It's true. After days of speculation over whether the NSA knew about the Heartbleed vulnerability that affected as many as two thirds of the websites on the internet, two anonymous sources tell Bloomberg that the NSA didn't just know about it, they used it to gather intelligence.
Well, you may be wondering, why wouldn't they? In the past year, we've learned how the spy agency used every trick in the book, from impersonating Facebook servers to using radio waves to monitor computers that aren't connected to the internet, really has stopped at nothing to collect as much information as possible in recent years. The NSA declined to comment on the Heartbleed issue, but the Bloomberg report hits at a time when the agency is undergoing intense scrutiny. It's also unclear if this news will affect President Obama's plans to reform the country's surveillance practices.
Heartbleed, in case you haven't heard, refers to a flaw in OpenSSL, the security protocol that protects countless websites and web services. What's especially frustrating about the weakness is the fact that it was caused by a stupid coding mistake and then left unnoticed for years. Well, unnoticed by everyone except the NSA, evidently.
But wait, there's more. Heartbleed is apparently not the only vulnerability the NSA's been exploiting. Bloomberg reports:
Currently, the NSA has a trove of thousands of such vulnerabilities that can be used to breach some of the world's most sensitive computers, according to a person briefed on the matter. Intelligence chiefs have said the country's ability to spot terrorist threats and understand the intent of hostile leaders would be vastly diminished if their use were prohibited.
It's hard not to be upset at this sort of news. While it's the NSA's job to gather intelligence in the name of national security, the fact that any leg of the government know that we were (and maybe still are) so vulnerable on so many levels is pretty damn shady. Never mind the fact that, while the NSA was exploiting the Heartbleed vulnerability and not telling anybody about it, plenty of other, less friendly parties had chance to exploit it as well.
So what will it be? As the government presents the situation, we can either deal with the NSA poking holes in the internet so that it can see into everyone's lives — nevermind whether or not the bad hackers can squeeze through those holes — or we can face the imminent threat of terrorism. Surely, there's a better balance than that. [Bloomberg]
Update: Surprise, surprise! The National Security Council says that the reports are "wrong". It's unclear why the NSC used a nondescript Google doc to do so though. The NSA decided to make its own denial on Twitter.