Monday, April 14, 2014

The NSA's Heartbleed Problem Is the Problem with the NSA | Cato Institute

The NSA's Heartbleed Problem Is the Problem with the NSA | Cato Institute: "The agency’s recently-disclosed minimization procedures permit “retention of all communications that are enciphered.” In other words, when NSA encounters encryption it can’t crack, it’s allowed to — and apparently does — vacuum up all that scrambled traffic and store it indefinitely, in hopes of finding a way to break into it months or years in the future. As security experts recently confirmed, Heartbleed can be used to steal a site’s master encryption keys — keys that would suddenly enable anyone with a huge database of encrypted traffic to unlock it, at least for the vast majority of sites that don’t practice what’s known as “forward security”, regularly generating new keys as a safeguard against retroactive exposure."

"That creates a huge dilemma for private sector security experts. Normally, when they discover a vulnerability of this magnitude, they want to give their colleagues a discreet heads-up before going public, ensuring that the techies at major sites have a few days to patch the hole before the whole world learns about it.

The geeks at NSA’s massive Information Assurance Directorate — the part of the agency tasked with protecting secrets and improving security — very much want to be in that loop. But they’re part of an organization that’s also dedicated to stealing secrets and breaking security. And security companies have been burned by cooperation with NSA before: the influential firm RSA trusted the agency to help them improve one of their popular security tools, only to discover via another set of Snowden documents that the spies had schemed to weaken the software instead.

Giving NSA advance warning of Heartbleed could help the agency protect all those government systems that were relying on OpenSSL to protect user data — but it also would aid them in exploiting the bug to compromise privacy and security on a massive scale in the window before the fix was widely deployed."

Another Phony Budget Debate :: The Mises Economics Blog: The Circle Bastiat

Another Phony Budget Debate :: The Mises Economics Blog: The Circle Bastiat: "Only in DC could a budget that increases spending by 3.5 percent per year instead of by 5.2 percent per year be attacked as a “slash-and-burn” plan."