[[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

Warren Bailey wbailey at satelliteintelligencegroup.com
Fri Apr 11 23:08:19 UTC 2014

And their Level 3 to 4 accomplished what exactly?? They were owned the
same way the own others, from the inside.

On 4/11/14, 4:27 PM, "Peter Kristolaitis" <alter3d at alter3d.ca> wrote:

>On 4/11/2014 4:03 PM, William Herrin wrote:
>>>> The U.S. National Security Agency knew for at least two years about a
>>>> in the way that many websites send sensitive information, now dubbed
>>>> Heartbleed bug, and regularly used it to gather critical intelligence,
>>>> two people familiar with the matter said.
>>>> The NSA's decision to keep the bug secret in pursuit of national
>>>> interests threatens to renew the rancorous debate over the role of the
>>>> government's top computer experts.
>> I call B.S. Do you have any idea how many thousands of impacted NSA
>> servers run by contractors hung out on the Internet with sensitive NSA
>> data? If you told me they used it against the targets of the day while
>> putting out the word to patch I could buy it, but intentionally
>> leaving a certain bodily extension hanging in the breeze in the hopes
>> of gaining more valuable data than they lose would have been an
>> unusually gutsy move.
>> These two unnamed sources are liars. Bet on it.
>> Regards,
>> Bill Herrin
>I would imagine that federal contractors have to adhere to FIPS 140-2
>standards (or some similar requirement) for sensitive environments, and
>none of the affected OpenSSL versions were certified to any FIPS
>standard... the last version that WAS certified (0.9.8j) is only rated
>to Level 1, which, being the lowest possible rating, I suspect is not
>permitted for use by NSA contractors -- they're probably required to use
>level 3 or 4 for everything.

More information about the NANOG mailing list