NSA knew about and used Heartbleed web exploit

The tech web has been abuzz this week about what has been dubbed “Heartbleed,” a code exploit in the OpenSSL encryption system, which could have allowed hackers and cyberterrorists to access login credentials from some of the biggest websites in the world over the last two years. Lists were quickly constructed to explain to users which sites were affected and which passwords they needed to change immediately.

It turns out the NSA has known about the Heartbleed vulnerability for years, but never warned anyone that millions of Americans’ online identities could be at risk. Indeed, not only did they not sound the alarm, the NSA used the bug to access those online accounts in its already questionable surveillance activities.

The next question, of course, is who knew? Bloomberg News, which broke the story, received no comment from an NSA spokesperson. Before anyone jumps to blame President Obama, first on the interrogation list should be Director of National Intelligence James Clapper and House and Senate Intelligence Committee chairs Mike Rogers (R-MI) and Dianne Feinstein (D-CA), who oversee the agency and other intelligence operations.

If anyone outside of the NSA itself knew about the Heartbleed exploit and its use in surveillance, it would be those three, the biggest enablers of the embattled agency.

While Bloomberg’s report notes that “the search for flaws is central to NSA’s mission”, one assumes that in a democratic republic, a successful search of that nature would result in a wider awareness of those security flaws and subsequent fixes for them.

Now we know that is not the case. It is unclear now if the NSA knows of other software exploits, bugs, and viruses that leave Americans’ data insecure, and whether those too are being used for surveillance activities.

Ironically, one of the recommendations of the President’s review board after the initial Edward Snowden revelations was “that the NSA quickly move to fix software flaws rather than exploit them, and that they be used only in ‘rare instances’ and for short periods of time.” Perhaps if any action had been taken on these recommendations instead of just wishcasting, your online identity (yes, yours) would be more secure today.

UPDATE: Apparently understanding the seriousness of this accusation, the White House and NSA have already denied the report.


The views and opinions expressed by individual authors are not necessarily those of other authors, advertisers, developers or editors at United Liberty.