NSA alleged to have known & used Heartbleed for 2 years

grarpamp grarpamp at gmail.com
Fri Apr 11 15:13:04 PDT 2014


On Fri, Apr 11, 2014 at 5:26 PM, Gregory Foster
<gfoster at entersection.org> wrote:
>> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>>> The U.S. National Security Agency knew for at least two years

> Denials:
> https://twitter.com/NSA_PAO/status/454720059156754434
> https://twitter.com/csoghoian/status/454725375332192256

Uncharacteristically little weasel room in the pao link.

> I couldn't find the primary source for the White House NSC statement
> Christopher posted.  The "Vulnerabilities Equities Process" used to
> ascertain whether or not to report 0-days sounds FOIA-worthy.

They mention first knowledge in April but...
Note the create date (at MITRE, ahem) in the second link.
And packets (whether attributable to, or perhaps reasonably
thought to be capable of detection, classification, and later use
by a large and capable monitoring net) in the third link.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013


