nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

From: Rich Kulawiec <rsk () gsp org>
Date: Fri, 11 Apr 2014 16:48:02 -0400
On Fri, Apr 11, 2014 at 04:03:36PM -0400, William Herrin wrote:

If you told me they used it against the targets of the day while
putting out the word to patch I could buy it, but intentionally
leaving a certain bodily extension hanging in the breeze in the hopes
of gaining more valuable data than they lose would have been an
unusually gutsy move.


"unusually gutsy" compared to what, EXACTLY?

        Sources: NSA sucks in data from 50 companies
        http://theweek.com/article/index/245311/sources-nsa-sucks-in-data-from-50-companies

        Report: NSA Circumvented Encryption
        http://www.bankinfosecurity.com/report-nsa-circumvented-encryption-a-6045

        [ That one is interesting, by the way.  It's from September 6, 2013, and
        quotes reporting by the New York Times and Pro Publica the previous day.
        Here's an excerpt:

                Bruce Schneier, a widely followed cryptography expert,
                author and blogger, characterizes the revelation as
                explosive. "Basically, the NSA is able to decrypt most of
                the Internet," he writes in his blog. "They're doing it
                primarily by cheating, not by mathematics. ... Remember
                this: The math is good, but math has no agency. Code
                has agency, and the code has been subverted."

                According to the news report, some of NSA's most
                exhaustive efforts have concentrated on encryption widely
                used in the United States, including Secure Sockets
                Layer, virtual private networks and the protection used
                on fourth generation smart phones.

        Interesting that it mentions SSL, isn't it? ]

        NSA's pipe dream: Weakening crypto will only help the "good guys"
        http://arstechnica.com/security/2013/09/nsas-pipe-dream-weakening-crypto-will-only-help-the-good-guys/

        Exclusive: NSA infiltrated RSA security more deeply than thought
        
http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331?feedType=RSS&feedName=topNews&utm_source=dlvr.it&utm_medium=twitter&dlvrit=992637

        NSA Aiming To Infect "Millions" Of Computers Worldwide With Its Malware; Targets Telco/ISP Systems 
Administrators
        
http://www.techdirt.com/articles/20140312/07334826545/nsa-aiming-to-infect-millions-computers-worldwide-with-its-malware-targets-telcoisp-systems-administrators.shtml

        NSA hacker in residence dishes on how to "hunt" system admins
        http://arstechnica.com/security/2014/03/nsa-hacker-in-residence-dishes-on-how-to-hunt-system-admins/

Let me note in passing that the NSA is not the only intelligence agency
on this planet that has demonstrated both willingness and ability to
create and/or exploit large scale security breaches in order to acquire
information.  Surely nobody thinks that folks in Moscow and London and
Berlin and Bejing were just sitting on their hands.

---rsk
Previous By Date Next
Previous By Thread Next

Current thread: