What if they have a unique definition of 'vulnerability', much like they had a unique definition of 'collect'?
As a bit of internal jargon, the NSA only considered information 'collected' when an analyst looked at it. So, they could record & store bulk data about all Americans, but still claim (with a secret wink) that they didn't intentionally "collect" data on Americans.
Maybe for them, 'vulnerability' means both "the bug exists" and "bad guys know enough to exploit it". After all, if a tree falls in the woods, and there's no one there to hear it, does it make a sound?
This definition even makes sense, if you have an advanced, economic and strategic understanding of security as something that's a matter of relative priorities and dynamically-changing situations. There are plenty of bugs, known and unknown, in all software. Perhaps they only count as 'vulnerabilities' when they're practically exploitable, and practical exploitation has as an absolute prerequisite, discovery by malicious actors. (On the other hand, when we, "the good guys", discover the bug, it's not a vulnerability: it's an asset! Search for [NOBUS NSA] for more reporting about this style of reasoning.)
Still, using such a fine-grained bit of internal jargon, even if it makes sense among people who share your terms, is deceptive if used to hoodwink the public and Congress, exactly as the 'collect' finesse definition was long used.
NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report
Or perhaps the "private sector cybersecurity report" was an IRC chat two years ago for l33t haxors.
They went on to: "Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong." so there's no weasel-wording going on here.
Perhaps they're using the etymological root of aware, which is "wary", and they mean they were unconcerned with its existence as they were unwary/unaware of any possible dangers with it since it was unknown to hostile forces.
The NSA doesn't need to redefine "Vulnerability" or use any other jargon. When it comes to issues the government considers related to national security, they don't bother to hide behind convoluted language or misleading information, the NSA has already demonstrated it's willing to flat out lie to the public regarding such matters.
Or they just didn't know. Seriously, if you divide the world into the NSA and the non-NSA, then why would the former be much better than the latter at finding vulnerabilities in open source software?
For the money they get, and the supposed "Cyber Command" mission, they should have a team of great auditors, and advanced tools, that's much larger and more competent than the volunteer OpenSSL team itself. This group should go over all similar code multiple times with a magnifying glass.
Otherwise, what's the point of the NSA & Cyber Command, on its own stated terms?
Clapper couldn't divulge the existence of a classified program in an open session hearing. If they really wanted answers vs. trying to grill the NSA in a public forum they could have asked the question in a closed session with only participants who've met the proper clearance level for said program disclosures.
Unfortunately on HN anything NSA related is going to devolve into conspiracy theory groupthink these days vs. actual rational discussion that the NSA is not all knowing (unlike every other government agency which is apparently incompetent).
Only in your books would not accepting an official position qualify as groupthink. It's kind of hilarious. Oh, and Clapper lied because they made him, and thinking otherwise makes you a wacky conspiratard. Real mature...
Edit: Question for you - do you think there isn't a conspiracy here? Do you think the public has all the information about the legality of the executive branch's activities? Because it sounds like Clapper was lying to cover his ass - but that's just conspiracy think.
There was nothing pre-approved about the question. Senator Wyden said he sent notice a day in advance that he would be asking the question. The ODNI General Counsel said that Clapper hadn't seen the question prior to the Senate hearing, and tried to correct it after the fact. [1]
Keep in mind that this was a program that everyone on the intelligence committee had already been briefed on. You could make the argument that he misled the American public, but not Congress. Also note that since the intelligence committee knew about the program, any one of the members could have also issued a public statement clarifying the situation, but they didn't.
People liked to harp on Clapper, but Wyden was the one who, instead of just telling his constituents himself (he wouldn't be subject to prosecution, but might have been kicked off the intelligence committee) or putting forth legislation restricting Section 215 collection, decided to put the DNI in the position of either violating the law by disclosing a classified program or telling the American public the "least untruthful" statement.
That's contrary to what I'd heard, but if it's in fact the case then that does change things a little.
Note that there is again a flagrant lie in the GC's writing there - "Mr. Clapper [...] focused his mind on the collection of the content of Americans’ communications. In that context, his answer was and is accurate." We know now that this is only close to true in any sense with the disingenuous and misleading definition of "collect" the NSA uses - which has no place in ordinary English and deserves no place in legal opinions. Of course, lying in a letter to the editor to the NY Times isn't a crime, but if the GC has no compunctions about wilfully misleading the reader I'm highly skeptical of their other claims.
It's more than a little odd that he wouldn't have looked at the questions in advance - he knew this was a public forum, in which providing the most correct information while not leaking anything seems an important part of his job, and is likely to take some care and forethought.
"Keep in mind that this was a program that everyone on the intelligence committee had already been briefed on. You could make the argument that he misled the American public, but not Congress."
Most of Congress is not on either intelligence committee. Whether misleading them is correct is a deeper discussion, but if the answer is "no" then I think it's fair to say he misled Congress as well as the American public.
In any case, I agree that Wyden's approach here has been a little odd, though I at least appreciate the direction he's been pushing.
I don't think it's necessarily odd that he wouldn't have seen the question if it was sent only a day ahead of time. Was there a list of questions that all of the Senators had compiled, or was this just one question independently sent from Sen Wyden's office? Was it sent in the morning or afternoon? What was Clapper doing that day? Was he in his office? Was he out in meetings/briefings all day? If it sat in his inbox for a week I'd be less likely to give him the benefit of the doubt, but there's probably a whole host of reasons that something sent the day prior could have been overlooked.
Was his answer misleading? I definitely agree with you there. Was it a lie? That would imply that it was deliberate, which is tough to prove. He's gone on the record saying that he misunderstood the question and tried to correct it after the fact[1]. If it was deliberate, why lie directly to people that he knows know the truth?
I don't see a flagrant lie in the GC's writing. That quote goes back into the content/metadata issue. There hasn't been any leak so far showing content collection of Americans' communications. All of the debate in Congress regarding these programs has centered around bulk metadata collection. The issue everyone brings up when they accuse Clapper of perjury is the content/metadata issue, not the definition of collection. I haven't seen any government official denying that the NSA collects American cell phone metadata (besides this one instance with Clapper, which he admitted was erroneous).
"That quote goes back into the content/metadata issue. There hasn't been any leak so far showing content collection of Americans' communications. All of the debate in Congress regarding these programs has centered around bulk metadata collection."
First, the metadata distinction is absurd in this context. The question asked was "Does the NSA collect any kind of data at all on millions or hundreds of millions of Americans." Data on whether I call my mother every Friday is clearly data about me.
Second, even granting the metadata distinction, it's still false using any reasonable definition of "collect". Garbage men collect my trash by putting it into trucks and dumping it in a big pile. Numerous programs have been revealed under which the NSA is reading content of the communications of Americans and storing it in a database. Using "collects", precisely defined, in a way different than the rest of the world uses it in legal opinions and internal memos is possibly iffy but I don't think clearly unacceptable; using it that way with no clarification or definition in a communication directed at people predominately unfamiliar with the distinction you're drawing is nothing but a lie. "Honey, I wasn't lying when I said I didn't cheat on you. I know I slept with my secretary, but the way I use the word 'cheat' it only applies if I cook her breakfast afterwards." The testimony at the congressional hearing may have been such a communication; the opinion letter in the NYT was clearly so.
Pretty sure the laws / etc in place right now make sure no individuals can be held responsible for that kinda thing; do (former) presidents get charged with mass murder for wars in Iraq / Afghanistan, for example? Government is different from common sense of law and right and wrong.
Either way Clapper would be breaking the law. In this case he was placed between the choice of breaking his SF-182 NDA (which actually does have criminal implications... just ask Snowden) or lying to Congress in response to a question that the Congressman asking knew the answer to, but didn't want to take the risk of putting into the record himself.
That's immaterial though. The questioner knew the answer was classified, so it's not as if that was a surprise, because the questioner was a member of the Select Committee on Intelligence. In other words, he wasn't asking for his own edification, he was asking in order to force Clapper to either lie or break his oath by divulging the secret. Even saying "I can't answer that" would be an admission for the same exact reason hacktivists give a shit about warrant canaries.
But whether Clapper objected or not, Sen. Feinstein apparently got an inkling the question would be asked, as she made clear at the start of the session that there would be a closed hearing immediately afterward for questions that couldn't be discussed in an open forum.
And since Wyden and Udall both knew the actual answer, if they were so convinced the answer should be made public then either could have simply put it in the Senate record thanks to their Constitutional privilege and taken the risk that would come with that. Instead the risk was shifted entirely onto the public servant who didn't have Constitutional immunity from prosecution.
It's entirely material as to whether it was forced. Clapper knowingly permitted himself to be in a situation where his only options were to break one of two laws. He can't then use that as an excuse. He chose to break one of those laws when he chose (when reviewing the questions) that he was going to permit the question, and he's plainly guilty of breaking the law.
"And since Wyden and Udall both knew the actual answer, if they were so convinced the answer should be made public then either could have simply put it in the Senate record thanks to their Constitutional privilege and taken the risk that would come with that."
Agreed, and I would think more highly of them if they had. I'm not sure what the game was. That still does not change the fact that Clapper is guilty, though.
> Clapper knowingly permitted himself to be in a situation where his only options were to break one of two laws.
That makes no sense whatsoever. One does not simply refuse to show up to testify to Congress! I mean, if you want to talk about things which are disastrous for a democracy, having the Executive routinely ignore their responsibility to testify on their actions to the Legislature would be right up near the top of the list!
> That still does not change the fact that Clapper is guilty, though.
Of course not, that was the whole idea. If he had told the truth you'd be able to rightly say "That still does not change the fact that Clapper violated his oath, though". There's a reason that he isn't being charged with anything, unlike Helms before him.
"That makes no sense whatsoever. One does not simply refuse to show up to testify to Congress! I mean, if you want to talk about things which are disastrous for a democracy, having the Executive routinely ignore their responsibility to testify on their actions to the Legislature would be right up near the top of the list!"
Of course it makes sense. If the questions were pre-approved as I stated, he would not have had to refuse to show up in order to avoid being put in this situation. He would simply have had to not approve the question - which would have been the most in line with his obligations and least misleading to the rest of congress and the American people.
There is apparently some dispute as to whether the questions were, in fact, pre-approved. But as you hadn't contested it, I think it's fair that it remain the assumption for this sub-thread.
Last sentence reads: "Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities."
So, should the NSA decide that there is a national security interest or law enforcement need, they will not disclose such vulnerabilities. Given their past behavior and explanations for what was considered acceptable compromise for national security, I am not particularly reassured by this statement.
Yes, it's good that they weren't hoarding this particular exploit. But, they have clearly not denied being in possession of other exploits; they've only said that the ones they might hold would be because of national security or law enforcement need.
It's unfortunate that they have chosen an interpretation based on any current or future need. That wildcard approach means that pretty much everything qualifies.
The law should restrict things to "any current specific known need". Need should be singular and said need must be related to a specific issue or case already under investigation or surveillance. Any language more loose than that leaves open far too much room for interpretation.
They should literally maintain a list of targets they want to infiltrate and that list of targets needs to be open to being audited at some point in the future shortly after the related mission for a target is complete. They should not be allowed to apply the vulnerability to any new target identified after the date upon which the vulnerability was discovered. These countermeasures would go a long way to prevent abuse since they can't now look at it as a weapon in their arsenal to exploit as they see fit for any future mission.
The cool part is that you can actually measure how weasely those weasel words are: As other security experts have pointed out here, the NSA's hoard of zero-days numbers in the thousands. How many times have they practiced "responsible disclosure?"
"The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services."
This is my big point from the other thread. If NSA knew then not disclosing this type of serious bug should get someone's head to roll as it could imperil the security of other important USG communications.
That still leaves open the question of why NSA wasn't able to find this bug themselves though -- you'd think they'd be looking for bugs related to the introduction of new features into OpenSSL.
That's such a weak argument from them at this point. "Hey, we're the NSA - we're entrusted to protect US infrastructure. We'd never do something like that!"
Has this actually been verified? It was only newish versions of OpenSSL that were vulnerable. Websites that ran on IIS and other platforms were not vulnerable.
Does anyone have a historical list of critical government websites and their web server versions? An old nmap list would suffice to show that high-priority sites were vulnerable or not.
Many parts of government run Linux, including NSA themselves, other military platforms, and advanced research/development labs. Certainly there's tons of MS, but govvy is just so big that even OpenSSL being rare would still be highly concerning for USG security.
In other news, NSA thinks responsible disclosure is the way to go but apparently has no 0days to responsibly disclose. I didn't know TAO sucked so hard. Can't see how anyone will buy this.
I was actually inclined to give them the benefit of the doubt, but your point actually sort of makes sense. I don't like this feeling of not knowing where the boundary between wacko conspiracy theory and ... y'know ... real life ... begins and ends.
Is it possible that they've quietly disclosed to affected organizations/teams, but that those organizations don't want to publicly credit the NSA as their source?
If this is true, and the NSA knew about the Heartbleed vulnerability, then how come the EFF hasn't been getting more log data showing the vulnerability being exploited against sites?
How come, so far, only one person has thus far come forward with ANY evidence that might demonstrate a knowledge of this bug before it was discovered?
I just find it depressing how ready the media is to jump on the NSA for things they may not have done. There's plenty to work with in the realm of things they did do, why draw conclusions before there's evidence? So far I've yet to see a static analysis tool that would have caught this, and I don't have any reason to believe the NSA is hand-searching code for vulnerabilities.
> If this is true, and the NSA knew about the Heartbleed vulnerability, then how come the EFF hasn't been getting more log data showing the vulnerability being exploited against sites?
I don't know how common the "extensive TLS-layer traffic logs" the EFF is soliciting are. I know I don't collect these.
I'd imagine the NSA would use such things fairly sparingly so as to not blunt their swords. Using it willy-nilly increases the chances of someone going "huh, that's odd traffic" and discovering it.
> I just find it depressing how ready the media is to jump on the NSA for things they may not have done.
I don't like journalism and such, but I think it's OK in this case and I don't find it a bit depressing, maybe even otherwise. Why? Because we should be aware. Always. There's no sense in blaming NSA for something. It's stupid to blame spies for spying. There's no sense in saying something they do is immoral, because it couldn't stop them from doing it. So if you care about them doing something wrong the only way to stop it is to make it impossible. If you don't want NSA to know some data that belong to you — you are enemies, because NSA wants to know anything. And it's OK. It's what they are for.
You obviously cannot prevent what already happened, you can only try to fix the consequences and be more careful in the future. So it's always sensible to assume NSA knew about any single security bug discovered for a long time. And nobody can possibly know if something is true about NSA's knowledge (maybe even not NSA themselves). So even if it's not true — spreading rumors about it is completely fine I guess.
>>If this is true, and the NSA knew about the Heartbleed vulnerability, then how come the EFF hasn't been getting more log data showing the vulnerability being exploited against sites?
So, I have no idea if the NSA knew about this before or not but your typically configured webserver won't store these in access.log. Also, all the network stuff in between typically won't log SSL traffic (since it's just binary blobs without the private key)
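Added example, not from any commenter on the thread: the kind of TLS-layer check the EFF's log request presumes, run over a constructed byte stream rather than real traffic. It splits raw TLS records and flags a heartbeat whose declared payload_length is larger than what the record actually carries, the mismatch RFC 6520 says a receiver must silently discard; the function names and sample bytes are my own.

```python
import struct

# TLS record content type and heartbeat message types from RFC 6520.
TLS_HEARTBEAT = 24
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: a heartbeat must carry at least 16 bytes of padding


def parse_tls_records(stream: bytes):
    """Split a raw TLS byte stream into (content_type, version, body) tuples."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        off += 5 + length
        yield ctype, version, body


def inspect_heartbeat(body: bytes) -> dict:
    """Compare a heartbeat's declared payload_length with the bytes the record
    really carries. RFC 6520 requires the receiver to discard a message whose
    payload_length is too large; a peer that answers it instead is unpatched."""
    if len(body) < 3:
        return {"malformed": True, "suspicious": True}
    hb_type, declared = struct.unpack("!BH", body[:3])
    carried = len(body) - 3  # payload plus padding actually present
    return {
        "type": hb_type,
        "declared": declared,
        "carried": carried,
        "suspicious": declared + MIN_PADDING > carried,
    }


def scan_stream(stream: bytes) -> list:
    """Return one alert dict per heartbeat record whose length fields do not add up."""
    alerts = []
    for index, (ctype, version, body) in enumerate(parse_tls_records(stream)):
        if ctype != TLS_HEARTBEAT:
            continue  # handshake or application data: not relevant to this check
        info = inspect_heartbeat(body)
        if info["suspicious"]:
            info.update(record=index, version=hex(version))
            alerts.append(info)
    return alerts


def tls_record(ctype: int, body: bytes, version: int = 0x0302) -> bytes:
    """Wrap body in a TLS record header (used here only to build the sample)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample stream: a handshake fragment, a well-formed heartbeat
# (4-byte payload plus 16 bytes of padding), and a heartbeat that declares
# 16 KiB of payload while carrying nothing after its 3-byte header.
SAMPLE_STREAM = (
    tls_record(22, b"\x01\x00\x00\x00")
    + tls_record(TLS_HEARTBEAT,
                 bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * MIN_PADDING)
    + tls_record(TLS_HEARTBEAT, bytes([HB_REQUEST]) + struct.pack("!H", 0x4000))
)

if __name__ == "__main__":
    for alert in scan_stream(SAMPLE_STREAM):
        print(alert)
```

Only the third record is reported; the handshake record is skipped and the well-formed heartbeat passes because its declared length plus minimum padding fits inside the record.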
Now who do we believe... an anonymous source or an official press release (from an agency with both motivation to lie and a history of misleading statements). Both seem fairly unsubstantiated to me.
"Any 0day has an obvious national security interest in being responsibly disclosed and fixed".
That's not a very direct affirmation though, merely an "interest"... the caveats show up at the end, but even that is at least honest.
You'd be crazy if you thought NSA would disclose a server 0day that e.g. affects only websites running under a Russian locale, when those websites are known to be used by the Russian armed forces bordering Ukraine. That's the type of thing which could be useful to NSA while having practically nil effect on U.S. infrastructure.
I would agree with you except that they added the "rather than". It is a debate between the 0day's value as a weapon through holding it secret vs value of release to everyone else. If there was any merit to them holding any bias toward the latter we would see at least ONE public disclosure of a vulnerability by them.
No doubt this is part of their PR strategy. "Look, we use Tumblr just like you. We don't have any fancy blogging platform. In fact, we don't have any fancy tool at all. All we do is boring administrative work."
I find it a stretch to believe that some part of the NSA didn't know about, and/or have a hand in introducing, Heartbleed. There has to be an NSA team dedicated to both causing and exploiting issues with very popular open source software. If there isn't, the NSA isn't living up to its reputation.
The reality is that we'll never get the truth out of them, and it doesn't matter anyway because nothing they say can be believed. They might as well never say anything. Assume that they have intercepted all of your traffic and have dumps of your RAM, and act accordingly.
"The reality is that we'll never get the truth out of them, and it doesn't matter anyway because nothing they say can be believed."
This is clearly now true for many of us.
I wonder how true it's becoming for the people to whom the NSA provide their information? When Clapper happily uses phrases like "the least possible untruthful answer" when explaining to congress why he said "No" when the answer was "Yes", I can't help but wonder if the FBI/CIA/Pentagon/President/B-613 are starting to question/disbelieve every word that comes out of the NSA?
Sincere question: is the NSA on record for having responsibly disclosed any previous security holes? Is there some track record of them having actively helped close security holes in software?
The most famous example is the DES S-boxes, where the NSA made a change that nobody else understood - until years later, when it was discovered that they had made the algorithm more secure against cryptanalysis techniques that had just been "discovered", but which had evidently been known to NSA long before.
To expand on the DES example, the S-boxes are essentially large 'random' lookup tables. The NSA took the S-boxes, and replaced them with their own tables. At the time, it was not clear if this was to protect against an unknown attack, or to introduce an unknown attack (which may involve knowing some secret key used to generate the S-boxes).
The -1 in SHA-1 isn't because it was first. It was meant to be just "SHA", but NSA discovered a flaw in their own standardized hash algorithm soon after they published it and issued SHA-1 as a fixed version.
"When Federal agencies discover a new vulnerability in commercial and open source software – a so-called “Zero day” vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose."
This is demonstrably false. That's not even a point of debate, by their own admission.
That was my first reaction too. I'm probably late to the party on this, but when I saw the tumblr domain I thought it was some kind of satire at first.
"If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."
I see numerous disclosures from technology companies, security researchers in industry and academia... but for the life of me, I can't recount an instance in which a disclosure came from intelligence-community researchers. Is there any historical evidence of disclosures from the NSA to the open-source community?
The press is all over this topic, but as usual doesn't do its research well enough. Some insight: the bug was submitted in December 2011 and was only present in OpenSSL 1.0.1 - not in previous releases. 1.0.1 was released on 14th of March 2012. It usually takes a long time until these new versions get largely adopted into other software. Even today 1.0.1 isn't used everywhere. That leads me to doubt that the agencies could have used this vulnerability for a very long time. A year seems reasonable, years rather not. It's very sad though, that they chose not to contribute to secure software and rather exploit the vulnerability.
The NSA has already proven that it's willing to lie to the public, not just omit information or mislead, when it's talking about something the agency considers related to national security. Of course it's still possible they could be telling the truth in this instance, and Bloomberg could have failed to properly vet its sources. However, taking the recent past into account I think most people would agree it is far more likely that Bloomberg is providing accurate information and the NSA is not.
It does seem like a judgement call is unavoidable. If they discover exploits that are extremely difficult to use, and extremely unlikely to have been discovered by others, it might make sense to use them. But it also seems clear that they should have an obligation to find and make public exploits similar in nature to Heartbleed. Sitting on a bug like this should be a criminal offense.
As a top-notch surveillance organization in a top-notch surveillance state, I've come to expect more from the NSA. If their job is to protect my wimpy life from those rowdy terrorists, they should be at the forefront of all hacking activities and it's really disconcerting that they didn't introduce the bug into the code in the first place. A vulnerability that big deserves a big brother to protect it.
On a more serious note, the NSA is segmented and unaccountable ... I doubt anyone including the director can make a blanket statement guaranteeing that it has or has not done something. In the next installment of the NSA saga, a reporter with access to the Snowden documents will find proof that this is a lie.
That the Bloomberg report resulted in a denial so quickly demonstrates the defensive position of US intelligence services today.
Strong suspicion that a federal agency would withhold vital info about Heartbleed is a direct result of the shocking revelations of mass-surveillance.
I believe the sentiment expressed around this issue is not entirely contained to Heartbleed.
This is about distrust of the federal government to make good administrative decisions around highly technical issues that affect the public. Keep in mind Kathleen Sebelius just resigned largely due to optics around IT management failures.
Widespread distrust of federal organizations' ability to manage technology appropriately will only erode faith in federal government as a whole. That's not a good problem to have.
Isn't the utilization of the 0-day exploits in Stuxnet proof that DoD and the intelligence community generally don't care about responsible disclosure? I'm sure Microsoft would've liked to know about those. I'm also pretty sure many US government systems were vulnerable to many of the exploits, including the MOF file one.
I suppose the NSA counts that as "a clear national security or law enforcement need."
Why is there a scarcity of comments here questioning the Bloomberg article? For that matter, why was there a scarcity of discussion questioning Reuters' December '13 article about RSA and Dual EC? Neither provided any evidence for their claims, and I presume that, in both cases, the information was obtained from anonymous sources who could not provide documentation à la Snowden.
Practically treasonous. As they say, lots of important things protected by OpenSSL, and if the NSA did know about it two years ago, when did similar organizations in other governments spot it?
Or "Notification and Federal Employee Antidiscrimination and Retaliation Act".
Does legislation that can't be summarized in a clumsy acronym ever get passed? I can just imagine cabinet meetings: "Sure, world peace is a nice idea, but we can't think of a terrible enough acronym for it, so we've decided against it."
I haven't seen this mentioned in this thread yet, so I just want to remind everyone of the Stuxnet virus that contained four 0day vulnerabilities and was in active deployment from anywhere between two to five years. If you believe that they were the originators of this virus then this directly contradicts the claim that 0days are responsibly disclosed in a timely manner.
I don't think I have ever upvoted so many comments in one HN thread. The NSA earned every ounce of distrust that is currently being pointed at them. I just wish people were investing as much time in OpenSSL as they are in discounting NSA statements.