NSA Knew About Heartbleed, Did Nothing, Sources Say

Status
Not open for further replies.

jhansonxi

Distinguished
May 11, 2007
525
0
18,930
0
it open source, anyone could have fixed it.
Encryption systems are complicated and relatively few programmers have the expertise for understanding them. Although a common programming mistake with C, the bug wasn't obvious and was in a rather mundane section of code. It was made worse by an obsolete performance enhancement that hid the presence of the bug by masking errors caused by the eploit. There were two bug reports about problems caused by side effects of the bug but the reporters apparently didn't notice the wider risk potential. One problem of OpenSSL development is the lack of development support on the part of the millions of companies that use it.

There's one thing that most of the reports overlook - it's a server problem so the software the client is using doesn't matter. In addition, users that have the same password on multiple sites will have all their accounts compromised if any one of the sites is vulnerable, regardless if some are running M$ IIS or not.
 

Camikazi

Distinguished
Jul 20, 2008
745
0
18,930
0
Too many folks seeing too many conspiracies. Seriously, take a deep breath and relax a bit. The US government is not out to get everyone. Don't buy into all of the hype.
Well they are out to get everyone but they are not behind every little thing that goes wrong.
 

f-14

Distinguished
Apr 2, 2010
774
0
18,940
4
i believe the NSA when they say they didn't know about it or abuse it.... however while every one is watching what the left hand is doing they are forgetting about the right hand, the CIA which is always under the table and it is not below them to be part of backdoor/front door, keys to all the locks policy written by socialist democrats and greedy republicans of the 1990's legislation when they controlled the house, the senate, supreme court/appeals courts, and presidency.

''If we don't pass this bill, we could find London or Frankfurt or years down the road Shanghai becoming the financial capital of the world,'' said Senator Charles E. Schumer, Democrat of New York.
 

Ian Von Essex

Estimable
Mar 7, 2014
2
0
4,510
0
Scumbag NSA.
Steals Your Data.
Does Nothing to protect it.
They did the job perfectly... your DATA is safe on their servers !
Is not their job to fix broken servers... is their job to exploit this and "protect" your data.
Maybe they wrote it as STUX virus... good job. Problem is that NO ONE observe it until now (and is not close source either).
 

Ian Von Essex

Estimable
Mar 7, 2014
2
0
4,510
0
Scumbag NSA.
Steals Your Data.
Does Nothing to protect it.
They did the job perfectly... your DATA is safe on their servers !
Is not their job to fix broken servers... is their job to exploit this and "protect" your data.
Maybe they wrote it as STUX virus... good job. Problem is that NO ONE observe it until now (and is not close source either).
 

ddpruitt

Honorable
Jun 4, 2012
227
0
10,860
7
The article is pure bunk. I'm sure the "Anonymous Sources" don't actually exist and the article on Bloombergs's was written purely to sell ads. The NSA has a history of privately disclosing vulnerabilities like this to those responsible for maintaining the software. The NSA may do some shady things but a vulnerability of this level would have been disclosed.
 

ddpruitt

Honorable
Jun 4, 2012
227
0
10,860
7
Encryption systems are complicated and relatively few programmers have the expertise for understanding them. Although a common programming mistake with C, the bug wasn't obvious and was in a rather mundane section of code.
Actually if check the git repo you see that the bug isn't a common C mistake and should have been obvious. This a mistake I would expect out of CS 101 student, not someone maintaining a widely used encryption package. I mean seriously, you don't bother checking the length of the message you received before echoing it? XKCD has the best explanation of the bug I've seen so far:

http://xkcd.com/1354/
 
That is because they wrote it
It's open source. We know exactly who wrote it. Robin Seggelmann
http://www.pcpro.co.uk/news/388162/heartbleed-coder-bug-in-openssl-was-an-honest-mistake

Turns out he's one of the authors of the RFC regarding the heartbeat functionality of SSL, and his implementation contradicts the the RFC (server is supposed to not respond if the length of the requested data does not match the specified length).

So unless the NSA is somehow surreptitiously bribing foreigners working on open source security projects to insert code which subverts the purpose of the project they're working on out of love, no the NSA didn't write it.

Actually if check the git repo you see that the bug isn't a common C mistake and should have been obvious. This a mistake I would expect out of CS 101 student, not someone maintaining a widely used encryption package. I mean seriously, you don't bother checking the length of the message you received before echoing it?
It's not a common mistake if you're writing C code by the seat of your pants. But it's one I can easily see creeping in if you're editing and cutting and pasting code. When you write code like this, you do a length check once, then everything you write afterwards assumes the length has been checked. You do not re-check the length every time you use the variable.

If you rearrange the code, or cut and paste a piece while forgetting to also cut and paste the length check, suddenly you get this bug. It's a common enough error that malloc specifically has protections to prevent this bug (it'll crash the program, forcing you to re-check your code to find the bug). Unfortunately, the OpenSSL team disabled that safeguard in order to improve performance on some systems which were ran too slow with the safety check in place.
 
Status
Not open for further replies.
Thread starter Similar threads Forum Replies Date
R Streaming Video & TVs 4
TheDudeAdibes Streaming Video & TVs 4
Y Streaming Video & TVs 3
D Streaming Video & TVs 1
S Streaming Video & TVs 1
G Streaming Video & TVs 4
R Streaming Video & TVs 2
M Streaming Video & TVs 5
G Streaming Video & TVs 5
G Streaming Video & TVs 1
G Streaming Video & TVs 0
G Streaming Video & TVs 6
G Streaming Video & TVs 5
G Streaming Video & TVs 0
G Streaming Video & TVs 2
G Streaming Video & TVs 5
G Streaming Video & TVs 0
G Streaming Video & TVs 4
G Streaming Video & TVs 13
G Streaming Video & TVs 5

ASK THE COMMUNITY