Jesse Victors:
"The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said. The NSA said in response to a Bloomberg News article that it wasn?t aware of Heartbleed until the vulnerability was made public by a private security report. The agency?s reported decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government?s top computer experts."
I'm skeptical of this report. The Office of the Director of National Intelligence responded to the story by saying:
"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong"
This is believable because if it were a lie, they would risk an outright contradiction from a leak or Snowden document, which would further damage their already terrible credibility and reputation.
"Two sources familiar with matter" could merely be two computer security experts who have an unsubstantiated opinion that the NSA was exploiting this beforehand. We have no idea how credible these sources are.
One thing I am sure of is this generated a lot of clicks for Bloomberg. NSA rumors involving hot technology topics seems like a good way to make money for a news website.
That said, if you carefully parse the statement from DNI, it seems to me to imply they were aware of the Heartbleed vulnerability in 2014. Why would they say "before 2014" instead of "before its disclosure Monday" or something? They may have known about it weeks or months in advance, and been exploiting it or patching their systems. But that is not as egregious as it would be to conceal this flaw for years.
Delton