"NSA Eagle" (Illustration by EFF)
When I wrote about the Heartbleed bug last week, and how it means that much of the web has been insecure for the last two years, I found myself thinking: “if I was the NSA, or some other intelligence agency, this is exactly how I would go about gathering sensitive data.” It’s very nearly the perfect hack: Subvert a piece of open-source code that almost everyone uses without question, and then use that vulnerability to extract sensitive information until it’s publicly discovered — at which point, you create or find another security hole in another open-source project, rinse, repeat. Now, according to Bloomberg, citing two people familiar with the matter, it appears the NSA did just that.
According to Bloomberg, the USA’s National Security Agency knew about the Heartbleed bug “for at least two years.” Robin Seggelmann, who introduced the bug around two years ago, claims he did so unintentionally. It’s entirely possible that he’s telling the truth — but it’s also possible that the NSA paid him to create the bug, or more nefariously, hacked his computer and introduced the bug without his knowledge.