Obama Tells NSA To Reveal, Not Exploit, Flaws... Except All The Times It Wants To Do The Opposite

from the a-bias? dept

But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.

“We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.”

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Last week there was some confusion as Bloomberg published a story claiming that the NSA was well aware of the Heartbleed bug and had been exploiting it for "at least" two years. That seemed fairly incredible, given that the bug had only been around for slightly over two years. The NSA came out with a pretty strongly worded denial -- which left out much of the usual equivocation and tricky wording that the NSA normally uses in denying things. The general consensus seems to be that it is, in fact, unlikely that the NSA knew about Heartbleed (though that makes some wonder if some team at the NSA is now in trouble forfiguring it out). If anything, it seems likely that the Bloomberg reporters got confused by other programs that the NSA is known to have to break parts of SSL , something it's supposedly been able to do since around 2010.However, the NY Times had a story this weekend about how this move has forced the administration to clarify its position on zero day exploits. It's already known that the NSA buys lots of zero day exploits and makes the internet weaker as a result of it. Though, in the past, the NSA has indicated that it only makes use of the kinds of exploits that only it can use (i.e., exploits that need such immense computing power that anyone outside of the NSA is unlikely to be able to do anything). However, the NY Times article notes that, following the White House's intelligence review task force recommendation that the NSA stop weakening encryption and other technologies, President Obama put in place an official rule that the NSA should have a "bias" towards revealing the flaws and helping to fix them, but leaves open aloophole:Amusingly, the NY Times initially had a title on its story saying that President Obama had decided that the NSA should "reveal, not exploit, internet security flaws," but the title then changed to the much more accurate: "Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say."Of course, the cold war analogy used by people in the article seems... wrong:Except, it's meaningless that no one expects the Chinese (or the Russians or anyone else) to give up zero days. The simple fact is that if the NSA were helping tozero daysusing those zero days. In fact, closing zero days isdisarming both sides, because it takes the vulnerability out of service. It's not about us giving up our "weapons," it's about building a better defense for the world. And yet the NSA isn't willing to do that. Because they're not about protecting anyone -- other than themselves.

Filed Under: barack obama, exploits, heartbleed, national security, nsa, surveillance