Heartbleed and the NSA: put your hand up if you've ever credited a responsible-disclosure vulnerability report to the NSA. Anybody? Anybody?

Heartbleed is no doubt the worst security bug to hit the Internet in a very, very long time, and this comes hot on the heels of serious SSL certificate checking bugs in iOS and OpenSSL.

Bloomberg says the NSA knew of Heartbleed and said nothing. The ODNI forcefully denies this. Unfortunately the denial is difficult to accept, and here is why. Vendors often credit the people or organisations who find vulnerabilities. As the ODNI themselves pointed out, the Federal government uses OpenSSL and, no doubt, many other open source security products.

It would make sense for the 'defensive' wing of the NSA to to audit these products and, following the logic the ODNI themselves laid out in the link above, responsibly disclose any vulnerabilities to the product owners.

Furthermore, it is an obvious PR win for the NSA to ask for credit, and they know how open source works, having done work on SELinux etc. People would say, "Hey, my tax dollars at work, making us all safer! Truly the NSA is a force for good in the world."

(On the other hand, it is an obvious counterintelligence win not to ask for credit, because then the Chinese, Russians etc. (and Germans, the MSF, and UNICEF to judge by their target list) would say 'The NSA can find that type of vulnerability? Better scan our software!' and Coverity would add a check for that class of problem, making future bug hunting harder.)

But here is the problem: does anyone recall any serious security vulnerabilities that were found and disclosed by the NSA? I don't. We know they search for vulnerabilities; the ODNI admits this themselves. Thanks to Snowden we know that programs such as FoxAcid can query a library of exploits in real time using complex criteria such as value, risk of disclosure etc.

If the ODNI's assertions regarding disclosure of vulnerabilities such as heartbleed are true, where are the corporations and open source projects that can stand up and credit the NSA with finding the problems for which they have issued patches? Why is their blog post above a context-free assertion of fact, instead of a litany of examples of past actions?

This is my conclusion. Anyone who works on OpenSSL or any other open source project such as BIND or Apache, and who has received a vulnerability disclosure from the NSA, needs to stand up and say so. Their continuing absence proves Bloomberg right and the ODNI wrong, and we need to know.

No comments: