NSA Said to Have Exploited Heartbleed Bug for Intelligence for Years

04/15/2014

http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

For several weeks now, the so-called “Heartbleed” bug has threatened the security of websites across the globe, with the potential to expose sensitive information across the internet on a massive scale.

To send information across the web securely, the majority of websites use some variant of Transport Layer Security (TLS). In particular, one common version, an open source protocol known as OpenSSL, was recently found to have had a massive security vulnerability introduced during a minor patch made to it in 2012. Many website administrators are now scrambling to update their systems before the vulnerability can be exploited to steal private information from their servers. The problem was so extensive that even government activities were affected, causing sensitive transactions like tax filings to be postponed.

According to insiders, however, the NSA was aware of this vulnerability years before it was publicly announced about a month ago, and actively exploited it to steal passwords and other sensitive data.

While finding online security flaws is an important part of the NSA’s work, their motives are controversial. It could be argued that the NSA’s primary mission should be a defensive one, maintaining the security of the government and protecting the general population. The NSA has come under fire, however, for its aggressive use of technology in the past, having reportedly deployed such security issues against others instead of working to ensure they are no longer a problem. If anything, the only victims in this system are the ordinary people, who are vulnerable to these kinds of threats from individuals and organizations with sinister motives.

This raises several important questions about the future of online security. With such a wealth of important information defended only by a comparatively small number of dedicated researchers working on security protocols, how safe is our personal data as consumers on the internet? The threat of hackers only continues to grow, and as we can see it is not only seedy underground organizations on the hunt.

Another important issue, of course, is the role that the NSA and other “security” organizations are playing. Is it really ethically justifiable to exploit such massive, global security problems for their own gain? Such illicit methods of information gathering, used at the cost of individual security, should be closely examined. While these measures are defended by appealing to the greater good, it is always dangerous to allow individual rights to be trampled without restriction.

One thought on “NSA Said to Have Exploited Heartbleed Bug for Intelligence for Years”

  1. Peer Reviewer: Uday Mehta, Section 102 (udaymehta@berkeley.edu)

    Good article. I agree that this issue, in addition to being quite timely and relevant, brings about several ethical issues that directly relate to the field of engineering, specifically software engineering and computer science.

    My main takeaway was the duration that this security flaw was not reported (a little over a year). This presented a duality about the ethical purpose of the National Security Agency (NSA), which has a core mission of serving the interests of the government, and thereby protecting the government’s computers and data. However, it is widely understood that the government is an institution established to protect the people, and hence by the transitive property we (the people) have a right to believe that the NSA holds a responsibility to the people to report this. Of course, if there was a pertinent issue regarding national security, they would have precedence in withholding the information, but in the stories that have come out since the news broke, this appears not to be the case.

    The article also briefly discussed the issue of risk, which we touched upon in class. It is rather confusing how (or if) the NSA performed risk analysis, considering that the vulnerability in the form of Heartbleed could have been exploited by anyone with the know-how, including other governments or independent contractors. The article referred to the latter as groups that may have a lower standard of ethics, but it is also important to note that (in light of the Snowden leaks about the NSA’s tendency to spy on United States citizens) the NSA itself may be looked at as an entity with a diminished amount of ethical accountability.

    Your reflection, while it does a good job of recapping the main points of the article and presents all the pertinent questions, should also consist of your opinion on the issue. When you post this to your personal blog, it would be good if you added a paragraph that explained your thought process while reading the article, and your reaction to the aftermath, considering it has been mere weeks since this story originally broke. Approved.
