[[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

Peter Kristolaitis alter3d at alter3d.ca
Fri Apr 11 22:27:16 UTC 2014


On 4/11/2014 4:03 PM, William Herrin wrote:
>>> The U.S. National Security Agency knew for at least two years about a flaw
>>> in the way that many websites send sensitive information, now dubbed the
>>> Heartbleed bug, and regularly used it to gather critical intelligence,
>>> two people familiar with the matter said.
>>>
>>> The NSA's decision to keep the bug secret in pursuit of national security
>>> interests threatens to renew the rancorous debate over the role of the
>>> government's top computer experts.
> I call B.S. Do you have any idea how many thousands of impacted NSA
> servers run by contractors hung out on the Internet with sensitive NSA
> data? If you told me they used it against the targets of the day while
> putting out the word to patch I could buy it, but intentionally
> leaving a certain bodily extension hanging in the breeze in the hopes
> of gaining more valuable data than they lose would have been an
> unusually gutsy move.
>
> These two unnamed sources are liars. Bet on it.
>
> Regards,
> Bill Herrin

I would imagine that federal contractors have to adhere to FIPS 140-2 
standards (or some similar requirement) for sensitive environments, and 
none of the affected OpenSSL versions were certified to any FIPS 
standard... the last version that WAS certified (0.9.8j) is only rated 
to Level 1, which, being the lowest possible rating, I suspect is not 
permitted for use by NSA contractors -- they're probably required to use 
level 3 or 4 for everything.



