Lavabit case undermines claims NSA had Heartbleed early

Summary: If the NSA really did have Heartbleed "for years" as was claimed recently by Bloomberg news, they wouldn't need to go after Lavabit. They wouldn't even want to.

When I first read the claims by Bloomberg News that the NSA had access to the Heartbleed bug "for years" I was immediately suspicious. It had only been two years since the code had been released as part of OpenSSL. Yes, the NSA might have had it from earlier builds but it all sounded fishy, not least because it would have made them way more knowledgeable than they appear to be.

Today I feel even more confident in my skepticism, having been reminded of the case of Lavabit, which was served a subpoena for its SSL keys when the government found out it was Edward Snowden's email service. Lavabit refused, was fined and ordered to produce the keys, but didn't do so until they shut down their service. They have now lost their appeal to the Fourth Circuit Court of Appeals, for reasons unrelated to technology or even to the arguments they made on appeal, but basically for bad lawyering.

If the NSA already had Heartbleed they wouldn't need Lavabit's cooperation. They would have the keys and would be able to decrypt all Lavabit email. The government wouldn't want to cause any legal trouble for Lavabit; it would want to allow the service to keep functioning and its users to keep communicating, comfortable in their illusion of privacy.
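The reasoning above rests on what Heartbleed actually was: a TLS heartbeat handler that trusted the sender's declared payload length and echoed back that many bytes of process memory, where an OpenSSL server's private key can sit. The following is an added example, not code from the article or from OpenSSL, showing the length check that RFC 6520 requires and that the vulnerable versions omitted, written as a defender-side validator of the kind a sensor or test harness would run. The two sample records are constructed by hand; the function and constant names are this example's own.

```python
# Added example (not from the article): a validator for TLS heartbeat records,
# implementing the RFC 6520 length check that Heartbleed-vulnerable OpenSSL
# builds omitted. The sample records at the bottom are constructed by hand.
import struct
from typing import Dict, List

HEARTBEAT_CONTENT_TYPE = 24   # TLS ContentType value for heartbeat (RFC 6520)
MIN_PADDING = 16              # RFC 6520: padding must be at least 16 bytes
HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2


def check_heartbeat_record(record: bytes) -> Dict[str, object]:
    """Parse one TLS record and decide whether its heartbeat message is well-formed.

    The key rule (RFC 6520 section 4): a receiver must silently discard a
    HeartbeatMessage whose payload_length, plus 16 bytes of padding, plus the
    3-byte message header, exceeds the TLS record length.  A vulnerable peer
    instead trusts payload_length and copies that many bytes from memory.
    """
    result: Dict[str, object] = {"ok": False, "reason": "", "declared": None, "actual": None}
    if len(record) < 5:
        result["reason"] = "truncated TLS record header"
        return result
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        result["reason"] = f"not a heartbeat record (content type {content_type})"
        return result
    body = record[5:]
    if len(body) != rec_len:
        result["reason"] = f"record length {rec_len} does not match {len(body)} bytes present"
        return result
    if len(body) < 3 + MIN_PADDING:
        result["reason"] = "heartbeat body shorter than header plus minimum padding"
        return result
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    result["declared"] = payload_len
    result["actual"] = len(body) - 3 - MIN_PADDING  # bytes genuinely available as payload
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        result["reason"] = f"unknown heartbeat type {hb_type}"
        return result
    # This is the check the fixed OpenSSL restored: bound the declared length
    # by what the record actually carries before touching any memory.
    if 3 + payload_len + MIN_PADDING > rec_len:
        result["reason"] = "declared payload_length exceeds record length (Heartbleed pattern)"
        return result
    result["ok"] = True
    result["reason"] = "well-formed"
    return result


def count_malformed(records: List[bytes]) -> int:
    """Number of records a sensor would flag, for a quick tally over captured traffic."""
    return sum(1 for r in records if not check_heartbeat_record(r)["ok"])


# Constructed sample records (TLS 1.1 version bytes 03 02, 24-byte body):
# 01 = request, 2-byte payload_length, payload "hello", then 16 bytes of padding.
GOOD_RECORD = bytes.fromhex("18 03 02 00 18 " "01 00 05 " "68 65 6c 6c 6f") + b"\x00" * 16
# Same bytes, but payload_length claims 0x4000 (16384) bytes while only 5 are present.
BAD_RECORD = bytes.fromhex("18 03 02 00 18 " "01 40 00 " "68 65 6c 6c 6f") + b"\x00" * 16

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, check_heartbeat_record(rec))
```

The validator reports the declared and actual payload sizes side by side, which is the single signal worth alerting on: a heartbeat whose declared length is far larger than the record is malformed by definition, and the RFC's discard rule makes the correct server response a no-op rather than a memory copy.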

Another suspicious point now is that none of the journalists with whom Snowden worked, the ones who have access to the data he dumped, have made this claim yet. This is surprising since it would be an order of magnitude more spectacular than any other claim they have made so far. In fact, it would make many of their other practices, which have caused so much controversy, unnecessary.

Because it's relevant, I should point out that this Ars Technica interview with Lavabit owner Ladar Levison specifically states that he used OpenSSL for his cryptography.

I'm sure Bloomberg didn't make it up, which means either their two anonymous sources were making it up or they were mistaken. Either way it's pretty embarrassing.

The moral of the story, as I see it, is that you shouldn't assume that the NSA (or any other agency of government) is particularly omniscient or that it has powers beyond what is reasonable. They certainly want to be omniscient, but even their budget is inadequate to the task. Further proof of this is that we know that the security at Lavabit was, in fact, poor. They didn't even need Heartbleed to get at Lavabit; they just needed to look at it critically. How all-powerful can they really be?

Topics: Security, Government: US

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
