Summary: Our views on the whole Heartbleed® bonanza, which seems like partly a PR stunt (for multiple stakeholders)
A LOT has been said about Heartbleed® since the firm of Microsoft’s ‘former’ security chief (who had worked with the FBI, the NSA’s more evil twin) irresponsibly ‘leaked’ the flaw, and did so at the very same moment that Windows XP users rushed to GNU/Linux for security reasons. I know of such users (even corporations I deal with) and I saw their reaction to this unforeseen ‘leak’. Funny timing.
In this post we outline some key facts (carefully and patiently studied over the past 10 days). As my doctoral degree is not far from cryptography and I have consulted people who do security for a living, I can assure readers that we do grasp the technical details, unlike many so-called ‘journalists’ with degrees in English or history. We are not going to delve into less plausible theories like a connection between the flaw and the NSA although there are circumstantial connections, an NSA program specifically designated to this (NSA operation ORCHESTRA), and we already know that Red Hat relays non-SELinux code directly from the NSA to Torvalds, as we covered earlier this year (meaning that only a developer in the middle knows where the code originally came from). In this particular post we are going to focus on other important points that ought to be made now that Heartbleed® is mostly out of the headlines and little new information will come out during Easter. This post is based on assessment of about 100 reports and subsequent research lasting many hours.
A little and slightly old tidbit shared with us by iophk (a network security professional) said that even the NSA and its circles are negatively affected by Heartbleed®. This article states: “”I am waiting for a patch,” said Jeff Moss, a security adviser to the U.S. Department of Homeland Security and founder of the Def Con hacking conference.”
There are reasons to believe that the NSA was not aware of this flaw or had not exploited it. For instance, the government’s demands from Lavabit may suggest that OpenSSL back doors were not known at that time (2013). Also, reading all about the personal background of the man behind the bug, it’s nearly impossible to find any connection to the NSA and its ilk. The guy is German, but another German Danish developer (Poul-Henning Kamp, a FreeBSD and Varnish developer) spoke only some months ago about a US program of introducing bugs into FOSS (see “NSA operation ORCHESTRA” above).
iophk responds to the article about firewalls woes by asking: “Why the hell is he not running one based on Linux or BSD? Something’s not right. Proprietary “solutions” have no place in infrastructure for just these kinds of reasons.”
Well, with Windows, for example, the NSA perhaps assumes a monopoly on back doors. It’s a form of total control.
The BSD community, which is also behind OpenSSH, has begun doing some commendable things [1,2] short of throwing away OpenSSL [3]. There is a new release of GnuTLS [4], for example, but we cannot be 100% certain that GnuTLS is immune to “bug doors”, as Julian Assange recently called them. “GnuTLS was immune to the OpenSSL bug,” writes iophk, “but in regards to the latter was ‘responsible disclosure’ followed? I got the feeling that it wasn’t and that the web site was set up and publicized before even the OpenSSL team was informed. Where can I find a detailed timeline of events?”
Well, a deceiving timeline was later published by the Australian press. Security gurus have widely chastised this form of ‘responsible’ disclosure of Heartbleed®; even the project site of OpenSSL hadn’t been patched before the disclosure. The same goes for the FBI, which again helps validate claims that the government was not fully aware of the issue.
OpenSSL was having limited resources and some articles covered it [5-7]. Regardless, it’s now claimed NSA knew about the bug for 2 years and we should always remember that Microsoft’s Howard Schmidt was connected to FBI before his firm published Heartbleed® for fame, fun, and profit. It’s not just Microsoft that makes his motives a tad suspicious. The whole Heartbleed® thing “has a very media friendly name and a cute logo,” as a British FOSS professional put it. It’s like a branding exercise. Also see this post titled “What Heartbleed Can Teach The OSS Community About Marketing”. “Ties in a bit with what you’ve posted,” iophk told me after I had noted the marketing angle.
As a recap, Heartbleed® was pretty much branded and released like a product by a firm headed by a Microsoft (and FBI) veteran. This firm also works with Microsoft, so the disclosure on Windows XP’s EOL date is too hard to ignore, If this was already known about by the NSA for years, then one may wonder if the disclosure came through whispers rather than research. Glyn Moody was told by Wikileaks (Twitter account seemingly run only by Julian Assange) that “Assange spoke about vulnerability of OS’s to bribes and bugdoors in upstream components.”
Howard Schmidt (chairman of board of company that marketed Heartbleed®) worked with the FBI and another NSA partner/PRISM pioneer (Microsoft). If the NSA knew about the bug, then one wonders what role Schmidt may have played. The last thing that the NSA wants is people (especially outside the US) adopting Free software and GNU/Linux because Microsoft is where back doors are; by design, not by accident. Heartbleed® was reportedly known to the NSA for years (every article that claims this cites Bloomberg, which is notable corporate press and usually a bit dubious when it comes to agenda). If true, this was the type of bug that Edward Snowden’s leaks had alluded to (bug doors, not back doors). Schmidt et al. might be trying to exploit it for FUD and profit, by opportunistically divulging it as soon as mass migration to GNU/Linux in enterprises and homes begins. A decade ago it seemed like a back door had been put inside Linux by the NSA, but the developers caught the intrusion and removed it. There were numerous reports last year saying that the NSA had approached Torvalds, asking him for back doors in Linux, so what Seggelmann did in OpenSSL should not be treated too lightly. The time of the committal is a little suspicious [8] (people away from home to celebrate New Year) and the reputation of OpenSSL is now thoroughly destroyed, which will help its competitors (including proprietary) [9]. There is now a lot of FUD out there about FOSS (the only one we’re willing to cite is [10] because it’s not too malicious), sometimes coming from the mouths of Microsoft boosters or challenging Torvalds’ famous “law” [11,12]. I even get taunted over this in Twitter. The old FUD is back, never mind Coverity’s latest report which again contradicts such FUD.
Mind the article “Heartbleed security flaw may not be as dangerous as thought” [13], which sheds some light on who’s able to exploit and who’s not able to exploit Heartbleed® given the resource limitations (the thing about crackers of the NSA and GCHQ is that they have supercomputers to have a crack at it, and the same is probably true when it comes to the FBI, which is in many ways worse and more aggressive than the NSA; the FBI infiltrates Windows with CIPAV). If the widely-cited reports are true and the NSA knew Heartbleed® (and used it for two years) [14-17], then it’s a massive revelation (the NSA denies this, but denials from the NSA are worthless given its track record when it comes to truth-telling).
Perhaps the most disturbing thing about the story is, the NSA may have discovered Heartbleed® years ago (if not made it, which sounds unlikely [18]) and the firm of Microsoft’s ‘former’ security chief is making a profit from this [19] (the Heartbleed® bounty is partly paid by Microsoft and the partly Microsoft-owned Facebook). A bunch of opportunists got paid for irresponsible disclosure that damaged the Internet [20,21] and harmed many people’s privacy (potentially leading to some people’s deaths).
The GNU/Linux brand is profoundly damaged by this (many GNU/Linux sites mentioned it [22-24]) even though the bug also affects Windows and Apple operating systems. To us it will always seem like marketing campaign coordinated to take place at a strategic date (Windows XP EOL).
Has Microsoft’s Howard Schmidt decided to ‘leak’ it to distract from XP EOL (which means insecurity by policy)? Perhaps. Schmidt had worked with the FBI, so he could have some inside knowledge. He might have former colleagues who could tell him about this (even leak it to him) before he would hype it up, give it a scary name, make a dot com web site, a logo, et cetera, essentially ‘merchandising’ the FUD.
— source techrights.org