Welcome to the MacNN Forums.

NewsPoster · 06:08 AM

As reports of the severity of the Heartbleed OpenSSL bug has spread, so have the rumors. A report from Bloomberg has claimed that the US National Security Agency exploited the flaw for years. In its own defense, the NSA issued an unusually specific statement saying that not only did it not use the exploit, but it didn't even know about it until news of it went public a few days ago.

According to the report, two sources close to the matter claimed that the NSA found out about the bug in 2012 when the code changes were first committed, and had been using it in secret since then, keeping it under wraps as a matter of national security.

Heartbleed appears in the widely-available OpenSSL version 1.0.1, as well as the beta of 1.0.2, with the former version being used in a large proportion of servers. The affects of the bug are varied and wide-ranging, with ZDNet reporting it as allowing attackers to potentially reveal credit card details in a transaction over HTTPS, normally considered secure.

The severity of the issue potentially allows for the SSL keys to be used to enter a server without leaving any sign of an intrusion. The Heartbleed site dedicated to the bug, created by Codenomicon Defensics, describes Heartbleed as allowing attackers to potentially "eavesdrop on communications, steal data directly from the services and users, and to impersonate services and users."

Apple was unaffected by the bug. Yahoo, Gmail, and Amazon Web Services were all affected by it, which could have been the basis of the initial email surveillance reports leaked by Edward Snowden in 2013. The Bloomberg report suggests that the NSA has a database of exploits similar to Heartbleed hundreds of items long.

The governing body of the NSA, the National Security Council issued an oddly adamant denial regarding it. In its statement, the council claims that "reports that NSA, or any other part of the government, were aware of the so-called Heartbleed vulnerability before April 2014 are wrong." The statement goes on to say that "if the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL." The NSA does not usually couch its statements or denials in such direct and unequivocal language.

afaby · Apr 12, 2014, 03:47 PM

Suuuuure. We believe you.

ricardogf · Apr 12, 2014, 04:03 PM

Of course, NSA - we trust every single word you utter 150%...NOT.

iBricking.com · Apr 12, 2014, 08:35 PM

America has destroyed itself, in the name of terrorism.

apostle · Apr 13, 2014, 04:55 AM

America. Where the inmates run the asylum. Voting in an election should be a privilege granted the educated and informed. Not a "right" granted every miscreant with a bone to pick.

Mike Wuerthele · Apr 13, 2014, 12:52 PM

Originally Posted by apostle

America. Where the inmates run the asylum. Voting in an election should be a privilege granted the educated and informed. Not a "right" granted every miscreant with a bone to pick.

I think its got more to do with our "sucks less than the other guy" choices we have to make.

DiabloConQueso · Apr 13, 2014, 03:45 PM

"Voting in an election should be a privilege granted the educated and informed. Not a 'right' granted every miscreant with a bone to pick."

If ever there was a slope, this would be the slipperiest of them.

Flying Meat · Apr 14, 2014, 12:46 PM

It's a stupid slope too. Having to pass someone's test in order to vote is a simple minded approach to presumably your desired end, an educated and informed public. It couldn't be much less supportive.
I can tell you for certain that there are tons of educated informed people making the dumbest decisions on a regular basis. ...much like floating this very idea. Your idea doesn't help in any way. Period.
Maybe you could get some buy in by adding a test for benevolent and moral grounding. I still think it's a stupid idea.