Tuesday, April 15, 2014

Last Call For Heartbleeding Liberals

If anonymous sources are enough to convict the NSA in the court of public opinion over the Heartbleed bug, what does that mean for news that Google knew about it and didn't tell users or the government?

On purpose, mind you.

Google knew about a critical flaw in Internet security, but it didn't alert anyone in the government.

Neel Mehta, a Google engineer, first discovered "Heartbleed"—a bug that undermines the widely used encryption technology OpenSSL—some time in March. A team at the Finnish security firm Codenomicon discovered the flaw around the same time. Google was able to patch most of its services—such as email, search, and YouTube—before the companies publicized the bug on April 7.

The researchers also notified a handful of other companies about the bug before going public. The security firm CloudFlare, for example, said it fixed the flaw on March 31.

This is not an anonymous source, but a named Google employee admitting to this.

Asked whether Google discussed Heartbleed with the government, a company spokeswoman said only that the "security of our users' information is a top priority" and that Google users do not need to change their passwords.

Companies often wait to publicize a security flaw so they can have time to patch their own services. But keeping the bug secret from the U.S. government may have left federal systems vulnerable to hackers. The IRS said it's not aware of any vulnerabilities in its system, but other agencies that use OpenSSL could have been leaking private information to hackers.

The government encourages companies to report cybersecurity issues to the U.S. Computer Emergency Readiness Team, which is housed in the Homeland Security Department. US-CERT has a 24-hour operations center that responds to security threats and vulnerabilities.

Why would Google tell the government or competitors and not keep this to themselves, so they could fix the bug on their servers while other internet giants were vulnerable?  Then they could say "Hey, we fixed the problem, these other guys were the ones that exposed your password info."

Of course that only works if people don't find out Google is a bunch of bastards.

But let's blame the NSA and Obama some more.  They're the real bad guys, right?  I mean hey, if the Electronic Frontier Foundation has finally decided to back the Tea Party since the unsourced NSA accusations made last week, this isn't a mass effort to depress Democratic voter turnout, right?

Right?

No comments:

Post a Comment