There’s an updated version of that software in the wild now that plugs this security hole (note: not that anything on the server uses secure connections at the moment, but I’m running that updated software now anyway), so as people get around to applying it, that should be much less of a “holy hell, what in creation have I done” kind of problem. Which is awesome, for guys like you and me. A little less awesome, though, for guys like the NSA.
The internet is still reeling from the discovery of the Heartbleed bug, and yesterday we wondered if the NSA knew about it and for how long. Today, Bloomberg is reporting that the agency did indeed know about Heartbleed for at least the past two years, and made regular use of it to obtain passwords and data.
While it’s not news that the NSA hunts down and utilizes vulnerabilities like this, the extreme nature of Heartbleed is going to draw more scrutiny to the practice than ever before. As others have noted, failing to reveal the bug so it could be fixed is contrary to at least part of the agency’s supposed mission:
Ordinary Internet users are ill-served by the arrangement because serious flaws are not fixed, exposing their data to domestic and international spy organizations and criminals, said John Pescatore, director of emerging security trends at the SANS Institute, a Bethesda, Maryland-based cyber-security training organization.
“If you combine the two into one government agency, which mission wins?” asked Pescatore, who formerly worked in security for the NSA and the U.S. Secret Service. “Invariably when this has happened over time, the offensive mission wins.”
So when the smoke clears, the NSA will have at least a little bit less access to John Q. User’s data–at least until they end up mandating another hole in some other layer of security software. But until then, it looks like the fine folks at stalker central will end up being the only ones dealing with a case of heartbleed when it’s all done and dusted. Now if it was only that easy to switch off the exploits they helped introduce.