So pretty much everything exploded this week. If you were paying attention, you were probably warned not to go near things like your online banking site, or pretty damn near anything that advertises itself as having a secure connection. This is because of a pretty lethal bug in the software that provides that secure connection in several cases, one that pretty well rendered your secure connection worse than no security at all. There’s a pretty nice, if a little technical, explanation for it written up by the guys I’m paying for the use of this server, but the cliff notes version is that the hole’s a few years old, and can provide someone who knows what they’re doing with access to pretty much any information stored in the memory of a server running the buggy software. So if someone knew how to take advantage of that security hole, they could potentially have access to usernames, passwords, credit card numbers, basically anything that happened to be in that server’s memory at the time.
There’s an updated version of that software in the wild now that plugs this security hole (note: not that anything on the server uses secure connections at the moment, but I’m running that updated software now anyway), so as people get around to applying it, that should be much less of a holy hell what in creation have I done kind of problem. Which is awesome, for guys like you and me. A little less awesome, though, for guys like the NSA.
The internet is still reeling from the discovery of the Heartbleed bug, and yesterday we wondered if the NSA knew about it and for how long. Today, Bloomberg is reporting that the agency did indeed know about Heartbleed for at least the past two years, and made regular use of it to obtain passwords and data.
While it’s not news that the NSA hunts down and utilizes vulnerabilities like this, the extreme nature of Heartbleed is going to draw more scrutiny to the practice than ever before. As others have noted, failing to reveal the bug so it could be fixed is contrary to at least part of the agency’s supposed mission:
Ordinary Internet users are ill-served by the arrangement because serious flaws are not fixed, exposing their data to domestic and international spy organizations and criminals, said John Pescatore, director of emerging security trends at the SANS Institute, a Bethesda, Maryland-based cyber-security training organization.
“If you combine the two into one government agency, which mission wins?” asked Pescatore, who formerly worked in security for the NSA and the U.S. Secret Service. “Invariably when this has happened over time, the offensive mission wins.”
So when the smoke clears, the NSA will have at least a little bit less access to John Q. User’s data, at least until they end up mandating another hole in some other layer of security software. But until then, it looks like the fine folks at stalker central will end up being the only ones dealing with a case of Heartbleed when it’s all done and dusted. Now if only it were that easy to switch off the exploits they helped introduce.