Linked by Thom Holwerda on Fri 11th Apr 2014 20:21 UTC
Privacy, Security, Encryption

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

I'm so surprised.

Update: NSA denies.

Thread beginning with comment 586991
RE[2]: I don't think so...
by cdude on Sat 12th Apr 2014 16:54 UTC in reply to "RE: I don't think so..."

Article, written on September 9, 2013 in technologyreview:

http://www.technologyreview.com/news/519171/nsa-leak-leaves-crypto-...

"Two NSA tactics prominent in Thursday’s report highlight widely known and fixable flaws in the way most online services operate. In one of those tactics, the agency collects encryption keys from online services so it can decode intercepted data at will.
[...]
the new reports appear to confirm long-held suspicions that the agency can overpower a [relatively weak?] form of encryption used by most websites that offer secure SSL connections
[...]
The software that Internet companies use to implement SSL, in particular a widely used open source package called OpenSSL, is one of many pieces of the Internet’s security infrastructure that will be more closely scrutinized after last week’s reports"

And that, more closely watching OpenSSL, is what Google did. Heartbleed was found, and now people question that the NSA knew about it, while it was in the leaked documents all the time. Humans: denying is so much easier.

Edited 2014-04-12 16:58 UTC

Score: 4