On Fri, Apr 11, 2014 at 04:03:36PM -0400, William Herrin wrote:
> > The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
> > The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government's top computer experts.
> I call B.S. Do you have any idea how many thousands of impacted NSA servers run by contractors hung out on the Internet with sensitive NSA data? If you told me they used it against the targets of the day while putting out the word to patch I could buy it, but intentionally leaving a certain bodily extension hanging in the breeze in the hopes of gaining more valuable data than they lose would have been an unusually gutsy move.
You're assuming that the NSA is a single monolithic entity. IIRC, the offense team and the defense team don't really talk much, and they *certainly* have very different motivations. It wouldn't surprise me at all if the offense got hold of a juicy bug, and since they're paid to capture data, and knowing that they wouldn't get in trouble if the defense lost data, their motivations to keep their little bug to themselves are entirely understandable.

The interesting thing to me is that the article claims the NSA have been using this for "over two years", but 1.0.1 (the first vulnerable version) was only released on 14 Mar 2012. That means that either:

* The NSA put it in there (still a bridge too far for me to believe without further evidence, although I can certainly understand why people could believe it) and hence were using it from day 1;
* The NSA found it *amazingly* quickly (they're very good at what they do, but I don't believe they have superhuman talents); or
* The article has got at least one fact wrong, in which case it's entirely plausible they've got other things wrong, too.

- Matt

-- 
That's why I love VoIP. You don't get people phoning up to complain that the network is down.
-- Peter Corlett, in the Monastery