Why didn't Snowden disclose Heartbleed (and others)?
Exhaustive list of possibilities (please extend where possible):
A Did not know
B Did not care
C Felt like it would negatively impact the NSA's (legitimate) functioning
D Didn't get around to it yet
E Snowden is an unconventional NSA set up
F Snowden's documents are not recent enough
A, is interesting, as it would show that the NSA has levels of secrecy and secret data that go further than what they had so far. Something above "TOP SECRET" should probably exist, and Snowden didn't find it. This actually makes a lot of sense to me, so it might well be it.
B, he might think it's not very interesting. Using 0-days should be old-hat and expected. Disclosing specific exploits would not stop the bleeding, the NSA would just find new ones. He might even consider 0-day hoarding acceptable business, just not the mass employment of them.
C, he's often maintained a sort of "I'm coming out to the public with this, but I'm very sorry to hurt the US in a way"- kind of attitude. It would definitely cripple the NSA if he released novel and important bugs. Think of how hard it would be to hack-back at China!
D, There's some scheduling going on to maximize impact. He might release the "0-day-exploit list that endangers life as we know it, and the NSA did nothing" later, when attention dies down again.
E, Maybe the NSA have become a common thing in popular culture and they dislike their image of being a completely opaque organization with potentially unlimited power. So now they are sharing information about the "outer shell" of the organization, a sort of facade. Meanwhile it seems like the world is crushing down upon them.
In a few years their image will be renewed. Everyone will think "The NSA was not that unlimited in its capabilities and worked very hard. Now that they have rules and limits it will all be okay". And with that a whole new level of FUD will have been achieved. Making people believe they are the evil you know.
Of course, this is religious level conspiracies. And of course, that's exactly the level the NSA would start to accept. They're the information and espionage experts. If anyone could pull this off, it'd be them.
(Didn't the CIA/NSA own the media? Don't they still? This might be easier than you'd expect)
F, I couldn't find exactly to which date his documents go. Heartbleed was merged December 31 2011 (lonely night? sneaky vacation timing?). Assuming the NSA checks patches (ofc they do) they should've found it in Jan 2012. Snowden. Ah. Found it. "Greenwald began working with Snowden in either February[113] or in April after Poitras asked Greenwald to meet her in New York City, at which point Snowden began providing documents to them both" That'd be April 2013.
He still might've stolen the documents earlier, but who knows?
On Tue, Apr 15, 2014 at 06:16:15PM +0200, Lodewijk andré de la porte wrote:
Exhaustive list of possibilities (please extend where possible):
A Did not know
B Did not care
C Felt like it would negatively impact the NSA's (legitimate) functioning
D Didn't get around to it yet
E Snowden is an unconventional NSA set up
F Snowden's documents are not recent enough
A, is interesting, as it would show that the NSA has levels of secrecy and secret data that go further than what they had so far. Something above "TOP SECRET" should probably exist, and Snowden didn't find it. This actually makes a lot of sense to me, so it might well be it.
The short answer to the question in the subject is that HB is not worth using if you can execute remote code on OpenSSL (call me a troll just because you disagree). As for above TOP secret: I don't believe Snowden's documents about Tor reflect the current evilness of NSA -- just don't trust what the NSA/Snowden allegedly disclose about Tor. Some targets got in jail for naively using Tor (check thereg). Reference for the Tor documents is the ACLU mirror of Snowden. Probably this drama is explained by the saying: "A society of sheep deserves a government of wolves".
B, he might think it's not very interesting. Using 0-days should be old-hat and expected. Disclosing specific exploits would not stop the bleeding, the NSA would just find new ones. He might even consider 0-day hoarding acceptable business, just not the mass employment of them.
C, he's often maintained a sort of "I'm coming out to the public with this, but I'm very sorry to hurt the US in a way"- kind of attitude. It would definitely cripple the NSA if he released novel and important bugs. Think of how hard it would be to hack-back at China!
D, There's some scheduling going on to maximize impact. He might release the "0-day-exploit list that endangers life as we know it, and the NSA did nothing" later, when attention dies down again.
E, Maybe the NSA have become a common thing in popular culture and they dislike their image of being a completely opaque organization with potentially unlimited power. So now they are sharing information about the "outer shell" of the organization, a sort of facade. Meanwhile it seems like the world is crushing down upon them.
In a few years their image will be renewed. Everyone will think "The NSA was not that unlimited in its capabilities and worked very hard. Now that they have rules and limits it will all be okay". And with that a whole new level of FUD will have been achieved. Making people believe they are the evil you know.
Of course, this is religious level conspiracies. And of course, that's exactly the level the NSA would start to accept. They're the information and espionage experts. If anyone could pull this off, it'd be them.
(Didn't the CIA/NSA own the media? Don't they still? This might be easier than you'd expect)
F, I couldn't find exactly to which date his documents go. Heartbleed was merged December 31 2011 (lonely night? sneaky vacation timing?). Assuming the NSA checks patches (ofc they do) they should've found it in Jan 2012. Snowden. Ah. Found it. "Greenwald began working with Snowden in either February[113] or in April after Poitras asked Greenwald to meet her in New York City, at which point Snowden began providing documents to them both" That'd be April 2013.
He still might've stolen the documents earlier, but who knows?
On 04/15/2014 11:16 AM, Lodewijk andré de la porte wrote:
Exhaustive list of possibilities (please extend where possible):
A Did not know
B Did not care
C Felt like it would negatively impact the NSA's (legitimate) functioning
D Didn't get around to it yet
E Snowden is an unconventional NSA set up
F Snowden's documents are not recent enough
Personally, I'm going with D but with some caveats. Snowden has long preached the 'encryption works but the endpoints are so weak that it often doesn't matter'. I've always read this as 'encryption works when it's done right. And it's almost never done right'. This might have been a hint about Heartbleed, but I doubt it. I don't see Snowden as the type of man who'd put the entire world's security at risk just in the interests of US National Security.
This is why I've long been an advocate of total disclosure. I think the document holders should publish everything they have. After they do that, they could continue to 'leak release' documents with detailed explanations for those who are too lazy or too confused by the documents to sift through them and read them but having a document dump out there would make the process of disclosure /much/ faster. And it would freak the NSA out - a happy plus.
I say fuck national security. These guys are burning down the entire world just to further their agenda. They deserve no consideration, even if it does put them at a disadvantage.
Me
--
Want to communicate with me privately?
Find my PGP public key here: http://pgp.mit.edu/pks/lookup?op=get&search=0x5BAEB5B2FA26826B Fingerprint: 6728 40CE 35EE 0BF3 2E15 C7CC 5BAE B5B2 FA26 826B
On Tue, Apr 15, 2014, at 12:11 PM, Cypher wrote: [...]
I say fuck national security. These guys are burning down the entire world just to further their agenda. They deserve no consideration, even if it does put them at a disadvantage.
+1! They put the entire world of e-commerce and communication at a disadvantage by intentionally weakening encryption standards. Fuck them with a chainsaw. Drop the whole cache of Snowden docs at once, let the sunlight in and watch these crooked cockroach fucks shit themselves in panic.
2014-04-15 21:11 GMT+02:00 Cypher <cypher@cpunk.us>:
This is why I've long been an advocate of total disclosure. I think the document holders should publish everything they have. After they do that, they could continue to 'leak release' documents with detailed explanations for those who are too lazy or too confused by the documents to sift through them and read them but having a document dump out there would make the process of disclosure /much/ faster.
The problem is that the general public is very slow to learn. Every step along the way even the wise said things like "OH! The NSA said A, but they'll *never* say B!". Then two weeks later the docs show that B has not just been said, it'd been SCREAMED. Then the word is "But they'll never say C!". Etc. Maybe at some point people will pick it up differently.
It also fits the media format better to drip info. A new news article every new drip. That makes for a lot more exposure. It's sad but true. I would *LOVE* instant full disclosure. But it just wouldn't have the same effect. Maybe you could do selective full disclosure, but who'd be allowed access? And who'd prevent the store of data from being leaked again?
Additionally there's the rewriting and securing. Often documents have person-specific typos or sentence changes that can identify a specific instance of a document. There was this company that wanted to use it on e-books, rewriting "good" to "not bad", etc.
Anyway, mixed bag regarding full disclosure. I think this is easier, safer and reaches the general public better and as such it's the right choice. It's a damn shame that it is, sensationalism isn't fun.
On Tue, 2014-04-15 at 18:16 +0200, Lodewijk andré de la porte wrote:
F, I couldn't find exactly to which date his documents go. Heartbleed was merged December 31 2011 (lonely night? sneaky vacation timing?). Assuming the NSA checks patches (ofc they do) they should've found it in Jan 2012. Snowden. Ah. Found it. "Greenwald began working with Snowden in either February[113] or in April after Poitras asked Greenwald to meet her in New York City, at which point Snowden began providing documents to them both" That'd be April 2013.
He still might've stolen the documents earlier, but who knows?
I think the documents are significantly earlier than that. I think it's probably a mix of A and F; more sensitive information is probably more watched even if it's still just TOP SECRET. Also, there are definitely classifications above and within TOP SECRET. Look at the annotations on the Snowden documents. -- Sent from Ubuntu
2014-04-16 18:19 GMT+02:00 Ted Smith <tedks@riseup.net>:
I think the documents are significantly earlier than that.
You'd say so, but we really have no idea. Maybe he was adding pages slowly. Maybe he was still while moving into Russia. Computers are tricky like that :(
Also, there are definitely classifications above and within TOP SECRET. Look at the annotations on the Snowden documents.
Yeah, I know. That's why there were "" marks. I should have really made that clearer haha. Sorry about that. I sort of meant "TOP-EST SECRET" would still have another layer. And just cells. The NSA must have separated information cells. Cells that do not share sysadmins with badly defined rights ;)
participants (5)
- Cypher
- Georgi Guninski
- Lodewijk andré de la porte
- shelley@misanthropia.info
- Ted Smith