Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say - NYTimes.com - 0 views
www.nytimes.com/...ernet-flaws-officials-say.html
surveillance state Obama NSA NSA-backdoors exploits must-read Iranian-nukes-myth Stuxnet
shared by Paul Merrell on 13 Apr 14
- No Cached
-
Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.
-
elements of the decision became evident on Friday, when the White House denied that it had any prior knowledge of the Heartbleed bug, a newly known hole in Internet security that sent Americans scrambling last week to change their online passwords. The White House statement said that when such flaws are discovered, there is now a “bias” in the government to share that knowledge with computer and software manufacturers so a remedy can be created and distributed to industry and consumers.Caitlin Hayden, the spokeswoman for the National Security Council, said the review of the recommendations was now complete, and it had resulted in a “reinvigorated” process to weigh the value of disclosure when a security flaw is discovered, against the value of keeping the discovery secret for later use by the intelligence community.“This process is biased toward responsibly disclosing such vulnerabilities,” she said.
-
The N.S.A. made use of four “zero day” vulnerabilities in its attack on Iran’s nuclear enrichment sites. That operation, code-named “Olympic Games,” managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.Not surprisingly, officials at the N.S.A. and at its military partner, the United States Cyber Command, warned that giving up the capability to exploit undisclosed vulnerabilities would amount to “unilateral disarmament” — a phrase taken from the battles over whether and how far to cut America’s nuclear arsenal.“We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.” Even a senior White House official who was sympathetic to broad reforms after the N.S.A. disclosures said last month, “I can’t imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.”
- ...2 more annotations...
-
One recommendation urged the N.S.A. to get out of the business of weakening commercial encryption systems or trying to build in “back doors” that would make it far easier for the agency to crack the communications of America’s adversaries. Tempting as it was to create easy ways to break codes — the reason the N.S.A. was established by Harry S. Truman 62 years ago — the committee concluded that the practice would undercut trust in American software and hardware products. In recent months, Silicon Valley companies have urged the United States to abandon such practices, while Germany and Brazil, among other nations, have said they were considering shunning American-made equipment and software. Their motives were hardly pure: Foreign companies see the N.S.A. disclosures as a way to bar American competitors.Continue reading the main story Continue reading the main story AdvertisementAnother recommendation urged the government to make only the most limited, temporary use of what hackers call “zero days,” the coding flaws in software like Microsoft Windows that can give an attacker access to a computer — and to any business, government agency or network connected to it. The flaws get their name from the fact that, when identified, the computer user has “zero days” to fix them before hackers can exploit the accidental vulnerability.
-
But documents released by Edward J. Snowden, the former N.S.A. contractor, make it clear that two years before Heartbleed became known, the N.S.A. was looking at ways to accomplish exactly what the flaw did by accident. A program code-named Bullrun, apparently named for the site of two Civil War battles just outside Washington, was part of a decade-long effort to crack or circumvent encryption on the web. The documents do not make clear how well it succeeded, but it may well have been more effective than exploiting Heartbleed would be at enabling access to secret data.The government has become one of the biggest developers and purchasers of information identifying “zero days,” officials acknowledge. Those flaws are big business — Microsoft pays up to $150,000 to those who find them and bring them to the company to fix — and other countries are gathering them so avidly that something of a modern-day arms race has broken out. Chief among the nations seeking them are China and Russia, though Iran and North Korea are in the market as well.
-
Note that this is only an elastic policy, not law. Also notice that NYT is now reporting as *fact* that the NSA did the cyber attack on the Iranian enrichment centrifuges. By any legal measure, if true that was an act of war, a war of aggression. So why wasn't the American public informed that we were at war with Iran?