The bigger issue in relation to the Heartbleed bug is that either the NSA knew about this years ago, didn’t notify the OpenSSL folks about it – and used it for spying purposes – or that they didn’t know about it, which calls into question their ability to analyze code properly.
After all, this wasn’t some proprietary code – this was open source code that anyone could download and compile.
Yahoo + Bloomberg imply that the NSA knew…
http://finance.yahoo.com/news/nsa-said-used-heartbleed-bug-040000414.html
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The agency’s reported decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts. The NSA, after declining to comment on the report, subsequently denied that it was aware of Heartbleed until the vulnerability was made public by a private security report earlier this month.
Of course the NSA deny it…
http://www.usatoday.com/story/tech/2014/04/11/heartbleed-cisco-juniper/7589759/
However, the agency strongly denied the substance of Bloomberg’s report.
“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” the agency said in a statement. “Reports that say otherwise are wrong.”
But it’s pretty clear to those in the know that they either *DID* know and they most probably WERE using it… or that their programmer/analysts aren’t that great…
http://www.zdnet.com/institutional-failure-led-to-nsa-missing-the-heartbleed-flaw-7000028366/
Previous leaks have shown that the NSA has spent hundreds of millions of dollars in actively exploiting weaknesses in encryption standards in conjunction with its British electronic eavesdropping counterpart, GCHQ. These activities “undermine the fabric of the Internet,” according to security experts.
It’s not outside the bounds of reason to suggest that the NSA, arguably, should have found the bug within days, weeks, or even months after it was reportedly accidentally introduced into the OpenSSL cryptographic library, more than two years ago.
Knowing how crucial and intrinsically important the library is to the world’s web servers and online operations, the NSA should have downloaded the source code along with other libraries available on the Web, compiled it, poked it within an inch of its limits to find bugs, flaws, and weaknesses, and discovered the Heartbleed bug long before it was disclosed earlier this month.
and
Clapper’s candid statement debut on Friday was further hardened by his closing sentiments.
“When Federal agencies discover a new vulnerability in commercial and open source software – a so-called ‘Zero day’ vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose,” Clapper said.
“Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.”
Reading between the lines of Clapper’s comments, it’s clear that because the scope and range of this bug was so wide and pervasive, had the NSA discovered it, there’s a strong hint that it may not have disclosed it – keeping it for itself to dive further into our private lives than the Snowden leaks have shown thus far.
Our take: they knew – and they’re lying to us – as usual!