– Did the Department of Homeland Security Just Admit that the Government Knew about the Heartbleed Bug? (Washington’s Blog, April 14, 2014):
Bloomberg reported that the NSA knew about – and exploited – the Heartbleed bug for years.
The NSA has denied it knew about the bug.
And the White House spokesman claims:
This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet.
If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.
(OpenSSL is the cryptographic library that contained the Heartbleed bug; the affected releases were OpenSSL 1.0.1 through 1.0.1f, and the fix shipped in 1.0.1g.)
But the Department of Homeland Security says:
The Federal government’s core citizen-facing websites are not exposed to risks from this cybersecurity threat.
Matt Stoller tweets:
DHS says #Heartbleed didn’t affect government websites. That is… peculiar.
Perhaps there is an innocent explanation … The government doesn’t use OpenSSL on its websites?
Nope … Security firm Codenomicon – which co-discovered the Heartbleed bug – reports:
You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commercial site, hobby site, sites you install software from or even sites run by your government might be using vulnerable OpenSSL.
Did DHS just unintentionally admit that the government knew about Heartbleed years ago and patched its own websites … without telling the tech community about it?
Mother Jones points out that – whether or not the NSA knew about the bug – the Heartbleed episode makes it look bad:
I’m honestly not sure which would be worse. That the NSA knew about this massive bug that threatened havoc for millions of Americans and did nothing about it for two years. Or that the NSA’s vaunted—and lavishly funded—cybersecurity team was completely in the dark about a gaping and highly-exploitable hole in the operational security of the internet for two years. It’s frankly hard to see any way the NSA comes out of this episode looking good.