Fwd: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
I'm not forwarding this to get into politics. I'm forwarding it because of the impact on operational security. Given the recent "I hunt sysadmins" leak, I think it's not unreasonable to suggest that everyone on this list has probably been targeted because of their privileged access to networks/servers/services/etc. ---rsk ----- Forwarded message from Richard Forno <rforno@infowarrior.org> -----
Date: Fri, 11 Apr 2014 15:05:03 -0400 From: Richard Forno <rforno@infowarrior.org> To: Infowarrior List <infowarrior@attrition.org> Subject: [Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years
NSA Said to Have Used Heartbleed Bug, Exposing Consumers
By Michael Riley Apr 11, 2014 2:58 PM ET
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bu...
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government's top computer experts.
Heartbleed appears to be one of the biggest glitches in the Internet's history, a flaw in the basic security of as many as two-thirds of the world's websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. to Juniper Networks Inc. to provide patches for their systems.
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations' intelligence arms and criminal hackers.
Controversial Practice
"It flies in the face of the agency's comments that defense comes first," said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. "They are going to be completely shredded by the computer security community for this."
[snip]
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government's top computer experts.
I call B.S. Do you have any idea how many thousands of impacted NSA servers run by contractors hung out on the Internet with sensitive NSA data? If you told me they used it against the targets of the day while putting out the word to patch I could buy it, but intentionally leaving a certain bodily extension hanging in the breeze in the hopes of gaining more valuable data than they lose would have been an unusually gutsy move. These two unnamed sources are liars. Bet on it. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
* bill@herrin.us (William Herrin) [Fri 11 Apr 2014, 22:04 CEST]:
I call B.S. Do you have any idea how many thousands of impacted NSA servers run by contractors hung out on the Internet with sensitive NSA data? If you told me they used it against the targets of the day while putting out the word to patch I could buy it, but intentionally leaving a certain bodily extension hanging in the breeze in the hopes of gaining more valuable data than they lose would have been an unusually gutsy move.
Have you been paying attention at all? Please go read up on some recent and less recent history before making judgments on what would be unusually gutsy for that group of people. I'm not saying this has been happening but you will have to come up with a better defense than "it seems unlikely to me personally". -- Niels.
I wrote:
I'm not saying this has been happening ...
but here's the same news from a much more credible source: http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bu... Still anonymously sourced but at least via people whose ability to vet sources you can usually trust. -- Niels.
* Niels Bakker (niels=nanog@bakker.net) wrote:
but here's the same news from a much more credible source:
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bu...
Still anonymously sourced but at least via people whose ability to vet sources you can usually trust.
hum. That was included in the original post... Stephen
Once upon a time, Niels Bakker <niels=nanog@bakker.net> said:
but here's the same news from a much more credible source:
Actually, that's the same news _from the same source_ as originally posted.
That article also has other wonderful bits like:
The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development. While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.
This is fairly typical big-business denigration of Open Source, ignoring the fact that (a) closed source software doesn't get reviewed for things like this, and (b) code like this isn't just written by "underfunded researchers". Red Hat (a billion-dollar company) got their package of OpenSSL through FIPS certification.
Even the opening of the article:
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information,
The flaw has only existed for two years and a couple of weeks (and how many websites deployed a brand-new OpenSSL the day it came out?). So unless the patch was authored by the NSA (which the patch author claims is not the case), they'd have to have known about it before it existed.
I don't even fully buy the "two-thirds of the world's websites". I'm not sure that 2/3 of the websites I visit even use SSL. Also, many versions of "enterprise" OSes like Red Hat Enterprise Linux weren't affected (RHEL 5 was not affected, and RHEL 6 was only affected starting with 6.5 from last November). There are a lot of web servers that aren't updated that often (or stay with more "stable" release trains).
-- Chris Adams <cma@cmadams.net>
On Fri, Apr 11, 2014 at 4:10 PM, Niels Bakker <niels=nanog@bakker.net> wrote:
Please go read up on some recent and less recent history before making judgments on what would be unusually gutsy for that group of people.
I'm not saying this has been happening but you will have to come up with a better defense than "it seems unlikely to me personally".
Let me know when someone finds the second shooter on the grassy knoll. As for me, I do have some first hand knowledge as to exactly how sensitive several portions of the federal government are to the security of the servers which hold their data. They may not hold YOUR data in high regard... but the word "sensitive" does not do justice to the attention lavished on THEIR servers' security. In WW2 we protected the secret of having cracked enigma by deliberately ignoring a lot of the knowledge we gained. So such things have happened. But we didn't use enigma ourselves -- none of our secrets were at risk. And our adversaries today have no secrets more valuable than our own. -Bill -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
Also on this same idea, in his book "The Puzzle Palace," James Bamford claims that we knew of the pending attack on Pearl Harbor but did nothing, because that would compromise the fact that we broke the Japanese Purple Cipher.
matthew black
california state university, long beach
-----Original Message----- From: William Herrin [mailto:bill@herrin.us] Sent: Friday, April 11, 2014 2:06 PM To: nanog@nanog.org Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
Matthew, On Mon, Apr 14, 2014 at 10:48 AM, Matthew Black <Matthew.Black@csulb.edu>wrote:
Also on this same idea, in his book "The Puzzle Palace," James Bamford claims that we knew of the pending attack on Pearl Harbor but did nothing, because that would compromise the fact that we broke the Japanese Purple Cipher.
I assume you refer to pages 36 through 39 of "The Puzzle Palace" which is almost entirely a recounting of bureaucratic fumbling and delay. The sensitivity of a Purple Cipher decode did cause the intercepted information to be sent by a less immediate means to the US Naval authorities in Hawaii. Nevertheless, it was sent with every expectation that those authorities would receive it before the time of the attack. We do not know what those authorities would have done if they had received the intercept information as expected, instead of receiving it about 6 hours after the first bomb struck Pearl Harbor. Your implication that Bamford says "we decided to do nothing" bears no relationship to what Bamford actually wrote. Thanks, Donald ============================= Donald E. Eastlake 3rd +1-508-333-2270 (cell) 155 Beaver Street, Milford, MA 01757 USA d3e3e3@gmail.com
IIRC, the message was sent via courier instead of cable or telephone to prevent interception. Did the military not even trust its own cryptographic methods? Or did they not think withdrawal of the Japanese ambassador was not very critical?
matthew black
california state university, long beach
From: Donald Eastlake [mailto:d3e3e3@gmail.com] Sent: Monday, April 14, 2014 8:28 AM To: Matthew Black Cc: William Herrin; nanog@nanog.org Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
On Mon, Apr 14, 2014 at 10:09:14PM +0000, Matthew Black wrote:
IIRC, the message was sent via courier instead of cable or telephone to prevent interception. Did the military not even trust its own cryptographic methods? Or did they not think withdrawal of the Japanese ambassador was not very critical?
The message was sent by Western Union. There being no cable between the Hawaiian Islands and the mainland at the time, the message went by commercial radio, in plaintext, and thence by civilian bicycle messenger (of Japanese ancestry, as it happened) to Fort Shafter, where it was read while the attack was in progress. David Kahn's fine book, _The Codebreakers_, discusses this in rather more detail. I recommend the original version; the paperback and later hardback editions contain rather less meat. -- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin
On Fri, Apr 11, 2014 at 04:03:36PM -0400, William Herrin wrote:
If you told me they used it against the targets of the day while putting out the word to patch I could buy it, but intentionally leaving a certain bodily extension hanging in the breeze in the hopes of gaining more valuable data than they lose would have been an unusually gutsy move.
"unusually gutsy" compared to what, EXACTLY? Sources: NSA sucks in data from 50 companies http://theweek.com/article/index/245311/sources-nsa-sucks-in-data-from-50-co... Report: NSA Circumvented Encryption http://www.bankinfosecurity.com/report-nsa-circumvented-encryption-a-6045 [ That one is interesting, by the way. It's from September 6, 2013, and quotes reporting by the New York Times and Pro Publica the previous day. Here's an excerpt: Bruce Schneier, a widely followed cryptography expert, author and blogger, characterizes the revelation as explosive. "Basically, the NSA is able to decrypt most of the Internet," he writes in his blog. "They're doing it primarily by cheating, not by mathematics. ... Remember this: The math is good, but math has no agency. Code has agency, and the code has been subverted." According to the news report, some of NSA's most exhaustive efforts have concentrated on encryption widely used in the United States, including Secure Sockets Layer, virtual private networks and the protection used on fourth generation smart phones. Interesting that it mentions SSL, isn't it? ] NSA's pipe dream: Weakening crypto will only help the "good guys" http://arstechnica.com/security/2013/09/nsas-pipe-dream-weakening-crypto-wil... Exclusive: NSA infiltrated RSA security more deeply than thought http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331?feedType=RSS&feedName=topNews&utm_source=dlvr.it&utm_medium=twitter&dlvrit=992637 NSA Aiming To Infect "Millions" Of Computers Worldwide With Its Malware; Targets Telco/ISP Systems Administrators http://www.techdirt.com/articles/20140312/07334826545/nsa-aiming-to-infect-m... NSA hacker in residence dishes on how to "hunt" system admins http://arstechnica.com/security/2014/03/nsa-hacker-in-residence-dishes-on-ho... 
Let me note in passing that the NSA is not the only intelligence agency on this planet that has demonstrated both willingness and ability to create and/or exploit large scale security breaches in order to acquire information. Surely nobody thinks that folks in Moscow and London and Berlin and Bejing were just sitting on their hands. ---rsk
On Fri, Apr 11, 2014 at 04:03:36PM -0400, William Herrin wrote:
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government's top computer experts.
I call B.S. Do you have any idea how many thousands of impacted NSA servers run by contractors hung out on the Internet with sensitive NSA data? If you told me they used it against the targets of the day while putting out the word to patch I could buy it, but intentionally leaving a certain bodily extension hanging in the breeze in the hopes of gaining more valuable data than they lose would have been an unusually gutsy move.
You're assuming that the NSA is a single monolithic entity. IIRC, the offense team and the defense team don't really talk much, and they *certainly* have very different motivations. It wouldn't surprise me at all if the offense got hold of a juicy bug, and since they're paid to capture data, and knowing that they wouldn't get in trouble if the defense lost data, their motivations to keep their little bug to themselves are entirely understandable.
The interesting thing to me is that the article claims the NSA have been using this for "over two years", but 1.0.1 (the first vulnerable version) was only released on 14 Mar 2012. That means that either:
* The NSA put it in there (still a bridge too far for me to believe without further evidence, although I can certainly understand why people could believe it) and hence were using it from day 1;
* The NSA found it *amazingly* quickly (they're very good at what they do, but I don't believe they have superhuman talents); or
* The article has got at least one fact wrong, in which case it's entirely plausible they've got other things wrong, too.
- Matt
-- That's why I love VoIP. You don't get people phoning up to complain that the network is down. -- Peter Corlett, in the Monastery
On Fri, Apr 11, 2014 at 5:56 PM, Matt Palmer <mpalmer@hezmatt.org> wrote:
You're assuming that the NSA is a single monolithic entity. IIRC, the offense team and the defense team don't really talk much, and they *certainly* have very different motivations. It wouldn't surprise me at all if the offense got hold of a juicy bug, and since they're paid to capture data, and knowing that they wouldn't get in trouble if the defense lost data, their motivations to keep their little bug to themselves are entirely understandable.
Hi Matt, I assume only individual motivations, like CYA. Folks at the bottom don't make bold decisions. A potentially career-making or career-ending decision like this would have been kicked up the chain until it reached someone who could, after consulting several other folks to cover his own posterior, authorize the risk. This and the high odds of a leak are how I know the NSA hasn't cracked the prime factoring problem either. And anyone surprised by Snowden's revelations either didn't read about or didn't understand Mark Klein's 2006 AT&T documents. There are things that folks at the NSA could plausibly be doing. Intentionally sitting on a massive security hole in their own systems for two years isn't one of them. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On Sat, 12 Apr 2014 07:56:01 +1000, Matt Palmer said:
The interesting thing to me is that the article claims the NSA have been using this for "over two years", but 1.0.1 (the first vulnerable version) was only released on 14 Mar 2012. That means that either:
* The NSA found it *amazingly* quickly (they're very good at what they do, but I don't believe they have superhuman talents); or
You seriously think the NSA *isn't* watching the commits to security-relevant open source? Remember - it was a bonehead bug, it's *not* unreasonable for somebody who was auditing the code to spot it. Heck, there's a good chance that automated tools could have spotted it.
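Valdis's point that this was a bug an auditor or a tool could spot comes down to one missing comparison: the heartbeat handler trusted the payload length the peer declared instead of checking it against the record it had actually received. As an added illustration (not code from this thread or from OpenSSL), here is a heartbeat message parser in the RFC 6520 layout with that check in place; the sample records, the function names and the HB_* constants are constructed for the example.

```c
/* Added example (not code from the thread or from OpenSSL): a defensive
 * parser for a TLS heartbeat message in the RFC 6520 layout that refuses to
 * trust the sender-supplied payload_length. The bounds check mirrors what
 * the Heartbleed fix added; the records below are constructed samples. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_PADDING_MIN 16   /* RFC 6520: at least 16 bytes of padding  */
#define HB_HEADER_LEN  3    /* 1 byte type + 2 bytes payload_length    */

enum hb_status { HB_OK = 0, HB_TOO_SHORT, HB_BAD_TYPE, HB_LENGTH_MISMATCH };

/* Parse a heartbeat message from a received record of known length rec_len.
 * On HB_OK, *payload and *payload_len point into rec; on any error nothing
 * is referenced past rec and the caller should drop the record silently. */
enum hb_status hb_parse(const uint8_t *rec, size_t rec_len,
                        const uint8_t **payload, size_t *payload_len)
{
    if (rec_len < HB_HEADER_LEN + HB_PADDING_MIN)
        return HB_TOO_SHORT;
    if (rec[0] != 1 && rec[0] != 2)       /* heartbeat_request / _response */
        return HB_BAD_TYPE;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    /* The unfixed code used `declared` directly; the fix compares it with
     * the length actually received. Written as a subtraction (safe after the
     * HB_TOO_SHORT check) so the comparison itself cannot overflow. */
    if (declared > rec_len - HB_HEADER_LEN - HB_PADDING_MIN)
        return HB_LENGTH_MISMATCH;
    *payload = rec + HB_HEADER_LEN;
    *payload_len = declared;
    return HB_OK;
}

/* Build a well-formed heartbeat_response echoing payload into out (capacity
 * out_cap). Returns bytes written, or 0 if the message does not fit.
 * Padding is zeroed here; a real implementation would use random bytes. */
size_t hb_build_response(const uint8_t *payload, size_t payload_len,
                         uint8_t *out, size_t out_cap)
{
    size_t total = HB_HEADER_LEN + payload_len + HB_PADDING_MIN;
    if (payload_len > 0xFFFF || total > out_cap)
        return 0;
    out[0] = 2;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xFF);
    memcpy(out + HB_HEADER_LEN, payload, payload_len);
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_PADDING_MIN);
    return total;
}

/* Constructed samples: a valid request with a 4-byte payload, and the same
 * 23-byte record with a declared length of 0xFFFF, which the unfixed code
 * would have honoured and the parser above rejects. */
static const uint8_t SAMPLE_OK[]  = {1, 0x00, 0x04, 'p', 'i', 'n', 'g',
                                     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
static const uint8_t SAMPLE_BAD[] = {1, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
                                     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};

/* Convenience wrapper: the parser's verdict on a record. */
enum hb_status hb_check(const uint8_t *rec, size_t rec_len)
{
    const uint8_t *p; size_t n;
    return hb_parse(rec, rec_len, &p, &n);
}

/* Round trip on SAMPLE_OK: parse the request, build the response, parse
 * that, and confirm the echoed payload matches. Returns the response length
 * (23 for the sample) on success, 0 on any failure. */
size_t hb_sample_roundtrip(void)
{
    const uint8_t *p; size_t n; uint8_t resp[64];
    if (hb_parse(SAMPLE_OK, sizeof SAMPLE_OK, &p, &n) != HB_OK) return 0;
    size_t w = hb_build_response(p, n, resp, sizeof resp);
    const uint8_t *q; size_t m;
    if (w == 0 || hb_parse(resp, w, &q, &m) != HB_OK) return 0;
    if (resp[0] != 2 || m != n || memcmp(p, q, n) != 0) return 0;
    return w;
}

int main(void)
{
    printf("valid record: status %d, round trip %zu bytes\n",
           hb_check(SAMPLE_OK, sizeof SAMPLE_OK), hb_sample_roundtrip());
    printf("oversized declared length: status %d (record dropped)\n",
           hb_check(SAMPLE_BAD, sizeof SAMPLE_BAD));
    return 0;
}
```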
I'm not sure if any of you has access to those automated tools, but I'd be interested in learning if any of them do catch the bug.
Frank
-----Original Message----- From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] Sent: Friday, April 11, 2014 7:50 PM To: Matt Palmer Cc: nanog@nanog.org Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
On Sat, 12 Apr 2014 07:56:01 +1000, Matt Palmer said: <snip> Heck, there's a good chance that automated tools could have spotted it.
I'd be interested in the other 0-days they have..;)
Sent from my T-Mobile 4G LTE Device
-------- Original message -------- From: Frank Bulk <frnkblk@iname.com> Date: 04/11/2014 11:24 PM (GMT-07:00) To: Valdis.Kletnieks@vt.edu,Matt Palmer <mpalmer@hezmatt.org> Cc: nanog@nanog.org Subject: RE: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
Valdis is 100% on the money here. Let's take this a step farther and ask is there a criminal liability for the person who checked that code in - Oh you bet there is... Todd On 4/11/2014 5:49 PM, Valdis.Kletnieks@vt.edu wrote:
On Sat, 12 Apr 2014 07:56:01 +1000, Matt Palmer said:
The interesting thing to me is that the article claims the NSA have been using this for "over two years", but 1.0.1 (the first vulnerable version) was only released on 14 Mar 2012. That means that either: * The NSA found it *amazingly* quickly (they're very good at what they do, but I don't believe they have superhuman talents); or You seriously think the NSA *isn't* watching the commits to security-relevant open source? Remember - it was a bonehead bug, it's *not* unreasonable for somebody who was auditing the code to spot it. Heck, there's a good chance that automated tools could have spotted it.
-- ------------- Personal Email - Disclaimers Apply
On Mon, Apr 14, 2014 at 9:27 AM, TGLASSEY <tglassey@earthlink.net> wrote:
Valdis is 100% on the money here. Let's take this a step farther and ask is there a criminal liability for the person who checked that code in - Oh you bet there is...
Todd
Thank you--I needed some humour in my morning, I was starting to take the day too seriously. Thank you for putting a smile back on my face, and giving me something to laugh about today. ^_^ Matt
Matt Palmer wrote:
* The NSA found it *amazingly* quickly (they're very good at what they do, but I don't believe they have superhuman talents); or
It's quite plausible that they watch the changes in open-source projects to find bugs. They could do nice diffs and everything.
It's quite plausible that they watch the changes in open-source projects to find bugs. They could do nice diffs and everything.
the point of open source is that the community is supposed to be doing this. we failed. randy
On 04/13/2014 07:30 AM, Randy Bush wrote:
It's quite plausible that they watch the changes in open-source projects to find bugs. They could do nice diffs and everything. the point of open source is that the community is supposed to be doing this. we failed.
Versus all of the closed source bugs that nobody can know of or do anything about? Bugs are a fact of life. The best we can do is fix, learn and evolve. Mike
the point of open source is that the community is supposed to be doing this. we failed. Versus all of the closed source bugs that nobody can know of or do anything about?
for those you can blame the vendor. this one is owned by the community. it falls on us to try to lower the probability of a next one by actively auditing source as our civic duty. randy
On 04/13/2014 07:52 AM, Randy Bush wrote:
the point of open source is that the community is supposed to be doing this. we failed. Versus all of the closed source bugs that nobody can know of or do anything about? for those you can blame the vendor.
Or not.
this one is owned by the community. it falls on us to try to lower the probability of a next one by actively auditing source as our civic duty.
And we all know how well civic duty works as a motivator. If we really want to do something constructive, convince the corpro-takers to open their wallets to fund those auditing functions. Mike
And we all know how well civic duty works as a motivator. If we really want to do something constructive, convince the corpro-takers to open their wallets to fund those auditing functions.
For once, I agree with Mike. (Twice in one year?) Considering how widely openssl is used, and how important it is, it's shameful how little support it gets. I'd also point out that auditing security code is hard, and auditing SSL/TLS code is extremely hard because the spec depends on a lot of unusually arcane algorithms, and its implementation is almost perversely complex (that means PKI and ASN.1.) So random programmer eyes are much less likely to find useful stuff than people who have spent a while learning about the technology. http://jl.ly/Internet/openssl.html R's, John
* randy@psg.com (Randy Bush) [Sun 13 Apr 2014, 16:52 CEST]:
the point of open source is that the community is supposed to be doing this. we failed. Versus all of the closed source bugs that nobody can know of or do anything about? for those you can blame the vendor.
BSAFE is almost worse if you go by the recent advisories that have been released about it. Many vendors incorporated OpenSSL into their products and sold the result for commercial profit without doing (in retrospect) enough due diligence. Besides, having a third party to blame doesn't make our data safer... At least one vendor, Akamai, is helping out now: http://marc.info/?l=openssl-users&m=139723710923076&w=2 I hope other vendors will follow suit.
this one is owned by the community. it falls on us to try to lower the probability of a next one by actively auditing source as our civic duty.
I donated some money to the OpenSSL project and hope others will do, or have already done, the same. It's clear that they are internet infrastructure and need more support. -- Niels.
Doesn't OpenSSL even fundraise? Based on the number of dollars they've taken in (what I could find online) most of them are better off taking side jobs as psychics to pay for audits. I know of at least one thing they could have predicted in the future. ;)
Sent from my T-Mobile 4G LTE Device
-------- Original message -------- From: Niels Bakker <niels=nanog@bakker.net> Date: 04/13/2014 10:55 AM (GMT-07:00) To: nanog@nanog.org Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
I applaud their effort but please see https://blogs.akamai.com/2014/04/heartbleed-update-v3.html & http://lekkertech.net/akamai.txt
Kind regards,
IS Group
Thijs Stuurman
-----Original Message----- From: Niels Bakker [mailto:niels=nanog@bakker.net] Sent: Sunday, April 13, 2014 6:53 PM To: nanog@nanog.org Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
On Sun, Apr 13, 2014 at 9:52 AM, Niels Bakker <niels=nanog@bakker.net> wrote:
At least one vendor, Akamai is helping out now: http://marc.info/?l=openssl-users&m=139723710923076&w=2 I hope other vendors will follow suit.
Although it appears they may now be regretting doing so... http://www.techworld.com.au/article/542813/akamai_admits_its_openssl_patch_f... (Of course, the end result is positive, but...) Scott
On Apr 14, 2014, at 15:47 , Scott Howard <scott@doc.net.au> wrote:
On Sun, Apr 13, 2014 at 9:52 AM, Niels Bakker <niels=nanog@bakker.net> wrote:
At least one vendor, Akamai is helping out now: http://marc.info/?l=openssl-users&m=139723710923076&w=2 I hope other vendors will follow suit.
Although it appears they may now be regretting doing so...
http://www.techworld.com.au/article/542813/akamai_admits_its_openssl_patch_f...
(Of course, the end result is positive, but...)
[NOTE: I'll just remind everyone up front that I worked at Akamai for a very long time, so take my comments with however many grains of salt you feel appropriate.] If the only thing that happens when a large company steps up to help the open source community is ridicule and/or derision, one should probably not in the same breath ask why no companies are publishing any code. I applaud Akamai for trying, for being courageous enough to post code, and for bucking the trend so many other companies are following by being more secretive every year. Or we can flame anyone who tries, then wonder why no one is trying. -- TTFN, patrick
On Mon, Apr 14, 2014 at 3:59 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:
I applaud Akamai for trying, for being courageous enough to post code, and for bucking the trend so many other companies are following by being more secretive every year.
Or we can flame anyone who tries, then wonder why no one is trying.
I thought vendors existed primarily as a place to hang the blame when dealing with a manager or customer who just doesn't get it. -Bill -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On 04/14/2014 12:59 PM, Patrick W. Gilmore wrote:
On Apr 14, 2014, at 15:47 , Scott Howard <scott@doc.net.au> wrote:
On Sun, Apr 13, 2014 at 9:52 AM, Niels Bakker <niels=nanog@bakker.net> wrote:
At least one vendor, Akamai is helping out now: http://marc.info/?l=openssl-users&m=139723710923076&w=2 I hope other vendors will follow suit.
Although it appears they may now be regretting doing so...
http://www.techworld.com.au/article/542813/akamai_admits_its_openssl_patch_f...
(Of course, the end result is positive, but...)
[NOTE: I'll just remind everyone up front that I worked at Akamai for a very long time, so take my comments with however many grains of salt you feel appropriate.]
If the only thing that happens when a large company steps up to help the open source community is ridicule and/or derision, one should probably not in the same breath ask why no companies are publishing any code.
I applaud Akamai for trying, for being courageous enough to post code, and for bucking the trend so many other companies are following by being more secretive every year.
Or we can flame anyone who tries, then wonder why no one is trying.
Agreed ... review is good, comments on needed fixes are good, but saying that Akamai, "should not be sending out non-functional, bug ridden patches to the OpenSSL community" as Pinckaers did is not constructive. Part of the problem here is the whole "You can't play in my sandbox!" attitude. Doug
On Mon, Apr 14, 2014 at 03:59:21PM -0400, Patrick W. Gilmore wrote:
On Apr 14, 2014, at 15:47 , Scott Howard <scott@doc.net.au> wrote:
On Sun, Apr 13, 2014 at 9:52 AM, Niels Bakker <niels=nanog@bakker.net> wrote:
At least one vendor, Akamai is helping out now: http://marc.info/?l=openssl-users&m=139723710923076&w=2 I hope other vendors will follow suit.
Although it appears they may now be regretting doing so...
http://www.techworld.com.au/article/542813/akamai_admits_its_openssl_patch_f...
(Of course, the end result is positive, but...)
[NOTE: I'll just remind everyone up front that I worked at Akamai for a very long time, so take my comments with however many grains of salt you feel appropriate.]
If the only thing that happens when a large company steps up to help the open source community is ridicule and/or derision, one should probably not in the same breath ask why no companies are publishing any code.
I applaud Akamai for trying, for being courageous enough to post code, and for bucking the trend so many other companies are following by being more secretive every year.
Or we can flame anyone who tries, then wonder why no one is trying.
-- TTFN, patrick
well, if $vendor publishes code frags, the code must have been vetted and ready for _my_ environment so i'll just cut/paste and then when it doesn't work, it's their fault for leading me down the primrose path... $vendor, that's why I pay you... to read my mind! darn it. /bill
On Mon, Apr 14, 2014 at 12:59 PM, Patrick W. Gilmore <patrick@ianai.net> wrote: I applaud Akamai for trying, for being courageous enough to post code, and
for bucking the trend so many other companies are following by being more secretive every year.
Just to be clear, so do I! As I said, the end result was net positive - within hours the fact they made this code snippet "open source" resulted in it being available to many more eyeballs, and bugs in it being found. By releasing the code, Akamai has not only helped the community (at least as a starting point - even if their actual code had issues the concept is good and no doubt will be improved upon by the wider community), but helped themselves by discovering that they were operating under the mistaken impression that their SSL keys were safe when potentially they were not. On Mon, Apr 14, 2014 at 1:07 PM, Doug Barton <dougb@dougbarton.us> wrote:
Agreed ... review is good, comments on needed fixes are good, but saying that Akamai, "should not be sending out non-functional, bug ridden patches to the OpenSSL community" as Pinckaers did is not constructive.
Especially when the release specifically stated "*This should really be considered more of a proof of concept than something that you want to put directly into production*" and "*do not just take this patch and put it into production without careful review*." Akamai made mistakes here, but releasing what they obviously believed to be workable code in the way that they did wasn't one of them. Scott
On Apr 13, 2014, at 7:52 AM, Randy Bush <randy@psg.com> wrote:
the point of open source is that the community is supposed to be doing this. we failed. Versus all of the closed source bugs that nobody can know of or do anything about?
for those you can blame the vendor. this one is owned by the community. it falls on us to try to lower the probability of a next one by actively auditing source as our civic duty.
is that kind of like jury duty? if only it were more like literature, which we could read for enjoyment.
randy
for those you can blame the vendor. this one is owned by the community. it falls on us to try to lower the probability of a next one by actively auditing source as our civic duty. is that kind of like jury duty? if only it were more like literature, which we could read for enjoyment.
true. also, as someone whacked me, far too many networkers can not read code at all. randy
On 4/14/14 4:06 PM, Randy Bush wrote:
for those you can blame the vendor. this one is owned by the community. it falls on us to try to lower the probability of a next one by actively auditing source as our civic duty. is that kind of like jury duty? if only it were more like literature, which we could read for enjoyment. true. also, as someone whacked me, far too many networkers can not read code at all.
It's much, much worse than that. I can still read code plenty fine, but bugs can be extremely obscure, and triply so with convoluted security code where people are actively going after you to find problems in most inventive ways. Openssl, etc, probably need to be treated more like Mars Landers than the typical github forkfest. Mike
On 04/14/2014 07:14 PM, Michael Thomas wrote:
It's much, much worse than that. I can still read code plenty fine, but bugs can be extremely obscure, and triply so with convoluted security code where people are actively going after you to find problems in most inventive ways. Openssl, etc, probably need to be treated more like Mars Landers than the typical github forkfest.
You mean this one? http://en.wikipedia.org/wiki/Mars_Climate_Orbiter ;)
On 04/14/2014 05:02 PM, Nathan Angelacos wrote:
On 04/14/2014 07:14 PM, Michael Thomas wrote:
It's much, much worse than that. I can still read code plenty fine, but bugs can be extremely obscure, and triply so with convoluted security code where people are actively going after you to find problems in most inventive ways. Openssl, etc, probably need to be treated more like Mars Landers than the typical github forkfest.
You mean this one? http://en.wikipedia.org/wiki/Mars_Climate_Orbiter
;)
That of course wasn't an orbiter, it was a splatter. :) Mike
Shouldn't a decent OS scrub RAM and disk sectors before allocating them to processes, unless that process enters processor privileged mode and sets a call flag? I recall digging through disk sectors on RSTS/E to look for passwords and other interesting stuff over 30 years ago. matthew black california state university, long beach -----Original Message----- From: Randy Bush [mailto:randy@psg.com] Sent: Sunday, April 13, 2014 7:31 AM To: Bengt Larsson Cc: nanog@nanog.org Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
It's quite plausible that they watch the changes in open-source projects to find bugs. They could do nice diffs and everything.
the point of open source is that the community is supposed to be doing this. we failed. randy
On 2014-04-14 10:38, Matthew Black wrote:
Shouldn't a decent OS scrub RAM and disk sectors before allocating them to processes, unless that process enters processor privileged mode and sets a call flag? I recall digging through disk sectors on RSTS/E to look for passwords and other interesting stuff over 30 years ago.
All modern OSes do that. What's your point? Simon -- DTN made easy, lean, and smart --> http://postellation.viagenie.ca NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca STUN/TURN server --> http://numb.viagenie.ca
Yes Matthew it should. The question is whether they do or not. Todd On 4/14/2014 7:38 AM, Matthew Black wrote:
Shouldn't a decent OS scrub RAM and disk sectors before allocating them to processes, unless that process enters processor privileged mode and sets a call flag? I recall digging through disk sectors on RSTS/E to look for passwords and other interesting stuff over 30 years ago.
matthew black california state university, long beach
-----Original Message----- From: Randy Bush [mailto:randy@psg.com] Sent: Sunday, April 13, 2014 7:31 AM To: Bengt Larsson Cc: nanog@nanog.org Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
It's quite plausible that they watch the changes in open-source projects to find bugs. They could do nice diffs and everything. the point of open source is that the community is supposed to be doing this. we failed.
randy
-- ------------- Personal Email - Disclaimers Apply
On 4/11/2014 4:03 PM, William Herrin wrote:
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government's top computer experts. I call B.S. Do you have any idea how many thousands of impacted NSA servers run by contractors hung out on the Internet with sensitive NSA data? If you told me they used it against the targets of the day while putting out the word to patch I could buy it, but intentionally leaving a certain bodily extension hanging in the breeze in the hopes of gaining more valuable data than they lose would have been an unusually gutsy move.
These two unnamed sources are liars. Bet on it.
Regards, Bill Herrin
I would imagine that federal contractors have to adhere to FIPS 140-2 standards (or some similar requirement) for sensitive environments, and none of the affected OpenSSL versions were certified to any FIPS standard... the last version that WAS certified (0.9.8j) is only rated to Level 1, which, being the lowest possible rating, I suspect is not permitted for use by NSA contractors -- they're probably required to use level 3 or 4 for everything.
And their Level 3 to 4 accomplished what exactly?? They were owned the same way they own others, from the inside. On 4/11/14, 4:27 PM, "Peter Kristolaitis" <alter3d@alter3d.ca> wrote:
On 4/11/2014 4:03 PM, William Herrin wrote:
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government's top computer experts. I call B.S. Do you have any idea how many thousands of impacted NSA servers run by contractors hung out on the Internet with sensitive NSA data? If you told me they used it against the targets of the day while putting out the word to patch I could buy it, but intentionally leaving a certain bodily extension hanging in the breeze in the hopes of gaining more valuable data than they lose would have been an unusually gutsy move.
These two unnamed sources are liars. Bet on it.
Regards, Bill Herrin
I would imagine that federal contractors have to adhere to FIPS 140-2 standards (or some similar requirement) for sensitive environments, and none of the affected OpenSSL versions were certified to any FIPS standard... the last version that WAS certified (0.9.8j) is only rated to Level 1, which, being the lowest possible rating, I suspect is not permitted for use by NSA contractors -- they're probably required to use level 3 or 4 for everything.
On Fri, Apr 11, 2014 at 6:27 PM, Peter Kristolaitis <alter3d@alter3d.ca> wrote:
I would imagine that federal contractors have to adhere to FIPS 140-2 standards (or some similar requirement) for sensitive environments, and none of the affected OpenSSL versions were certified to any FIPS standard... the last version that WAS certified (0.9.8j) is only rated to Level 1, which, being the lowest possible rating, I suspect is not permitted for use by NSA contractors -- they're probably required to use level 3 or 4 for everything.
Some of the time, sure. And some of the time they buy Red Hat Linux off the shelf like everybody else. They have budgets too. They can't do everything at the highest protection level. Or did you think they were above and immune to the ordinary business realities of the 21st century? Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
participants (27)
- Bengt Larsson
- bmanning@vacation.karoshi.com
- Chris Adams
- Donald Eastlake
- Doug Barton
- Frank Bulk
- John Levine
- Mark Seiden
- Matt Palmer
- Matthew Black
- Matthew Petach
- Michael Thomas
- Mike A
- Nathan Angelacos
- Niels Bakker
- Patrick W. Gilmore
- Peter Kristolaitis
- Randy Bush
- Rich Kulawiec
- Scott Howard
- Simon Perreault
- Stephen Frost
- TGLASSEY
- Thijs Stuurman
- Valdis.Kletnieks@vt.edu
- Warren Bailey
- William Herrin