It touched off quite a reaction, as Winkler’s memo noted, pulling in more than 378,000 hits on the Internet, as well as nearly 6,000 hits on Bloomberg’s famous data terminals. Winkler documented all the news organizations that had followed the story: “WSJ, NYT, Washington Post, Huffington Post, Politico, NBCNews.com, CNET, USA Today, Fox News, CNN’s The Lead with Jake Tapper, Business Insider, National Journal, Forbes, New York Magazine’s Daily Intel Blog, TechCrunch, The Week, Mashable, ZeroHedge, Gizmodo, The Wire, The Verge, Engadget, NPR’s The Two-Way. Drudge Report also linked.”
The irony here is that some of that followership was debunking the Bloomberg story. Take the New York Times. In a piece titled “U.S. Denies It Knew of Heartbleed Bug on the Web,” reporters David E. Sanger and Nicole Perlroth seize on official denials of the Bloomberg article that followed its publication. The Office of the Director of National Intelligence appeared to leave little breathing room for the Heartbleed story: “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.” As the Winkler missive noted proudly, the White House also issued a denial.
The New York Times piled on the denials by citing a familiar species in Beltway journalism: “Outside experts expressed strong doubts about the report, noting that the information that could be gleaned from the Heartbleed bug was somewhat random, meaning it probably would be a clumsy intelligence tool.” One of those experts later changed his opinion on this clumsiness.
So where does Bloomberg stand in the face of the challenges? “We stand by the reporting,” said company spokesman Ty Trippet.
The company declined to provide many details on the process, but the published trail speaks to the difficulties of landing a scoop on the National Security Agency these days. As Riley’s stories on Heartbleed make clear, he contacted the NSA prior to publication in an effort to vet the information that he got from his sources. No comment, came the reply from the NSA. So Bloomberg hit the “publish” button and prompted a full-on roar in the world of Internet security.
Then came the official denials.
Herewith an ethical question for the government: How to justify silence on a set of facts before publication, only to turn around and deny them post facto? Shawn Turner, spokesman for Director of National Intelligence James Clapper, tells the Erik Wemple Blog that the turnabout has to do with timing: “NSA is an agency of thousands of employees and dozens of divisions. We were given a little under two hours to answer the question. When we are going to make a flat out denial, we have a responsibility to make sure that we are 100% certain of the facts. While we were busy ensuring that no one in the agency was aware of the Heartbleed vulnerability, Bloomberg published the article with the false claim,” Turner wrote in an e-mail.
Bloomberg’s Trippet took issue with that: “We received an e-mail from the NSA prior to publication on April 11 saying the NSA declined to comment, and there was no request for more time for them to gather more information.”
Asked how frequently such denials come out of the intelligence community, Turner replied, “Whenever a claim is just flat out wrong, we say as much.”
Despite the intelligence community’s denial that it had used Heartbleed, Riley calls upon his unnamed sources to note that the “NSA has more than one way to circumvent the security of SSL and OpenSSL, a free version of the protocol.” Have a look:
One work-around involves not defeating the SSL software itself but breaking into a different system on the targeted computer on which the software depends, according to one of the people. While disclosing that method might increase computer security generally, the NSA might consider that a hacking technique instead of an SSL vulnerability.
The suggestion here is that perhaps terminology is all that separates Riley’s story from the denial issued by Clapper’s outfit. More details from Riley:
The matter is further complicated because a bug like Heartbleed has to be turned into a specific exploit, a process that can branch out quickly, creating a class of vulnerabilities rather than just a single one. Small differences in the way a platform like OpenSSL is exploited could lead to differing conclusions about whether the exploits are the same.
“Maybe it’s not Heartbleed, maybe it’s what they call alpha green, and alpha green is something that sends a packet to OpenSSL and creates an information leak,” said [cyberwar expert Jason] Syversen. “It’s going to be challenging to conclude whether it’s the exact same technique or not.”
“Alpha green” and other imagined NSA code names are way beyond the scope of this blog.
No matter how sturdy Riley’s scoop ends up, it at least smoked out a revelation from the intelligence community. Along with its denial of the Bloomberg article, the director of national intelligence’s office disclosed a governmental “bias” toward revealing bugs: “When Federal agencies discover a new vulnerability in commercial and open source software . . . it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.” A big loophole is available, of course, for “a clear national security or law enforcement need.”