Re: [tor-relays] NSA knew about Heartbleed



Jesse Victors:
> "The U.S. National Security Agency knew for at least two years about a
> flaw in the way that many websites send sensitive information, now
> dubbed the Heartbleed bug, and regularly used it to gather critical
> intelligence, two people familiar with the matter said. The NSA said in
> response to a Bloomberg News article that it wasn't aware of Heartbleed
> until the vulnerability was made public by a private security report.
> The agency's reported decision to keep the bug secret in pursuit of
> national security interests threatens to renew the rancorous debate over
> the role of the government's top computer experts."

I'm skeptical of this report.  The Office of the Director of National
Intelligence responded to the story by saying:

"Reports that NSA or any other part of the government were aware of the
so-called Heartbleed vulnerability before 2014 are wrong"

This is believable because if it were a lie, they would risk an outright
contradiction from a leak or Snowden document, which would further
damage their already terrible credibility and reputation.

"Two sources familiar with matter" could merely be two computer security
experts who have an unsubstantiated opinion that the NSA was exploiting
this beforehand.  We have no idea how credible these sources are.

One thing I am sure of is this generated a lot of clicks for Bloomberg.
NSA rumors involving hot technology topics seem like a good way to
make money for a news website.

That said, if you carefully parse the statement from DNI, it seems to me
to imply they were aware of the Heartbleed vulnerability in 2014.  Why
would they say "before 2014" instead of "before its disclosure Monday"
or something?  They may have known about it weeks or months in advance,
and been exploiting it or patching their systems.  But that is not as
egregious as it would be to conceal this flaw for years.

Delton
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays