Poll: Did NSA Know About and Use Heartbleed Bug?

All they did was issue a statement denying all knowledge. And Bill Clinton didn’t have sexual relations with “that woman” either.

I don’t really get the Heartbleed thing, on a technical level. Is the NSA exposed to any vulnerability from it?

The nature of the bug is explained in this xkcd cartoon.

I believe everything I read.
More seriously, if their statement is accurate this is a major intelligence failure by a multibillion dollar agency. The Snowden papers reveal that they had an active interest in OpenSSL, so if they didn’t know of this bug they really should have. I’ll leave it to the reader to apply Occam’s Razor.

This is my take on it. People will be checking logs and tracking down IP addresses. If the NSA was using the bug, there will be tell-tale signs in logs. (I wonder if the NSA has hacked machines in China it can use as probes to throw off trackers? Hmm.)

Of course, even better would be the situation if there was a government body keeping extensive logs of Internet traffic. Searching through those logs would be easy for such a body. No doubt they’d helpfully tell us what they found. :wink:

Yeah, what we need is a governmental agency in charge of security. But what would we call it? ::Think, think::

Actually they have one full-time employee: “Since OpenSSL is established to prevent hacker theft with internet data, it seems to be an important endeavor; yet and still, you wouldn’t recognize this right away. There are only eleven people currently that work in OpenSSL: 46-year-old British cryptographer Dr. Stephen Henson, volunteer Geoffrey Thorpe, two other British volunteers, a German developer, and a few others. Stephen Henson is the only full-time employee on the OpenSSL project. What started as a project committed to data encryption has now become standard on two-thirds of all websites on the Internet.” http://www.inferse.com/14435/heartbleed-bug-openssl-everything-need-know/ I suspect that the NSA has more than 11 employees studying OpenSSL.

If the NSA knew about it … why didn’t that tattletale who took off to Russia tell us ahead of time?

Actually Snowden did IIRC, at least on a general level. There were related stories on encryption. While encryption codes are very safe the implementation of them is a matter for speculation. The possibility of sabotage by intelligence agencies on OpenSSL has been discussed. Ditto for the version provided by Microsoft. (Brrrrrrr)
It’s also interesting the way the modern mind works. OpenSSL was used by numerous financial service companies and web platforms which arguably did not conduct adequate due diligence. Shouldn’t the Conference Board have had something to say about this? Yet big biz gets a free pass while the NSA receives brickbats. The NSA, you see, is part of the guvment.

Today’s NYT has a decent article on the subject. There is no evidence that the N.S.A. had any role in creating Heartbleed, or even that it made use of it. When the White House denied prior knowledge of Heartbleed on Friday afternoon, it appeared to be the first time that the N.S.A. had ever said whether a particular flaw in the Internet was — or was not — in the secret library it keeps at Fort Meade, Md., the headquarters of the agency and Cyber Command.

But documents released by Edward J. Snowden, the former N.S.A. contractor, make it clear that two years before Heartbleed became known, the N.S.A. was looking at ways to accomplish exactly what the flaw did by accident. A program code-named Bullrun… was part of a decade-long effort to crack or circumvent encryption on the web. The documents do not make clear how well it succeeded, but it may well have been more effective than exploiting Heartbleed would be at enabling access to secret data. The article discusses the Obama administration’s weighing of policy options considering the extent to which the NSA should create or expose zero day exploits. There’s been a fair amount of such internal review subsequent to the Snowden revelations.

“Free pass” – such a charming use of the word, to describe a gov’t that hands out up to $700 billion with zero strings attached, to the very banks who crashed our economy in the first place! :mad:

It should be kept in mind that Snowden’s leaks are nearly a year old, and his access to “sensitive NSA material” lasted only from early 2009 to April 2012. (Cite.) The OpenSSL exploit has only existed for a year or two, so it’s reasonable to assume that Snowden never knew it existed.

If the agency is actually innocent this time, they’re still hosed because they’ve put their own credibility so far into the toilet.

The underlying problem is an institutional conflict of interest created by having security (e.g. discovering and fixing vulnerabilities) and surveillance (e.g. discovering and exploiting vulnerabilities) under one roof.

So, if I heard correctly, a tech-type person discovered this loophole, and when he discovered it no one had yet taken advantage of the loophole.

Is this just talking points?

One more question: what if someone with a large research facility had known about this backdoor into people in the banking and investing industries, offering access to company emails and private company data …

Would the profit from such information be unlimited?

The problem is that there’s no way to tell after the fact whether the bug was used to leak sensitive data.

[QUOTE=TriPolar]
I don’t think the NSA is that good at hacking…
[/QUOTE]

Go take a look at what their Tailored Access Operations group has been doing over the past 15 or so years. They’re quite good at hacking. Scary good.

Did the NSA start actively targeting specific systems as soon as the vulnerability was announced? I’d bet real money on that.

I’m also willing to bet they were not involved in creating it.

If they wrote Heartbleed, an encrypted email service called Lavabit would probably still be in business. They knew Edward Snowden was using it, so they desperately wanted to get in. Lavabit said “Uh-uh!” then revoked its keys and shut down last August rather than allow government access. Another encrypted email service called Silent Circle pre-emptively shut down and destroyed its servers after seeing the government’s efforts at getting access to Lavabit’s customer mail.

Here’s an interview with the OpenSSL developer who fessed up to accidentally creating the error.

Awesome reply/username combo, btw. :cool: