Well, color me shocked.
This morning Bloomberg News reported that according to anonymous sources “familiar with the matter”, the NSA has known about the hole in OpenSSL for two years now, and has been abusing it in a special kind of way that only the US government could.
Much like anyone else who stumbled upon the bug since it first went into covert action December 31st of 2012, the NSA has been using the Heartbleed vulnerability to track the communications and credentials of average users who depend on the encryption standard to protect their private information on hundreds of different popular websites.
If the rumors turn out to be true, this would be an absolutely massive blow to the agency and their forcefully assumed positions of “protectors of the internet”. It means that instead of actively hunting down bugs and exploits which could put American citizens and companies at risk for espionage, they simply sat back, took advantage of the exact same system they swore to defend us from, and watched as the unencrypted usernames started to roll in by the handful.
Jason Healey, director of the cyber statecraft initiative at the Atlantic Council, went into this concept in detail:
“It flies in the face of the agency’s comments that defense comes first. They are going to be completely shredded by the computer security community for this.”
Since the report was published, the NSA has taken to their official Twitter page to state they were “not aware” of the bug until it was made public earlier this week.
Of course, the statement comes to us courtesy of the same agency that has been lying and cheating us out of our tax dollars for about the past 15 years, so anything they say (especially on a forum as informal and inadmissible in High Court as Twitter) should be taken with just about the smallest grain of salt you can think of at this point.