EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

04.18.14

Some Perspective on Heartbleed®

Posted in GNU/Linux, Microsoft, Security at 8:12 am by Dr. Roy Schestowitz

Looking through the tube

Summary: Our views on the whole Heartbleed® bonanza, which seems like partly a PR stunt (for multiple stakeholders)

A LOT has been said about Heartbleed® since the firm of Microsoft's 'former' security chief (who had worked with the FBI, the NSA’s more evil twin) irresponsibly 'leaked' the flaw, and did so at the very same moment that Windows XP users rushed to GNU/Linux for security reasons. I know of such users (even corporations I deal with) and I saw their reaction to this unforeseen ‘leak’. Funny timing.

In this post we outline some key facts (carefully and patiently studied over the past 10 days). As my doctoral degree is not far from cryptography and I have consulted people who do security for a living, I can assure readers that we do grasp the technical details, unlike many so-called ‘journalists’ with degrees in English or history. We are not going to delve into less plausible theories like a connection between the flaw and the NSA although there are circumstantial connections, an NSA program specifically designated to this (NSA operation ORCHESTRA), and we already know that Red Hat relays non-SELinux code directly from the NSA to Torvalds, as we covered earlier this year (meaning that only a developer in the middle knows where the code originally came from). In this particular post we are going to focus on other important points that ought to be made now that Heartbleed® is mostly out of the headlines and little new information will come out during Easter. This post is based on assessment of about 100 reports and subsequent research lasting many hours.

A little and slightly old tidbit shared with us by iophk (a network security professional) said that even the NSA and its circles are negatively affected by Heartbleed®. This article states: “”I am waiting for a patch,” said Jeff Moss, a security adviser to the U.S. Department of Homeland Security and founder of the Def Con hacking conference.”

There are reasons to believe that the NSA was not aware of this flaw or had not exploited it. For instance, the government’s demands from Lavabit may suggest that OpenSSL back doors were not known at that time (2013). Also, reading all about the personal background of the man behind the bug, it’s nearly impossible to find any connection to the NSA and its ilk. The guy is German, but another German Danish developer (Poul-Henning Kamp, a FreeBSD and Varnish developer) spoke only some months ago about a US program of introducing bugs into FOSS (see “NSA operation ORCHESTRA” above).

iophk responds to the article about firewalls woes by asking: “Why the hell is he not running one based on Linux or BSD? Something’s not right. Proprietary “solutions” have no place in infrastructure for just these kinds of reasons.”

Well, with Windows, for example, the NSA perhaps assumes a monopoly on back doors. It’s a form of total control.

The BSD community, which is also behind OpenSSH, has begun doing some commendable things [1,2] short of throwing away OpenSSL [3]. There is a new release of GnuTLS [4], for example, but we cannot be 100% certain that GnuTLS is immune to “bug doors”, as Julian Assange recently called them. “GnuTLS was immune to the OpenSSL bug,” writes iophk, “but in regards to the latter was ‘responsible disclosure’ followed? I got the feeling that it wasn’t and that the web site was set up and publicized before even the OpenSSL team was informed. Where can I find a detailed timeline of events?”

Well, a deceiving timeline was later published by the Australian press. Security gurus have widely chastised this form of ‘responsible’ disclosure of Heartbleed®; even the project site of OpenSSL hadn’t been patched before the disclosure. The same goes for the FBI, which again helps validate claims that the government was not fully aware of the issue.

OpenSSL was having limited resources and some articles covered it [5-7]. Regardless, it’s now claimed NSA knew about the bug for 2 years and we should always remember that Microsoft’s Howard Schmidt was connected to FBI before his firm published Heartbleed® for fame, fun, and profit. It’s not just Microsoft that makes his motives a tad suspicious. The whole Heartbleed® thing “has a very media friendly name and a cute logo,” as a British FOSS professional put it. It’s like a branding exercise. Also see this post titled “What Heartbleed Can Teach The OSS Community About Marketing”. “Ties in a bit with what you’ve posted,” iophk told me after I had noted the marketing angle.

As a recap, Heartbleed® was pretty much branded and released like a product by a firm headed by a Microsoft (and FBI) veteran. This firm also works with Microsoft, so the disclosure on Windows XP’s EOL date is too hard to ignore, If this was already known about by the NSA for years, then one may wonder if the disclosure came through whispers rather than research. Glyn Moody was told by Wikileaks (Twitter account seemingly run only by Julian Assange) that “Assange spoke about vulnerability of OS’s to bribes and bugdoors in upstream components.”

Howard Schmidt (chairman of board of company that marketed Heartbleed®) worked with the FBI and another NSA partner/PRISM pioneer (Microsoft). If the NSA knew about the bug, then one wonders what role Schmidt may have played. The last thing that the NSA wants is people (especially outside the US) adopting Free software and GNU/Linux because Microsoft is where back doors are; by design, not by accident. Heartbleed® was reportedly known to the NSA for years (every article that claims this cites Bloomberg, which is notable corporate press and usually a bit dubious when it comes to agenda). If true, this was the type of bug that Edward Snowden’s leaks had alluded to (bug doors, not back doors). Schmidt et al. might be trying to exploit it for FUD and profit, by opportunistically divulging it as soon as mass migration to GNU/Linux in enterprises and homes begins. A decade ago it seemed like a back door had been put inside Linux by the NSA, but the developers caught the intrusion and removed it. There were numerous reports last year saying that the NSA had approached Torvalds, asking him for back doors in Linux, so what Seggelmann did in OpenSSL should not be treated too lightly. The time of the committal is a little suspicious [8] (people away from home to celebrate New Year) and the reputation of OpenSSL is now thoroughly destroyed, which will help its competitors (including proprietary) [9]. There is now a lot of FUD out there about FOSS (the only one we’re willing to cite is [10] because it’s not too malicious), sometimes coming from the mouths of Microsoft boosters or challenging Torvalds’ famous “law” [11,12]. I even get taunted over this in Twitter. The old FUD is back, never mind Coverity’s latest report which again contradicts such FUD.

Mind the article “Heartbleed security flaw may not be as dangerous as thought” [13], which sheds some light on who’s able to exploit and who’s not able to exploit Heartbleed® given the resource limitations (the thing about crackers of the NSA and GCHQ is that they have supercomputers to have a crack at it, and the same is probably true when it comes to the FBI, which is in many ways worse and more aggressive than the NSA; the FBI infiltrates Windows with CIPAV). If the widely-cited reports are true and the NSA knew Heartbleed® (and used it for two years) [14-17], then it’s a massive revelation (the NSA denies this, but denials from the NSA are worthless given its track record when it comes to truth-telling).

Perhaps the most disturbing thing about the story is, the NSA may have discovered Heartbleed® years ago (if not made it, which sounds unlikely [18]) and the firm of Microsoft’s ‘former’ security chief is making a profit from this [19] (the Heartbleed® bounty is partly paid by Microsoft and the partly Microsoft-owned Facebook). A bunch of opportunists got paid for irresponsible disclosure that damaged the Internet [20,21] and harmed many people’s privacy (potentially leading to some people’s deaths).

The GNU/Linux brand is profoundly damaged by this (many GNU/Linux sites mentioned it [22-24]) even though the bug also affects Windows and Apple operating systems. To us it will always seem like marketing campaign coordinated to take place at a strategic date (Windows XP EOL).

Has Microsoft’s Howard Schmidt decided to ‘leak’ it to distract from XP EOL (which means insecurity by policy)? Perhaps. Schmidt had worked with the FBI, so he could have some inside knowledge. He might have former colleagues who could tell him about this (even leak it to him) before he would hype it up, give it a scary name, make a dot com web site, a logo, et cetera, essentially ‘merchandising’ the FUD.

Related/contextual items from the news:

  1. OpenBSD Team Cleaning Up OpenSSL
  2. OpenBSD has started a massive strip-down and cleanup of OpenSSL
  3. Please Put OpenSSL Out of Its Misery
  4. GNUtls: GnuTLS 3.3.0
  5. How to stop the next Heartbleed bug: pay open-source coders to protect us
  6. Will Open-Source Money Prevent the Next Heartbleed?
  7. 3 big lessons to learn from Heartbleed

    The devastating OpenSSL vulnerability proves the importance of data center orchestration, the wisdom of running older versions, and the need to give back to the OpenSSL project

  8. Heartbleed: developer who introduced the error regrets ‘oversight’

    Submitted just seconds before new year in 2012, the bug ‘slipped through’ – but discovery ‘validates’ open source

  9. After Heartbleed: 4 OpenSSL alternatives that work
  10. Heartbleed: Open source’s worst hour”>Heartbleed: Open source’s worst hour
  11. Does the Heartbleed bug refute Linus’s Law?

    The mistake being made here is a classic example of Frederic Bastiat’s “things seen versus things unseen”. Critics of Linus’s Law overweight the bug they can see and underweight the high probability that equivalently positioned closed-source security flaws they can’t see are actually far worse, just so far undiscovered.

  12. Heartbleed: Is Linus Torvald’s law invalid?

    How much data was compromised? How many billions lost? None that we know of. How much does the world loses every year because of Microsoft’s proprietary technologies? Billions of dollars are lost; nations’ securities are compromised and people lives are exposed to risks.

    A majority of NSA attacks won’t be possible without bugs in Microsoft products which the company reportedly shares with the agency so that it can be exploited to hack into computers that NSA can spy on. Microsoft bugs allowed USA to take down nuclear programs of countries like Iran, Microsoft bugs enabled NSA to spy on French president. Microsoft bugs allowed ‘alleged’ Chinese crackers to run a massive scale espionage against human rights activists in the US. In addition there are unaccounted thousands of cases every year where people and businesses lose millions due to security holes in Microsoft products.

  13. Heartbleed security flaw may not be as dangerous as thought

    But today, the content distribution network CloudFlare has announced Heartbleed may not allow access to those private keys after all. In two weeks of testing, the company has been unable to successfully access private keys with Heartbleed, suggesting the attack may not be possible at all. “If it is possible, it is at a minimum very hard,” researcher Nick Sullivan writes. “And we have reason to believe… that it may in fact be impossible.” If true, it makes Heartbleed much less dangerous than many had feared, offering a saving grace for compromised sites. Sullivan acknowledged that, in security tests, some private keys had been revealed by first requests to Apache servers, but he linked this to the process of restarting the server, which would severely limit the exposure to outside actors. Methods have also surfaced to help services tell if attackers have hit their servers using the bug. “Heartbleed still is extremely dangerous,” says CEO Matthew Prince, “but some of the worst fears about it having been used by organizations like the NSA to hoover up everyone’s private SSL keys look pretty unlikely to us based on this testing.”

  14. NSA has been exploiting Heartbleed for two years, leaving Americans exposed to cyber criminals: report [updated]

    As people were wondering NSA’s role in Heartbleed, it turned out that the agency was reportedly aware of the bug, as Bloomberg reports, for the last two years and has been exploiting it to spy on people. If the reports are true and NSA was aware of the bug and instead of getting it fixed it let extremely critical info of US citizens exposed to cyber criminals then NSA does need more oversight from the government.

    Heartbleed was not some minor bug, it affected almost every major web-service including Gmail, Amazon, Yahoo! and many more – holding the potential of exposing sensitive data to criminals. However, as soon as the bug was discovered the Open Source community immediately responded, patched the bug and start pushing the updates.

    While the Americans and the people from around the globe were exposed to cybercriminals, NSA was supposedly busy harvesting passwords and other critical to add it to already massive database.

    Bloomberg quotes Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer, “It flies in the face of the agency’s comments that defense comes first. They are going to be completely shredded by the computer security community for this.”

  15. NSA Said to Exploit Heartbleed Bug for Intelligence for Years
  16. Bloomberg: NSA Knew About, Exploited Open Source Heartbleed Bug for Years
  17. The NSA has exploited Heartbleed bug for years, Bloomberg reports
  18. Heartbleed coder admits ‘oversight’ but backs open source

    Seggelmann submitted the code at 11:59pm on New Year’s Eve 2011, but claims the timing had nothing to do with the mistake. Although the bug was also missed by the review process for OpenSSL, an open source project written and reviewed by volunteers, Seggelmann told British newspaper The Guardian that the bug’s eventual discovery shows the value of publically available open source code.

  19. Why a hacker got paid for finding the Heartbleed bug

    Microsoft and Facebook have also provided financial backing to Internet Bug Bounty, out of which Mehta’s prize money came, after running their own internal bug bounties that were very successful. Their money is benefiting the internet as a whole, but they don’t decide what money goes where.

  20. The Internet’s Telltale Heartbleed
  21. Heartbleed developer explains OpenSSL mistake that put Web at risk
  22. SteamOS Affected by Heartbleed Bug, Valve Hasn’t Updated the OS Yet
  23. Linux Foundation Responds to the Heartbleed Bug

    It’s nearly impossible to know for sure, due to the nature of the vulnerability, how much the Heartbleed vulnerability was used to snoop on secure data. We recommend for our sites the same as for other sites: first, watch for a statement to come out from your financial institutions, email providers, and others, which shares whether they were affected. Start changing your passwords. Use different passwords on different sites and store them in a password safe like KeePass, LastPass or 1Password. That way, if any sites that remain vulnerable leak your password, it won’t affect any other sites. Check back on sites that post statements after you changed the password, and then change the passwords again if needed.

  24. Working Out “Serious Security Flaws” In DRM Drivers

    While many are still busy working through fallout of the OpenSSL Heartbleed bug within organizations, on a separate but security related note, kernel developers specializing in the Direct Rendering Manager (DRM) graphics drivers are working to beef up their own driver security.

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

A Single Comment

  1. Needs Sunlight said,

    April 18, 2014 at 1:43 pm

    Gravatar

    There is a timeline of the events published here:

    http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html

What Else is New


  1. Interesting Supreme Court Cases About Patents in the United States

    A quick review of some of the latest developments regarding SCOTUS (the US Supreme Court) as far as patents go



  2. Governments in Europe Still Active Against EPO Management

    There is still political work being done -- albeit rather discreetly -- against Battistelli and his goons at the European Patent Office's top-level management



  3. The European Spam Office (EPO)

    EPO budget at 'work', days after doing copy-paste jobs and also working overtime in the weekend for an extravagant and needless/purposeless event (except for Battistelli's own pride)



  4. Not Just Benoît Battistelli and Willy Minnoye (EPO): Željko Topić Too Thinks He is Above the Law, Avoids the Judges and Courts

    The latest developments regarding some of the criminal complaints and civil lawsuits against Topić, who is now a Vice-President at the European Patent Office (EPO)



  5. Nefarious Forces for Patent Abuse and Software Patents in the United States, Australia, India, Korea, and Europe

    A roundup of news from the weekend and today, with emphasis on the elements inside the system (or the media) which push for regressive policies that benefit them financially at the expense of everybody else



  6. [ES] El Sistema de Patentes de los EE.UU: Donde Uno Desperdicia Años en Corte y Gasta $8,000,000 en Honorarios de Abogados Peleándo una Patente Falsa

    un sumario de noticias acerca de las patentes de software en los EE.UU. Y ha lo que han llevado, debido en gran manera al decline en calidad de las patentes por parte de la USPTO (dejando que otros se las arreglen limpiando el desórden)



  7. [ES] La Oficina Europea de Patentes Todavía Sigilósamente Abusiva, Pagará $15,000 en Compensasió a Trabajadora Tras un Tardío Fallo de la ILO

    La Organización Internacional del Trabajo (ILO) emite un fallo en un caso de abuso de la EPO y nota “la excesiva duración de los procedimienteos internos de apelación.”



  8. Links 2/5/2016: Linux 4.6 RC6, DragonBox Pyra

    Links for the day



  9. Links 1/5/2016: Wine 1.9.9, Devuan Jessie 1.0 Beta

    Links for the day



  10. The US Patent System: Where One Wastes Years in Court and Spends $8,000,000 in Lawyers' Fees Fighting a Bogus Patent

    A roundup of news about software patents in the US and what they have led to, owing in part to the USPTO's declining patent quality (leaving others to clean up its mess)



  11. The European Patent Office Still Silently Abusive, Will Pay $15,000 in Compensation to Female Worker After Belated ILO Judgment

    The International Labour Organisation (ILO) issues a judgment on a case of abuse by the EPO and notes "excessive length of the internal appeal proceedings."



  12. [ES] Alice Continúa Quebrando Patentes de Software Asi Que los Abogados de Patentes, Cabilderos de los Monopolistas, Etc. Ahora Atacan a la Corte Suprema por Hacer Esto

    los cabilderos Corpórativos y abogados de patentes están tratándo de poner a Alicia en la tumba, por su impacto en las patentes de software que es muy profundo y así hasta ahora casi indetenible



  13. [ES] ¿Cómo Salvar la Reputación de la EPO?: Crear Más Jurados de Apelaciónes en Europa y Abolir la Malgíada/Malintencionada Fantasía de la UPC

    Una crítica evaluación de lo que ocurre en la Oficina Europea de Patentes (EPO), la que rápidamente se está yendo para abajo (y degradando sobre todo) a el nivel de los sistemas Chinos, en conjuntamente con corrupción, los abusos, y la bajísima calidad de las patentes



  14. [ES] La Corte de Apelaciónes del Circuito Federal (CAFC) Acaba de Ponerse a Favor de los Trolles de Patentes

    la tristémente célebre CAFC, que manifestó las patentes de software en los EE.UU, acaba de dar un regalo a los trolles de patentes quienes típicamente usan las patentes de software para extorsión enc complicidad con los jueces del Este de Texas



  15. [ES] Análisis de los Últimos Datos de Lex Machina Acerca de la Litigación de Patentes Muestra Como está Declinándo

    el Professor Mark Lemley de Lex Machina resalta las tendencias en litigation al colectar y analizar datos relacionados con patente y concerniéntes a monopolios intelectuales en general; actualmente muestra una sequía de litigaciones (muestran que ha disminuído)



  16. [ES] La India Está Teniendo Otra Prueba de los Peligros de las Patentes Occidentales, Debe Aprender a Rechazar Completamente las Patentes de Software en Medio de Gran Presión

    El gigante de software que es la India continua enfrentándos ea la cruel y agresivo cabildeo de Occidente, haciéndo que este controle a la India por patentes que no deberían de existir en primer lugar



  17. [ES] Microsoft Dice que Continuará Extorsiónando a Compañías Que Distribuyan Linux, Usando Patentes de Software Usuallmente

    La guerra de Microsoft contra Linux, una guerra que es peleada usando patentes de software patents (por ganancias y/o por chantáje con arreglos empaquetados), todavía continúa a pesar de todas las tácticas de relaciónes públicas de Microsoft y sus sócios



  18. Alice Continues to Smash Software Patents So Patent Lawyers, Monopolists' Lobbyists Etc. Now Attack the Supreme Court for Doing This

    Corporate lobbyists and patent lawyers are trying to put Alice in the grave, for its impact on software patents is very profound and thus far almost unstoppable



  19. How to Salvage the EPO's Reputation: Create More Boards of Appeal in Europe and Abolish the Misguided UPC Fantasy

    A critical evaluation of what goes on at the European Patent Office (EPO), which is quickly descending down (and overall degrading) to the level of Chinese systems, along with the corruption, the abuses, and the low quality of patents



  20. Court of Appeals for the Federal Circuit (CAFC) Has Just Sided With Patent Trolls

    The notorious CAFC, which manifested software patents in the United States, has just given a gift to patent trolls that typically use software patents for extortion down in Texas



  21. Analyses of the Latest Data From Lex Machina About Patent Litigation Show Some Litigation Declines

    Professor Mark Lemley's Lex Machina highlights litigation trends by collecting and analysing data related to patents and pertaining to intellectual monopolies in general; now it shows litigation droughts



  22. India is Having Another Taste of the Dangers of Western Patents, Must Learn to Reject Software Patents in the Face of Great Pressure

    The growing software giant which is India continues to face cruel and aggressive lobbying from the West, enabling the West to control India by patents that should not exist in the first place



  23. Links 29/4/2016: GNOME 3.21.1, Fairphone

    Links for the day



  24. Microsoft Says It Will Continue to Extort Companies That Distribute Linux, Using Software Patents As Usual

    Microsoft's war on Linux, a war which is waged using software patents (for revenue and/or for coercion in bundling deals), is still going on in spite of all the PR tactics from Microsoft and its paid partners



  25. Australia Might be Next to Block Software Patents If Commission's Advice is Followed

    Australian advice against software patents, which can hopefully influence Australian politicians and put an end, once and for all, to all software patents in Australia



  26. [ES] ''Si la Forma de Pensar de la EPO fuese Seguida, Guantánamo Sería Posible en Suelo Alemán.”

    La EPO está todavía bajo fuego, pero mucho de ello pasa detrás de las cortinas y envuelve abogados y/o burócratas



  27. The European Copy-Paste Office (EPO)

    This morning's example (not the first) of how the EPO uses 'social' media



  28. Links 28/4/2016: Fedora 24, EE Goes Open Source

    Links for the day



  29. Amid Referendum “the New European Unitary Patent System is Likely to Collapse Before It Started”

    The Unitary Patent Court (UPC) vision seems like it may be just one month away from its gradual death, depending on British voices amongst other key factors



  30. USTR is Trying to Shame and Bully India Into Introducing Software Patents in India

    Lobbying body of the US (corporations-led) is trying its usual dirty tactics against India's sound policy which excludes software/algorithms from patent scope


CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts