NSA is fairly likely to be telling the truth here, but I’m not at all certain of that.

You’re asking us for opinions that we have no basis to make a reasoned answer on? It would be like flipping a coin.

It’s safe to assume that the NSA uses numerous tricks to cover their tracks, even when they break into a system via the front door. We ARE talking about the largest and most well-funded intelligence organization on earth, not some enclave of drunken Russian hackers, after all. So any evidence they do leave behind would only trace as far back as “McDermott’s Waffle House” or something.

Toss in the fact that their credibility is for shit and I’m not sure I’d believe them if they told me they weren’t space aliens.

Since this was a yes-or-no question, I answered Yes, but actually I think it’s entirely possible the NSA conceived and/or used Heartbleed, but I don’t know whether they actually do/did.

I voted yes because if they didn’t know they sure as heck should have. The NSA employs some of the brightest crackers on the planet. This was an open source flaw. It would astound me if the NSA didn’t know about it. They don’t even have to ‘sneak in’ and get the source. It is there to be read. If they don’t run emulators on their servers of all of the common combinations of SSL, then they aren’t who I think they are.

Seriously, this is pretty much a no-brainer to me, but I am (as almost always) willing to be corrected.

Wait!
That’s not what I posted!
Someone must have changed my post after the fact.

Did the NSA tell you to post that?

That was me.
The OP: Yes, the NSA probably knew about it. Not 100% though and not even 95%. It should be investigated.

AFAIK, OpenSSL was an all-volunteer effort: it had no employees.

If this is the case, heads should roll. The NSA should be combing OpenSSL, looking for exploitable bugs. This bug wasn’t especially profound. There needs to be an investigation of this example of sheer incompetence. Other intelligence agencies apparently knew about this bug: why didn’t the NSA? This concerns me.

(The link in question documents a pattern of cyber-activity last fall that fits an intelligence gathering profile more than a cybercrime profile. And yet we know the NSA didn’t have access to this bug: their official statement proves that, up to a point.)

Given that right now anything we think is basically as credible as going “eenie meenie miny moe” between the two options, I went with “Yes,” because the NSA said “No,” and I’m not exactly confident in their truth telling abilities right now.

I have no idea whether they actually knew or not. I definitely believe that had they known they would have been exploiting the hell out of it though.

It doesn’t have to trace back to the NSA. Any evidence of Heartbleed being exploited earlier than April, from any source, suggests the NSA is probably lying.

Measure for Measure’s EFF link has one very likely positive hit in November. That tips my answer to Yes.