Why didn't Snowden disclose Heartbleed (and others)?

Georgi Guninski guninski at guninski.com
Tue Apr 15 09:47:54 PDT 2014


On Tue, Apr 15, 2014 at 06:16:15PM +0200, Lodewijk andré de la porte wrote:
> Exhaustive list of possibilities (please extend where possible):
> A Did not know
> B Did not care
> C Felt like it would negatively impact the NSA's (legitimate) functioning
> D Didn't get around to it yet
> E Snowden is an unconventional NSA set up
> F Snowden's documents are not recent enough
> 
> A, is interesting, as it would show that the NSA has levels of secrecy and
> secret data that go further than what they had so far. Something above "TOP
> SECRET" should probably exist, and Snowden didn't find it. This actually
> makes a lot of sense to me, so it might well be it.
> 


The short answer to the question in the
subject is that HB is not worth using if
you can execute remote code on OpenSSL
(call me a troll just because you disagree).

As for above TOP secret:
I don't believe Snowden's documents
about Tor reflect the current
evilness of NSA -- just don't
trust what the NSA/Snowden allegedly disclose
about Tor.

Some targets got in jail for
naively using Tor (check thereg).

Reference for the Tor documents
is the ACLU mirror of Snowden.

Probably this drama is explained by
the saying:
"A society of sheep deserves a
government of wolves".



> B, he might think it's not very interesting. Using 0-days should be old-hat
> and expected. Disclosing specific exploits would not stop the bleeding, the
> NSA would just find new ones. He might even consider 0-day hoarding
> acceptable business, just not the mass employment of them.
> 
> C, he's often maintained a sort of "I'm coming out to the public with this,
> but I'm very sorry to hurt the US in a way"- kind of attitude. It would
> definitely cripple the NSA if he released novel and important bugs. Think
> of how hard it would be to hack-back at China!
> 
> D, There's some scheduling going on to maximize impact. He might release
> the "0-day-exploit list that endangers life as we know it, and the NSA did
> nothing" later, when attention dies down again.
> 
> E, Maybe the NSA have become a common thing in popular culture and they
> dislike their image of being a completely opaque organization with
> potentially unlimited power. So now they are sharing information about the
> "outer shell" of the organization, a sort of facade. Meanwhile it seems
> like the world is crushing down upon them.
> 
> In a few years their image will be renewed. Everyone will think "The NSA
> was not that unlimited in its capabilities and worked very hard. Now that
> they have rules and limits it will all be okay". And with that a whole new
> level of FUD will have been achieved. Making people believe they are the
> evil you know.
> 
> Of course, this is religious level conspiracies. And of course, that's
> exactly the level the NSA would start to accept. They're the information
> and espionage experts. If anyone could pull this off, it'd be them.
> 
> (Didn't the CIA/NSA own the media? Don't they still? This might be easier
> than you'd expect)
> 
> F, I couldn't find exactly to which date his documents go. Heartbleed was
> merged December 31 2011 (lonely night? sneaky vacation timing?). Assuming
> the NSA checks patches (ofc they do) they should've found it in Jan 2012.
> Snowden. Ah. Found it. "Greenwald began working with Snowden in either
> February[113] or in April after Poitras asked Greenwald to meet her in New
> York City, at which point Snowden began providing documents to them both"
> That'd be April 2013.
> 
> He still might've stolen the documents earlier, but who knows?


