szielins 1 day ago
Heartbleed was too weak an exploit for NSA to BOTHER to keep to itself. It's impossible to target against an individual, difficult to get anything out of in the first place, and at ~100K - 2.6M requests per private SSL key retrieved (against NGINX on Linux), the attempt to exploit it would stand out like a sore thumb. More importantly, as of 2008, NSA had a laundry list of exploits that don't have these flaws, and there's no reason to believe they haven't added to the list since. For NSA, going public with Heartbleed would have been a fine propaganda move to make them look more like white hats, while reducing the effectiveness of their surveillance efforts not at all.
Cites to Bruce Schneier, who combines knowing what he's talking about with being a good explainer. Heartbleed's low exploitability demonstrated: "More on Heartbleed". NSA had lots of good exploits, and is likely to have better now: "Postmortem: NSA Exploits of the Day".
Someone at the NSA may have known about it, but they may not have been in a position to do anything about it. Or they may have known about it and decided to let sleeping dogs lie. Who knows. We all know there are likely similar coding errors out there...
The NSA isn't all powerful. They have limited time and resources, too.
I've been wondering why the IETF or similar group hasn't been more involved in this - e.g. http://www.ietf.org/...asive-monitoring/
FWIW.
Cheers,
Scott.