Heartbleed on Tumblr

Heartbleed bug

The surreal world that is the United States Intelligence Community has recently released a statement over the Heartbleed vulnerability as a rebuttal to an article from Bloomberg. The government's statement is as follows:

Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report.

There are a number of issues I'd like to point out (aka the bleedin' obvious)...

  1. 30 second summary:
    This is the best layman's explanation of the problem.
  2. This is serious:
    The Heartbleed bug has been described as a "catastrophic bug" and "On the scale of 1 to 10, this is an 11" by security expert Bruce Schneier.
  3. Bloomberg's claim:

    The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

    The Bloomberg article goes on to describe the Heartbleed bug to be one of the biggest flaws in the Internet’s history, affecting the basic security of as many as two-thirds of the world’s websites. Yes, it's that serious.

  4. Tumblr:
    The government's official rebuttal was posted on Tumblr. That's right. Tumblr. The bastion of middle school angst is now the official vehicle of the Office of the Director of National Intelligence (DNI). If you didn't want to shout "grow up guys" before, you will want to now:

    Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report.

    But it's OK, really, because this Tumblr account was created at the direction of the President of the United States, [to] provide immediate, ongoing and direct access to factual information related to the lawful foreign surveillance activities carried out by the U.S. Intelligence Community. Really? The US government has it's own authoritative TLD (.gov) to do whatever it likes with and it publishes a rebuttal to the worst Internet vulnerability found to date - on Tumblr? One facepalm is simply not enough.

  5. Ask me no questions...
    Facts are good. But this release may not actually be factual. One of the mission goals of the National Security Agency is to find "zero day" software vulnerabilities. It also leads all the high-tech spying stuff and, in 2013, paid out over $25million to third-party contractors for zero day exploits. Richard Clarke, the former White House cyber tsar and member of the NSA review panel, told the Financial Times in a 2012 interview:

    I think what is happening is when NSA is told about a vulnerability, they start exploiting it, and they say we’ll tell American companies about it if we ever see signs [that] China, or Russia have figured it out and are using it. But until then we’re going to use it.

The government's admission that NSA did not know about Heartbleed until a few days ago should be the grounds to fire most of the senior management at NSA for sheer incompetence. Claiming not to know about the vulnerability is simply a smoke screen. After all, our tax dollars apparently paid for this knowledge. Withholding that same knowledge, in violation of the NSA's mandate to protect US companies and networks is another reason.