
Monday, April 14, 2014



Chanson de Roland

I realize that it is very hard to trust the government, particularly our intelligence agencies given their past record of mendacity and prevarication. But government's past misconduct isn't probative on the instant question about what the government knew about Heartbleed and when it knew it.

So what does the open-source record tell us? Well, it doesn't tell us much. Indicting the NSA with the statement that it knew of Heartbleed before 7 April 2014 is Bloomberg's unknown source, and that is it. Bloomberg is a responsible news organization, but it is impossible to evaluate the credibility of an unknown source. We can't know the agenda, competence, loyalties, or character of an unknown source. And when it comes to intelligence, we are in very murky waters, where it is even possible that Bloomberg's source, which I am sure it believes in good faith, is a foreign intelligence operative who is seeking to accomplish some nefarious purpose, such as having our government force the NSA to disclose every exploit that it knows of. That, of course, would be foolish intelligence policy, which would be very damaging to the United States' ability to conduct legitimate signals intelligence.

And that Bloomberg's source is risking the jeopardy of a serious federal felony and prison time cuts both ways: It argues for the source's credibility but also makes one wonder about who would risk imprisonment and why he or she would do so.

Against all of that we have the NSA's categorical denial. But that too has problems. Unfortunately, the NSA's less-than-candid former statements undercut its credibility, even though its past misconduct does not, as a matter of logic, prove that its instant denial is a lie. More troubling is that the NSA's denial has a vagueness that could conceal deceit. But, on the other hand, the NSA can't reasonably be expected to issue a statement of such clarity that it compromises its legitimate secrets, such as its relationships with its private contractors.

And it also isn't clear that the NSA would have done anything wrong in a moral sense even if it did know about Heartbleed and even if it exploited it for intelligence purposes, if it had good reason for doing so. And, even if the NSA knew of Heartbleed, I don't know of any law that requires the NSA to disclose exploits, so such disclosure is a matter of the NSA's policy, where it must weigh the advantages and disadvantages for the United States of disclosing or not disclosing exploits to the public; nor does law prohibit the NSA from using exploits to conduct intelligence operations against foreign citizens and governments.

So we have assertions from an unknown source that the NSA knew about Heartbleed, which contend for credibility against the NSA's denial that it knew about Heartbleed, where both the accuser and the NSA's denial leave much to be doubted as to even the facts of what the NSA knew about Heartbleed and when it knew it, much less whether the NSA did anything wrong regarding Heartbleed in either a moral or legal sense.

George Jenkins

Heartbleed Disclosure Timeline: Who Knew What and When

NSA Must Reveal Bugs Like Heartbleed, Except When They Help The NSA

Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say


  • George Jenkins, author of the I've Been Mugged Blog


  • © 2007 - 2017. George Jenkins. All Rights Reserved.