Change all your passwords, everywhere


Grumman
Jedi Council Member
Posts: 2488
Joined: 2011-12-10 09:13am

Re: Change all your passwords, everywhere

Post by Grumman »

I have a great idea: let's get rid of the NSA and spend the money on an agency that actually protects America's security, instead of nurturing its weaknesses for its own use.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: Change all your passwords, everywhere

Post by phongn »

Welf wrote:
phongn wrote:You are being paranoid. We know who committed the change.
From Bloomberg, the NSA knew about the issues with OpenSSL and exploited them instead of informing users. And if they risk the security of millions of companies and users it's not a big stretch to assume they may have put it there in the first place. Or if they haven't, that they try it next time.
Bloomberg cites anonymous sources and no evidence. This is clickbait.

Further, DNI says they didn't know about it. I'm inclined to believe them: OpenSSL makes up a lot of systems the Federal government uses. That said, they have plenty of other ways of compromising private keys (including but not limited to certificate authority coercion, hacking, etc.)
Irbis
Jedi Council Member
Posts: 2262
Joined: 2011-07-15 05:31pm

Re: Change all your passwords, everywhere

Post by Irbis »

phongn wrote:Further, DNI says they didn't know about it. I'm inclined to believe them: OpenSSL makes up a lot of systems the Federal government uses. That said, they have plenty of other ways of compromising private keys (including but not limited to certificate authority coercion, hacking, etc.)
Your link states NSA would disclose zero day vulnerabilities to affected companies had they found them. The same NSA that used five different, unknown zero day holes creating Stuxnet?

Oookay :wtf:
Irbis
Jedi Council Member
Posts: 2262
Joined: 2011-07-15 05:31pm

Re: Change all your passwords, everywhere

Post by Irbis »

Also, as the edit window passed: upon re-reading, note he says 'unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities'. Merely biased, not 'we will do it'. Would he inform the public that there was a 'clear national security need' to retain the Heartbleed knowledge had such a problem existed? I don't think so.
TronPaul
Padawan Learner
Posts: 232
Joined: 2011-12-05 12:12pm

Re: Change all your passwords, everywhere

Post by TronPaul »

Any zero-day exploit can be argued as a 'clear national security or law enforcement need'. By having that loophole, with no time limits, the NSA has no obligation to report zero-days they find. I haven't been able to find any record of NSA-reported zero-days. With the amount of security research they do, I'd expect to find something that they reported and used as PR if they were reporting things.
If it waddles like a duck and it quacks like a duck, it's a KV-5.
Vote Electron Standard, vote Tron Paul 2012
Welf
Padawan Learner
Posts: 417
Joined: 2012-10-03 11:21am

Re: Change all your passwords, everywhere

Post by Welf »

Grumman wrote:I have a great idea: lets get rid of the NSA and spend the money on an agency that actually protects America's security, instead of nurturing its weaknesses for its own use.
I think you misunderstand the job of a security agency: it's not to provide security for the people but from the people.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: Change all your passwords, everywhere

Post by phongn »

Welf wrote:I think you misunderstand the job of a security agency: it's not to provide security for the people but from the people.
NSCID 9 rather firmly established that the NSA's prime mission is signals intelligence.
folti78
Padawan Learner
Posts: 420
Joined: 2008-11-08 04:32pm
Location: Hungary, under a rock.

Re: Change all your passwords, everywhere

Post by folti78 »

Irbis wrote:
phongn wrote:What? No. OpenSSL has a handful of developers and is badly underfunded.
The company, yes, but I meant a lot of programmers I know tend to look at source code of things they work with or similar to their projects as hobby or means of learning.
OpenSSL's code is not something people will look at to learn, unless they study the ways a very old codebase mutates over time. It's also quite large, where portions of the code still in use are mixed with portions that were only needed if you wanted to build it on, say, Mac OS 9, so good luck spotting some literally one-liner errors. Also, people who'd have to work with it professionally would do what working people do: try to understand it as much as needed, and spend their working time developing their company's software that used OpenSSL, because that's what they are paid for. If all the companies had really been interested in improving OpenSSL, they should have hired people to do exactly that. Like the way it goes with the Linux kernel, or the GCC package of compilers, where a large number of contributors are actually employees of companies heavily invested in the Linux ecosystem. You'd see a lot of people contributing with a @redhat.com email address.

The people of the OpenBSD project started a major rework of the codebase, as an attempt to clear their own shame, because they, as a group focused on computer security, shipped products with OpenSSL, without looking at it. The selected commits from the effort are quite entertaining, in their own scary ways.

Also, OpenSSL isn't developed by a company, but by volunteers in a non-profit foundation. The company is there to allow getting some income from support contracts and consulting, but by their own admission that was simply peanuts.
Irbis wrote:
You are being paranoid. We know who committed the change.
Yes, we know who did it. Do we know if it was stupidity, laziness, or malice?

To elaborate: at the moment I said it could be intentional work, I saw a post stating the change was added right after Christmas 2011, a rather curious time for work (and a good time if you wanted everyone to not look too attentively). I didn't check if it was the correct change personally, though, so take it with a grain of salt; surely someone will do research and publish a story on that soon.
Duuude ... :roll:
First, it was committed on New Year's Eve roughly an hour after midnight. Not everyone's preferred way of spending that time is partying, getting drunk and throwing fireworks. The committer was the guy who audited it, a long-time developer of OpenSSL. The original writer was another guy, who contributed to the project in the past and was apparently respected by them. So no, it's not exactly some NSA foul play. Keep in mind that I linked to the web interface of their Git repo for a reason. As things currently are, it's rather hard, bordering on impossible, to insert commits into a Git repo without the change itself raising an alarm when people try to synchronize their own repositories with the compromised one. Unless they took over Dr Stephen Henson's machine and changed the commit before he pushed it, but that'd be a rather impressive feat ... (as in Hollywood action movie level)

Second, the two reasons the bug has been hidden this long were:
  1. OpenSSL's own memory manager, which they implemented nearly half a decade before, hid all the ugly memory errors from people testing it with memory checking tools like Valgrind, or just from the memory protection schemes implemented by the memory handling functions of various modern standard C library implementations, namely OpenBSD's own stuff.
  2. As mentioned already, nobody ever took a serious look over the code, audited it properly and reported back to the OpenSSL people that it's a major mess. Or raised a ruckus about it.
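The "one-liner" folti78 refers to is the missing length check in the heartbeat handler. The following is an added example, not OpenSSL's code: a stripped-down heartbeat responder (RFC 6520 layout: 1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) with the bounds check in place, so a record whose header claims more payload than actually arrived is dropped instead of copied. The sample records are constructed; the padding is zeroed here rather than random for readability.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_MIN_PADDING 16
#define HB_MAX_PAYLOAD 65535

/* Scratch buffer for responses: type + length + max payload + padding. */
static uint8_t g_hb_out[1 + 2 + HB_MAX_PAYLOAD + HB_MIN_PADDING];

/* Constructed sample: honest record, declares 5 bytes and carries 5 ("hello"). */
const uint8_t HB_GOOD[3 + 5 + HB_MIN_PADDING] = {1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
/* Constructed sample: same 5 bytes on the wire, but the header claims 0x4000 (16384). */
const uint8_t HB_BAD[3 + 5 + HB_MIN_PADDING]  = {1, 0x40, 0x00, 'h', 'e', 'l', 'l', 'o'};

/* Payload length as declared by the peer (big-endian 16-bit field). */
static uint16_t hb_declared_len(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* The check that was missing: the declared payload plus header and minimum padding
 * must fit inside the bytes actually received. Returns 1 if sane, 0 otherwise.
 * Without it, memcpy below reads past the record into whatever the allocator
 * handed out earlier; a freelist allocator recycles still-"valid" blocks, which
 * is why Valgrind-style tools see no invalid access. */
int hb_record_is_sane(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return 0;
    size_t declared = hb_declared_len(rec);
    return (1 + 2 + declared + HB_MIN_PADDING <= rec_len) ? 1 : 0;
}

/* Build a heartbeat response (type 2, echoed payload, padding) into out.
 * Returns the response length, or 0 when the record is rejected. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (!hb_record_is_sane(rec, rec_len)) return 0;
    uint16_t plen = hb_declared_len(rec);
    out[0] = 2;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xff);
    memcpy(out + 3, rec + 3, plen);
    memset(out + 3 + plen, 0, HB_MIN_PADDING);
    return 3 + (size_t)plen + HB_MIN_PADDING;
}

int main(void) {
    printf("good -> %zu bytes\n", hb_build_response(HB_GOOD, sizeof HB_GOOD, g_hb_out));
    printf("bad  -> %zu bytes (rejected)\n", hb_build_response(HB_BAD, sizeof HB_BAD, g_hb_out));
    return 0;
}
```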