Linked by Thom Holwerda on Fri 11th Apr 2014 20:21 UTC
Privacy, Security, Encryption

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

I'm so surprised.

Update: NSA denies.

I don't think so...
by CapEnt on Fri 11th Apr 2014 21:24 UTC

I find it doubtful that the NSA knew about this bug too long beforehand.

It would create a counter-intelligence nightmare. The NSA is not the only agency in the world engaging in cyber espionage. Plenty of very large American companies were using the vulnerable version of this software. And these secrets are worth a lot to European, South American and Chinese companies. The trade-off is just too great to be afforded.

And the bug is too unreliable to get information quickly. To successfully get a user's access using it would require days, even weeks, sending server requests with malformed heartbeats, and a very keen eye to identify useful information in the middle of all the garbage.

A really secure environment, of the type in which "American enemies" store critical information, will not simply accept requests from a random IP from nowhere and likely will not be connected to the internet either; it would take a compromised computer on the inside and large chunks of luck that a sysadmin would not take notice.

Reply Score: 9