Of Course the NSA Knew About Heartbleed Two Years Ago and Did Nothing

The Citizen's Guide to the Future
April 11 2014 5:33 PM

Report: The NSA Knew About Heartbleed and Exploited It Because Of Course

It just doesn't end. Bloomberg is reporting that, according to “two people familiar with the matter,” the NSA has known about the Heartbleed vulnerability for at least two years—and was using it to collect information about people instead of, you know, telling someone about it and getting it fixed.

With millions of websites vulnerable, people all over the world changing their passwords for protection, the Canadian government suspending electronic tax filing, and people speculating about whether Heartbleed is the “worst vulnerability ever,” this could end up looking pretty bad for the agency. Good thing it already has a sparkly-clean public image, or it might be in trouble.


According to Bloomberg, it doesn’t seem that the NSA created Heartbleed—it just found the bug and used it. An NSA spokesperson declined to comment about the agency's knowledge or use of Heartbleed. But Jason Healey, director of the Cyber Statecraft Initiative and a former Air Force cyber officer, told Bloomberg, “It flies in the face of the agency’s comments that defense comes first. They are going to be completely shredded by the computer security community for this.”

Heartbleed is a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension: a heartbeat request states how long its payload is, and OpenSSL copied that many bytes into its reply without confirming the request actually contained them, so a peer could pull up to 64 KB of server memory per request. The bug was committed at the end of 2011 and shipped in OpenSSL 1.0.1 in March 2012. OpenSSL is the open-source library that implements SSL/TLS encryption for a large share of the Web's servers. It would make sense if the NSA found the bug soon after, because—in addition to using its influence to weaken new or existing encryption—the agency also spends millions of dollars looking for software vulnerabilities that already exist around the Web, especially in widely deployed open-source code that often has far fewer maintainers and reviewers than its importance warrants.
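To make the bug concrete: a TLS heartbeat request carries its own payload-length field, and vulnerable OpenSSL copied that many bytes from the incoming record into the reply without checking that the record really was that long, so a client claiming a large payload while sending a tiny one got back the server's neighbouring memory. The following simplified C model is an added example, not the original article's content and not OpenSSL's code: the record format, the handler names, and the constructed "secret next to the record" memory layout are all assumptions made for illustration. It shows the vulnerable handler beside the fixed one and drives both over the same input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of the Heartbleed pattern (CVE-2014-0160). This is a
 * simplified stand-in, not OpenSSL's code. A heartbeat record is modelled as
 *   [type:1][payload_length:2][payload:N][padding...]
 * and the handler echoes the payload back, as RFC 6520 specifies.
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2

typedef size_t (*hb_handler)(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap);

/* Vulnerable: trusts the length field inside the record. A request that
 * claims 16 payload bytes but carries 1 makes memcpy read 15 bytes past the
 * record, straight out of whatever sits next to it in memory. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload_len > out_cap)          /* protects only the output side */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);  /* over-read when payload_len > rec_len - 3 */
    return 3 + payload_len;
}

/* Fixed: the claimed payload length must fit inside the bytes actually
 * received. This is the kind of check the OpenSSL fix added; a malformed
 * request is silently discarded rather than answered. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > rec_len - 3)          /* the missing bounds check */
        return 0;
    if (3 + payload_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return 3 + payload_len;
}

/* Constructed memory layout (not a real capture): a 4-byte heartbeat request
 * that claims 16 payload bytes, followed immediately by data that happens to
 * sit next to it, as a recently freed login form might on the heap. */
static const uint8_t memory[] = {
    HB_REQUEST, 0x00, 0x10,                 /* claims 16 bytes */
    'A',                                    /* only 1 byte really sent */
    'p','a','s','s','w','o','r','d','=','h','u','n','t','e','r','2'
};
#define RECORD_LEN 4                        /* bytes actually received */

/* Feeds the constructed request to a handler and reports whether the
 * response carries the neighbouring secret. Returns 1 if leaked, 0 if not. */
int leaks_secret(hb_handler handler)
{
    uint8_t out[64] = {0};
    size_t n = handler(memory, RECORD_LEN, out, sizeof out - 1);
    if (n == 0)
        return 0;
    return strstr((const char *)out + 3, "password=") != NULL;
}

/* A well-formed request (claims 1 byte, carries 1 byte) is still echoed by
 * the fixed handler. Returns the response length (4) or 0 on failure. */
size_t fixed_echoes_valid_request(void)
{
    static const uint8_t good[] = { HB_REQUEST, 0x00, 0x01, 'A' };
    uint8_t out[8] = {0};
    size_t n = heartbeat_fixed(good, sizeof good, out, sizeof out);
    return (n == 4 && out[0] == HB_RESPONSE && out[3] == 'A') ? n : 0;
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed leaks secret:      %d\n", leaks_secret(heartbeat_fixed));
    printf("fixed echoes valid req:  %zu bytes\n", fixed_echoes_valid_request());
    return 0;
}
```

The demo keeps the request and the secret in one array so the over-read stays inside defined memory and the program runs cleanly; in a real server the same memcpy walks off the end of the received record into whatever the allocator placed next to it, which is why the leaked bytes varied from request to request and could include private keys as well as credentials.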

The big question is: Who else knew about it? If the NSA found it, other intelligence agencies or criminals could also have been dipping into the flow of usernames, passwords, and other personal details. But as Bloomberg points out, it took two years for anyone reviewing OpenSSL code to spot it, and there is no evidence so far that hackers found the flaw. That is weak comfort: a Heartbleed request leaves nothing in ordinary server logs, so exploitation would only have been noticed by someone capturing traffic at the time. The full extent of the damage remains to be seen.

The incident raises questions about the NSA, of course, but also about the trust people place in software developers to produce secure code. These questions have lingered in the cybersecurity and cryptography communities for years, but are only now coming to the fore as consumers become increasingly aware that their personal privacy is on the line. Settle in, because this won't be the last news story about the NSA exploiting a vulnerability instead of reporting it.

Future Tense is a partnership of Slate, New America, and Arizona State University.

Lily Hay Newman is lead blogger for Future Tense.