Obama Says He May Or May Not Let the NSA Exploit the Next Heartbleed
An anonymous reader writes "The White House has joined the public debate about Heartbleed. The administration denied any prior knowledge of Heartbleed, and said the NSA should reveal such flaws once discovered. Unfortunately, this statement was hedged. The NSA should reveal these flaws unless 'a clear national security or law enforcement need' exists. Since that can be construed to apply to virtually any situation, we're left with the same dilemma as before: do we take them at their word or not? The use of such an exploit is certainly not without precedent: 'The NSA made use of four "zero day" vulnerabilities in its attack on Iran's nuclear enrichment sites. That operation, code-named "Olympic Games," managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.' A senior White House official is quoted saying, 'I can't imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.'"
Side note: CloudFlare has named several winners in its challenge to prove it was possible to steal private keys using the Heartbleed exploit.
Well, yeah (Score:5, Insightful)
Spy agency's job is to spy. It'd be remiss of them not to use such a security hole.
The question is, would he allow the NSA to exploit a similar vulnerability against Americans. And I think we already know the answer to that one too.
Sounds like (Score:5, Insightful)
There are almost certainly ongoing exploits of vulnerable systems.
People will very often tell you their intentions if you listen closely enough.
Re:Well, yeah (Score:4, Insightful)
..."avoid a shooting war", "national security or law enforcement need"....
Why does it always come down to those things?
Does the USA actually have any enemies like that or is it just the (government created) national paranoia?
There's no information here. (Score:5, Insightful)
The President doesn't micro-manage this stuff (Score:5, Insightful)
Re:Well, yeah (Score:2, Insightful)
Spy agency's job is to spy.
And murderers murder. Stating their job doesn't make it any more moral. A spy's spying can be immoral, and that's exactly what the pieces of trash in the NSA have been doing.
If you trust the word of the NSA (Score:5, Insightful)
you're a moron. Don't trust liars who have been proven to lie and then continue lying. In fact you probably shouldn't trust liars in general.
Re:Well, yeah (Score:5, Insightful)
No, the NSA's (as well as all government agencies') job is to defend the constitution and protect the citizens of the United States of America. The NSA has abandoned the former goal in favor of the latter. They are not mutually exclusive. This country was founded on the principle that we as a people value freedom and liberty over life itself. The NSA, and apparently the president, have forgotten this.
Obama could issue an Executive Order (Score:5, Insightful)
Re:Well, yeah (Score:5, Insightful)
Spy agency's job is to spy. It'd be remiss of them not to use such a security hole.
The question is, would he allow the NSA to exploit a similar vulnerability against Americans. And I think we already know the answer to that one too.
No, the role of the NSA is not just to gather SIGINT, the NSA is also tasked with preventing unfriendly entities from gathering SIGINT which is why the NSA initiated and open sourced SE Linux [wikipedia.org] just to cite one example. So the question here is should the NSA put every single American SSL using business at risk for years on end to protect a single source of SIGINT? After all, foreign intelligence services may not have the budget of the NSA but they are not stupid either, they can discover bugs like Heartbleed just as easily as the NSA can and might well use it sufficiently stealthily for the NSA not to notice that they aren't the only ones sitting on this vulnerability. When do the costs of spying outweigh the benefits?
Re:The President doesn't micro-manage this stuff (Score:5, Insightful)
Re:Well, yeah (Score:2, Insightful)
The problem here is that you can't do one without doing the other, unless you want to go back to the days where SSL required a special "US" browser and a proprietary web server. Nowadays, information assurance directly harms signal interception because "the bad guys" are running the exact same software as "the good guys". If the NSA finds a vulnerability in OpenSSL, they can't fix it for US companies while using it against the bad guys at the same time. The bad guys will just patch their software, they aren't dumb.
Given this impasse, the NSA chose the path that gives them the most funding - escalating hacking operations and signal interception to find as many scary things as possible. There's a lot more money in making the world dangerous for non-Americans as opposed to making the US safe.
Re:Not it actually isn't... (Score:5, Insightful)
The job of any government agency to defend the constitution. It's the job of the judicial branch. Furthermore, you actually expect a spy agency to protect the constitution? That's not even close to their job.
The naivete some have on this issue is rather surprising given the demographics of the site.
Employees at the NSA take an oath to defend the constitution. From the NSA's website [nsa.gov]:
NSA/CSS employees are Americans first, last, and always. We treasure the U.S. Constitution and the rights it secures for all the people. Each employee takes a solemn oath to support and defend the Constitution of the United States against all enemies, foreign and domestic.
It's not naivete, it's just expecting them to do what they SWORE TO DO.
Re:Well, yeah (Score:3, Insightful)
People who are concerned about privacy, and shield the screen from view.
Are seen using multiple cell phones, or sim swapping
use of anonymizers or other IP blockers
encryption users
Asking about voice and data encryption
http://www.networkworld.com/community/blog/25-more-ridiculous-fbi-lists-you-might-be-terrorist-if
Tea party? terrorist
occupy group? terrorist
believe in the constitution? terrorist
And not terrorists, but the FBI considers fans of a band to be gang members. It would be like calling Deadheads a gang. The band in question is the Insane Clown Posse
http://www.cnn.com/2014/01/08/showbiz/juggalo-gang-lawsuit/
Long story short, anyone on Slashdot is a terrorist in the eyes of the FBI