At this point it's safer to say that an intelligence agency is responsible than that they aren't responsible. This is precisely what Schneier, Greenwald, et al. mean when they say that the NSA tactics degrade the security of the overall internet architecture. It's incredibly dangerous.
How can you make such a claim? Do you have any proof that they were involved with this specific bug?
I get that the NSA is after us but when you consider that the bug is of the exact same class as a bug every C programmer has ever made in their career, it seems probable that it could have happened on accident. Where do you see the malicious intent?
We know from the NSA's own files that they pour lots of money into programs that specifically introduce bugs like this [1]. Do the current batch of leaked documents outline this exact vulnerability? No. Does it perfectly fit the model of what the NSA's own files say they're doing and therefore make it a high-likelihood explanation? I think so. At the very least the assumption that an intelligence agency, such as NSA or GCHQ, is responsible is a useful way of thinking about the kind of adversaries one faces with this type of software.
I don't think the NSA had to create this bug. I do think that static analysis could find this bug, and if they did not have the static analysis tools to do so, they probably will soon enough. It is far better for them to find existing bugs than introduce new ones, because the former is untraceable. The latter, inevitably, leaves a paper trail. I'd need a lot of convincing to believe that OpenSSL is so darned secure that it has no bugs in it until the NSA adds them, just based on the software engineering practices of the product (using C, little test code, etc).
The NSA has two mandates. First, it is to ensure that Americans are using secure communication channels. Second, it is to collect data. When these two things come into conflict they have the authority to make a decision. For centralized communication channels, for example, they will often help beef up security in exchange for the ability to wiretap.
If this bug was not caught by the NSA, then they are incompetent, something that I've rarely seen levelled at them as of late, but it is possible. If this bug was perpetrated by the NSA, then they are evil because they are exposing Nato and other allied countries to foreign attacks and corporate espionage.
Given the stakes, what they've said in the PRISM slides, and their history, I'd say evil is more likely than incompetent.
Nobody caught this bug over two years (supposedly). Stranger things have happened.
Also, while the NSA might have wanted to create this bug to exploit it, you still haven't shown that they created this bug. They might have known about it and exploited it, but saying they put the bug in the first place is a very strong claim.
I'm not totally convinced that they even knew about it. If they had known about it, why bother going to the courts to coerce Lavabit to give up their SSL keys?
Any intelligence agency will prioritize source protection. Recall the efforts of the Ultra program in WWII: they sent out dummy reconnaissance planes to prevent the Germans from suspecting that Enigma had been broken. It's possible that the government already had the communications that Lavabit was trying to protect, but were putting on a public show so as not to reveal the brokenness of OpenSSL. See also "parallel construction".
Wasn't that the FBI? If there were other means (blank-cheque warrants) to achieve their goals, it seems unlikely that the NSA would loop those agents in.
Plus, would evidence obtained that way, without a warrant, even be admissible in any court? I mean, I guess this all went down after Snowden had left the country? So I'm not sure a court date was the end goal anyway. I'm fuzzy on the details/chronology.
It doesn't matter whether they created it. If your operations would suffer from the NSA having had access to this anywhere between 1 day and two years ago, then you have to assume they took advantage of it whether they created it or not, and you have to execute any damage control and mitigation procedures that you've created. I.e. assume your data has been read and used, and act accordingly.
We have no proof, but as such we have to assume that it's an NSA-directed compromise and take appropriate precautions, unless and until we have proof otherwise. That's why the NSA's actions really hurt.
This isn't a criminal proceeding . . . "preponderance of evidence" might be a more appropriate criterion. People are weighing whether they believe NSA malice or coder error are more likely in this situation.
That's an interesting thought. Some terrorist is in the US and planning something, but they don't want to give away their intel. So do a bit of parallel construction and tip off the local cops to some relatively small crime he's committed in the course of everything....
Or substitute "whistleblower" or "inconvenient politician" for "terrorist" if you prefer.
I didn't downvote you, but I expect those who did aren't reading it as "a question" as in "a request for information" - which I would think should rarely be downvoted - but as "a rhetorical question" whose purpose was to serve as a point of argument. Interpreted that way it seems to be attacking a strawman, poorly - such a comment would be deservedly downvoted.
I personally incline toward - memory safety in C is hard. We have had enough of those bug pop on their own to need encouragement. Whether interested parties knew of it and use it as a key towards all you can eat intelligence buffet is another story.
Memory safety in C is hard, but this bug, a memcpy with a user-supplied, unchecked length? I mean this is stuff that I learned about in my first serious class that involved C, and it wasn't even security related. C is a language where you code defensively at almost all times, yet this was ignored in the SSL implementation, a project which is based around communicating with a user? This is the situation where you really can't trust things like lengths. Either its incompetence or shilling, both of which are harrowing.
Incompetence on the part of the website companies that didn't pay the money to hire people to make sure that a piece of their critical infrastructure was up to the task? Yes, I agree.
Nah, I am extremely pro-Snowden & extremely anti-NSA... but I'm also a person that enjoys programming in C.
C is hard. I really think this was just a bug. What _is_ possible though is that the NSA knew about this bug since awhile back and kept it secret. But then if they knew about the bug, why was nasa.gov vulnerable? I would not expect any .gov domains to be vulnerable unless to create plausible deniability - but this kind of conspiracy logic has no end.
What's critical about nasa.gov? It's just a marketing facade. Not patching it means nothing.
I'm not saying that NSA did/didn't do X. Just that the above about .gov domains is not a valid argument. Intelligence gathering trumps trivial service to citizens.
"Safer" is an interesting adjective: its meaning depends on your threat model. Are you more worried about underestimating the already-tarnished honor of a secretive federal agency, or about being screwed over by that same agency? I personally care more about the latter.
