On 4/11/2014 4:03 PM, William Herrin wrote:
The U.S. National Security Agency knew for at least two years about a flaw
in the way that many websites send sensitive information, now dubbed the
Heartbleed bug, and regularly used it to gather critical intelligence,
two people familiar with the matter said.

The NSA's decision to keep the bug secret in pursuit of national security
interests threatens to renew the rancorous debate over the role of the
government's top computer experts.
I call B.S. Do you have any idea how many thousands of impacted NSA
servers run by contractors hung out on the Internet with sensitive NSA
data? If you told me they used it against the targets of the day while
putting out the word to patch I could buy it, but intentionally
leaving a certain bodily extension hanging in the breeze in the hopes
of gaining more valuable data than they lose would have been an
unusually gutsy move.

These two unnamed sources are liars. Bet on it.

Regards,
Bill Herrin

I would imagine that federal contractors have to adhere to FIPS 140-2 standards (or some similar requirement) for sensitive environments, and none of the affected OpenSSL versions were certified to any FIPS standard... the last version that WAS certified (0.9.8j) is only rated to Level 1, which, being the lowest possible rating, I suspect is not permitted for use by NSA contractors -- they're probably required to use Level 3 or 4 for everything.
