NSA alleged to have known & used Heartbleed for 2 years

Gregory Foster gfoster at entersection.org
Sat Apr 12 17:53:33 PDT 2014


On 4/11/14, 4:26 PM, Gregory Foster wrote:
> Bloomberg (Apr 11) - "NSA Said to Have Used Heartbleed Bug, Exposing
> Consumers":
> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>
>> The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

> On 4/11/14, 2:33 PM, Gregory Foster wrote:
> Denials:
> https://twitter.com/NSA_PAO/status/454720059156754434
> https://twitter.com/csoghoian/status/454725375332192256
> 
> I couldn't find the primary source for the White House NSC statement
> Christopher posted.  The "Vulnerabilities Equities Process" used to
> ascertain whether or not to report 0-days sounds FOIA-worthy.


NYT (Apr 12) - "Obama Lets N.S.A. Exploit Some Internet Flaws, Officials
Say" by David @SangerNYT:
http://www.nytimes.com/2014/04/13/us/politics/after-heartbleed-bug-obama-decides-us-should-reveal-internet-security-flaws.html

> Caitlin Hayden, the spokeswoman for the National Security Council, said the review of the recommendations [by a presidential advisory committee] was now complete, and it had resulted in a “reinvigorated” process to weigh the value of disclosure when a security flaw is discovered, against the value of keeping the discovery secret for later use by the intelligence community.
> 
> “This process is biased toward responsibly disclosing such vulnerabilities,” she said.

gf

-- 
Gregory Foster || gfoster at entersection.org
@gregoryfoster <> http://entersection.com/


