Report: NSA Knew of Heartbleed Flaw for 2 Years

Bloomberg is out with a report likely to anger all those who have changed their passwords, or plan to, because of the massive Internet security breach called Heartbleed. The story says the NSA discovered the flaw almost as soon as it was introduced in the open-source protocol OpenSSL two years ago, but chose to exploit it rather than fix it. The agency made use of the glitch, and left it in place, to gather passwords and other data. What's more, the story says the NSA "has a trove of thousands of such vulnerabilities" in its arsenal. An outside expert quoted says the decision not to fix Heartbleed "flies in the face of the agency’s comments that defense comes first," and he predicts that the NSA will be "shredded" by those in the computer security field over the revelation.

Some reaction:

• Adam Clark Estes, Gizmodo: "It's hard not to be upset at this sort of news. While it's the NSA's job to gather intelligence in the name of national security, the fact that any leg of the government know that we were (and maybe still are) so vulnerable on so many levels is pretty damn shady."
• Zach Epstein, BGR: Two years? That's "appalling."
• Leigh Beadon, TechDirt: "There is, in fact, a massive hypocrisy here: the default refrain of NSA apologists is that all these questionable things they do are absolutely necessary to protect Americans from outside threats, yet they leave open a huge security hole that is just as easily exploited by foreign entities."
• Alex Wilhelm, TechCrunch: Plenty of people don't much care about the NSA's spying programs, but this could be different. "Some don’t get, or care, about their digital privacy—but an effort to not fix a known flaw for its own gain that could see every member of your family put at risk? That’s easier to get."

(More Heartbleed stories.)