Update: An account associated with the NSA tweeted out a quick denial: “Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.” So either Bloomberg was misled or misunderstood its information, or the NSA is lying. [A caveat: the Twitter account in question is being treated by the wider world as legitimate, but remains unverified by Twitter itself.]
This afternoon Bloomberg reported that the National Security Agency (NSA) knew about the now infamous Heartbleed flaw in OpenSSL, and that it used the weakness to collect intelligence.
It is not clear whether the NSA used Heartbleed to collect information on citizens of the United States, so this issue may not be about privacy in the way so many other revelations about the agency have been. Instead, the claim is that the NSA was aware of the flaw and chose to exploit it rather than promptly disclose it to the wider technology community.
In short, the NSA essentially decided that its own intelligence efforts were more important than the security of your information.
In the few days since the Heartbleed weakness was exposed, companies and services large and small have rushed to patch their systems, rotate their keys and reissue their certificates, and tell their users to change their passwords. Had the flaw been disclosed earlier, this situation could have been mitigated, if not avoided altogether.
The NSA’s reputation inside the technology world has been poor for some time, especially in the wake of its efforts to weaken encryption by inserting back doors and to tap the cables between the data centers of large, popular technology firms. This will not help.
Making the average person understand the extent of the NSA’s actions has been difficult, since some don’t understand, or simply don’t care about, their digital privacy. But deliberately ignoring a known flaw that could put every member of your family at risk? That’s easier to grasp.
Update 2, continued: