Horseshoes and hand grenades

Two things where close can be good enough. Very different from things that actually require precision, like: interdicting terrorist bombers and exploiting long-lived, massive flaws in encryption.

The US intelligence community, including the NSA and FBI, has snatched defeat from the jaws of victory many times in the last few years. Just two examples: the 2013 Boston Marathon bombing and missing the Heartbleed bug in the ubiquitous OpenSSL encryption library.

As to the latter, the NSA was quick to deny any knowledge of the vulnerability in OpenSSL shortly after its existence was made public. At the same time, certain unnamed sources within the agency assured journalists that the NSA had indeed long known about and actively used the bug to compromise security around the world.

The official denial is understandable, as NSA was and is feeling the heat from the public, private business and even Congress over the agency’s abandoning of its mission to defend the country against security threats in order to become such a threat themselves.

The unofficial leaks are also easy to understand. No one at the NSA has an interest in people believing them to be so incompetent, even given hundreds of billions of dollars in resources, that they missed this vulnerability.

Which one of these versions of events is true?

Cue this report that appeared in the New York Times on April 18:

For the past week, researchers at the Berkeley National Laboratory and the National Energy Research Scientific Computing Center, a separate supercomputer facility, have been examining Internet traffic they recorded going in and out of their networks since the end of January, looking for responses that would indicate a possible Heartbleed attack.

They found none, said Vern Paxson, a network researcher at Berkeley Lab and associate professor of electrical engineering and computer science at the University of California, Berkeley.

Study: No Evidence of Heartbleed Attacks before Bug was Exposed

In fairness to the NSA, not one of the high-flying security firms that haunt the enterprise IT consulting circuit discovered the bug either. This despite mere hundreds of millions of dollars spent by businesses on comprehensive penetration testing during the time it was extant. We continued to pay each of these groups (government intelligence and private consulting) real money, and they pretended to work. Given how dependent the NSA and the rest of government are on private contractors, it should come as no surprise that they achieved the same ignominious result.


About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).