Songs on the Security of Networks
a blog by Michał "rysiek" Woźniak

Irresponsible non-disclosure

This is an ancient post, published more than 4 years ago.

As such, it might no longer reflect the views of the author or the state of the world. It is provided as historical record.

Yesterday Bloomberg broke the news that NSA is said to have known about Heartbleed for months or years, without telling anybody – and the wheels of the media and blogosphere have started to churn out reactions from surprised through shocked to outraged.

Frankly, I am most surprised by the fact that anybody is surprised. After Snowden’s revelations we all should have already gotten used to the fact that what was once crazy tin-foil-hat paranoia is today entirely within the realm of the possible.

Even less surprisingly, a quick denial has been issued on behalf of the NSA. Regular smoke and mirrors, as anybody could have expected, but with one very peculiar – and telling – paragraph (emphasis mine):

In response to the recommendations of the President’s Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.

What this means is that when a bug is found by a “security” agency, it might not get responsibly disclosed. If “there is a clear national security and law enforcement need”, it might be used in a weaponized form instead.

With the “America under attack” mentality and the ongoing “War on Terror” waged across the globe, we can safely assume that there is “a clear national security need”, at least in the minds of those making these decisions.

And we need to remember that if there is a bug, and somebody has found it (but not disclosed it), somebody else will find it, eventually. It might be Neel Mehta or Marek Zibrow, who then discloses it responsibly; or it might be Joe Cracker, who exploits it or sells it to other shady organisations.

And because we all use the same encryption mechanisms, the same protocols and often the same implementations, it will then be used against us all.

Now, it is crucial to understand that it’s not about NSA and Heartbleed. It’s about all “security” agencies and any software bugs. By not responsibly disclosing discovered bugs “security” agencies make us all considerably less secure.

Regardless of whether NSA has or hasn’t known about Heartbleed, such a non-disclosure policy is simply irresponsible – and unacceptable.