Of Course the NSA Knew About Heartbleed Two Years Ago and Did Nothing

The Citizen's Guide to the Future
April 11 2014 5:33 PM

Report: The NSA Knew About Heartbleed and Exploited It Because Of Course


Screencap of NSA.gov. Heartbleed logo from Codenomicon.

It just doesn't end. Bloomberg is reporting that, according to “two people familiar with the matter,” the NSA has known about the Heartbleed vulnerability for at least two years—and was using it to collect information about people instead of, you know, telling someone about it and getting it fixed.

With millions of websites compromised, people all over the world changing their passwords for protection, the Canadian government suspending electronic tax filing, and people speculating about whether Heartbleed is the “worst vulnerability ever,” this could end up looking pretty bad for the agency. Good thing it already has a sparkly-clean public image, or it might be in trouble.


According to Bloomberg, it doesn’t seem that the NSA created Heartbleed—it just found the bug and used it. An NSA spokesperson declined to comment about the agency's knowledge or use of Heartbleed. But Jason Healey, director of the Cyber Statecraft Initiative and a former Air Force cyber officer, told Bloomberg, “It flies in the face of the agency’s comments that defense comes first. They are going to be completely shredded by the computer security community for this.”

In early 2012 Heartbleed was mistakenly introduced into the code for OpenSSL, an open-source software component for certain popular types of encryption. It would make sense if the NSA found it soon after, because—in addition to using its influence to weaken new or existing encryption—the agency also spends millions of dollars looking for software vulnerabilities that already exist around the Web, especially in open-source code that is more likely to have inconsistent oversight, and therefore bigger errors.

The big question is: Who else knew about it? If the NSA found it, other international intelligence agencies or criminals could also have been dipping into the flow of usernames, passwords, and other personal details. But as Bloomberg points out, it took two years for anyone reviewing OpenSSL code to spot it, and there is no evidence so far that hackers found the flaw. The full extent of the damage remains to be seen, though.

The incident raises questions about the NSA, of course, but also about the trust people place in software developers to produce secure code. These questions have lingered in the cybersecurity and cryptography communities for years, but are only now coming to the fore as consumers become increasingly aware that their personal privacy is on the line. Settle in, because this won't be the last news story about the NSA exploiting a vulnerability instead of reporting it.

Future Tense is a partnership of Slate, New America, and Arizona State University.

Lily Hay Newman is lead blogger for Future Tense.
