Linked by Thom Holwerda on Fri 11th Apr 2014 20:21 UTC
Privacy, Security, Encryption

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

I'm so surprised.

Update: NSA denies.

The source...
by grat on Sat 12th Apr 2014 19:51 UTC

"Two people familiar with the matter", which is twice as good as "I read it on the interwebz!".

As an admin who spent last week finding all of his vulnerable machines, and patching them, and having watched some of the presentations on the NSA's activities, I'm a bit skeptical of this claim.

First, getting an SSL key, or a password, or any bit of useful information via Heartbleed requires many, many, many efforts at retrieving the desired data (or luck), because you're grabbing semi-random 64kb chunks of memory.

The NSA isn't interested in tools that only give them randomly useful information. They want specific information and lots of it.

More importantly, with the sophistication of their known, documented, man-in-the-middle attacks, they don't NEED the Heartbleed bug. It's like putting gas in your car with a teaspoon, when you've got a 5 gallon gas can available.

They've already hijacked the network near you, and the network at the service you're connecting to (and possibly your router), and they've got the equipment installed to not only hijack your connection, but intercept the data being sent back to you, alter it, and make sure the altered packets get back to you first.

Or, using this vulnerability, they could spend hundreds of computer hours trying to randomly steal and assemble information they've already got.

I suggest anyone interested track down Jacob Appelbaum's presentation "To Protect and Infect", and watch it. It's somewhat depressing, but enlightening.

Reply Score: 4
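The "semi-random 64kb chunks" in the comment above come from a responder trusting a heartbeat message's claimed payload length. The following is an added example, not code from the post or from OpenSSL: the bounds check the Heartbleed fix introduced, written as a stand-alone validator over the RFC 6520 heartbeat layout, with two constructed sample records (a well-formed one and one whose claimed length overruns what was actually sent).

```c
/* Added example: the length check that closes Heartbleed, applied to a TLS
 * heartbeat message (RFC 6520 layout, after the 5-byte TLS record header):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * Not OpenSSL's code; the sample records below are constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HB_HEADER_LEN  3   /* type + 2-byte payload_length */
#define HB_MIN_PADDING 16  /* RFC 6520 requires at least 16 bytes of padding */

/* Returns 1 if the claimed payload fits inside the bytes actually received,
 * 0 if it overruns them. A vulnerable responder trusted payload_length and
 * echoed that many bytes from its heap; the fix is this comparison against
 * the real record length, silently dropping any message that fails it. */
int heartbeat_length_ok(const uint8_t *msg, size_t msg_len) {
    if (msg_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;                                  /* cannot hold any valid message */
    size_t payload_len = ((size_t)msg[1] << 8) | msg[2];
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > msg_len)
        return 0;                                  /* claims more than was sent */
    return 1;
}

/* Constructed heartbeat request: claims 4 payload bytes and carries 4. */
const uint8_t GOOD_HB[] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0   /* 16 bytes of padding */
};

/* Constructed malformed request: claims 65535 payload bytes (the ~64 KB the
 * comment refers to) but carries only 4. A patched responder drops it. */
const uint8_t BAD_HB[] = {
    0x01, 0xff, 0xff, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

int main(void) {
    printf("well-formed record: %s\n",
           heartbeat_length_ok(GOOD_HB, sizeof GOOD_HB) ? "accept" : "drop");
    printf("overlong claim:     %s\n",
           heartbeat_length_ok(BAD_HB, sizeof BAD_HB) ? "accept" : "drop");
    return 0;
}
```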