NSA knew about Heartbleed, exploited it for two years

As predicted, the huge Internet security vulnerability was used by the NSA. We should not be surprised, but furious

Published April 11, 2014 7:45PM (EDT)

 (AP Photo/Patrick Semansky, File)
(AP Photo/Patrick Semansky, File)

As soon as Heartbleed -- the grave and widespread vulnerability which has for two years plagued Internet security -- was discovered this week, skeptical and speculating eyes looked to the NSA. Some corners of the crytpography community even wondered if the bug had been purposefully planted at the bidding of spy agencies in the notoriously inscrutable OpenSSL code for mass surveillance purposes.

This was no tinfoil hat theorizing. The NSA may not have caused the critical flaw (thought to be born of human error with complicated cryptogaphy), but they certainly knew about it and exploited it. As Bloomberg News reported  Friday, the NSA "knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said."

Sadly, it should come as no surprise that the spy agency willingly let a flaw in the very security infrastructure of the Internet persist without offering this information to the public. Edward Snowden's leaks have already revealed that the NSA, working with both coerced and compliant technologists, weakened the security of standard online encryption for mass surveillance purposes. We now well know that the corporate-government surveillance nexus has ensured the Internet is no safe haven for free communication -- the cybernetic dreams have turned to nightmares; there is no power symmetry where privacy and information are concerned.

As Bloomberg reported, "The agency found the Heartbleed glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks." It is a chilling fact: that the government has kept secret an encryption flaw that makes our nearly every online interaction -- our very lives, played out online -- vulnerable to total surveillance (the fact that parties other than the NSA could have exploited the flaw and stolen personal information including passwords and credit card data is worth reiterating here too).

The revelation that the NSA knew and used the Heartbleed flaw, while keeping the public in the dark, is profoundly, chillingly reflective of our political now. Our paranoid national security acts in the shadows with impunity and puts every one of us at risk. We have, again and again, been lied to and shrouded from information pertinent to how we live and interract. The time for outrage is done; these techniques of governmentality are deserving of our rage.

By Natasha Lennard

Natasha Lennard is an assistant news editor at Salon, covering non-electoral politics, general news and rabble-rousing. Follow her on Twitter @natashalennard, email nlennard@salon.com.

MORE FROM Natasha Lennard

Related Topics ------------------------------------------

Cryptography Encryption Heartbleed National Security Agency Nsa Openssl Privacy Spying Surveillance