I would wager that the
NSA would have loved knowing about this hole for a few
years before anyone else. Let's see if anyone is fired for “bogus
reporting.”
Michael Riley reports:
The
U.S. National Security Agency knew for at least two years about a
flaw in the way that many websites send sensitive information, now
dubbed the Heartbleed bug, and regularly used it to gather critical
intelligence, two people familiar with the matter said.
The
NSA’s decision to keep the bug secret in pursuit of national
security interests threatens to renew the rancorous debate over the
role of the government’s top computer experts.
Read more on Bloomberg
News, who really really need to be more specific about the two
sources “familiar with the matter.”
NSA has denied the
Bloomberg report in a tweet this afternoon:
Statement:
NSA was not aware of the recently identified Heartbleed vulnerability
until it was made public.
—
NSA/CSS (@NSA_PAO) April
11, 2014
Now will Bloomberg be
forthcoming about their sources for their reporting?
Update 2:
The ODNI has posted this statement on their website:
Statement
on Bloomberg News story that NSA knew about the “Heartbleed bug”
flaw and regularly used it to gather critical intelligence
April
11, 2014
NSA
was not aware of the recently identified vulnerability in OpenSSL,
the so-called Heartbleed vulnerability, until it was made public in a
private sector cybersecurity report. Reports that say otherwise are
wrong.
Reports
that NSA or any other part of the government were aware of the
so-called Heartbleed vulnerability before April 2014 are wrong. The
Federal government was not aware of the recently identified
vulnerability in OpenSSL until it was made public in a private sector
cybersecurity report. The Federal government relies on OpenSSL to
protect the privacy of users of government websites and other online
services. This Administration takes seriously its responsibility to
help maintain an open, interoperable, secure and reliable Internet.
If the Federal government, including the intelligence community, had
discovered this vulnerability prior to last week, it would have been
disclosed to the community responsible for OpenSSL.
When
Federal agencies discover a new vulnerability in commercial and open
source software – a so-called “Zero day” vulnerability because
the developers of the vulnerable software have had zero days to fix
it – it is in the national interest to responsibly disclose the
vulnerability rather than to hold it for an investigative or
intelligence purpose.
In
response to the recommendations of the President’s Review Group on
Intelligence and Communications Technologies, the White House has
reviewed its policies in this area and reinvigorated an interagency
process for deciding when to share vulnerabilities. This process is
called the Vulnerabilities Equities Process. Unless there is a clear
national security or law enforcement need, this process is biased
toward responsibly disclosing such vulnerabilities.
ODNI
Public Affairs Office
Interesting legal
opinion. (Would anyone else agree?) That's quite different from
having any use for that data – or even a budget large enough to
search through it in any meaningful way.
Mike Masnick writes:
During
a recent House Judiciary Committee hearing concerning oversight, Rep.
Zoe Lofgren decided to quiz Attorney General Eric Holder about the
federal government’s surveillance efforts, starting off with a
rather simple question. She notes that the bulk phone record
collection program is considered to be legal by its supporters, based
on Section 215 of the Patriot Act, which allows for the collection of
“business records.” So, she wonders, is
there any legal distinction between phone records and, say, internet
searches or emails? In other words, does the DOJ believe that it
would be perfectly legal for the US government to scoop up all your
search records and emails without a warrant? Holder clearly does not
want to answer the question, and first tries to answer a different
question, concerning the bulk phone records program, and how the
administration is supposedly committed to ending it. But eventually
he’s forced to admit that there’s no legal distinction:
Read more on TechDirt.
(Related)
As we covered
in yesterday’s Early
Edition, Sir Anthony May, the UK’s Interception
of Communications Commissioner (the UK’s surveillance
watchdog), has
concluded in his 2013 Annual Report (full
text) to the Prime Minister that the UK’s spy agencies do not
carry out “random mass intrusion into the private affairs of law
abiding UK citizens.” In the 87-page annual report released
yesterday, Sir Anthony states that the UK government “does not
misuse [its] powers under the Regulation
of Investigatory Powers Act (RIPA).” This is undoubtedly an
important and compelling report, and in this post, we aim to outline
some of its highlights, analyze a few of its important findings, and
discuss shortcomings in the report.
Interesting idea for
getting a larger Security budget?
When
Your Insurer Says "Um, No" to Cyber Protection
Maybe it’s my
actuarial background, but I’ve always seen IT security as an
activity that should work hand-in-glove with insurance. After all,
both domains are about planning for, and if possible preventing,
disaster. Both have trouble showing they are “working” until
something really bad happens. Both therefore have to go to special
efforts to make the case to a CFO for the expenses involved. And of
course, insurance has a few centuries of experience that can teach us
IT secfolks plenty.
… You
can’t just walk in off the street and buy a cyber insurance policy;
wisely, the insurers want to review your security practices first, to
see if your defensive strategy amounts to anything more than hope or
a tin foil hat.
Don’t
forget – the insurance companies want to take your money if they
possibly can. For them to decide you’re just not insurable means
you represent an existential threat to them.
… So
in effect, if you go to Lloyd’s of London, and they look you up and
down and send you on your way, you have to take that as a serious
message – you’re just not doing what needs to be done to pass a
basic inspection. Indeed, the good folks who make up the Lloyd’s
exchange are very smart at what they do, but nobody takes them to be
world experts on APT and the like – they don’t
even work in IT security, and they can tell that our defenses aren’t
good. It’s a sobering thought.
Interesting
cheap or free I-phone Apps... (Android is another day)
Ever wanted to use your
iPhone, iPad or iPod Touch as a wireless trackpad for your Mac or PC?
That’s exactly what Remote Mouse does, though users need to
install the free
server before everything will work. Once installed the app
provides full use of multi-touch gestures, media remote, an
application launcher and slideshow presentation functionality.
Something for my Excel
students?
Do
Visionary Web Research Studies Using Deep Web Data & Excel Web
Queries
What would you say if I
told you that you have the tools at your disposal to do
ground-breaking, Earth-shattering research? Well, you do, and I’ll
show you how.
Governments, academic
institutions and non-profit research organizations publish tables
full of data to the public domain. Without anyone using this
information, its true value will never be known. Unfortunately, few
people have the insight, the skills or the tools to take the data and
make interesting correlations between seemingly unconnected
information.
A lot of the research
that I do for my own blog involves digging through what’s known as
the invisible
web, to uncover data that has been released to the public, but
hidden from search
engines inside an online database. This is the deep
web, and it’s rife with valuable data. Very often, I come
across webpages just chock-filled with some of the most valuable data
on topics that run the gamut from census data to epidemiological
studies on rare diseases. I constantly have new ideas on how to try
and correlate those disparate data sources using various tools –
and one of the most valuable tools that I’ve found is the Web Query
inside of Microsoft Excel.
