[[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

Warren Bailey wbailey at satelliteintelligencegroup.com
Fri Apr 11 23:08:19 UTC 2014


And their Level 3 to 4 accomplished what exactly?? They were owned the
same way they own others, from the inside.

On 4/11/14, 4:27 PM, "Peter Kristolaitis" <alter3d at alter3d.ca> wrote:

>
>On 4/11/2014 4:03 PM, William Herrin wrote:
>>>> The U.S. National Security Agency knew for at least two years about a flaw
>>>> in the way that many websites send sensitive information, now dubbed the
>>>> Heartbleed bug, and regularly used it to gather critical intelligence,
>>>> two people familiar with the matter said.
>>>>
>>>> The NSA's decision to keep the bug secret in pursuit of national security
>>>> interests threatens to renew the rancorous debate over the role of the
>>>> government's top computer experts.
>> I call B.S. Do you have any idea how many thousands of impacted NSA
>> servers run by contractors hung out on the Internet with sensitive NSA
>> data? If you told me they used it against the targets of the day while
>> putting out the word to patch I could buy it, but intentionally
>> leaving a certain bodily extension hanging in the breeze in the hopes
>> of gaining more valuable data than they lose would have been an
>> unusually gutsy move.
>>
>> These two unnamed sources are liars. Bet on it.
>>
>> Regards,
>> Bill Herrin
>
>I would imagine that federal contractors have to adhere to FIPS 140-2
>standards (or some similar requirement) for sensitive environments, and
>none of the affected OpenSSL versions were certified to any FIPS
>standard... the last version that WAS certified (0.9.8j) is only rated
>to Level 1, which, being the lowest possible rating, I suspect is not
>permitted for use by NSA contractors -- they're probably required to use
>level 3 or 4 for everything.
>