A lot happened last week. First, there was the revelation about the Heartbleed security flaw. Then, the Heartbleed bug was found in Cisco routers and Juniper Networks equipment. Networking vendors, including F5 Networks and Fortigate, issued security alerts about their equipment. Many mobile devices running the Android operating system are vulnerable. There was speculation Friday about when the intelligence community learned about Heartbleed. Bloomberg reported on Friday that the NSA knew about it and used it for surveillance and hacking.
Also on Friday, the developer who introduced the error into the OpenSSL open-source code apologized. For readers who are unfamiliar with the history of SSL (Secure Sockets Layer), it was introduced by Netscape in 1994. Like any other software, there have been several versions of it (e.g., 1.0, 2.0, etc.), and some versions have more vulnerabilities than others. OpenSSL, the implementation at issue here, is open-source software, meaning it is community-based: developers from several companies work on it (as their employers donate time and resources) to improve it. The theory is that several people working on software will make it stronger and better than otherwise.
There is no way for consumers to know which OpenSSL version a website uses. Sites may use their own, proprietary version or the open-source version. The Heartbleed site listed the vulnerability by version:
"OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable. OpenSSL 1.0.1g is NOT vulnerable. OpenSSL 1.0.0 branch is NOT vulnerable. OpenSSL 0.9.8 branch is NOT vulnerable. Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug."
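As an added example that is not part of the original post, here is a small Python checker that applies the version range quoted above to OpenSSL version strings (bare versions, the output of `openssl version`, or an inventory list) and flags builds in the affected range; the host names in the sample inventory are constructed.

```python
import re

# Affected range quoted from the Heartbleed site: 1.0.1 through 1.0.1f inclusive.
AFFECTED_BRANCH = (1, 0, 1)
LAST_AFFECTED_LETTERS = "f"
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(text):
    """Return (major, minor, fix, letters) from '1.0.1f', the output of
    `openssl version` ('OpenSSL 1.0.1e 11 Feb 2013') or a pre-release tag
    such as '1.0.2-beta1' (empty letters). Raises ValueError if none found."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version number in %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)

def _letter_key(letters):
    # OpenSSL patch letters sort a..z, then za, zb, ...; '' is the base release.
    return (len(letters), letters)

def is_heartbleed_affected(text):
    """True when the version lies in the quoted range 1.0.1 .. 1.0.1f."""
    major, minor, fix, letters = parse_openssl_version(text)
    if (major, minor, fix) != AFFECTED_BRANCH:
        return False  # 0.9.8 and 1.0.0 branches, and 1.0.2+, are outside the range
    return _letter_key(letters) <= _letter_key(LAST_AFFECTED_LETTERS)

def audit_inventory(inventory):
    """Split (host, version_string) pairs into affected hosts and hosts whose
    version could not be parsed; the latter need a manual look, not silence."""
    result = {"affected": [], "unknown": []}
    for host, version in inventory:
        try:
            if is_heartbleed_affected(version):
                result["affected"].append(host)
        except ValueError:
            result["unknown"].append(host)
    return result

# Constructed sample inventory with hypothetical host names (not from the post).
SAMPLE_INVENTORY = [
    ("web-01", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("web-02", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("legacy", "0.9.8y"),
    ("lb-01", "1.0.1"),
    ("mystery", "unknown build"),
]
```

A version string alone can overstate exposure, because some Linux distributions backported the fix while keeping the 1.0.1e version number, so treat a match as a flag to verify against the vendor's advisory rather than a verdict.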
This makes one wonder whether not enough was invested in OpenSSL improvements, or too many websites used older versions, or both. Meanwhile, online criminals and identity thieves have gotten better and more skillful. So, software like OpenSSL needs to be continually improved.
Later on Friday, the Office of the Director of National Intelligence (ODNI) issued a statement responding to the Bloomberg report. The ODNI statement on April 11 read in part:
"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report.
Reports that say otherwise are wrong. Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services... If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."
So, we are to believe that the largest, most advanced, and heavily funded intelligence agency on the planet did not know about a security flaw in encryption software. Encryption is essential to the business of spying, and we know from past news reports that the NSA sought to break all encryption.
So, I don't believe the ODNI statement. The NSA and ODNI have made less than truthful statements before to the U.S. Congress. If they will lie to elected officials, they will lie to journalists and citizens. When these lies happen, they break the public's trust.
With trust broken, I find it most difficult to believe that the largest, most heavily funded, and advanced intelligence agency on the planet missed the Heartbleed security flaw. That's like the entire intelligence community missing the 9/11 hijackers' planning.
Since the surveillance document disclosures started last year, I have learned that it is important to parse the exact words in any statements from the ODNI and NSA. Did any NSA contractors and vendors know about Heartbleed? Did any NSA vendors and contractors exploit the Heartbleed flaw for surveillance and hacking? Did any other U.S. intelligence agencies know and use the Heartbleed security flaw? Did any other country's intelligence organization (e.g., GCHQ) know and use the Heartbleed security flaw? What definition of the word "know" is the ODNI using today? Did the NSA refer to this security flaw by a different name?
Hopefully, some investigative journalists are re-reading the disclosed documents for references to Heartbleed or an equivalent. More importantly, it is time for citizens to hear from Congressional officials on the intelligence oversight committees. It is time for the politicians responsible for oversight to do their jobs, or resign so we can elect representatives who will faithfully do their oversight jobs. It is time for the oversight committees to ask the tough direct questions, get honest (not prearranged) answers, hold the NSA and intelligence community accountable, and share what they've learned with their constituents.
On Friday, we also learned that the Heartbleed bug was found in Cisco routers and Juniper equipment. Networking vendors, including F5 Networks and Fortigate, have also issued security alerts about their equipment. What other brands have been affected? There are direct and indirect costs resulting from this mess. A poll earlier this year found that the public's confidence in online privacy has fallen for three straight years. Experts have warned that the dragnet NSA mass surveillance could cost U.S.-based cloud-services vendors $35 billion in lost revenues. Remember, lost revenues equal lost jobs.
In July 2013, we learned that the NSA had inserted code into the Google Android operating system software. Remember that? BusinessWeek reported on July 3, 2013:
"Google spokeswoman Gina Scigliano confirms that the company has already inserted some of the NSA’s programming in Android OS... Through its open-source Android project, Google has agreed to incorporate code, first developed by the agency in 2011, into future versions of its mobile operating system, which according to market researcher IDC runs on three-quarters of the smartphones shipped globally in the first quarter. NSA officials say their code, known as Security Enhancements for Android, isolates apps to prevent hackers and marketers from gaining access to personal or corporate data stored on a device."
So, we are to believe from Google that the NSA is trying to enhance or make security better. Really? How's that working for you? It doesn't seem to be working too well, especially if the NSA missed or failed to focus on OpenSSL encryption.
Some consumers have privately expressed their frustrations with having to change their online passwords piecemeal as each site implements Heartbleed fixes. Some people have just gone ahead and changed all of their passwords while hoping for the best. This raises more questions:
- How long can this mess continue before it starts to have a big negative impact on people's willingness to use the Internet?
- Will consumers use the Internet less and only for banking and shopping?
- Or, are consumers so dependent on the convenience of the Internet that they will continue using it regardless of privacy abuses, except upon threat of death?
- Can the Internet be fixed so it becomes the reliable, secure, private, and trustworthy medium we all hoped it would be?