[tor-relays] NSA knew about Heartbleed

Scott Bennett bennett at sdf.org
Sun Apr 13 05:54:35 UTC 2014


Roger Dingledine <arma at mit.edu> wrote:

> On Sat, Apr 12, 2014 at 08:45:23PM +0000, Delton Barnes wrote:
> > "Two sources familiar with matter" could merely be two computer security
> > experts who have an unsubstantiated opinion that the NSA was exploiting
> > this beforehand.  We have no idea how credible these sources are.
>
> I agree.
>
> I'm assuming that particular article is nonsense until somebody shows up
> with some actual details. I guess it's hot to point at NSA conspiracies
> these days. But doing it in this case undermines the *actual* NSA
> conspiracies that we should indeed be upset about.
>
     Roger, I'll grant you that the article remains unproven.  However, any
claims made by NSC or NSA spokespersons also remain not credible by default
without sufficient, verifiable proof ever since both Clapper and Alexander
committed the felonies of perjury under oath on high-fidelity audio and video,
still available for public viewing from the C-SPAN web site AFAIK, especially
given that nary a hint of either an inquiry of impeachment or a criminal
investigation for either perp has been detected to date.  When the members of
the nobility know that they remain untouchable for crimes they commit, why
should their underlings following their orders be thought to be acting any
differently or with any less impunity?  The starting position under such
circumstances should be that if those people say anything at all that they
are lying or attempting to mislead.  Sufficient, verifiable proof must be
provided to counter that initial presumption.  In contrast, the initial
presumptions regarding the journalists, while waiting for evidence, might
properly be correlated with the past performance of the same journalists
w.r.t. accuracy of claims made.


> Maybe there *is* yet another NSA conspiracy here, but I don't believe
> in one any more after reading the article than before it.
>
> > That said, if you carefully parse the statement from DNI, it seems to me
> > to imply they were aware of the Heartbleed vulnerability in 2014.  Why
> > would they say "before 2014" instead of "before its disclosure Monday"
> > or something?
>
> Careful here -- the article is selectively quoting, maybe to stir things
> up more. The actual phrase from the DNI denial is "before April 2014".
>
> In any case, the conclusion ("oh crap, upgrade and throw out your
> old keys") is still accurate.
>
     I concur completely.
     BTW, so far I'm seeing only a slight dip in the number of relays assigned
the "Named" flag, which suggests to me that not many relay operators have
changed signing keys yet.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:   bennett at sdf.org   *or*   bennett at freeshell.org   *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************

