NSA Said to Have Used Heartbleed Bug, Exposing Consumers
Source: Bloomberg
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government's top computer experts.
Heartbleed appears to be one of the biggest glitches in the Internet's history, a flaw in the basic security of as many as two-thirds of the world's websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. to Juniper Networks Inc. to provide patches for their systems.
Read more: http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
When the floodgates open, it must be the weekend ....
ForgoTheConsequence
(4,869 posts)Because Ron Paul and Edward Snowden made a bad, or something.
TDale313
(7,820 posts)With boxes in the garage. I'm pretty sure.
ForgoTheConsequence
(4,869 posts)Therefore there's nothing to see here.
TDale313
(7,820 posts)Cause that's relevant, ya know
villager
(26,001 posts)Get your priorities straight!
uhnope
(6,419 posts)ForgoTheConsequence
(4,869 posts)What a load of shit.
christx30
(6,241 posts)something the NSA says, what can you trust? They'd NEVER lie about something like that, huh?
sendero
(28,552 posts)... they wouldn't stand right in front of Congress and lie their ass off. You can trust these guys, they are the smartest in the room.
ronnie624
(5,764 posts)TDale313
(7,820 posts)Or maybe not. Wouldn't surprise me a bit to learn this was being used by the national security apparatus as a back door. This shit is out of control.
eggplant
(3,919 posts)Anyone can contribute, and if the flaw is subtle enough, and the person submitting the code isn't obviously someone from the NSA, then no one is the wiser.
It would not surprise me in the slightest to find out that the flaw was contributed intentionally.
But my company got the last laugh -- the version of OpenSSL that we use is so old, it predates the flaw, so we're safe.
Pholus
(4,062 posts)Closed source is easily bought off behind closed doors.
PosterChild
(1,307 posts)... so old it has the old version of OpenSSL.
bemildred
(90,061 posts)AtheistCrusader
(33,982 posts)A whole new arms race.
bemildred
(90,061 posts)rhett o rick
(55,981 posts)How do we get back to that bliss? Double martini dry and up plez.
KoKo
(84,711 posts)Is it worth it since they already sucked everything up? What about our online forms like folks filling out forms for the ACA, Social Security, Medicaid, Medicare, Banking, Taxes, Medical forms doctors all want us to fill out and send online.
Which is secure and which isn't. Does it matter at this point? Especially us non-tech people just don't know which is secure SSL and which is Open. Are Firefox and Thunderbird Vulnerable because they are Open Source? Should I switch back to Microsoft instead?
Anyway...this all is good news in a way if it keeps the NSA out of our privacy in the future.
And Thank You Edward Snowden..!
Erich Bloodaxe BSN
(14,733 posts)apparently in the server software, not your own machine (unless you serve up websites or other servers from your machine, such as a database, for instance). As such, it doesn't really matter if your machine (the 'client') uses linux, windows, or whatever.
I'd change passwords on major sites first, especially your email password, since most other sites send your change requests to the email address on file. Then I'd change credit card and banking site passwords, then bills you pay online.
But let's face it, bugs like this reveal the flaw in simply having to sign in with accounts at so many different websites - if you're like me, you've got all sorts of passwords on accounts on websites you may have used exactly once in your life, to order something online, including sites to which you never plan to return, but offered you no ability to delete your account, or to set them to 'disable all logins on account'.
2banon
(7,321 posts)Shemp Howard
(889 posts)Because if it was, the President could put an end to all NSA excesses with a pen and a phone call.
Oh...wait a minute. The NSA is in the executive branch. Bernie S., Dennis K., anybody, please help.
frylock
(34,825 posts)I don't recall Greenwald complaining about heartbleed when Bush was in office. something something libertarian derp.
MindMover
(5,016 posts)""
""
OnyxCollie
(9,958 posts)doesn't show the money they gave to the DLC. I wonder why that is?
Koch Industries gave funding to the DLC and served on its Executive Council
http://americablog.com/2010/08/koch-industries-gave-funding-to-the-dlc-and-served-on-its-executive-council.html
But, here's a key piece of information: the Kochs haven't just given to right-wingers. Back in April of 2001, The American Prospect's Bob Dreyfuss reported that the Kochs also funded the Democratic Leadership Council (DLC):
And for $25,000, 28 giant companies found their way onto the DLC's executive council, including Aetna, AT&T, American Airlines, AIG, BellSouth, Chevron, DuPont, Enron, IBM, Merck and Company, Microsoft, Philip Morris, Texaco, and Verizon Communications. Few, if any, of these corporations would be seen as leaning Democratic, of course, but here and there are some real surprises. One member of the DLC's executive council is none other than Koch Industries, the privately held, Kansas-based oil company whose namesake family members are avatars of the far right, having helped to found archconservative institutions like the Cato Institute and Citizens for a Sound Economy. Not only that, but two Koch executives, Richard Fink and Robert P. Hall III, are listed as members of the board of trustees and the event committee, respectively -- meaning that they gave significantly more than $25,000.
The DLC board of trustees is an elite body whose membership is reserved for major donors, and many of the trustees are financial wheeler-dealers who run investment companies and capital management firms -- though senior executives from a handful of corporations, such as Koch, Aetna, and Coca-Cola, are included.
...
Oh, well. Keep up the Greenwald/Snowden/libertarian/Koch guilty by association smear.
frylock
(34,825 posts)That's just a Very Sensible graphic. if the octopus had nine arms there may have been a space to include the Koch bros/DLC relationship.
dreamnightwind
(4,775 posts)Everyone on DU needs to know this.
Response to MindMover (Reply #13)
Name removed Message auto-removed
totodeinhere
(13,059 posts)when Nixon was in office. Nice try though.
frylock
(34,825 posts)TDale313
(7,820 posts)Would need a sarcasm tag. The "something something libertarian derp" kinda made me think the poster was being sarcastic.
frylock
(34,825 posts)joshcryer
(62,287 posts)Also suggested such a vulnerability existed months ago...
arcane1
(38,613 posts)We live in interesting times, that's for certain!
Maedhros
(10,007 posts)then when they found this bug two years ago they would have immediately alerted the affected site owners so that American citizens' data was protected.
They apparently did not, so that tells us a little bit about what the NSA's job isn't.
AtheistCrusader
(33,982 posts)Seems apropos.
MindMover
(5,016 posts)safeinOhio
(32,756 posts)will put a stop to this crap.
PosterChild
(1,307 posts)... a bug in open source code? Seems a bit draconian to me.
joshcryer
(62,287 posts)Pholus
(4,062 posts)Remind them of how the NSA was all "Trust us, defense is our first priority" when it came to computer security.
I guess they worry about my defense pretty just like a Russian cybercriminal. It's an obstacle to overcome.
grasswire
(50,130 posts)The word "critical" is a judgment here. Editorializing. Not objective. Not in quotes. Not attributed.
Pholus
(4,062 posts)I guess critical means something the NSA wants.
grasswire
(50,130 posts)It should have been written with this phrase: "...considered critical intelligence by those familiar with..."
It is not precisely written, if the meaning is what you assume it is.
Pholus
(4,062 posts)But I do figure that the word was chosen because the "off the record sources" chose it, not because it is necessarily and impartially true.
MannyGoldstein
(34,589 posts)Look people, none of this is true. If you believe anything in this post, or in any news media, then you're just a HATER and nobody can ever live up to your purity tests.
Regards,
TWM
MindMover
(5,016 posts)OnyxCollie
(9,958 posts)joshcryer
(62,287 posts)Abolish the NSA and CIA.
Jesus Malverde
(10,274 posts)They build applications around them and have a strong incentive not to fix them or have the vendors fix them. That state of affairs puts us all at risk. Far from protecting the American public they are putting us further at risk.
OKNancy
(41,832 posts)BlindTiresias
(1,563 posts)I would trust the inside sources over the NSA spokesperson. Remember what the NSA was saying about the scope of the surveillance when the Snowden info was just coming out? Not a reputable organization.
Pholus
(4,062 posts)That's the problem when your communications with even our elected representatives can be flat out lies. Nobody can trust a word you say.
Might be time to slash their budgets, so they can remember where their priorities should be.
WillyT
(72,631 posts)pragmatic_dem
(410 posts)our throats if they could do it to maintain their power and control.
You know, it's for our own security, of course.
Goddamn the NSA apologists.
ucrdem
(15,512 posts)From the OP article, which does identify or link to any earlier Bloomberg article:
The NSA said in response to a Bloomberg News article that it wasn't aware of Heartbleed until the vulnerability was made public by a private security report. The agency's reported decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government's top computer experts.
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
Articles reporting same found via Google search all point to this same Bloombag whopper as a source.
Epic FUD fail, and no this doesn't mean I heart the NSA.
MindMover
(5,016 posts)If Bloomberg is making it up, I think there could be legal consequences, so your assertion that it is false information is, well, let's just say, FUD fail, and I do not love anyone except myself first ...
I would look to the reporter for Bloomberg ... and make your claim that he/she is making this up ...
ucrdem
(15,512 posts)grasswire
(50,130 posts)the information is at the bottom of the article.
Or maybe you already did that?
DisgustipatedinCA
(12,530 posts)...at least when considered in conjunction with your longstanding and full-throated defense of those criminal fucks.
blkmusclmachine
(16,149 posts)MindMover
(5,016 posts)L0oniX
(31,493 posts)uhnope
(6,419 posts)MindMover
(5,016 posts)and I do not believe anything until it is officially denied, especially from a spy agency ....
ForgoTheConsequence
(4,869 posts)That means it didn't happen, what more do you need?
I mean, if I burn down a building and then deny that I started the fire, I technically didn't burn it down. It's called the transitive Snowdensian property.