The Electronic Frontier Foundation (EFF) is suing the NSA over zero days like the Heartbleed exploit. The Office of the Director of National Intelligence (ODNI) is also part of the lawsuit filed under the Freedom of Information Act (FOIA). The EFF says that the NSA and the Director of National Intelligence knew about several zero day exploits and kept them secret. They also used these flaws, like the Heartbleed exploit, for their own spying activities. The EFF wants them to tell the public how they decide whether or not to reveal information about such exploits.
Concealing Zero Day, Heartbleed Exploits
We found out in April that the NSA knew about and used the Heartbleed exploit. They used it to conduct secret surveillance instead of sharing the information with security companies. They could have helped prevent Heartbleed exploits yet they chose not to reveal the issue. Reports said that they exploited the vulnerability for a minimum of two years before it was discovered by other researchers. The government says that it is not true.
The US government responded to the April claims through the White House blog. They deny knowing about Heartbleed exploits or the flaw itself, but say that they are thinking about similar disclosures. They described a new process for assessing computer vulnerabilities and deciding if these should be made public. They assure us that they have a disciplined and rigorous process, but do not tell us how they decide.
The EFF requested details of the procedure under the FOIA on May 6. The ODNI promised to fast track the release of the information. But they have not produced any documents yet. The EFF therefore filed a lawsuit against this office and the NSA to force them to release the documents. Then we can see how spy agencies decide which zero day vulnerabilities, like the Heartbleed exploit, the government chooses to hide and why. The EFF explains that we need to understand how this works so we can make informed decisions about spying and privacy.
The NSA Spying Debate
The NSA has been engaged in secret spy activities since President Truman established the agency. Since then we have not been overly concerned about how they conduct their activities. We have trusted in laws to protect us and believed that government agencies would not put us in harm’s way. When Edward Snowden showed us what the NSA has really been doing, this all changed. The EFF has been a strong champion of Internet freedoms and privacy. Now the EFF is actively pursuing the links between the NSA and security flaws like Heartbleed exploits to find out more.
This lawsuit is an important step in the effort to rein in the NSA. They have been conducting questionable surveillance activities that have angered many people around the world. One of the illicit techniques they have been employing is the alleged use of computer vulnerabilities to spy on people. We learned about this after the Heartbleed exploit went public. Heartbleed is a flaw in the OpenSSL library that allows attackers to gain access to computers regardless of encryption. We already know that the NSA has been working on cracking encryption technologies. The Heartbleed exploit was a great asset to this effort.
It is especially important to know how intelligence agencies deal with zero day exploits. Zero days are security flaws that are newly discovered and not yet patched. This makes them very dangerous in the hands of whoever knows about them. Most researchers will immediately report these flaws in software and online services so they can be fixed. But if the NSA has hidden these, and more so if they have used them for spying, they have put the public in great danger. Other countries’ governments and a slew of cybercriminals can also learn about the flaw and use it against innocent Internet users. Vulnerabilities like the Heartbleed exploit have a huge potential to do harm to users all around the world. This is why it is vital that we know how the government decides which ones they hide from security experts who can fix them to keep us safe.