Obama Says He May Or May Not Let the NSA Exploit the Next Heartbleed

An anonymous reader writes "The White House has joined the public debate about Heartbleed. The administration denied any prior knowledge of Heartbleed, and said the NSA should reveal such flaws once discovered. Unfortunately, this statement was hedged. The NSA should reveal these flaws unless 'a clear national security or law enforcement need' exists. Since that can be construed to apply to virtually any situation, we're left with the same dilemma as before: do we take them at their word or not? The use of such an exploit is certainly not without precedent: 'The NSA made use of four "zero day" vulnerabilities in its attack on Iran's nuclear enrichment sites. That operation, code-named "Olympic Games," managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.' A senior White House official is quoted saying, 'I can't imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.'" Side note: CloudFlare has named several winners in its challenge to prove it was possible to steal private keys using the Heartbleed exploit.

Well, yeah

[LordLucless]

Spy agency's job is to spy. It'd be remiss of them not to use such a security hole.

The question is, would he allow the NSA to exploit a similar vulnerability against Americans. And I think we already know the answer to that one too.

Sounds like

[rmdingler]

He is pretty much admitting the next vulnerability will be exploited until no further military or law enforcement benefit exists.

There are almost certainly ongoing exploits of vulnerable systems.

People will very often tell you their intentions if you listen closely enough.

Re:Well, yeah

[Joce640k]

..."avoid a shooting war", "national security or law enforcement need"....

Why does it always come down to those things?

Does the USA actually have any enemies like that or is it just the (government created) national paranoia?

There's no information here.

[slapjerkt]

The information content of a sentence whose structure is, "I may x or I may not x" is 0.

The President doesn't micro-manage this stuff

[localroger]

Really, anybody who thinks anybody cabinet level or higher even knows about this kind of logistical detail is an idiot. This isn't at all like the torture thing which is a basic human rights violation; nobody is questioning the NSA's right to spy on certain people, and this has nothing to do with any accusation that they're spying on people they shouldn't be spying on. This is about technological implementation, and it's part of NSA's purview as a spy agency to explore technologies that further their ability to do their job. Part of that is discovering weaknesses in cryptographic systems which are trusted by the people you want to spy on. Having discovered such a useful weakness they aren't obliged to report it, although they are obliged not to use it (or any of their other techniques) against our own citizens.

Re:Well, yeah

[Anonymous Coward]

Spy agency's job is to spy.

And murderer's murder. Stating their job doesn't make it anymore moral. A spy's spying can be immoral, and that's exactly what the pieces of trash in the NSA have been doing.

If you trust the word of the NSA

[kruach aum]

you're a moron. Don't trust liars who have been proven to lie and then continue lying. In fact you probably shouldn't trust liars in general.

Re:Well, yeah

[Charliemopps]

No, the NSAs (as well as all government agencies) job is to defend the constitution and protect the citizens of the United States of America. The NSA has abandon the former goal in favor of the latter. They are not mutually exclusive. This country was founded on the principle that we as a people value freedom and liberty over life itself. The NSA, and apparently the president have forgotten this.

Obama could issue an Executive Order

[PeeAitchPee]

The NSA is part of the Executive Branch. Obama could immediately, at the very least, put a temporary halt on all of these types of activities and conduct a review gauging the potential impact on ordinary US citizens as collateral damage. He has done no such thing -- not with mass surveillance, not with HeartBleed, not with any of the other nasty shit disclosed in the Snowden leaks. Don't DARE give him a pass on anything NSA-related -- he doesn't need Congress in this case and can personally shut it all down at any time.

Re:Well, yeah

[Savage-Rabbit]

Spy agency's job is to spy. It'd be remiss of them not to use such a security hole.

The question is, would he allow the NSA to exploit a similar vulnerability against Americans. And I think we already know the answer to that one too.

No, the role of the NSA is not just to gather SIGINT, the NSA iis also tasked with preventing unfriendly entities from gathering SIGINT which is why the NSA initiated and open sourced SE Linux [wikipedia.org] just to cite one example. So the question here is should the NSA put every single American SSL using business at risk for years on end to protect a single source of SIGINT? After all, foreign intelligence services may not have to budget of the NSA but they are not stupid either, they can discover bugs like Heartbleed just as easily as the NSA can and might well use it sufficiently stealthily for the NSA not to notice that they aren't the only ones sitting on this vulnerability. When do the costs of spying outweigh the benefits?

Re:The President doesn't micro-manage this stuff

[PeeAitchPee]

Yet, the NSA is part of the Executive Branch and, as its head, the buck stops with him. James Clapper LIED to a Senate panel -- right to Ron Wyden's face -- and nothing has happened. The Snowden leaks are almost 11 months old now, and Obama obviously knew of a lot of those activities before then. He has chosen to DO NOTHING, or worse, in the case of mass surveillance, kick the ball to *Congress* (yes, the same Congress he's constantly bitched during his two terms about being dysfunctional and blocking his every move), which is completely unnecessary as NSA is part of the Executive Branch. Let's suppose that, as you contend, Obama is sooooo high up that he was in fact completely ignorant of any of the technical details of these activities, or even the existence of some of these programs. If he cared even the tiniest bit about our rights and upholding the Constitution -- especially in the wake of disclosures about leaving all US Citizens completely vulnerable to exploits such as HeartBleed -- he'd at least hit the Pause button on these programs via Executive Order so they could be properly investigated. He hasn't done *anything* close to that -- nothing. Just a bunch of bullshit lip service. This indicates he approves of all of these programs, and is attempting to wait until the noise dies down so they can be continued and expanded. Giving Obama a pass on anything NSA-related is weak and people that do it look like apologists from where a lot of us sit.

Re:Well, yeah

[Anonymous Coward]

The problem here is that you can't do one without doing the other, unless you want to go back to the days where SSL required a special "US" browser and a proprietary web server. Nowadays, information assurance directly harms signal interception because "the bad guys" are running the exact same software as "the good guys". If the NSA finds a vulnerability in OpenSSL, they can't fix it for US companies while using it against the bad guys at the same time. The bad guys will just patch their software, they aren't dumb.

Given this impasse, the NSA chose the path that gives them the most funding - escalating hacking operations and signal interception to find as much scary things as possible. There's a lot more money in making the world dangerous for non-Americans as opposed to making the US safe.

Re:Not it actually isn't...

[Enigma2175]

The job of any government agency to defend the constitution. It's the job of the judicial branch. Furthermore, you actually expect a spy agency to protect the constitution? That's not even close to their job.

The naivete some have on this issue is rather surprising given the demographics of the site.

Employees at the NSA take an oath to defend the constitution. From the NSA's website [nsa.gov]:

NSA/CSS employees are Americans first, last, and always. We treasure the U.S. Constitution and the rights it secures for all the people. Each employee takes a solemn oath to support and defend the Constitution of the United States against all enemies, foreign and domestic.

It's not naivete, it's just expecting them to do what they SWORE TO DO.

Re:Well, yeah

[ganjadude]

Based on the FBI list lets take a look at who they consider terrorists shall we?

People who are concerned about privacy, and shield the screen from view.
Are seen using multiple cell phones, or sim swapping
use of anonymizers or other IP blockers
encryption users
Asking about voice and data encryption
http://www.networkworld.com/community/blog/25-more-ridiculous-fbi-lists-you-might-be-terrorist-if

Tea party? terrorist
occupy group? terrorist
believe in the constitution? terrorist

and not terrorists, but the FBI considers fans of a band to be gang members. It would be like calling dead heads a gang. The band in question is the insane clown posse
http://www.cnn.com/2014/01/08/showbiz/juggalo-gang-lawsuit/

Long story short, anyone on slashdot is a terrorist in the eyes of the FBI