A look into Corporate fraud in Australia, Stranglehold of Monopolies, Telecommunications Oppression, Biased Law System, Corporate influence in politics, Industrial Relations disadvantaging workers, Outsourcing Australian Jobs, Offshore Banking, Petrochemical company domination, Invisibly Visible.
It's not what you see, it's what goes on behind the scenes.
COMMONWEALTH OF AUSTRALIA (ABN: 122 104 616)
Australia's Prime Minister (CEO) Tony Abbott : "Australia is Open for Business"
17 April 2014
Google kept Heartbleed bug hidden from the government
Reuters / Mal Langsdon
The Heartbleed security bug disclosed last week may
be among the most wide-reaching vulnerabilities on the web to ever be
discovered, but the researchers who detected the glitch didn’t exactly
rush to reveal it to the world.
While the days between the discovery of the bug sometime last
month and the public disclosure on April 9 are documented
to have included intense discussions between security experts
searching for a proper patch and a way to push the news forward,
the United States government may have been left in the darks for
days, according to recent reports.
On Monday this week, Brendan Sasso wrote for the National Journal that it’s unclear when,
exactly, the US government did in fact find out about the flaw.
But if it wasn’t ahead of last month’s discovery by security
experts and the announcement on April 9 that followed, then
Google, cyber firm CloudFlare and certain Linux-based developers
were familiar with the exploit well ahead of the feds for once.
“Companies often wait to publicize a security flaw so they
can have time to patch their own services,” Sasso wrote.
“But keeping the bug secret from the US government could have
left federal systems vulnerable to hackers.”
Indeed, just this week Canada’s federal tax agency admitted that
it had fallen victim to Heartbleed, and some of the biggest
websites on the internet have issued warnings to their customers
about the potential effects of the exploit. Sources told Sasso,
however, that security experts may have purposely waited to keep
government agencies from getting on the same page.
According to a recent report published by Sydney Morning
Herald, any ignorance about the exploit on the part of the US
government ahead of last week’s disclosure would have put the
feds way behind certain tech firms when it came time to patch up
the exploit. Ever since the NSA was accused on April 11 last week by Bloomberg
News reporter Michael Riley of having relied on Heartbleed to
hack high-value intelligence targets for at least two years prior
to the official disclosure of the exploit, the government has
insisted it only recently became aware of the bug.
Moments after the Bloomberg article was published last week,
agency spokesperson Vanee’ Vines told TIME magazine that the
“NSA was not aware of the recently identified vulnerability
in OpenSSL, the so-called Heartbleed vulnerability, until it was
made public in a private-sector cybersecurity report. Reports
that say otherwise are wrong.” The Office of the Director of
National Intelligence and a White House spokesperson have both
made similar claims.
Google security researcher Neel Mehta first discovered Heartbleed
on March 21 or before, the SMH reported, and by that evening the
Mountain View, California-based company had committed a patch for
the flaw. CloudFlare found out by March 31, OpenSSL was informed
the following day and soon after certain tech firms were told
under embargo that the exploit had been discovered and needed to
be processed as efficiently as possible in order to disclose it
to the public quickly.
"If the federal government, including the intelligence
community, had discovered this vulnerability prior to last week,
it would have been disclosed to the community responsible for
OpenSSL," White House spokeswoman Caitlin Hayden said in a
Regardless of when the NSA actually did discover the
vulnerability, recent reports certainly did not help the agency
claim ignorance this time around. In the midst of the ongoing
NSA disclosures first published to the web
last year by journalists working with former contractor Edward Snowden,
the US intelligence community has been accused of exploiting other security vulnerabilities to hack
the computers and correspondence of targets. RT has previously
linked the NSA to French exploit-merchants Vupen, and last December a review
panel assembled to assess the agency’s abilities said that the
NSA must avoid stockpiling so-called “zero-day” exploits and
instead disclose them to the security community to be promptly
“Eliminating the vulnerabilities — ‘patching’ them —
strengthens the security of US government, critical
infrastructure, and other computer systems,” the group
urged President Barack Obama.
But in the statement released by the White House after word of
the exploit surfaced last week and copied by the ODNI, the US
government said it would have apparently handled Heartbleed
differently than the other exploits it’s been accused of
implementing in cyberattacks.
Nevertheless, some now say that the NSA is the only one to blame
if the US government was, in fact, in the dark ahead of the April
9 announcement. According to Sasso, American Civil Liberties
Union technologist Chris Soghoian said that American cyber firms
are likely hesitant to share information with the NSA after it
became clear in the wake of the first Snowden leaks that the
agency will risk undermining the security of the entire internet
if it means it can use an exploit to hone in on a high-value
"I suspect that over the past eight months, many companies
have taken a real hard look at their existing policies about
tipping off the US government," he said. "That's the
price you pay when you're acting like an out-of-control offensive
Soghoian’s comments mirror remarks made in late 2012 by computer
hacker Andrew Auernheimer, who shortly after was sentenced to
spend 41 months in prison after disclosing a security
vulnerability on the servers of AT&T that allowed him to
access the email addresses of 114,000 Apple iPad owners. Last
week, the Third Circuit Court of Appeals vacated that conviction.
“It’s not unheard of for governments, including that of the
US, to use exploits to gather both foreign and
domestic intelligence,” he wrote at the time for an
op-ed published in Wired. “In an age of rampant cyber
espionage and crackdowns on dissidents, the only ethical place to
take your zero-day is to someone who will use it in the interests
of social justice. And that’s not the vendor, the governments, or
the corporations — it’s the individuals.”