From the How Is This Not Front Page News In Every Paper In The Country? Files, Bloomberg brings us the tale of how our good friends at the National Security Agency (hi guys!) have known about Heartbleed — a critical Internet security flaw that affects "the basic security of as many as two-thirds of the world’s websites"—for "at least two years."
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
Good work, NSA, way to see the threat before anyone else, our tax Bitcoins at work! Except, whoops, instead of telling anyone about it or how to fix it, the NSA just sat on it and gobbled up everyone's passwords and personal information. The better to make leet haxx, my pretty.
Now, Yr Wonket will lay out the appropriate caveats on a story like this, after which we will tickle your rage buttons until you squeal with anger-glee:
Bloomberg's source is anonymous—"two people familiar with the matter." This could be just about anyone: Congressional staffers, NSA whistleblowers, other members of the intelligence community looking to dirty up a sister agency, or your uncle Merle. Probably Merle, he can't keep anything secret.
The NSA says it ain't so: "Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong" is their story, and they're stickin' to it. Here, have some more grains of salt, they'll make this taste better.
It is highly unlikely, given the way that we classify information in U.S. America, that you'll ever be able to know what's actually going on here if you don't have super-duper Top Secret security clearances. But that should not stop us from speculating wildly and feeling all the feels!
Ok! We have successfully caveated, and now it is time for the Argle Bargle portion of our write-up.
THE NSA DID WHAT!?! YOU GUYS KNEW ABOUT HEARTBLEED, AND YOU TOLD NO ONE ABOUT IT???
Throw us a frickin' bone here, NSA. Look, you guys are really, really good at what you do, and you're really, really good at what you do in part because you get a whole bunch of money from the taxpayers who you hung out to dry with this Heartbleed thing. You used to be cool, NSA.
Yr Wonket is not a wild-eyed civil libertarian type. When International Man of Mystery Edward Snowden told everyone about the NSA's PRISM program, Yr Wonket truly did not understand why everyone was so surprised, since almost everything except the program's name had been reported back in 2006 in a little-known leftist rag called USA Today. "Old news," we yawned, and then we shook our canes in the direction of Zuccotti Park.
We get it, NSA: to execute your mission, you can't tell every American about every single thing you're doing. Before all of you awful people start screaming in the comments about NOT IN OUR NAME, consider your family's Thanksgiving dinner arguments, or the fact that one-third of the country believes the FDA has cures for cancer and it's just withholding them from sick people for shits and giggles. Consider the number of Americans who believe that Barack Hussein Obama is exactly like Hitler -- we get it, we are dum-dums, NSA, we get why you have to keep some things secret.
But it would also be really, really nice of you to, like, act in good faith maybe? Y'know, since you're part of our country's national security apparatus, and exploiting a security vulnerability for your own use without actually helping to protect the information security of the citizenry doesn't exactly sound like something we give you money for?
Imagine the headlines you could have generated if you hadn't been such dicks about it:
"Hero NSA Finds Internet Security Thingy Before Everyone Else, Saves the Dick Pics in Your Dropbox Account"
"Consumers Continue Shopping on Amazon in Safety Thanks to Selfless Actions of Career Civil Servants"
"American People's Conspiracy Theories Challenged by Government Objectively Doing the Right Thing"
Instead, we have this. Combined with the deliberately misleading actions of the CIA, it almost looks like agencies with black budgets get to operate with zero oversight! Must be pretty cool, guys. SUCH POWER.
And then stuff like this happens, and all we can think to do is aim for the bottom of a bottle of cheap whiskey and dive, dive, dive.
[ Bloomberg ]
There is no way the NSA does not have a team of coders that know the OpenSSL code by heart. They've definitely known about it.
"... attempt to exploit would stick out like a sore thumb"
How? None of those TLS heartbeat requests are logged anywhere, you would never know. You can definitely target someone - you only need know what websites they tend to visit. Granted, it's more useful to an identity thief / fraud type than the NSA, but in no way is it a "weak" exploit - it's rather devastating.
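As an added example that is not part of the post or the comments above: the check a network sensor can make to surface the condition the comment says never gets logged, namely a TLS heartbeat record whose declared payload length is larger than the payload it actually carries. The sample records are constructed here, not captured traffic, and the function and variable names are my own.

```python
import struct

TLS_HEARTBEAT = 0x18           # TLS record content type for heartbeat (RFC 6520)
HB_TYPES = {1: "request", 2: "response"}
MIN_PADDING = 16               # RFC 6520 requires at least 16 bytes of random padding

def inspect_heartbeat_record(record: bytes):
    """Parse one TLS record; return None if it is not a heartbeat.

    Otherwise report the declared payload_length, the payload bytes the record
    really holds, and 'suspicious' when the declared length exceeds that. The
    vulnerable OpenSSL code skipped this comparison, which is why a network
    sensor can log the mismatch even though the application layer never does.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return None
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 3:
        raise ValueError("heartbeat record length field disagrees with bytes on the wire")
    hb_type, payload_length = struct.unpack("!BH", body[:3])
    capacity = max(len(body) - 3 - MIN_PADDING, 0)   # room left after type, length, padding
    return {
        "version": version,
        "type": HB_TYPES.get(hb_type, "unknown"),
        "declared_payload_length": payload_length,
        "payload_capacity": capacity,
        "suspicious": payload_length > capacity,
    }

# Constructed sample records (not captured traffic). TLS 1.1 record header:
# type 0x18, version 0x0302, length 23 = 1 (hb type) + 2 (length) + 4 (payload) + 16 (padding).
BENIGN_RECORD = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04" + b"ping" + b"\x00" * 16
# Same record, but the length field claims 16384 bytes while only four are present.
MALFORMED_RECORD = b"\x18\x03\x02\x00\x17" + b"\x01\x40\x00" + b"ping" + b"\x00" * 16
# An application-data record (type 0x17), which the inspector ignores.
APP_DATA_RECORD = b"\x17\x03\x02\x00\x05" + b"hello"

def flag_suspicious(records):
    """Return the indexes of records a sensor should alert on."""
    hits = []
    for i, rec in enumerate(records):
        info = inspect_heartbeat_record(rec)
        if info and info["suspicious"]:
            hits.append(i)
    return hits
```

Real sensors (Snort and Suricata both shipped rules of this shape in April 2014) apply the same length comparison per record, so the comment's "you would never know" holds at the application layer but not on the wire.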