NSA Abused Heartbleed Bug For Years, Left Consumers Exposed To Attack
It is one thing for the NSA to spy on everyone in the world, especially US citizens because all of them are obviously potential "terrorizers" just waiting for their opportunity to blow shit up (except for anything in close proximity to the Boston marathon - those things the NSA promptly filters out), but when the NSA itself is found to have not only known and itself abused the prevalent and widespread Heartbleed bug, but left consumers exposed, then it may be time to finally launch a class action lawsuit against Obama's favorite means to eavesdropping on the entire world.
NSA SAID TO EXPLOIT HEARTBLEED BUG FOR INTELLIGENCE FOR YEARS
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
And the punchline:
NSA SAID TO HAVE USED HEARTBLEED BUG AND LEFT CONSUMERS EXPOSED
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”
More:
The potential stems from a flaw in the protocol used to encrypt communications between users and websites protected by OpenSSL, making those supposedly secure sites an open book. The damage could be done with relatively simple scans, so that millions of machines could be hit by a single attacker.
Questions remain about whether anyone other than the U.S. government might have exploited the flaw before the public disclosure. Sophisticated intelligence agencies in other countries are one possibility. If criminals found the flaw before a fix was published this week, they could have scooped up troves of passwords for online bank accounts, e-commerce sites, and e-mail accounts across the world.
Evidence of that is so far lacking, and it’s possible that cybercriminals missed the potential in the same way security professionals did, suggested Tal Klein, vice president of marketing at Adallom, in Menlo Park, California.
The fact that the vulnerability existed in the transmission of ordinary data -- even if it’s the kind of data the vast majority of users are concerned about -- may have been a factor in the decision by NSA officials to keep it a secret, said James Lewis, a cybersecurity senior fellow at the Center for Strategic and International Studies.
“They actually have a process when they find this stuff that goes all the way up to the director” of the agency, Lewis said. “They look at how likely it is that other guys have found it and might be using it, and they look at what’s the risk to the country.”
Lewis said the NSA has a range of options, including exploiting the vulnerability to gain intelligence for a short period of time and then discreetly contacting software makers or open source researchers to fix it.
Thank you NSA, for once again showing that you are from the government and are there to "help" and of course "protect" everyone.
How much more abuse from the government can the (granted mostly obese) US population take before it finally snaps?
But...but Jamie and Lloyd ARE Amerikans...
Your government cares for you in exactly the same way a farmer cares for his cattle.
New Guy - Wow! That is one of the most insightful and short comments I have seen in a year! Well done Sir!
All the more reason for SSL, open or otherwise, to implement Perfect Forward Security (PFS), which uses per-session keys for each data transfer. Even if a site's private key is compromised, the prior sessions are protected against retroactive decryption. Problem though is any signed certificates they got you at issuer; there is a reason why the exploit is only in openssl and not commercial versions. If they knew about it for at least 2 years and exploited it, you'd think they would have also had it put into commercial versions of SSL surreptitiously. Sites really need to issue their own certificates and implement (PFS) on their end as long as SSL is used. Purity my friends, purity.
Ball is in your court to reveal why or not.
Just remember the internet is the modern day library of Alexandria on digital steroids, even if most people don't know how to use it to its full potential, let alone have the tools to even do so if they did. It is worth fighting for to keep open at all costs. Encryption is one of them ensurers of openness of the library.
It would not surprise me if this vulnerability was introduced by the NSA or GCHQ, the agencies have a bad reputation when it comes to this stuff, the A5/1 GSM encryption was also weakened by the English secret service so they could eavesdrop more easily.
Wouldn't be surprised if there are a dozen more of these vulnerabilities floating around in widely used (opensource) software, the NSA has already cracked all popular operating systems, webservices and telecommunication providers so this is only the tip of the iceberg.
I agree, but I suspect that opensource s/w is less likely to be affected by backdoors than commercial closed source stuff. simply because opensource can be checked and compiled by anyone who has the skills.
Please excuse me if this has been mentioned on ZH before...BUT
Last weekend I was chatting to an American guy from North Carolina who now lives here in NE Brazil. Our conversation naturally moved on to the state of American government and the preps DHS are making for potential civil unrest/war in the US.
He strongly believes that the USG has an agreement with the Canadian government whereby if civil unrest/war breaks out in the US, Canadian armed forces will move in to maintain law & order. Meaning that a Canadian soldier will be less iffy about shooting an American than an American soldier.
If this is true, "it" alone is enough to start a civil war.
Smacker - No different than King George and the Prussians. History is going to rhyme a lot more than what I wish for :(
Russia - The willing instrument of destruction. Russian leadership is not as visionary as some may think but perhaps they may yet be defenders of liberty. Time will tell but time is short...
Sorry for dupes - Being tracked slows down my connection. Hi goons! Are you becoming Americans yet or do you wish to continue sucking Rothschilds dick for a paycheck some more? You soon will have to choose whether you wish it or not. If you slay instead of serve you are living by the sword and those that do....
What utter balderdash
I hope you're right but you provide no reason to disbelieve it. Is it perhaps simply that you find it too difficult to believe or that you're Canadian?
btw: I have often pondered whether the British gov has a similar secret deal with the French gov. There are plenty of Frenchies who dislike Brits(!)
No, that is true. There is an agreement you can look up on the US NORTHCOM page. Canadian forces can operate here and US forces can operate in Canada. That was about two years ago.
I remember it because I was still in the reserves and we were joking about mounting Canadians over the fireplace with their little blue United Nerds berets.
But seriously, we do not want to have to shoot any northern brothers, so don't come down here and you will be OK. None of our guys want to go up north, either, this is a gig by politicians.
So family members of US military would be killed by Canucks and said military personnel would, by extension, be fine with that? There's likely more "assault rifles" in Harris county than in all of Canada. I doubt there's such a plan.
If cyber warfare and cyber-attacks are not on your list of modern worries, it is time you put them on. Either could make your life much more difficult or in a worse case scenario end it. A series of high-profile events since 2010 has highlighted the increasing and multifaceted threat of cyber-attacks.
U.S. cyber-security policy continues to evolve to meet these challenges, but critical gaps remain, including the incomplete protection of digital infrastructure vital to national security, such as power grids and financial networks. On a personal level having your accounts hacked, or having someone steal your identity can turn your life upside down. More on this subject in the article below.
http://brucewilds.blogspot.com/2013/05/cyber-warfare-and-attacks.html
Tell that to all the Americans who have been fraudclosed, dood!
Tell that to all the members of the Occupy Wall Street who have been targeted for revenge by The State, dood!
Go tell that to your mother, if you actually know her name, dood!
Why would most Americans be worried about identity theft when all they have to steal is bad credit and student loans.
metal gods
Wow...never has a country been so utterly destroyed from within.
Americans, you have no country, there is nothing there that you can claim. A handful of people own, control and rule over everything.
The last thing that needs to happen, and ironically it will be good for America as it may cause a reset....hyperinflation.
Funny how the Microsoft monopoly Anti Trust prosecution talk disappeared right about the time the Gates Foundation was formed.
In my neck of the woods the Gates foundation contributed to a luxury low income housing project* http://www.hcd.ca.gov/feature/tierra_del_sol.html
Which ended up costing taxpayers tens of millions of dollars, and was then used to house the adult children http://articles.latimes.com/2011/may/24/local/la-me-housing-inquiry-2011... of highly paid City of LA public officials.
I accuse Gates of bribing public officials across the nation with his phony "foundation".
Oh no, Lois Lerner & the IRS did not investigate.
AUTOPSY OF THE LEFT
Fuck You NSA. The only person living in fear is yourself. If the petrodollar is wiped out, you’ll become a redundancy in the labor market. Start at the top of problem. If you don’t, they will. Are we clear? Get busy..
With these cockgarblers spying on goddamn everything, I'd say they're more afraid of us than we are of them.
But that entire apparatus really needs to be deep sixed.
Of course, no goddamn one will ever go to fucking jail for anything. The public will roll over, put another Democrat or Republican in office, or at least be told they elected someone, and go back to business as usual. Everything will be tits as long as the diet coke keeps flowing and the costco card works.
But they have no knowledge of it.
Fuckers!
The NSA used to pay people cash to write viruses. You could sit in a bar with a laptop, drink beer and play keno all day if you know how to write simple malicious code.
The nice thing about Open Source is that anyone at any location can review it. Lots of expert eyeballs increase the chance of catching something amiss and getting it fixed.
The bad thing about any code is that it can sometimes contain bone-head logic which some skilled reviewer should have caught long ago -- but no one ever did.
Give the author a break. He won't be the last programmer to think he's sealed up all the holes and missed one. It's rare and in this case dangerous. But that doesn't mean he was working on behalf of the NSA or less than fully skilled or dedicated to get it right.
That the NSA are now disclaiming any prior knowledge (or active exploit) of this hole is pretty much what they would say whether it is true or not.
Fuck -A. Gonna have another drink and think about FUCKING OVER ANOTHER BANKER.
This week has been brutal for me. Made it through the winter, but now that the weather is getting nicer, I find the squirrels have chewed two holes into my garage, my trusty van has a gas leak, my computer can no longer print postage (thanks Apple, PayPal, Java) and the bank has stopped paying the taxes on the house I live in which they have had in foreclosure for 4+ years (this actually may be good news).
I also figured out that if you retire at 62 and get 75% of the benefits that you'd get at 66, it would take 12 years to make up the money you forego, by waiting (trust me, it's simple math). But, but, but, if you make more than $15,480 a year from 62-65, for every $2 over that amount, they REDUCE your benefit by $1. So, they keep you poor (or you cheat). Not to worry, the SSA says they'll reimburse you for every $1 they reduced, after you turn 65, or something like that. Holy fucking shit, they've got it all covered, suckahz!
Stay poor, die. That seems to be their plan.
Did I mention I needed another drink?
UNITED NATIONS, Apr 10 2014 (IPS) - The 132-member Group of 77, the largest single coalition of developing nations, has urged Secretary-General Ban Ki-moon to provide, “as soon as possible…alternative options for banking services” in New York City following the mass cancellation of bank accounts of U.N. missions and foreign diplomats.
The draft resolution, a copy of which was obtained by IPS, is an “agreed text” which has the blessings of all 132 countries, plus China.
Responding to a demand by member states for reciprocal retaliation, the G77 requests the secretary-general to review the “U.N. Secretariat’s financial relations with the JP Morgan Chase Bank and consider alternatives to such financial institutions and to report thereon, along with the information requested....
The draft resolution also requests the secretary-general to review and report to the General Assembly, within 120 days of its adoption, “of any obstacles or impediments observed in the accounts of permanent missions or their staff at the JP Morgan Chase Bank in the City of New York, and the impact these impediments have on the adequate functioning of their offices.”
And to this end, the G77 invites all members to provide the secretary-general with relevant information that will facilitate the elaboration of such report.
In an appeal to the United States, the G77 has also underscored the importance of the host country taking the necessary measures to ensure that personal data and information of persons affected by the closure of accounts is kept confidential by banking institutions, and requests the secretary-general to work with the host country in that regard and to report to the General Assembly within 90 days.
The closure of accounts was triggered by a request from the U.S. treasury, which wanted all banks to meticulously report every single transaction of some 70 “blacklisted” U.N. diplomatic missions, and individual diplomats – perhaps as part of a monitoring system to prevent money laundering and terrorism financing.
But the banks have said such an elaborate exercise is administratively expensive and cumbersome.
And as a convenient alternative, they have closed down, or are in the process of closing down, all accounts, shutting off banks from the diplomatic community in New York.”
So, in other words,
"USG Shoots Foot Again."
Don't forget that the originals tried everything in the world they could think of to keep the British tyranny from erupting into a war. They made trips to England, made plea after plea to parliament and to the crown.
It didn't just explode overnight. It was half a century in the making.
Then, one day, it all came together.
Bingo!
A winner for the man from Mars! He gets a new powder flask!
Step up, men! Anyone can be a winner!
Nu. So what else is new?
"General Alexander, we have bad news."
"What is it, Captain?"
"We left a vulnerability in our spy software by mistake. The CIA has got all of our PWs, even yours."
"Dammit, this is going too far. No wonder my bigbuttbabesdotcom account got wiped out!"
"Nobody knows what's going on, General! Our Ron Paul spy program was written by a dyslexic, and now RP has a data dump on all our bank accounts! The damn program went into reverse."
"Captain, does anyone know what's going on here?"
"I don't think so, sir."
"OK, tell Congress we need moar funding."
Just today, I got an email from my credit union about this heartbleed thingy. Apparently, if you were using OpenCSS you were vulnerable. They assured me they were not using OpenCSS, and I'm supposed to feel better.
Just now, I have a little less than a hundred bucks in that account. I only fund it when I need to make online purchases.
I have no reason to distrust my credit union. I have no reason to trust them, either.