Did the Department of Homeland Security Just Admit that the Government Knew about the Heartbleed Bug?
Bloomberg reported that the NSA knew about – and exploited – the Heartbleed bug for years.
The NSA has denied it knew about the bug.
And the White House spokesman claims:
This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet.
***
If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.
(OpenSSL is the library infected by Heartbleed.)
But the Department of Homeland Security says:
The Federal government’s core citizen-facing websites are not exposed to risks from this cybersecurity threat.
Matt Stoller tweets:
DHS says #Heartbleed didn’t affect government websites. That is… peculiar.
Perhaps there is an innocent explanation … The government doesn’t use OpenSSL on its websites?
Nope … Security firm Codenomicon – which discovered the Heartbleed virus – reports:
You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commercial site, hobby site, sites you install software from or even sites run by your government might be using vulnerable OpenSSL.
Did DHS just unintentionally admit that the government knew about Heartbleed years ago and patched its own websites … without telling the tech community about it?
Mother Jones points out that – whether or not the NSA knew about the bug – the Heartbleed episode makes it look bad:
I’m honestly not sure which would be worse. That the NSA knew about this massive bug that threatened havoc for millions of Americans and did nothing about it for two years. Or that the NSA’s vaunted—and lavishly funded—cybersecurity team was completely in the dark about a gaping and highly-exploitable hole in the operational security of the internet for two years. It’s frankly hard to see any way the NSA comes out of this episode looking good.
Only OpenSSL versions 1.0.1 through 1.0.1f have the bug; maybe the US government is not using any of these versions and rightfully said they support open systems and at the same time are not affected by the bug.
That's the problem.........the US is truly the boy that cried wolf.
The electronic gestapo strikes again.
A very interesting report from Mike Adams of Natural News on the Gary Franchi news channel.
http://www.youtube.com/watch?v=YHzQu3jxP1A
And here Fabian is on the head of the Wagon Train. The sellout of America is a huge issue.
http://www.youtube.com/watch?v=aP_rfKVFgAY&list=UULoNQH9RCndfUGOb2f7E1Ew
Just moar of the criminality and corruption aimed at destroying the USA by pitting Americans against Americans in the same old Caesarian divide, conquer, and control methodology. Sad that the people still actually fall for it. And who will benefit at the end of the day if they raid and kill the Bundy family people?
Why the trolls are covering up the Bundy Ranch heist and cattle rustling: http://www.youtube.com/watch?v=HFiosLqjoQQ#t=41
And not to be out done, here is some moar from Paul Craig Roberts on the other distraction in the Ukraine.
http://www.paulcraigroberts.org/2014/04/14/washington-drives-world-war-p...
You might want to look at a simpler explanation first, such as the sites in question running on outdated (yet safe) software or software that was never affected, such as Microsoft IIS.
Considering that the IRS still has a bunch of workstations running Windows XP, how shocking is it that various agencies' web server software is a version from before the faulty version of OpenSSL was in distribution?
This is one of those cases where I'd give incompetence the lead over malice.
This is all past sad; it is pathetic. It recently came out thanks to information leaked by Edward Snowden that the "black budget" last year was a massive 52 billion dollars. This amount of money used in "secret" spy operations should send shivers down the back of all Americans.
This is similar to the totalitarian society of Oceania described in George Orwell's novel Nineteen Eighty-Four. In Orwell's novel, all citizens of Oceania are monitored by cameras and are fed fabricated news stories by the government. More on this subject in the article below.
http://brucewilds.blogspot.com/2013/09/are-we-creating-orwellian-society...
"completely in the dark about a gaping and highly-exploitable hole " Smile.
"Or that the NSA’s vaunted—and lavishly funded—cybersecurity team was completely in the dark about a gaping and highly-exploitable hole in the operational security of the internet for two years. It’s frankly hard to see any way the NSA comes out of this episode looking good."
---
I guess it doesn't make the open source community look very good either if it was indeed "a gaping and highly-exploitable hole in the operational security of the internet for two years."
I was kind of hoping the open source community would pick up on something like that a little quicker than 2 years in.
open source = open sores
Fall into the waiting arms of Redmond. They have slayed all, except this open source stuff. No one in gov likes the serfs usurping stuff, or doing stuff not approved. Since they own windows, if they can't keep the exploit, maybe they want to make a spectacle to steer the herd back into the fold.
Let me guess - c# developer?
Plenty of intentional back doors in proprietary software too.
Nobody claimed otherwise. But it cannot be denied that one of the most heavily touted aspects of open source is the claim that bugs are quickly identified and corrected. This was out there for years with the source code available for anyone to scrutinize.
"At this moment, forward secrecy is more crucial than ever."
www.eff.org/deeplinks/2014/04/why-web-needs-perfect-forward-secrecy
More agents and equipment arriving at the Bundy Ranch. It’s NOT over.
Get the word out folks.
http://www.brotherjohnf.com/archives/288541
I wouldn't be surprised if gov't networks weren't vulnerable.
They are probably still using Windows '95.
Come on, GW, you need to do better research.
This bug was introduced in OpenSSL version 1.0.1 on March 14, 2012. Any OpenSSL version older than that would not have the bug, and I guarantee that many, many devices running code older than that exist.
I'm not saying they didn't know, but you can't infer it from this.
Yep. The most likely reason so many FedGov systems weren't affected is that they were/are running OpenSSL 0.98.
Very possible that the government used an outdated OpenSSL which did not contain the bug.
Though I have a custom-fitted tinfoil hat nearby, I'll point out that Heartbeat was a relatively new SSL feature, and optional.
If they used an unaffected version, or compiled without the feature, they wouldn't be susceptible.
So it's conceivable they just got lucky.
It's not a virus. It's a software defect that exposes a vulnerability.
Only specific versions of OpenSSL have the defect. Older websites probably do not have the defect.
You guys are like a flock of chickens watching a rocket launch. Jeez. Get a hold of yourselves.
None of my servers were affected either. It was newer versions of OpenSSL 1.0.1 that contained the Heartbeat feature that were affected.
great image of chickens watching a rocket launch, now let's get back to the chicks! woo hoo!
What are the chances a private party is capable of engineering and deploying heartbleed? Practically nil.
What are the chances the USG would tolerate Heartbleed if it was created by a hostile sovereign? Practically nil.
So what's left? A very high probability that the USG created Heartbleed.
The code was written by a private organization, like most open source software. NASA and NIST have released open source too, but it tends to be more specialized.
Excellent analysis sir. This is really the only way to deal with the deep webs of bullshit. I use two filters before even reading any conjecture. Cui bono, and follow the money. Both will keep you on the path to the truth. What lies at the end of that path, I've often wondered. Nothing is as it seems is my new mantra.
The government lies. The government has also shown itself to be incompetent. Is there a third option which includes both?
How about the gov't perpetuates incompetence so their lies are believable. When things slip through them it's called human error or they let it happen.
I put nothing past our treasonous (to the people) government. Government serves the people, not corporations, or itself. At least that's what the founding national documents say. Like those matter anymore.
Zero Hedge and Mother Jones. The pursuit of liberty makes strange bed fellows.
Just like there's bad guys of every philosophy, there's good guys too
I would expect the government to patch their own sites against their own back-door, wouldn't you?
Actually, the developer who introduced the bug fessed up to it:
http://www.theguardian.com/technology/2014/apr/11/heartbleed-developer-e...
Take it for what it's worth...
From the link:
""I am responsible for the error," he continued, "because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version.""
Bullshit. This has NSA's fingerprints all over it - a backdoor made to look like a coding error. And the validation of security software used globally just happens to get subverted. Because that happens every day in the world of security software, right? Because nothing is at risk, right?
Swmnguy - Yes I would expect government to patch their own systems. However, don't misdirect the failure sir. Government's job boils down to the protection of trade between parties. Not to steer it, not to own it, etc.
This reminds me of how I view 911. While I cannot prove or disprove government intentionally did this (I believe it was not a purposeful plot against Americans) I ask WHAT THE FUCK ARE YOU DOING WITH MY TAX DOLLARS IF YOU CANNOT DO YOUR ONLY JOB AS A PROTECTION RACKET? See, I actually know the answer to this question. The Senate of Rome 2.0 are too busy protecting there investments over seas using MY TAX DOLLARS. I got to fund Chinese investments and bankrupt my own country so now the Chinese companies can come into America and tell me what to do. Isn't that awesome??!?! Better hope the Chinese have adopted a better value system these days. Their consideration of human life is pretty low... But it does look like the US government is adopting their legal system including the right of Kings to order death to any citizen without a trial at any time. Sweet eh?!?!? Lady Liberty is dead. Killed by the banking system owned by the Rothchild's.
I do understand there is some value in Ping-Pong economic strategy and theory but trade rebalancing should have happened in 2005. And what was wrong if we're going to sell out for pennies on the dollar by the late 1990's at least making them fund their own god-damn research on advanced military technologies? No! I get to fund that too! No wonder some people here root for collapse or world war, the way mankind runs affairs is very dirty. I am pleased I know this will not be for too much longer but probably beyond my lifetime (I am 43).
This reminds me of how I view 911. While I cannot prove or disprove government intentionally did this (I believe it was not a purposeful plot against Americans) I ask WHAT THE FUCK ARE YOU DOING WITH MY TAX DOLLARS IF YOU CANNOT DO YOUR ONLY JOB AS A PROTECTION RACKET? See, I actually know the answer to this question. The Senate of Rome 2.0 are too busy protecting there (sic) investments over seas using MY TAX DOLLARS.
Yes. It is not just "overseas".
That is why they moved the Gold from the basement of the World Trade Center to the Federal Reserve Bank of New York vaults during the weeks PREVIOUS TO the attack.
Oh yes the US Government knew. THEY MOVED THE FUCKING GOLD. YES THEY KNEW. They were given ample forewarning of the event...so much so that Israeli Mossad Agents ("The Dancing Jews") were in the USA to "DOCUMENT THE ATTACK". Of course this was admitted on an Israeli Late Night Talk Show, INADVERTENTLY, by one of the agents involved.
This makes me sick to my stomach. What a bunch of fuckers allowing those people to die like that. What a bunch of fucked up PSYCHOPATHS.
If the 911 narrative falls, think of the outcomes. Someone else has, and they will defend the narrative until the bitter end, that seems clear. It's funny how the narrative for 911 gets woven into many discussions in different ways by different players. I wonder what the simulation says if the narrative does fail? Does physics stop working, and time stop at that point?
I agree with your overall points. I was suggesting, without personal knowledge of course, that what we're calling the "Heartbleed Bug" is in fact an NSA-or-similar "backdoor" installed purposefully to allow access to any information at any time, whenever a member of the surveillance state wants to access such. The way things are being done now, the direction would probably be given to an employee of a private corporation contracted by the government agency. This preserves deniability and extends the pretense that Constitutional protections are honored and Congressional and regulatory oversight means a damned thing. I would posit that none of those things are true.
I also don't think any of this is particularly new. As our systems have become more complex and pervasive, so does the authoritarian over-reach. But the over-reach and the authoritarian impulse are as old as human civilization. In fact, I don't see the concept of the nation-state as having a lot of relevance anymore either, except as a framing device and a marker for (often false) context. When GM, for instance, sells more cars in China than in the US, how do we call it a US corporation anymore? When all the major trade agreements between nations specifically exempt "foreign," usually US, corporations, from accountability to law, what is the meaning of nationhood?
Like you, I see many people get angry about this and hope for the whole edifice to be dragged down. Sometimes I feel that way too. But usually I don't. Usually I try to think of every one of my interactions as being between myself and another person. Most people I've ever encountered are decent enough, and usually quite good. When they don't seem decent or good it's usually because they're trying to serve some abstract entity or another, be it their employer or nation or religion or something else. If you can pry them loose of that set of contextual limitations and get them to interact with you as one person to another, things usually go pretty well. I don't think that's new, either. And while I'd like to think this whole dirty edifice will come crashing down sooner rather than later, I don't expect it will, so in my dealings, I try to find people I can engage with. If nothing else, it's a lot more pleasant talking to Sean the cell phone guy about how to straighten out some nonsense than the rigged outcome of the cage-match between swmnguy vs. Verizon. If that makes any sense.
I think the end-game for the way mankind currently runs its affairs is that eventually enough people are too busy interacting with each other and just don't have enough mental energy left to play along with these constructions of the power structure, so that becomes irrelevant and turns into something else perhaps a bit more conducive to human needs. At least a guy can hope.
"WHAT THE FUCK ARE YOU DOING WITH MY TAX DOLLARS IF YOU CANNOT DO YOUR ONLY JOB AS A PROTECTION RACKET?"
You misspelled "extortion racket."