And their Level 3 to 4 accomplished what exactly?? They were owned the same way they own others, from the inside.
On 4/11/14, 4:27 PM, "Peter Kristolaitis" <[email protected]> wrote:

>
>On 4/11/2014 4:03 PM, William Herrin wrote:
>>>> The U.S. National Security Agency knew for at least two years about a flaw
>>>> in the way that many websites send sensitive information, now dubbed the
>>>> Heartbleed bug, and regularly used it to gather critical intelligence,
>>>> two people familiar with the matter said.
>>>>
>>>> The NSA's decision to keep the bug secret in pursuit of national security
>>>> interests threatens to renew the rancorous debate over the role of the
>>>> government's top computer experts.
>> I call B.S. Do you have any idea how many thousands of impacted NSA
>> servers run by contractors hung out on the Internet with sensitive NSA
>> data? If you told me they used it against the targets of the day while
>> putting out the word to patch I could buy it, but intentionally
>> leaving a certain bodily extension hanging in the breeze in the hopes
>> of gaining more valuable data than they lose would have been an
>> unusually gutsy move.
>>
>> These two unnamed sources are liars. Bet on it.
>>
>> Regards,
>> Bill Herrin
>
>I would imagine that federal contractors have to adhere to FIPS 140-2
>standards (or some similar requirement) for sensitive environments, and
>none of the affected OpenSSL versions were certified to any FIPS
>standard... the last version that WAS certified (0.9.8j) is only rated
>to Level 1, which, being the lowest possible rating, I suspect is not
>permitted for use by NSA contractors -- they're probably required to use
>level 3 or 4 for everything.
>

