Source?
But also, straight from the mouth of a USCYBERCOM strategist speaking to our class the other week.
And also, just plain logic. I pointed out here on HN even before the ODNI released the statement I linked above that Heartbleed is far more damaging to the USG itself than any intel value NSA could have hoped to achieve from it.
With the other vulns NSA would have stockpiled, they don't need Heartbleed, and leaving Heartbleed open would have hurt a lot of USG (and just as importantly, private US) infrastructure, so even going by crazy USG logic the right thing to do would have been to disclose it, just as NSA has fixed other open source security flaws over the years.
> When Federal agencies discover a new vulnerability in commercial and open source software – a so-called “Zero day” vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.
> This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.
Nothing about this statement makes me believe that they were unaware of Heartbleed, specifically because it seems to imply that they don't stockpile vulns that they find, which we know that they do.
> The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services.
The only damage that seems to be claimed specifically in their report is that not fixing Heartbleed would compromise public interface security, and not necessarily any government internal security.
> I pointed out here on HN even before the ODNI released the statement I linked above that Heartbleed is far more damaging to the USG itself than any intel value NSA could have hoped to achieve from it.
I suspect that this isn't true, especially if the US government isn't using OpenSSL for their internal security.
> would have hurt a lot of USG (and just as importantly, private US) infrastructure, so even going by crazy USG logic the right thing to do would have been to disclose it
This didn't seem to be a paramount concern with their other spying activities, which have hurt the security of the US infrastructure and compromised US tech companies (both hardware and internet services) trying to compete internationally.
> But also, straight from the mouth of a USCYBERCOM strategist speaking to our class the other week.
If we're going with anecdotes, I've met a couple of military contractors who claimed to have known of Heartbleed ahead of the public disclosure by non-trivial periods of time.
> Nothing about this statement makes me believe that they were unaware of Heartbleed, specifically because it seems to imply that they don't stockpile vulns that they find, which we know that they do.
Are you just trying to be obtuse here? The very paragraph you quoted says they are biased towards disclosing, not 100% committed to disclosing. They admit right there that it's possible they would discover a vulnerability and not disclose it.
But the part of the statement you left out is that Heartbleed in particular would only have met their criteria for disclosure due to the great danger to USG systems and systems used by private U.S. persons and entities.
> I suspect that this isn't true, especially if the US government isn't using OpenSSL for their internal security.
The USG uses OpenSSL everywhere. Even USG can't run MS everywhere, and there's not exactly a ton of options for their many Linux, BSD and UNIX-based systems.
Even worse, they likely use OpenSSL in places that no one in particular knows about. It wouldn't surprise me one bit to find out that some of those 300,000 systems still vulnerable belong to government agencies.
> If we're going with anecdotes, I've met a couple of military contractors who claimed to have known of Heartbleed ahead of the public disclosure by non-trivial periods of time.
Non-trivial as in? If they hear about it while Google is developing a fix (and logo) as you seem to be implying, that's preferential disclosure, not NSA holding onto a vuln from the day it came out.