
View Diary: NSA said to use 'Heartbleed' bug to obtain intelligence, exposing consumers to internet risks (121 comments)


  •  I've been on the phone half of this week... (29+ / 0-)

    ...because of this! The thought that it's been propagated by the NSA has crossed my mind countless times over the past few days, as well.

    Abso-f*cking-lutely REPREHENSIBLE.

    If the NSA's engaging in ANY activities which would expand the use of this bug/spyware/malware, and (essentially) adding to this problem, it's tantamount to treason, just like virtually so many of the other ORWELLIAN matters we've read about, as far as the NSA's concerned, BUT PERHAPS on a level that's exponentially worse.

    So, it's with tremendous irony that I read trollish comments in my posts, and the posts of others in this community, referring to Snowden, et al, as a "traitor." Those that engage in this kind of behavior are very, very, very confused.

    Then again, domestically wiretapping the entire population, profiling and surveilling multiple ethnic and racial skews throughout the country, and generally making Orwell appear as if his stories were a day at the beach compared to what we're seeing play out in real life, all adds up to one big f*cking travesty of historical proportions.

    Compounding the matter, we're paying scores of billions of dollars for this stuff--all being done by more than a dozen intelligence/law enforcement agencies throughout this country--but we're told there is no money for unemployment benefits or food stamps, etc.

    How can any rational, sane person justify this insanity, let alone promote it?!?! Or, perhaps worse yet, engage in efforts to suppress the outrage about it?!?!?

    "I always thought if you worked hard enough and tried hard enough, things would work out. I was wrong." --Katharine Graham

    by bobswern on Fri Apr 11, 2014 at 12:56:52 PM PDT

    •  99.9% of the people and businesses in the U.S.... (12+ / 0-)

      ...that so much as use email or the Internet, or maintain any public facing servers, or (for that matter as I've learned over the past 36 hours) even work on Intranets or Private cloud-based systems are affected by this.

      How bad is this? Cisco's hardware and software pretty much RUNS the Internet. Here's their memo on how this affects their products!?!?!?! "Cisco Security Advisory" (4/9/14; updated 4/10/14)

      "I always thought if you worked hard enough and tried hard enough, things would work out. I was wrong." --Katharine Graham

      by bobswern on Fri Apr 11, 2014 at 01:07:06 PM PDT

      [ Parent ]

      •  Bob-- Cisco's mainline Enterprise switches (1+ / 0-)
        Recommended by:
        Remembering Jello

        ...and routers and VPN servers are unaffected according to your own link.

        The situation is plenty interesting on its own, and doesn't need extra hyperbole from us.

        -Jay-
        
        •  Really, well apparently RACKSPACE... (5+ / 0-)
          Recommended by:
          RFK Lives, gooderservice, TheMomCat, BYw, kurt

          ...known as one of the "Cadillacs" of the ISP biz, where I host all of my servers, is in full-fledged freakout mode, and they didn't get your "memo."

          (Although, if you call them on this, they'll probably deny it.)

          And, frankly, I'm glad that's the case, because if they were NOT freaking out about it, I'd be much more worried.

          So, sincerely, don't tell me where to put my "hyperbole," because that's total bullshit. It's not hyperbole.

          We work with some of the largest financial services firms in the U.S., as well as with most of the personal-private-info providers, too (i.e.: Experian, Equifax, Trans Union, LexisNexis, etc., etc.), and they ARE ALL freaking out about it.

          This is a HUGE issue. It's one big clusterf*ck as far as enabling man-in-the-middle attacks is concerned. And, NONE of these companies have true control over that, no matter what "calming" words and accusations you might wish to offer up to our audience.

          Anyone in this business KNOWS that there's virtually no such thing as an unhackable network. But, the GREATER TRUTH that we're learning this week is that MOST NETWORKS are now much more readily hackable than any NetSec manager's worst nightmare could ever conjure up.

          Hyperbole? Seriously?

          "I always thought if you worked hard enough and tried hard enough, things would work out. I was wrong." --Katharine Graham

          by bobswern on Fri Apr 11, 2014 at 01:44:32 PM PDT

          [ Parent ]

          •  For many years... (4+ / 0-)
            Recommended by:
            gooderservice, TheMomCat, BYw, kurt

            ...I've had access to no less than 4 or 5 individuals that are self-proclaimed experts at hacking Cisco's firewalls/networks. And, that was their status BEFORE this story came into play.

            There is virtually no such thing as an unhackable network. Now, due to this story, we know that these networks are much more hackable than we ever thought possible.

            "I always thought if you worked hard enough and tried hard enough, things would work out. I was wrong." --Katharine Graham

            by bobswern on Fri Apr 11, 2014 at 01:53:40 PM PDT

            [ Parent ]

            •  "Your tax dollars at work." n/t (2+ / 0-)
              Recommended by:
              gooderservice, TheMomCat

              "I always thought if you worked hard enough and tried hard enough, things would work out. I was wrong." --Katharine Graham

              by bobswern on Fri Apr 11, 2014 at 01:54:27 PM PDT

              [ Parent ]

            •  A Pandora's Box was opened post-9/11 (3+ / 0-)
              Recommended by:
              TheMomCat, bobswern, Creosote

              Thus far, nobody in a position of authority has done much to try to close it.  We're talking systemic failure at this point.  This WH is unwilling/incapable of restoring constitutional balances, and the intelligence committees aren't much better.

              This republic has faced some serious crises before, but this one is a lot more severe than people are willing to acknowledge.  227 years of constitutional traditions are in the balance here.

              Some men see things as they are and ask why. I dream of things that never were and ask why not?

              by RFK Lives on Fri Apr 11, 2014 at 02:40:41 PM PDT

              [ Parent ]

          •  "Freaking out about it" is not equal to... (1+ / 0-)
            Recommended by:
            JayBat

            "Affected by it."

            This ONLY applies to those secure implementations that used the OpenSSL code libraries 1a-1f.

            Granted that is a LOT of supposedly secure products, probably close to 2/3rds of all SSH code in production.  That is what should be scaring everyone.

            However, consider that some industries (such as banking and medical) are very leery about open-source code.  The idea that anyone can freely analyze the sourcecode to THEIR STUFF has always scared them silly.  

            Also, due to IIS being offered free of charge by Microsoft for the first few years of its existence (and offered as a package deal with every copy of Windows Server sold), it has considerable market share.  It is not affected because IIS's implementation of SSH does not use this code library.  (We won't mention all the other security holes found in IIS over the years, lest this thread become a college lecture.)

            That leaves all the boxes running Apache and derivatives (such as WebSphere) as potentially vulnerable, along with the other technology (Jabber, file sharing, VPN) that uses OpenSSH.  These are all the locks that have to be changed out.

            That said... I would expect to see a LOT of new certificates offered by the likes of Google, Yahoo, Amazon, etc etc over the next few months.  Until you see those new certs, changing your passwords won't accomplish much, because they'll still be based on the old (and compromised) certs and thus could still be vulnerable.    

            Once those new certs are in play and the old ones revoked, THEN you can be sure that any passwords or RSA keys you use aren't likely to be vulnerable to Heartbleed.

            The Rich and Spoiled 1%'ers are making the Biker Gang 1%'ers look a lot better than they used to.

            by dcnblues on Fri Apr 11, 2014 at 03:51:05 PM PDT

            [ Parent ]
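The comment above gives the remediation order a defender has to follow: first the OpenSSL library, then the certificate (reissued and the old one revoked), and only then passwords and keys, because a password changed before the certificate is replaced can be harvested exactly as the old one was. The following Python is an added example for this thread, not code from the diary or from any commenter. It encodes that ordering as a small inventory triage. The version facts it relies on are from OpenSSL's own advisory: upstream 1.0.1 through 1.0.1f contained the heartbeat bug, 1.0.1g fixed it, and the 1.0.0 and 0.9.8 branches never had it. The host names, version strings and certificate dates are constructed sample data, and the `openssl_status`, `cert_reissued_after_disclosure` and `triage` helpers are this example's own names.

```python
"""Heartbleed remediation triage, in the dependency order the comment describes.

Added example for this thread, not code from the diary or any commenter.
Two checks are run across a server inventory:

  1. openssl_status(): does the reported OpenSSL version fall in the affected
     range?  Upstream 1.0.1 through 1.0.1f carried the vulnerable heartbeat
     code; 1.0.1g fixed it; the 1.0.0 and 0.9.8 branches never had it.
  2. cert_reissued_after_disclosure(): was the certificate issued after the
     public disclosure on 7 April 2014?  Until the certificate and its private
     key are replaced and the old one revoked, a new password is no safer than
     the old one.

Host names, version strings and dates below are constructed sample data.
"""
import re
from datetime import date, datetime

DISCLOSURE_DATE = date(2014, 4, 7)  # day Heartbleed was publicly disclosed

# 1.0.1 releases that contain the bug: the initial 1.0.1 (no letter) and a-f.
_AFFECTED_LETTERS = ("", "a", "b", "c", "d", "e", "f")

# Matches the leading "OpenSSL 1.0.1e" part of what `openssl version` prints.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def openssl_status(version_string):
    """Classify an OpenSSL version string.

    Returns "affected", "patched" (1.0.1g or later in the 1.0.1 branch) or
    "unaffected" (a branch that never shipped the heartbeat bug).

    Caveat: only the upstream version number is examined.  Distributions that
    backported the fix without bumping the letter (a patched "1.0.1e") still
    classify as "affected", so treat that result as "confirm manually", not
    as proof of exposure.
    """
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % version_string)
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)
    if branch != (1, 0, 1):
        return "unaffected"
    return "affected" if letter in _AFFECTED_LETTERS else "patched"


def cert_reissued_after_disclosure(not_before):
    """True if the certificate's notBefore date ("YYYY-MM-DD") is after disclosure."""
    issued = datetime.strptime(not_before, "%Y-%m-%d").date()
    return issued > DISCLOSURE_DATE


def triage(host, version_string, cert_not_before):
    """Return the single next remediation step for one host, in dependency order."""
    status = openssl_status(version_string)
    rotated = cert_reissued_after_disclosure(cert_not_before)
    if status == "unaffected":
        step = "none: this OpenSSL branch never shipped the heartbeat bug"
    elif status == "affected":
        step = "upgrade OpenSSL first; nothing else helps while memory is still leaking"
    elif not rotated:
        step = "reissue the certificate with a new private key and revoke the old one"
    else:
        step = "rotate passwords, session cookies and keys that were in use before the new certificate"
    return {"host": host, "openssl": status, "cert_rotated": rotated, "next_step": step}


# Constructed inventory: (host, output of `openssl version`, certificate notBefore).
SAMPLE_INVENTORY = [
    ("web-1.example.invalid", "OpenSSL 1.0.1e 11 Feb 2013", "2013-09-01"),
    ("web-2.example.invalid", "OpenSSL 1.0.1g 7 Apr 2014", "2013-09-01"),
    ("web-3.example.invalid", "OpenSSL 1.0.1g 7 Apr 2014", "2014-04-12"),
    ("legacy.example.invalid", "OpenSSL 1.0.0k 5 Feb 2013", "2012-06-30"),
]


def triage_inventory(inventory=SAMPLE_INVENTORY):
    """Triage every host and return the results keyed by host name."""
    return {host: triage(host, ver, nb) for host, ver, nb in inventory}


if __name__ == "__main__":
    for host, result in triage_inventory().items():
        print("%-24s openssl=%-10s cert_rotated=%-5s -> %s"
              % (host, result["openssl"], result["cert_rotated"], result["next_step"]))
```

The version check is deliberately conservative: a distribution that backported the fix into a package still reporting 1.0.1e will show as "affected", so on such hosts the package changelog, not the version string, is the thing to confirm. The certificate check uses only the notBefore date because a certificate reissued with the same private key looks new but changes nothing; the step text therefore says "new private key" explicitly.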

            •  dcnblues-- SSH is not affected n/t (0+ / 0-)
            •  IIS is the swiss cheese of NetSec... (0+ / 0-)

              ...frankly, I hate MS products...then again, I came into this business in the 1980's, and then well into the 1990's, with IBM being one of my largest clients. And, during that period, the animus between IBM and MS was outright legendary.

              "I always thought if you worked hard enough and tried hard enough, things would work out. I was wrong." --Katharine Graham

              by bobswern on Fri Apr 11, 2014 at 10:03:38 PM PDT

              [ Parent ]

          •  Bob-- Let me know when you switch (1+ / 0-)
            Recommended by:
            bobswern

            to all BOLDFACE AND UPPERCASE, then I'll know it's time for me to ignite my hair. Just kidding. I am really truly trying not to be an asshole here.

            You may be reading more into my reply than I actually wrote. You said:

            How bad is this? Cisco's hardware and software pretty much RUNS the Internet. Here's their memo on how this affects their products!?!?!?! "Cisco Security Advisory" (4/9/14; updated 4/10/14)

            Now it's true that Cisco (and Juniper and Huawei and Alcatel/Lucent, in that order) "run the internet" (build and sell the switches and routers our precious packets run through). But Bob, when you actually go and read the Cisco Advisory, there is nothing (yet) to set off sirens and bells. Some of their VOIP desktop phones and horrendously expensive teleconferencing platforms? Meh.

            There is one line in that file (as of Revision 1.3  2014 April 11 20:28 UTC) that gets your attention:

            The following Cisco products are currently under investigation:
            Cisco IOS XR

            That's interesting. So IOS XR (used on the newest/biggest core routers) is using OpenSSL and they haven't yet convinced themselves that all releases in the field have the kind of runtime memory partitioning that they would normally do... But even if that turns out to have been vulnerable, semi-competent admins don't expose admin ports on $500K core routers to the outside, right? And if they do, they've got far worse problems than Heartbleed.

            No, I'm a card-carrying EFF member (errr, t-shirt wearing, they don't give us cards!) because of front doors like PRISM, not because of intentional or unintentional back doors like Heartbleed. It is likely that Snowden/Greenwald have exposed only a tiny fraction of what PRISM is really doing, and programs like PRISM are what really pisses me off.

            Heartbleed exploitation (whether NSA or Russian credit card gangs) is about service providers, not network infrastructure.

            All the best.

            -Jay-
            
            •  You're obviously clueless about the role... (0+ / 0-)

              ...call center technology has in the finance business. Because if you were aware of that, you'd understand whereof I speak. And, most of these call center platforms directly interface with the primary network servers of the entire operation(s) at these large financial services cos., and in a very big way, too.

              I'm talking: every major bank, mortgage firm, debt collection firm, etc., etc.

              "I always thought if you worked hard enough and tried hard enough, things would work out. I was wrong." --Katharine Graham

              by bobswern on Fri Apr 11, 2014 at 09:59:18 PM PDT

              [ Parent ]

              •  Huh? (0+ / 0-)

                I know all about the outsource call center business (ACS/Xerox is everywhere). Again, if you haven't properly firewalled/tunnelled your contractor's access to the subset of your CRM systems they need, you've got waaay worse problems than Heartbleed. Shrug

                Have a great day.

                -Jay-
                
        •  "Extra hyperbole" means you really don't (3+ / 0-)
          Recommended by:
          TheMomCat, DeadHead, bobswern

          understand what is happening. There is no hyperbole involved. THIS is a big fucking deal.

          Dallasdoc: "Snowden is the natural successor to Osama bin Laden as the most consequential person in the world, as his actions have the potential to undo those taken in response to Osama."

          by gooderservice on Fri Apr 11, 2014 at 02:37:28 PM PDT

          [ Parent ]

    •  They're trollish posts because they ARE trolls (6+ / 0-)

      People put here, or manipulated by people put here, to intentionally and deliberately smear folks like Snowden and Greenwald and anyone who appreciates what they've done, divide the left, and defend the national insecurity state and the corporate interests that own it.

      What kind of person does that?

      Stupid people
      Authoritarians
      Weak-minded people
      Schmucks
      Cowards
      Sociopaths
      Clueless people

      You don't have to be all of these. Only one will suffice. Most people are at least one of these. That's how the other side wins.

      "Reagan's dead, and he was a lousy president" -- Keith Olbermann 4/22/09

      by kovie on Fri Apr 11, 2014 at 01:11:14 PM PDT

      [ Parent ]

      •  You forgot... (2+ / 0-)
        Recommended by:
        DeadHead, greenbell

        Democratic Party apologists.

        "[I]n the absence of genuine leadership, they'll listen to anyone who steps up to the microphone...They're so thirsty for it they'll crawl through the desert toward a mirage, and when they discover there's no water, they'll drink the sand."

        by cardboardurinal on Fri Apr 11, 2014 at 01:26:22 PM PDT

        [ Parent ]

        •  Who fit neatly into the above categories IMO (1+ / 0-)
          Recommended by:
          DeadHead

          Most tribal types are quite stupid or weak IMO, hiding behind some imagined team because they lack individual strength or identity. They have their team's "back", but does it have theirs? The true test of tribal worth.

          "Reagan's dead, and he was a lousy president" -- Keith Olbermann 4/22/09

          by kovie on Fri Apr 11, 2014 at 01:34:55 PM PDT

          [ Parent ]

          •  I was trying... (0+ / 0-)

            not to be so blunt about it...but you are probably correct about a lot of them.  

            "[I]n the absence of genuine leadership, they'll listen to anyone who steps up to the microphone...They're so thirsty for it they'll crawl through the desert toward a mirage, and when they discover there's no water, they'll drink the sand."

            by cardboardurinal on Fri Apr 11, 2014 at 01:47:33 PM PDT

            [ Parent ]

            •  I'm too old to harbor sentimental delusions (1+ / 0-)
              Recommended by:
              Tool

              Mind you, I don't say such things to the faces of people I believe to be in such categories, for the most part. What's the point? And, some of them may yet come around, someday, but it's not my job to jolt them there.

              "Reagan's dead, and he was a lousy president" -- Keith Olbermann 4/22/09

              by kovie on Fri Apr 11, 2014 at 01:50:12 PM PDT

              [ Parent ]

      •  Just don't call their BS propaganda "tripe" (1+ / 0-)
        Recommended by:
        TheMomCat

        Or they'll HR you for it.

        Somebody has to do something, and it's just incredibly pathetic that it has to be us. ~ Garcia

        by DeadHead on Fri Apr 11, 2014 at 01:45:29 PM PDT

        [ Parent ]

        •  I know the rules (2+ / 0-)
          Recommended by:
          DeadHead, Tool

          and what I can and can't say here. I accuse no one specifically of such, so I'm good. And they can shove their tripe up their passive-aggressive un-American asses and maybe get a real job someday doing real work.

          "Reagan's dead, and he was a lousy president" -- Keith Olbermann 4/22/09

          by kovie on Fri Apr 11, 2014 at 01:54:14 PM PDT

          [ Parent ]

      •  Dividing the left... (0+ / 0-)

        seems to cut both ways. Your list of the qualities that define those who do not "appreciate" what Snowden and / or Greenwald has done, or are doing is quite divisive. Perhaps those who don't think Snowden and Greenwald should set security policy for the US are simply not comfortable with individuals deciding what is and what isn't necessary and sharing that with the world at large. What kind of person does that?

        Paranoid People
        Egotistical People
        Paternalistic People
        Dogmatic People

        People who are sure their way is the only way, and everyone else is stupid, clueless and weak-minded

        You don't have to be all of these, only one will suffice to "divide" the left. Did you really not see the irony in this comment?

        •  Pretty words (5+ / 0-)

          But simply not borne out by the facts. But go ahead and keep either believing the lies our government tells you because it's easier and more comforting and when your side does it it's ok.

          Our government spies on us, illegally. To deny it is delusional. To believe that it's for our own good is both idiotic and fascistic.

          Do you not see the irony in your own words?

          "Reagan's dead, and he was a lousy president" -- Keith Olbermann 4/22/09

          by kovie on Fri Apr 11, 2014 at 02:03:51 PM PDT

          [ Parent ]

          •  I actually didn't say... (1+ / 0-)
            Recommended by:
            Garrett

            which insulting and divisive list I would place myself on, I have a more nuanced opinion and wouldn't appreciate being placed on either. That was the point of my comment. The irony of calling something divisive and then posting a divisive list of how stupid people are. That's all.

            •  I didn't say JUST stupid (2+ / 0-)
              Recommended by:
              reginahny, DeadHead

              There are other reasons and motivations, but stupid is clearly one of them, along with authoritarian, foolish, naive and self-interested (my list wasn't exhaustive of course). Plus, very smart people can be selectively stupid. I know I've been such in the past. When it's easier to be stupid, one tends to be stupid. And it's easier to pretend that everything's AOK.

              "Reagan's dead, and he was a lousy president" -- Keith Olbermann 4/22/09

              by kovie on Fri Apr 11, 2014 at 02:24:44 PM PDT

              [ Parent ]

        •  Well... (3+ / 0-)
          Recommended by:
          Tool, TheMomCat, kovie
          Your list of the qualities that define those who do not "appreciate" what Snowden and / or Greenwald has done, or are doing is quite divisive.

          Except, one group is on the wrong side of history, and the other is disconnected from reality.

          Perhaps those who don't think Snowden and Greenwald should set security policy for the US are simply not comfortable with individuals deciding what is and what isn't necessary and sharing that with the world at large.

          Strawman. They don't set security policy, the people you seem to be defending do. Apparently you're okay with the perpetrators "deciding" which of their abuses we get to know about and which ones we don't.

          What kind of person does that?

          Those who have a clue, perhaps?

          People who are sure their way is the only way, and everyone else is stupid, clueless and weak-minded

          Well, there really hasn't been a compelling argument put forth that proves otherwise.

          Somebody has to do something, and it's just incredibly pathetic that it has to be us. ~ Garcia

          by DeadHead on Fri Apr 11, 2014 at 02:21:37 PM PDT

          [ Parent ]

          •  People who call global warming deniers (1+ / 0-)
            Recommended by:
            DeadHead

            idiots, fools, liars and trolls are clearly being divisive, in an ironic way.

            Why can't we all learn to just love one another and accept our overlords?

            "Reagan's dead, and he was a lousy president" -- Keith Olbermann 4/22/09

            by kovie on Fri Apr 11, 2014 at 04:01:28 PM PDT

            [ Parent ]

          •  And who are you to tell me that 1 + 1 = 2?!? (1+ / 0-)
            Recommended by:
            DeadHead

            Don't persecute me divisively, bro!

            "Reagan's dead, and he was a lousy president" -- Keith Olbermann 4/22/09

            by kovie on Fri Apr 11, 2014 at 04:02:43 PM PDT

            [ Parent ]
