[[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

Matt Palmer mpalmer at hezmatt.org
Fri Apr 11 21:56:01 UTC 2014


On Fri, Apr 11, 2014 at 04:03:36PM -0400, William Herrin wrote:
> >> The U.S. National Security Agency knew for at least two years about a flaw
> >> in the way that many websites send sensitive information, now dubbed the
> >> Heartbleed bug, and regularly used it to gather critical intelligence,
> >> two people familiar with the matter said.
> >>
> >> The NSA's decision to keep the bug secret in pursuit of national security
> >> interests threatens to renew the rancorous debate over the role of the
> >> government's top computer experts.
> 
> I call B.S. Do you have any idea how many thousands of impacted NSA
> servers run by contractors hung out on the Internet with sensitive NSA
> data? If you told me they used it against the targets of the day while
> putting out the word to patch I could buy it, but intentionally
> leaving a certain bodily extension hanging in the breeze in the hopes
> of gaining more valuable data than they lose would have been an
> unusually gutsy move.

You're assuming that the NSA is a single monolithic entity.  IIRC, the
offense team and the defense team don't really talk much, and they
*certainly* have very different motivations.  It wouldn't surprise me at all
if the offense got hold of a juicy bug, and since they're paid to capture
data, and knowing that they wouldn't get in trouble if the defense lost
data, their motivations to keep their little bug to themselves are entirely
understandable.

The interesting thing to me is that the article claims the NSA have been
using this for "over two years", but 1.0.1 (the first vulnerable version)
was only released on 14 Mar 2012.  That means that either:

 * The NSA put it in there (still a bridge too far for me to believe without
   further evidence, although I can certainly understand why people could
   believe it) and hence were using it from day 1;
 
 * The NSA found it *amazingly* quickly (they're very good at what they do,
   but I don't believe they have superhuman talents); or
 
 * The article has got at least one fact wrong, in which case it's entirely
   plausible they've got other things wrong, too.

- Matt

-- 
That's why I love VoIP. You don't get people phoning up to complain that the
network is down.
		-- Peter Corlett, in the Monastery