The United States Government Thinks Heartbleed Is Okay!
That the market didn’t report a surge in pitchfork sales shocks the hell out of me.
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.
Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. to Juniper Networks Inc. to provide patches for their systems.
That is via Bloomberg.
The National Security Administration of the United States of America (allegedly) thought that not saying a word about a flaw in open source software in several locations around the Internet FOR TWO YEARS was just fine. This is your government, one that doesn’t respect you or privacy. This isn’t some Edward Snowden stuff, either. This is a pretty big deal.
The Heartbleed bug, in its simplest form, is a flaw that leaves some websites using a specific open source software vulnerable to queries for data. The data that gets pulled out can be virtually anything – usernames, passwords, etc. It’s become a big issue on the Internet, with some pretty big sites like Yahoo! being left open to attack in this way.
Now, unlike the phone metadata scandal, this is something we should really, really be worried about. This is an exploit that anyone with malicious intent could use. The metadata was something phone companies handed over to the government. It wasn’t exactly exploitable by hackers. The NSA took the opportunity provided by the Heartbleed bug, a bug that explicitly puts consumer personal information in danger, and said nothing about it because… well, for an agency filled with smart people, the NSA doesn’t seem to be filled with smart people.
This is the world we live in, where the government, in an effort to control your life via information gathering, has stooped to some pretty gruesome lows.
EDIT: The NSA is totally denying it because… well, duh.
“If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,” said National Security Council spokesperson Caitlin Hayden.
The denials are unusually forceful for an agency that has historically deployed evasive language when referring to its intelligence programs.