Many of you may have heard of the “Heartbleed” bug, which may allow people to access users’ passwords and the crypto keys of websites using the most popular SSL program, OpenSSL.
It now appears that the NSA knew about Heartbleed for 2 years, and kept it a secret so that they could use the exploit:
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The agency’s reported decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts. The NSA, after declining to comment on the report, subsequently denied that it was aware of Heartbleed until the vulnerability was made public by a private security report earlier this month.
“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong,” according to an e-mailed statement from the Office of the Director of National Intelligence.
Heartbleed appears to be one of the biggest flaws in the Internet’s history, affecting the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. and Juniper Networks Inc. to provide patches for their systems.
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
This bug is, to Bowdlerize Joe Biden, “A big f%$#ing deal.”
It basically completely breaks internet security, and the NSA sat on it, because they wanted to use the exploit.
The idea that anyone would allow the NSA in on any discussion of computer security is truly troubling. It is like allowing a young Willie Sutton to consult on bank security.*
* Later in life, after he got out of prison, Willie Sutton did actually consult on bank security.