Of Course the NSA Knew About Heartbleed Two Years Ago and Did Nothing

The Citizen's Guide to the Future
April 11 2014 5:33 PM

Report: The NSA Knew About Heartbleed and Exploited It Because Of Course


Screencap of NSA.gov. Heartbleed logo from Codenomicon.

It just doesn't end. Bloomberg is reporting that, according to “two people familiar with the matter,” the NSA has known about the Heartbleed vulnerability for at least two years—and was using it to collect information about people instead of, you know, telling someone about it and getting it fixed.

With millions of websites compromised, people all over the world changing their passwords for protection, the Canadian government suspending electronic tax filing, and people speculating about whether Heartbleed is the “worst vulnerability ever,” this could end up looking pretty bad for the agency. Good thing it already has a sparkly-clean public image, or it might be in trouble.


According to Bloomberg, it doesn’t seem that the NSA created Heartbleed—it just found the bug and used it. An NSA spokesperson declined to comment about the agency's knowledge or use of Heartbleed. But Jason Healey, director of the Cyber Statecraft Initiative and a former Air Force cyber officer, told Bloomberg, “It flies in the face of the agency’s comments that defense comes first. They are going to be completely shredded by the computer security community for this.”

In early 2012 Heartbleed was mistakenly introduced into the code for OpenSSL, an open-source software component for certain popular types of encryption. It would make sense if the NSA found it soon after, because—in addition to using its influence to weaken new or existing encryption—the agency also spends millions of dollars looking for software vulnerabilities that already exist around the Web, especially in open-source code that is more likely to have inconsistent oversight, and therefore bigger errors.

The big question is: Who else knew about it? If the NSA found it, other international intelligence agencies or criminals could also have been dipping into the flow of usernames, passwords, and other personal details. But as Bloomberg points out, it took two years for anyone reviewing OpenSSL code to spot it, and there is no evidence so far that hackers found the flaw. The full extent of the damage remains to be seen, though.

The incident raises questions about the NSA, of course, but also about the trust people place in software developers to produce secure code. These questions have lingered in the cybersecurity and cryptography communities for years, but are only now coming to the fore as consumers are becoming increasingly aware that their personal privacy is on the line. Settle in, because this won't be the last news story about the NSA exploiting a vulnerability instead of reporting it.

Future Tense is a partnership of Slate, New America, and Arizona State University.

Lily Hay Newman is lead blogger for Future Tense.

