How the NSA Shot Itself In the Foot By Denying Prior Knowledge Of Heartbleed Vulnerability

Written on April 13, 2014 in Government, Internet Control

Zack Whittaker | Zdnet | April 12th 2014

In 2012, during a classified but widely-known operation at Fort Meade, MD, government cryptographers and developers downloaded the OpenSSL source code, as it does with dozens of other software packages published on the Web. The operation's objective was to find weaknesses in the library and exploit those vulnerabilities as part of wider efforts by the intelligence agency to conduct mass-scale surveillance.

After the code was downloaded and compiled, the developers were soon able to pinpoint a programming flaw in the code, which would have allowed the agency to collect usernames and passwords far quicker, more efficiently, and at a lower cost than its bulk data collection programs, notably its fiber cable tapping operation named Upstream.

Executives and senior officials heralded it as one of the biggest vulnerability discoveries in the intelligence agency's recent history. A single programming flaw that it could exploit and use to tap directly into the communications of hundreds of millions of users, and gain system administrative privileges to vacuum up every shred of data it could find. Not just once, but at will, and it was untraceable.

It was the NSA's golden goose.

Except, none of that happened, according to a statement by the U.S. director of national intelligence, James Clapper, who said on Friday, following the Bloomberg report citing two people familiar with the situation: “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report.”

“Reports that say otherwise are wrong,” he added, noting that the U.S. government “relies” on OpenSSL to protect its users on government websites. “If the… government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”

Either one of two things happened: Bloomberg got screwed over by its sources, or the U.S. government is outright lying and clambering to save face with the already disgruntled public.

Clapper's response instead disclosed a seismic vulnerability in the intelligence agency's own mission, to “protect U.S. national security systems and to produce foreign signals intelligence information.”

Clapper has, either intentionally (though more likely inadvertently), revealed the agency's own core internal weaknesses and deficiencies probably more so than any other revelation leaked by whistleblower Edward Snowden, who remains responsible for the biggest global intelligence leak in post-World War II history.

The NSA's job, first and foremost, has been blown up by the Snowden leaks in a more specific and precise way than the agency's simplistic “protect America” rhetoric — from tapping fiber cables, demanding data from Silicon Valley servers, intercepting wireless transmissions, and exploiting vulnerabilities and flaws in common encryption standards in order to vacuum up all the data things.
