Slashdot: News for Nerds

NSA Allegedly Exploited Heartbleed

Soulskill posted about 4 months ago | from the according-to-somebody-who-may-or-may-not-be-a-person dept.

Security 149

squiggleslash writes: "One question arose almost immediately upon the exposure of Heartbleed, the now-infamous OpenSSL exploit that can leak confidential information and even private keys to the Internet: Did the NSA know about it, and did they exploit it if so? The answer, according to Bloomberg, is 'Yes.' 'The agency found the Heartbeat glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency's toolkit for stealing account passwords and other common tasks.'" The NSA has denied this report. Nobody will believe them, but it's still a good idea to take it with a grain of salt until actual evidence is provided. CloudFlare did some testing and found it extremely difficult to extract private SSL keys. In fact, they weren't able to do it, though they stop short of claiming it's impossible. Dan Kaminsky has a post explaining the circumstances that led to Heartbleed, and today's xkcd has the "for dummies" depiction of how it works. Reader Goonie argues that the whole situation was a failure of risk analysis by the OpenSSL developers.


149 comments

It's not a bug (-1, Flamebait)

OffTheLip (636691) | about 4 months ago | (#46729447)

it's a (NSA) feature...

Re:It's not a bug (2)

Moheeheeko (1682914) | about 4 months ago | (#46729509)

The only bug here is that it wasn't hidden deeply enough.

Re:It's not a bug (1)

fustakrakich (1673220) | about 4 months ago | (#46729571)

Really man! [slashdot.org] And nothing confirms this story like an official denial. (I think that's how it goes)

Re:It's not a bug (1)

Jeremiah Cornelius (137) | about 4 months ago | (#46729713)

I think that NSA has good coverage and analysis tools. They probably knew of Heartbleed, and they probably know of dozens more flaws like this.

I will be glad, when they cease to exist.

Re:It's not a bug (1)

the eric conspiracy (20178) | about 4 months ago | (#46729985)

When the NSA ceases to exist, it will be because they are absorbed by something bigger and more powerful.

Look at the KGB. They were absorbed by the Russian Oligarchy.

Re:It's not a bug (2)

Johann Lau (1040920) | about 4 months ago | (#46730291)

Yeah, empires never fade, and always get replaced by bigger ones.

So don't look at dinosaurs, and the tiny mammals that survived them, and surely not at entropy, which is breaking everything down to energy and then smearing that around, slowly, patiently, irreversibly. Do not realize that the universe is a joke at the cost of anyone who likes (to keep) power, that having lots of materials and commanding people around or killing them does not constitute power more than a fart constitutes a solid object, and is but a compensation price born out of delusion. Ignore that a chain binds the master more than the slave, and while it kills the master in an instant, it kills the slave much later or never.

The KGB, the NSA, the Russian Oligarchy, and so on -- all of them already lost, they are but empty husks propped up by smaller empty husks, all life and all reward is taking place in the blind spots, in the wrinkles and niches. The all seeing eye is utterly blind, it does not see the wood for the trees. It will take up last to the joke, and until then it attracts greedy, sadistic, and impotent people, acting as a sinkhole for the weakest humanity has to offer. It's always been thus. Powermongers never experience greatness themselves, but sometimes force their subjects into it. It's a joke at their expense on more than one level.

Re:It's not a bug (5, Insightful)

NoKaOi (1415755) | about 4 months ago | (#46729637)

it's a (NSA) feature...

Even if it's not an NSA feature...of course they knew about it! They would have to be even more incompetent than we think not to. They are HUGE, with something like 40,000 employees. At least a few of those employees must be dedicated to code review of OSS looking for vulnerabilities, and more in general looking for vulnerabilities in any widely used software. And if that's the case, then you'd think OpenSSL would be one of the first things they'd look at. The fact that they didn't tell anyone though shows that the S in NSA is bullshit. They cared more about being able to exploit the vulnerability themselves than making their country's computers more secure. If they cared one shit about their country's security then they'd have big teams dedicated to finding software vulnerabilities and working with vendors to fix them.

I feel the NSA can do some good. (0)

Anonymous Coward | about 4 months ago | (#46729933)

I imagine we could do that if we stopped with domestic and allied spying. By that I mean searching for vulnerabilities in the software we use and alert the proper companies in order to fix them.

Re:I feel the NSA can do some good. (1)

ComputersKai (3499237) | about 4 months ago | (#46731133)

The problem is, they will keep using the "National Security" excuse to justify their actions, as well as wording their responses to the general public in meaningless doublespeak. At the current stage, they seem to be utterly brainwashed in their own sewage, and the government unfortunately seems to be drinking in more of their trash everyday.

Re:It's not a bug (1)

bob_super (3391281) | about 4 months ago | (#46729965)

National Spying agency...

They do provide the right companies with expertise on security for securing important technology, and justifying compliance to said recommendation for sale of sensitive products. I don't know how many of the 40000 employees do that, but that's one "Security" feature that they _do_ offer.

Re:It's not a bug (1)

hereschenes (813329) | about 4 months ago | (#46730837)

The fact that they didn't tell anyone though shows that the S in NSA is bullshit.

Wouldn't that be the NBA? Interesting mashup there.

LeBron James: athlete, sycophant, spy.

Re:It's not a bug (1)

arobatino (46791) | about 4 months ago | (#46730887)

The fact that they didn't tell anyone though shows that the S in NSA is bullshit. They cared more about being able to exploit the vulnerability themselves than making their country's computers more secure.

It's a basic conflict of interest with police/defense/intelligence agencies. They gain power from the existence of threats, so it's in their self interest to favor policies that perpetuate them while pretending to do the opposite. The War on Drugs, Cuban Embargo, etc.

Re:It's not a bug (0)

thoth (7907) | about 4 months ago | (#46730895)

The fact that they didn't tell anyone though shows that the S in NSA is bullshit. They cared more about being able to exploit the vulnerability themselves than making their country's computers more secure. If they cared one shit about their country's security then they'd have big teams dedicated to finding software vulnerabilities and working with vendors to fix them.

You are confused as to what NSA's "defensive" mission is. They aren't there to be the defenders of the internet. They aren't there to be corporate America's QA department. They aren't there to review open source and provide fixes. They aren't there to "make the country's computers more secure".

They are there to protect DoD classified systems. That's the defensive mission, as an agency under the DoD umbrella. Protect DoD classified systems and anything that deals with military activities. All this extraneous whining - none of it is their mission.

It's a simple calculation on their side as far as the defensive mission - does "vulnerability X" involve classified DoD systems or ones that have military information? No? NOT THEIR PROBLEM.

Don't like it? Well too bad, you don't get to gripe when they don't follow their mandate and also gripe when they do.

If you want to complain, take that up with congress or the president to alter their mandate/directive. Or, take it up to congress to provide more funding for the agencies that are actually supposed to be looking out for commercial internet use and regular gov sites - NIST and DHS. Or, lobby congress to create a fully civilian non-DoD agency that's there to provide an extra security layer for the world at large. And in that last case, don't bitch about the government spending money when clearly the free market is failing to provide a solution, since it appears greedy for-profit corporations are happy to use but not contribute any resources towards this critical software infrastructure.

With the constant complaining about them and government in general from all the anti-government libertarian neck beards here, why would they even bother producing a fix? Who would trust code they released? This would not be like the selinux release, which is optional and provided new capabilities - if they produced a fixed openssl nobody would use it until code reviewing for years. They'd spend more time with PR and a ton of bullshit than doing nothing at all which is free from their perspective. If they disclosed the bug, they don't have any power to compel "the internet" to upgrade to a fixed version, so they'd be blamed for exploits and vulnerabilities during the time servers were slowly upgraded.

Whatever they do, somebody would gripe and given it ISN'T THEIR JOB in the first place, doing nothing looks like the game-theory resulting best call.

Fix is here (0, Funny)

Anonymous Coward | about 4 months ago | (#46729667)

Fix is here http://www.iis.net/ [iis.net]

Re:Fix is here (1)

fishbowl (7759) | about 4 months ago | (#46729731)

Or here: https://f5.com/ [f5.com]

Re:Fix is here (0)

Anonymous Coward | about 4 months ago | (#46731335)

Except they are vulnerable, too..

(enable javascript temporarily to enjoy the fun...)

http://lmgtfy.com/?q=site%3Af5.com+sol15159&l=1

Re:It's not a bug (0)

Anonymous Coward | about 4 months ago | (#46729777)

Does it matter? It's reported the NSA have been using it, but who else has, who didn't get their fingers caught in the cookie jar?

Re:It's not a bug (0)

Anonymous Coward | about 4 months ago | (#46729829)

Hi NSA!! get the fuck OUT OF MY COMPUTER. kthnxbai.

Re:It's not a bug (3, Interesting)

Arker (91948) | about 4 months ago | (#46729929)

Maybe, of course we cannot just believe them after seeing them repeatedly lying to Congress, but it strikes me as likely in this particular case they are telling the truth. This bug, unless I am misunderstanding, essentially lets you read from a small contiguous pseudo-random block of memory. That's obviously not acceptable from a defender's point of view - it could potentially expose any and all information so it's a severe flaw - but from an attacker's point of view it seems less impressive.

You could probably try this thousands of times without actually obtaining any information of value. Sure, you might luck out and get the keys to the kingdom, but it seems like a crapshoot. From an attacker's point of view, this might be better than nothing, but unless they have pretty near nothing to start from, it does not seem exciting.

And we know they have a lot more than nothing to start from. With Total Surveillance in effect on the net, with rootkits and zero-day exploits to deliver them, it's just really hard to see how this would add anything substantial to their toolkit.

No, I suspect this is exactly what it appears to be - a critical bug resulting from too much emphasis on fast and not enough on good. That's hardly unique to OpenSSL, it's a chronic problem across the industry as a whole.
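Arker's description above (a request that reads a block of memory beyond what it should) is the whole mechanism, and the fix is a single length check. The C model below is an added illustration, not code from the post, from OpenSSL, or from the xkcd strip: it lays out a simplified RFC 6520 heartbeat record in a constructed byte arena with some constructed "secret" bytes placed right after it, then contrasts a handler that trusts the claimed payload_length with one that rejects any request whose claimed length does not fit in the record. All names (build_arena, respond_unchecked, respond_checked, heartbleed_model_demo) and the arena layout are assumptions of this model; the arena is sized so that even the unchecked copy stays inside the array, so the program itself has no undefined behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified model of a TLS heartbeat record (RFC 6520):
 *   byte 0     : type (1 = request, 2 = response)
 *   bytes 1-2  : payload_length, big-endian
 *   bytes 3... : payload, then at least 16 bytes of padding
 * The arena is a constructed stand-in for the process heap: the received
 * record is followed by unrelated data ("the secret") that lives next to it. */
#define ARENA_SIZE 64
#define RESP_SIZE 256
static const char SECRET[] = "SECRET-NEXT-DOOR";   /* constructed neighbour data */

/* Place a record claiming `claimed_len` payload bytes but carrying `real_len`,
 * then the secret right after it. Returns the record's true length on the wire.
 * Callers keep 3 + claimed_len <= ARENA_SIZE so the model itself stays in bounds. */
static size_t build_arena(uint8_t *arena, uint16_t claimed_len, size_t real_len) {
    memset(arena, 0, ARENA_SIZE);
    arena[0] = 1;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memset(arena + 3, 'A', real_len);               /* the payload actually sent */
    size_t record_len = 3 + real_len + 16;          /* header + payload + padding */
    memcpy(arena + record_len, SECRET, sizeof SECRET);
    return record_len;
}

static uint16_t read_len(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* "Before": echoes payload_length bytes without asking whether the record is
 * that long, so the copy runs past the payload into neighbouring memory. */
static size_t respond_unchecked(const uint8_t *rec, size_t record_len, uint8_t *out) {
    (void)record_len;                               /* never consulted: the defect */
    uint16_t payload_len = read_len(rec);
    out[0] = 2;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return 3 + payload_len;
}

/* "After": RFC 6520 says a request whose payload_length does not fit in the
 * record (allowing for 16 bytes of padding) must be discarded silently.
 * Returns 0 when the record is rejected. */
static size_t respond_checked(const uint8_t *rec, size_t record_len, uint8_t *out) {
    if (record_len < 3 + 16) return 0;              /* too short for header + padding */
    uint16_t payload_len = read_len(rec);
    if ((size_t)3 + payload_len + 16 > record_len) return 0;
    out[0] = 2;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return 3 + payload_len;
}

/* Would a peer receiving this response see any of the neighbouring secret? */
static int response_leaks_secret(const uint8_t *out, size_t out_len) {
    size_t n = strlen(SECRET);
    for (size_t i = 0; i + n <= out_len; i++)
        if (memcmp(out + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Malformed request: claims 40 payload bytes, carries 4.
 * Returns 1 when the unchecked path leaks the secret and the checked path rejects. */
int heartbleed_model_demo(void) {
    uint8_t arena[ARENA_SIZE], resp[RESP_SIZE];
    size_t record_len = build_arena(arena, 40, 4);
    size_t leaked = respond_unchecked(arena, record_len, resp);
    int unchecked_leaks = response_leaks_secret(resp, leaked);
    size_t accepted = respond_checked(arena, record_len, resp);
    return unchecked_leaks && accepted == 0;
}

/* Honest request: claims 4 bytes, carries 4. Returns the checked response length. */
size_t honest_request_response_len(void) {
    uint8_t arena[ARENA_SIZE], resp[RESP_SIZE];
    size_t record_len = build_arena(arena, 4, 4);
    return respond_checked(arena, record_len, resp);
}

int main(void) {
    printf("malformed request: unchecked leaks and checked rejects = %d\n",
           heartbleed_model_demo());
    printf("honest request: checked response length = %zu\n",
           honest_request_response_len());
    return 0;
}
```

The point of the model is the asymmetry Arker describes: what comes back is whatever happened to sit after the record, so a single request is a lottery, but nothing in the unchecked handler limits how many tickets a peer may buy. The checked handler makes the claimed length answerable to the length the transport actually delivered, which is the whole of the fix; a well-formed request still gets its 3 + payload_length byte echo.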

Conflict of interest (5, Insightful)

benjfowler (239527) | about 4 months ago | (#46729487)

Why even have the same agency responsible for foreign electronic intelligence and put them in charge of "cyberdefence" (how I hate that term..).

It's a massive conflict of interest. You're virtually begging them to find and then sit on dangerous exploits.

Re:Conflict of interest (1)

grumpy_old_grandpa (2634187) | about 4 months ago | (#46729737)

> You're virtually begging them to find and then sit on dangerous exploits.

That was their mandate in the first place. Nobody begged - It was an order.

Re:Conflict of interest (2)

timeOday (582209) | about 4 months ago | (#46730133)

How do you propose to separate them? Offense and defense are not really two separate things; if you can do one, you can do the other.

Re:Conflict of interest (0)

Anonymous Coward | about 4 months ago | (#46730297)

It doesn't work like that in the virtual world though; the techniques used for defence of a network or software environment have little crossover with those used to attack the same system. In both cases you need to know about an exploit to be able to protect against or abuse it, but you can't defend a network by DDOSing another.

Re:Conflict of interest (2)

AHuxley (892839) | about 4 months ago | (#46730409)

Re How do you propose to separate them? Offense and defense are not really two separate things; if you can do one, you can do the other.
Think back to past presidents' views on parts of the US intelligence community.
JFK had his views on the CIA after the Bay of Pigs.
Rockefeller Commission, Church Committee, Pike Committee, Murphy Commission, the Select Committee on Intelligence and the Directorate of Operations events in 1977. The domestic activities, human experimentation issues and need for a ban on assassinations all became public. The CIA changed to technical collection removing a lot of staff.
Then you had joys of the Iran-Contra Affair then onto Intelligence Authorization Act.
The NSA could face the same path due to the loud, public domestic activities around U.S. citizens and persons with U.S. permanent residence. A return to its classic quiet support role around the world vs its new emerging need to play a role or say in offensive direct action roles.
The GCHQ had it right - stay hidden, build a vast tech, political and staff foundation going back generations and never comment on very much.
Recall the end of the Clipper conversations the US gov had with the public over role of US code experts and US exports?
In the end it seemed you could have any crypto you wanted at any price or for free....
The "separate" has to come back to protecting U.S. citizens from a vast life long domestic spying program and global junk US crypto standards.

Re:Conflict of interest (1)

thoth (7907) | about 4 months ago | (#46730931)

Why even have the same agency responsible for foreign electronic intelligence and put them in charge of "cyberdefence" (how I hate that term..).

It's a massive conflict of interest. You're virtually begging them to find and then sit on dangerous exploits.

Their "cyberdefence" mission is to defend DoD systems, not the entire world's computers.

If you don't like it, gripe that NIST and DHS aren't doing their jobs (they are the agencies actually over commercial internet security and non-DoD government sites) or transfer/alter their authority. Everybody thinking the NSA is there to protect their banking and email all have the wrong idea of what they do.

Obligatory xk..... (5, Funny)

Anonymous Coward | about 4 months ago | (#46729499)

YOU SON OF A BITCH

Re:Obligatory xk..... (-1)

Anonymous Coward | about 4 months ago | (#46729763)

Problem with USA Communist Agencies (-1)

Anonymous Coward | about 4 months ago | (#46729521)

That is a common problem in communist countries like North Korea or USA. Spying and tracking citizens daily lives is far more important than security.
Whoever visited the USA lately will notice growing Bolshevism. It starts with fingerprinting at the airport, stupid questions and shock when the tourist enters the downtowns of popular cities.
Security forces are everywhere. Not only on street but in school and preschool, grocery stores and movie theatres.

It is terrifying how much power the comrades now have in the USA.

They have a stash of 0-days (0)

Anonymous Coward | about 4 months ago | (#46729525)

They're not just exploits, they're "offensive capabilities."

Must have been nontrivial to make patches for their own exploits without being the actual developer.

This seems plausible (3, Insightful)

capedgirardeau (531367) | about 4 months ago | (#46729531)

I can understand this happening. It would make sense that the NSA would have someone or multiple people review every patch and check-in for a package as important as OpenSSH, just looking for exploitable mistakes.

I would not be surprised if they review a great deal of FOSS software they deem important to national security.

Re:This seems plausible (1, Insightful)

Anonymous Coward | about 4 months ago | (#46729823)

This is the dark side of the "with enough eyeballs, all bugs are shallow" theory. The eyeballs don't have to tell anyone else.

The full source code is conveniently carried to NSA without them needing to bully any company. Then it is analyzed by genius hackers who are paid top dollar for the job. They probably already have a good stock of other OSS exploits too, which are unknown to the rest of the world.

Re:This seems plausible (3, Interesting)

JDG1980 (2438906) | about 4 months ago | (#46729873)

Then it is analyzed by genius hackers who are paid top dollar for the job.

"Top dollar"? This is a government agency. They pay based on the GS scale. Even if the NSA's security hackers were classified at GS-15 (the highest rate), that's about $120K a year to begin – if they really are "geniuses" then they could do better in Silicon Valley, and probably feel better about their jobs as well.

In general, the GS scale pays somewhat more than typical private-sector rate for low-end jobs, but considerably less for high-end jobs.

Government contractors rake in the dough, but that money goes to politically-connected businessmen, not rank-and-file employees.

Re:This seems plausible (0)

Anonymous Coward | about 4 months ago | (#46729997)

They don't really need to "bully" any companies to get access to source code; companies bring it to them willingly. To get software installed on government computers, sources have to be audited, so companies readily show it to security agencies to get those sweet government contracts.

So yeah, they've got a good stock of OSS exploits and they've got a good stock of proprietary exploits. They're probably aching to try out some of those XP vulns they had stashed, now that they don't have to worry about them getting patched.

Re:This seems plausible (1)

koan (80826) | about 4 months ago | (#46730569)

But this presents an interesting challenge, how do you evade someone that has control of the network? Is it possible?

Re:This seems plausible (3, Interesting)

Smallpond (221300) | about 4 months ago | (#46730177)

This patch was submitted at 7pm on Dec 31st, 2011, so the only people looking at it were the ones expecting it. I guess they were not disappointed.

http://git.openssl.org/gitweb/... [openssl.org]

I am totally surprised by this (1)

Dega704 (1454673) | about 4 months ago | (#46729545)

Said no one ever.

This sounds likely (4, Insightful)

gurps_npc (621217) | about 4 months ago | (#46729549)

The basic fact is, if they did not exploit it, then someone working for them is thinking "DAMN, I wish I thought of using that!"

Re:This sounds likely (1)

Anubis IV (1279820) | about 4 months ago | (#46729883)

They definitely didn't exploit it. How do I know? Because they said so [twitter.com] , so it must be true. Right? They wouldn't lie to us, would they?

I don't understand (1)

Krojack (575051) | about 4 months ago | (#46729561)

Why can we not start a class action lawsuit against the Government, NSA and those that allow snooping around in personal data without probable cause?

Re:I don't understand (1)

raydobbs (99133) | about 4 months ago | (#46729605)

One cannot simply sue a branch of the government without asking permission from the government to allow it to be sued - guess how often THAT happens? Plus the NSA has a built-in out: it's in the interests of national security. It's bullshit - we all know it - but it's a legal out; it's the reason they can deny your FOIA request for information about Area 51, the Roswell incident, as well as the intelligence records on Jimmy Hoffa or J. Edgar Hoover.

You don't understand, yep! (5, Informative)

rjh (40933) | about 4 months ago | (#46729651)

One cannot simply sue a branch of the government without asking permission from the government to allow it to be sued - guess how often THAT happens?

Glad you asked: it happens all the time, ever since the Tort Claims Act of 1948 substantially waived the sovereign immunity doctrine. You can read more about it at Wikipedia [wikipedia.org] .

People sue the government all the time. It's literally an everyday occurrence.

Re:You don't understand, yep! (1)

cold fjord (826450) | about 4 months ago | (#46729897)

That doesn't provide an open-ended, unlimited right to sue. I very much doubt you'd have an allowable claim for injury on this.

Re:You don't understand, yep! (3)

rjh (40933) | about 4 months ago | (#46730045)

I'm not weighing in on that one. I'm only correcting the original poster, who said the U.S. rarely waives sovereign immunity. In fact, the opposite is true: it rarely invokes it. Tens of thousands of tort claims against the U.S. government are underway even as we speak, all of them with waived sovereign immunity.

Re:You don't understand, yep! (2)

raydobbs (99133) | about 4 months ago | (#46730007)

...and I learn something new every day. Thank you for sharing that without calling me a moron. I knew it had been a few years since my last political science class, now I have something new to read up on.

Re:I don't understand (1)

radarskiy (2874255) | about 4 months ago | (#46729837)

You need to have enough evidence of *something* possibly happening to show that you have standing to bring the case.

Re:I don't understand (1)

Vintermann (400722) | about 4 months ago | (#46729903)

That's a good idea, because the least accountable branch of government is surely on your side! /s

The judicial branch and the supreme court serve much the same purpose as the Tsar in old Russia. No matter how bad it gets, it's not the Tsar's fault. It's the noblemen's fault. The Tsar just has bad advisers. If only we could get past them and talk to him and make him understand, it'd all be OK.

Re:I don't understand (1)

the eric conspiracy (20178) | about 4 months ago | (#46729937)

To start with, because of sovereign immunity.

Re:I don't understand (0)

Anonymous Coward | about 4 months ago | (#46729939)

Sure, why don't we do that? Go ahead and call around for attorneys and I'll wait to hear back from you. *twiddle* Still sitting there? *twiddle*

It's called apathy.

As much as folks groan and complain about everything on here, that's all it will ever be. Just Slashdot users wondering why no one does X or Z.

Allegedly? (0)

Anonymous Coward | about 4 months ago | (#46729565)

It's a hugely used cryptographic library, and the NSA has resources galore. Even without having the manpower to manually go through the source (which they totally have), it's a simple enough problem that automated testing would show it up. From their perspective it would have almost been negligent of them to have not known about it since day one.

Re:Allegedly? (0)

Anonymous Coward | about 4 months ago | (#46729749)

While I agree with you that is the case, the question is, how did nobody else find out about this until now? With it being open source and used by so many companies world-wide that focus on being secure, why did none of them bother to make sure it didn't have a gaping hole in it?

Re:Allegedly? (2)

AHuxley (892839) | about 4 months ago | (#46730541)

Re how did nobody else find out about this until now?
The same reason NATO and other US allies did not understand the NSA Martin and Mitchell defection http://en.wikipedia.org/wiki/M... [wikipedia.org] in 1960 with the press conference saying:
"As we know from our previous experience working at N.S.A., the United States successfully reads the secure communications of more than forty nations, including its own allies."
Embassies, govs and firms went on using the same junk standard crypto hardware over decades of revisions. Some even got to re read their own secure embassy communications 'leaked' to the Western press.
There seems to be something missing on the story of gov, staff and developers when it comes to crypto products.
Skilled EU gov experts handing their own political leaders broken crypto that 5++ other nations can break seems too good to be true over generations.
Junk in the hardware decades, junk in the software decades all for speed, interoperability and after a good sales pitch?
Or a lot of skilled people around the world know and just tell their respective govs to bait the junk communications networks until US political leaders speak out.

Anonymous also used this flaw? (0)

Anonymous Coward | about 4 months ago | (#46729567)

Anonymous likely also exploited this flaw to attack servers in the past including public facing government websites.

Re:Anonymous also used this flaw? (0)

Anonymous Coward | about 4 months ago | (#46729621)

Do you have a source for this or just sensationalistic speculation?

Do it enough times (1)

HermMunster (972336) | about 4 months ago | (#46729581)

If you know about it and have access to virtually unlimited resources you can afford to attach to your target and do it as many times as you want in order to get what you want.

And, frankly, I don't believe the guy that claims responsibility for the bug.

As well, if something this simple could cause such an issue then clearly it is an issue for lots of other important security programs.

Not the last we'll hear about OpenSSL? (2)

jphamlore (1996436) | about 4 months ago | (#46729585)

And what are the odds there aren't at least a half dozen other bugs as serious still to be found in the OpenSSL source code ...

NSA put the bug there, of course they exploited it (1)

EmagGeek (574360) | about 4 months ago | (#46729595)

We need to find out if the author of this bug is or was on the NSA payroll. It would not be surprising to find out he was paid to put it there.

Re:NSA put the bug there, of course they exploited (4, Informative)

93 Escort Wagon (326346) | about 4 months ago | (#46729647)

The author of this bug and the reviewer of the commit have both been very forthcoming about the mistake. There's little reason to suspect malicious intent in this particular instance.

That doesn't mean the NSA didn't know about it or exploit it, though.

Re:NSA put the bug there, of course they exploited (1)

rmdingler (1955220) | about 4 months ago | (#46730129)

You are probably correct. Still.

Heinlein's but don't rule out malice still applies.

Look. I get that the NSA has these incredible resources (thousands of personnel, alone), but they're still all working for the government: the king of big company bullshit with a side of no incentive to work hard. I'll kiss a pimple on your ass if there aren't many hundreds of others disenfranchised like Snowden who lack either the luxury of being able to leave or the courage to do so.... these folks' commitment is plausibly not legendary.

If they can buy a guy in on the production side of the coding, it just saves a lot of work.

Re:NSA put the bug there, of course they exploited (0)

Anonymous Coward | about 4 months ago | (#46730281)

What is to say the author wasn't offered $10 million to "accidentally" put the bug in the code, similar to what happened at RSA? The NSA probably even coached him on what to say when the bug gets discovered.

Re:NSA put the bug there, of course they exploited (1)

davidhoude (1868300) | about 4 months ago | (#46730679)

The bug seems quite obvious. I would expect they could be a little more clever if they were to write the bug itself. This is failure of the OpenSSL project, period.

Re:NSA put the bug there, of course they exploited (2)

l0n3s0m3phr34k (2613107) | about 4 months ago | (#46731147)

lol...Maybe he was sent a stack of cash with a USB flashdrive and a note "You know what needs to be done. Love, NSA"

Re:NSA put the bug there, of course they exploited (1)

hawguy (1600213) | about 4 months ago | (#46729735)

We need to find out if the author of this bug is or was on the NSA payroll. It would not be surprising to find out he was paid to put it there.

The author responsible for the bug has already admitted that it was a mistake (and it's not like buffer overflows are unheard of, so it really is plausible). Sure, it's possible that the NSA secretly paid him (or even coerced him by holding some incriminating evidence over his head), but it would likely take someone with the resources of the NSA to uncover such a secret NSA payout. Something of that nature probably wouldn't even be available in Snowden's document archive.

Re:NSA put the bug there, of course they exploited (1)

l0n3s0m3phr34k (2613107) | about 4 months ago | (#46731167)

Some clues might be buried in there somewhere, but until Snowden's "cache" is publicly released we'll never actually know...but I'm guessing The Guardian et al are currently combing through the archive looking for some references.

It's time we own up to this one (4, Insightful)

Bruce Perens (3872) | about 4 months ago | (#46729661)

OK guys. We've promoted Open Source for decades. We have to own up to our own problems.

This was a failure in the Open Source process. It is just as likely to happen to closed source software, and more likely to go unrevealed if it does, which is why we aren't already having our heads handed to us.

But we need to look at whether Open Source projects should be providing the world's security without any significant funding to do so.

Re:It's time we own up to this one (5, Insightful)

Anonymous Coward | about 4 months ago | (#46729723)

The problem with open source when it comes to things like this is that there are so few people who are even qualified to implement protocols like this, and even fewer of them who are willing to work for nothing. The community needs to pony up some cash to have important projects audited like what they are trying to do with TrueCrypt right now.

Re:It's time we own up to this one (3, Informative)

Bruce Perens (3872) | about 4 months ago | (#46729769)

I'd say more than just the "community". We have a great many companies that incorporate this software and generate billions from the sales of applications or services incorporating it, without returning anything to its maintenance. I think it's a sensible thing to ask Intuit, for example: "What did you pay to help maintain OpenSSL?". And then go down the list of companies.

Re:It's time we own up to this one (4, Insightful)

l0n3s0m3phr34k (2613107) | about 4 months ago | (#46731205)

Exactly! Everyone can get to the source; the whole point of OSS is that the companies themselves can (and should, from a risk-analysis point) be reviewing all the code too before implementation...it's along the lines of "you get what you pay for", yet at least here everyone is given the chance to see exactly what's being run (as opposed to pre-compiled apps). IMHO, this really isn't an OpenSSL issue as much as a failing of due diligence by all the companies using it. The admin's excuse of "well, we don't actually know what the code says" fails here, and anyone over the past two years could have reviewed it themselves and fixed this! Maybe this will spur corps to actually review code of critical infrastructure when it's available as part of corp policy from now on; perhaps the insurance companies who do "Errors and Omissions" policies will start forcing corps to do that. Kinda surprised that this isn't already a standard policy, as code review of OSS is one of its main strengths, and if your company doesn't do it then they're missing out on one of the biggest assets of using OSS.

Re:It's time we own up to this one (3, Informative)

AHuxley (892839) | about 4 months ago | (#46730655)

Re "even qualified to implement protocols like this." That's a very interesting point. How many have their tools of the trade via a top university setting and a security clearance option and dependent funding?
Once you start down the math path the classes get smaller and fewer stay for the needed years vs the lure of private sector telco or unrelated software work.
Most nations really do produce very few with the skills and keep them very happy.
Trips, low level staff to help, good funding, guidance, friendships all just seem to fall into place.
Bringing work home and helping open source could be seen as being an issue later vs students or team members who did open source games or made apps.

Re:It's time we own up to this one (0)

Anonymous Coward | about 4 months ago | (#46729745)

SSL is a much worse problem in itself. Relying on some "trustworthy" certificate authority sounds like a good idea, huh? It's a completely broken idea, especially in this age when the worst enemy is one's own government.

Re:It's time we own up to this one (4, Interesting)

Bruce Perens (3872) | about 4 months ago | (#46729811)

I have to say I'm even less confident in the plan to couple it to DNSSEC.

Re:It's time we own up to this one (1)

hawguy (1600213) | about 4 months ago | (#46729753)

OK guys. We've promoted Open Source for decades. We have to own up to our own problems.

This was a failure in the Open Source process. It is just as likely to happen to closed source software, and more likely to go unrevealed if it does, which is why we aren't already having our heads handed to us.

But we need to look at whether Open Source projects should be providing the world's security without any significant funding to do so.

If it's just as likely to happen to closed source software, then why is it a failure of the Open Source process? It was discovered and fixed so quickly *because* it's open source - there may be similar holes in closed source software that are being exploited today, yet no white hats have discovered them yet.

Re:It's time we own up to this one (2)

Bruce Perens (3872) | about 4 months ago | (#46729781)

Sure. We're better. But we need to be even better than that.

Re:It's time we own up to this one (1)

Anonymous Coward | about 4 months ago | (#46729887)

It was discovered and fixed so quickly *because* it's open source

For crikessakes, the heartbleed vulnerability existed for over 2 years before being discovered and fixed!

Re:It's time we own up to this one (3, Interesting)

hawguy (1600213) | about 4 months ago | (#46730341)

It was discovered and fixed so quickly *because* it's open source

For crikessakes, the heartbleed vulnerability existed for over 2 years before being discovered and fixed!

Sorry my bad, that sentence was confusing -- I meant the fix was fast, not finding the bug.

An exact timeline for Heartbleed is hard to find, but it looks like there was some responsible disclosure of the bug to some large parties about a week before public disclosure and release of the fixed SSL library.

In contrast, Apple learned of its SSL vulnerability [nist.gov] over a month [theguardian.com] before they released an iOS patch and even after public disclosure of the bug, it was about a week before they released the OS X patch. And just like the OpenSSL bug, Apple's vulnerability was believed to have been in the wild for about 2 years before detection. (Of course, since the library code was open-sourced by Apple, several unofficial patches were released before Apple's official patch.)

Re:It's time we own up to this one (1)

Bruce Perens (3872) | about 4 months ago | (#46730395)

I think we need to take a serious look at the "many eyes" theory because of this. Apparently, there were no eyes on the part of parties that did not wish to exploit the bug for close to two years. And wasn't there just a professional audit by Red Hat that caught another bug, but not this one?

Re:It's time we own up to this one (2)

MarcoAtWork (28889) | about 4 months ago | (#46729783)

this does not have anything to do with open source and all to do with the software development process (or lack of) used here: something like this could've happened in a closed source library just as easily, the only difference would be that rather than source analysis you'd have used other tools to find the vulnerability: if a new addition to a protocol comes in and you have bad intentions of course the first thing you do is to see what happens if you feed it invalid data, if you did that here you'd have found this extremely quickly (and probably faster than if you were trying to do source analysis).

The main issue here is that you should not be able to commit anything to something like OpenSSL with only one reviewer looking at it, period. The secondary issue is that for anything this important there should be a LOT of unit tests for everything and that absolutely everything everywhere should be tested with invalid input to make sure the library is solid: QA-ing a crypto library is a job as important as writing it in the first place and should be funded just as much, there unfortunately does seem to be a bias against QA being as important as development among developers, until this bias is removed this kind of issue will keep happening.

QA and development are two faces of the same coin for critical software, some people are better at writing something, others at finding issues with things other people developed: there should be no stigma for people preferring focusing more on QA, but in a lot of companies QA is seen as much less prestigious than development and the first thing to outsource, which leads to substandard testing, which creates more problems (because the tests are not good but give you the false impression that your software is ok).

Re:It's time we own up to this one (1)

MarcoAtWork (28889) | about 4 months ago | (#46729859)

and btw, funding is good, but funding does not buy you a good software development process: for that you need to actually focus on finding a good process first, and use the funding to achieve what you are planning without forgetting that if it's a critical piece of infrastructure nowadays it will be attacked by adversaries with much larger pockets than yours no matter how large yours are, so the process has to take into account that any development is done in a completely hostile environment, where a-priori you cannot trust ANYTHING, you can't trust your compiler, you can't trust your system libraries, you can't trust your fellow developers and you can't trust the repository you are using.

How do you deal with this? That is definitely a question you would need some of that funding to answer correctly, but it probably would include a lot of redundancy and testing: the advantage of the OSS model is that you can actually do this out in the open where everybody can see what you are doing and vet it every step of the way (a lot of those eyes are unskilled in your particular domain, but still it's a lot better than not having those eyes available at all).

Re:It's time we own up to this one (1)

l0n3s0m3phr34k (2613107) | about 4 months ago | (#46731247)

There was another person who looked at it before the commit, apparently they also missed it. So apparently a better code reviewing policy is also needed here.

Re:It's time we own up to this one (1)

oldhack (1037484) | about 4 months ago | (#46729995)

Bugs happen. We should assume there are more bugs of similar nature and have a plan on how to proceed when the next one is discovered. It's particularly important for OpenSSL as it may affect not only SSL encryption keys but whole chains of SSL certs.

Re:It's time we own up to this one (4, Insightful)

bill_mcgonigle (4333) | about 4 months ago | (#46730301)

This was a failure in the Open Source process.

Indeed. People have been saying for years that the OpenSSL code leaves much to be desired but nobody dares fix it because it might break something (needed: comprehensive unit tests).

There's been a bug filed for years saying that the code won't build with the system malloc, which in turn prevents code analysis tools from finding use-after-free conditions. The need here is less clear - leadership of the project has not made such a thing a priority. It's not clear that funding was the sole gating factor - commit by commit the code stopped working with the system malloc and nobody knew or cared.

Sure, a pile of money would help pick up the pieces, but lack of testing, continuous integration, blame culture, etc. might well have prevented it in the first place.

We still have sites like Sourceforge that are solving 1997 problems, like offering download space and mailing lists when what we need today is to be able to have continuous integration systems, the ability to deploy a vm with a complex project already configured and running for somebody to hack on, etc.

A failure of risk analysis, sure, but (0)

Anonymous Coward | about 4 months ago | (#46729687)

A "failure of risk analysis" by the OpenSSL team I can buy, but does that really have any bearing on whether the NSA would secretly exploit that failure?

Oh, wait, the NSA has denied it. They always tell the truth.

---

The US Constitution isn't perfect but it's better than what we've got.

North Korea and USA track people (0)

Anonymous Coward | about 4 months ago | (#46729697)

It is a common behaviour in communist countries like North Korea or the USA. Spying on and tracking citizens' daily lives is far more important than security.
Anyone who has visited the USA lately will notice growing Bolshevism. It starts with fingerprinting at the airport, stupid questions and shock when a tourist enters the downtowns of popular cities.
Security forces are everywhere. Not only on the street but in schools and preschools, grocery stores and movie theatres.

It is terrifying how much power the comrades in the USA now have.

Fork it. (4, Funny)

grub (11606) | about 4 months ago | (#46729711)

Theo de Raadt should fork OpenSSL. He could call it OpenOpenSSL.

.

Re:Fork it. (0)

Anonymous Coward | about 4 months ago | (#46729775)

about 250-500k into the coffers of the foundation and this might just happen.

Re:Fork it. (0)

Anonymous Coward | about 4 months ago | (#46729827)

Knowing Theo da Rat, he'd call it OpenSSL, and he'd be his impervious self whenever people pointed out how confusing and idiotic it is having different projects with the same name.

What OpenSSL needs is multiple independent line by line code audits of the paid variety, by teams of competent people. It may be an open source piece of software, but considering the countless billions of dollars at stake, there shouldn't be any fucking issue finding the money to make this shit happen.

Re:Fork it. (1)

gman003 (1693318) | about 4 months ago | (#46729911)

What OpenSSL needs is multiple independent line by line code audits of the paid variety, by teams of competent people. It may be an open source piece of software, but considering the countless billions of dollars at stake, there shouldn't be any fucking issue finding the money to make this shit happen.

What major corporations use SSL? Cisco? IBM? Anybody else like that? We could probably get them to foot most of the bill.

Cisco and IBM (0)

Anonymous Coward | about 4 months ago | (#46730227)

I would expect that Cisco and IBM work hand in hand with the NSA, embedding crypto backdoors and wiretapping capabilities in their products.

Re:Fork it. (0)

Anonymous Coward | about 4 months ago | (#46730287)

or FreeSSL

Does the "fix" include scrubbing? (2)

Animats (122034) | about 4 months ago | (#46729715)

When this was supposedly "fixed" in OpenSSL, did the fix just fix this one known bug? A real fix includes fixing the storage allocator to overwrite all released blocks, so no other old-data-in-buffer exploit would work.

We fixed the glitch. (1)

mythosaz (572040) | about 4 months ago | (#46729801)

Bob Porter: We always like to avoid confrontation, whenever possible. Problem is solved from your end.

Re:Does the "fix" include scrubbing? (2)

radarskiy (2874255) | about 4 months ago | (#46729847)

A real fix includes not rolling their own malloc, then fixing the bugs that were hidden by their badly written freelist which prevented people from reverting to a normal malloc.
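The two points raised in this subthread (a length check that trusts only the bytes actually received, and scrubbing released buffers so stale data cannot be read back) and MarcoAtWork's point above about testing everything with invalid input can be shown together. The following is an added example written for this page, not OpenSSL's own code: it parses a constructed, simplified heartbeat-style record (1-byte type, 2-byte big-endian payload length, payload; the real TLS record also carries padding, which is omitted here), refuses any record whose claimed length exceeds the data delivered, wipes a buffer before freeing it, and includes a self-test that feeds the parser exactly the malformed record a QA suite should always try. The names `hb_build_response`, `scrub_free` and `hb_selftest` are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record layout for this example (simplified, no padding):
 *   byte 0      : message type
 *   bytes 1..2  : claimed payload length, big-endian
 *   bytes 3..   : payload
 * record_len is what the transport actually delivered and is the only
 * length the parser may trust. */
#define HB_REQUEST  1
#define HB_RESPONSE 2

/* Builds the echo response for a heartbeat-style request.
 * Returns 0 on success and -1 if the record is malformed: too short to
 * hold the header, a claimed length larger than the bytes received, or an
 * output buffer too small. Never reads past record + record_len. */
int hb_build_response(const uint8_t *record, size_t record_len,
                      uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (record == NULL || out == NULL || out_len == NULL) return -1;
    if (record_len < 3) return -1;                    /* no room for header */

    size_t claimed = ((size_t)record[1] << 8) | record[2];

    /* The bounds check: the claimed length must fit inside the bytes that
     * actually arrived. Without it, memcpy below would read whatever
     * happened to follow the record in memory. */
    if (claimed > record_len - 3) return -1;
    if (out_cap < 3 + claimed) return -1;

    out[0] = HB_RESPONSE;
    out[1] = record[1];
    out[2] = record[2];
    memcpy(out + 3, record + 3, claimed);
    *out_len = 3 + claimed;
    return 0;
}

/* Overwrites a buffer before releasing it, so secrets do not linger in
 * freed memory for a later over-read to expose. The volatile function
 * pointer keeps the compiler from treating the memset as dead and eliding
 * it (assumption: a portable substitute for explicit_bzero-style calls). */
static void *(*volatile hb_memset)(void *, int, size_t) = memset;

void scrub_free(void *p, size_t n)
{
    if (p == NULL) return;
    hb_memset(p, 0, n);
    free(p);
}

/* Feeds the parser a well-formed record and the classic malformed one: a
 * claimed payload length far larger than the data delivered.
 * Returns 1 if the parser echoed the good record and rejected the bad one. */
int hb_selftest(void)
{
    /* constructed sample records */
    const uint8_t good[] = { HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c' };
    const uint8_t bad[]  = { HB_REQUEST, 0xFF, 0xFF, 'a', 'b', 'c' }; /* claims 65535 */
    uint8_t out[64];
    size_t n = 0;

    if (hb_build_response(good, sizeof good, out, sizeof out, &n) != 0) return 0;
    if (n != 6 || out[0] != HB_RESPONSE || memcmp(out + 3, "abc", 3) != 0) return 0;

    memset(out, 0xAA, sizeof out);
    if (hb_build_response(bad, sizeof bad, out, sizeof out, &n) != -1) return 0;
    if (out[0] != 0xAA) return 0;                    /* nothing written on reject */

    return 1;
}

int main(void)
{
    /* Response buffer on the heap, released through scrub_free so its
     * contents are wiped rather than left behind for the next allocation. */
    size_t cap = 64;
    uint8_t *resp = malloc(cap);
    if (resp == NULL) return 1;
    const uint8_t req[] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    size_t n = 0;
    int rc = hb_build_response(req, sizeof req, resp, cap, &n);
    printf("rc=%d len=%zu selftest=%d\n", rc, n, hb_selftest());
    scrub_free(resp, cap);
    return 0;
}
```

The self-test is the part a project needs in its regular test run, not as a one-off: every parser that reads a length field from the wire should have a case where the claimed length is larger than the record, and that case should be exercised with the system allocator so tools like AddressSanitizer and Valgrind can see the over-read if the check is ever removed.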

According to who? (3, Insightful)

radarskiy (2874255) | about 4 months ago | (#46729851)

Bloomberg is the reporting organization, so they can't be the source. They name no sources, just "two people familiar with the matter", which could mean they asked me twice.

Highly likely that NSA knew early on (3, Interesting)

JKAbrams (3613353) | about 4 months ago | (#46730053)

Actually I wrote this yesterday but was unable to publish it:
...
I have not yet grasped the full scope of the implications of this bug, but if you take the stance that things that could have been done have also been done (imho the only safe assumption), is this a good characterization? Or are there any limiting factors that make this impossible? Like for example the amount of memory that could be leaked while the application is running (as servers aren't restarted often): is certain information that is stored statically in memory potentially not reachable?

During the last two years:
1. Any/all certificates used by servers running openssl 1.0.1 might have been compromised and should be revoked (the big cert-reset of 2014?)
2. Because of 1, any/all data sent over a connection to such servers might now be known by a bad MITM (i.e. for large scale: the various security services/hostile ISPs, local scale/targeted attacks: depends on who else happened to know, and this person/organization happened to be your adversary, looks unlikely, but who knows...)
3. Any/all data stored in SSL-based client applications might have been compromised.

From a user's perspective - change all passwords/keys that have been used on applications based on openSSL-1.0.1? How to know what services? To be safe, change them all? Consider private data potentially sent over SSL to be open and readable by the security services?

Thinking about the large-scale:
For how long has the NSA been picking up information leaked by Heartbleed (assuming that they have at least since late evening the 7th or early morning the 8th seems a given)?
-Not in the Snowden documents that have been revealed so far (absence of proof != proof of absence, but language might give a hint)
-No report of unusual heartbeat streams being spotted in the wild (was anyone looking?)

Let's assume for the sake of argument the NSA does not have people actually writing the OpenSSL code in the first place.
When did they know about its existence?

time_to_find_bug = budget * complexity_of_bug / size_of_sourcecode * complexity_of_sourcecode * intention_to_find_bugs

Where
budget = manpower * skillset
and
time_to_find_bug < inf.
when
skillset >= complexity_of_bug

Heartbeat bug:
complexity_of_bug = low

OpenSSL:
size_of_sourcecode = 376409 lines of code (1.0.1 beta1)
complexity_of_sourcecode = high

NSA:
intention_to_find_bugs = 1
budget = $20 * 10^9 ?
    => manpower = 30k ?
       skillset = high

Guesstimate: one to a few months -> early 2012 to go through the changes made to 1.0.1 building on earlier work already done on the 0.8.9 branch...
...
Or to say it another way, I think it is safe to assume that, given the simplicity of the bug, NSA knew about Heartbleed early on. The anonymous comments to Bloomberg give nice confirmation of this.

Re:Highly likely that NSA knew early on (1)

JKAbrams (3613353) | about 4 months ago | (#46730141)

Typo, meant the 0.9.8 branch of SSL of course.

Re:Highly likely that NSA knew early on (1)

l0n3s0m3phr34k (2613107) | about 4 months ago | (#46731259)

I know that at my company we don't "restart servers" as much as re-deploy another VM instance, switch all traffic to that, then kill the old VM. Yet sometimes it is over a year between reboots of the actual ESX servers themselves, as they are sometimes hosting dozens of VMs on a single box.

NSA.gov gets an F (0)

Anonymous Coward | about 4 months ago | (#46730191)

They can't even pass basic SSL security tests on their websites. Nor can FBI.gov, FDIC.gov, IRS.gov, VISA.com, MASTERCARD.com or PCISECURITYSTANDARDS.org

Absolutely amazing that something as basic as their public facing websites all fail with an F

Gomes is looking for consulting work (0)

Anonymous Coward | about 4 months ago | (#46730371)

I'll raise his tinfoil hat concern about "oh no, it's open people might see the open window" with my tinfoil hat concern of "it's hidden in a dark alley, no one will see the crack den in the basement because no one else can see the doors or windows".

I don't know how I feel, (0)

Anonymous Coward | about 4 months ago | (#46731025)

As a tax paying sheep I feel it's their job to use everything at their disposal.

CloudFlare are experts at marketing (0)

Anonymous Coward | about 4 months ago | (#46731029)

In the report they published, it really just says that when trying to exploit Heartbleed on their OWN infrastructure with openssl + modified nginx they could not obtain public keys. That's all.

Heartbleed Challenge Over (5, Interesting)

xvx (624327) | about 4 months ago | (#46731135)

Welp, that didn't take long. Looks like someone solved CloudFlare's Heartbleed Challenge [cloudflarechallenge.com] and got their private server key...