Apr 13, 2014
Not only did the NSA know about the Heartbleed internet bug--found to have exposed the sensitive information of countless web users--but they exploited it for their own intelligence gathering purposes for years, sources charge.
Bloomberg News reported late Friday that the agency found Heartbleed shortly after its introduction in early 2012, according to a person "familiar with the matter," and rather than reporting or repairing the flaw, the NSA adopted it as "a basic part of the agency's toolkit for stealing account passwords and other common tasks."
Heartbleed, believed to be one of the biggest flaws in the Internet's history, is a vulnerability in OpenSSL, which is used to encrypt communications between users and websites. The bug makes those supposedly secure sites an "open book," Bloomberg explains. The existence of Heartbleed was first made public on April 7.
By adding Heartbleed to its arsenal--as a means of obtaining passwords and other secure information--critics say the agency not only furthered its own controversial practice of stockpiling user information but also left millions of users vulnerable to outside attack.
After the allegations surfaced, the White House denied that they knew about Heartbleed prior to April 2012.
Regardless, Bloomberg's sources note that, in addition to Heartbleed, the NSA currently "has a trove of thousands of such vulnerabilities that can be used to breach some of the world's most sensitive computers."
The incident highlights what many are saying are the "fundamentally incompatible" dual missions of the agency: securing cyber-infrastructure and gathering foreign intelligence.
"Ordinary Internet users are ill-served by the arrangement because serious flaws are not fixed, exposing their data to domestic and international spy organizations and criminals," John Pescatore, director of emerging security trends at a cyber-security training firm, the SANS Institute, told Bloomberg.
Fred Cate, director of Indiana University's Center for Applied Cybersecurity Research, wrote in October 2013:
Privacy and security advocates have long worried that in pursuit of the latter, increasingly dominant mission, the agency would learn about software and other vulnerabilities and rather than disclose or attempt to fix them, the agency would exploit them, thus compromising the former mission.
"The president has identified cyber threats as among the most critical dangers facing the nation," added Cate. "Yet it is hard to take this claim too seriously when key responsibility for fighting those threats is given to the agency with the most to gain by hiding and exploiting them."
Warning of such abuse, in December 2013, President Obama's NSA review panel said the White House should not "undermine efforts to create encryption standards" and not "subvert, undermine, weaken or make vulnerable" commercial security software.
And as Julian Sanchez, founding editor of the Just Security blog, adds: "It's time to create an organization that's fully devoted to safeguarding the security of Internet users - even if that might make life harder for government hackers."
_____________________
Our work is licensed under Creative Commons (CC BY-NC-ND 3.0). Feel free to republish and share widely.
Lauren McCauley
Lauren McCauley is a former senior editor for Common Dreams covering national and international politics and progressive news. She is now the Editor of Maine Morning Star. Lauren also helped produce a number of documentary films, including the award-winning Soundtrack for a Revolution and The Hollywood Complex, as well as one currently in production about civil rights icon James Meredith. Her writing has been featured on Newsweek, BillMoyers.com, TruthDig, Truthout, In These Times, and Extra! the newsletter of Fairness and Accuracy in Reporting. She currently lives in Kennebunk, Maine with her husband, two children, a dog, and several chickens.