Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

[Warren Bailey <wbailey () satelliteintelligencegroup com>]

And their Level 3 to 4 accomplished what exactly?? They were owned the
same way the own others, from the inside.

On 4/11/14, 4:27 PM, "Peter Kristolaitis" <alter3d () alter3d ca> wrote:

> On 4/11/2014 4:03 PM, William Herrin wrote:
> > > > The U.S. National Security Agency knew for at least two years about a
> > > > flaw
> > > > in the way that many websites send sensitive information, now dubbed
> > > > the
> > > > Heartbleed bug, and regularly used it to gather critical intelligence,
> > > > two people familiar with the matter said.
> > > >
> > > > The NSA's decision to keep the bug secret in pursuit of national
> > > > security
> > > > interests threatens to renew the rancorous debate over the role of the
> > > > government's top computer experts.
> > I call B.S. Do you have any idea how many thousands of impacted NSA
> > servers run by contractors hung out on the Internet with sensitive NSA
> > data? If you told me they used it against the targets of the day while
> > putting out the word to patch I could buy it, but intentionally
> > leaving a certain bodily extension hanging in the breeze in the hopes
> > of gaining more valuable data than they lose would have been an
> > unusually gutsy move.
> >
> > These two unnamed sources are liars. Bet on it.
> >
> > Regards,
> > Bill Herrin
>
> I would imagine that federal contractors have to adhere to FIPS 140-2
> standards (or some similar requirement) for sensitive environments, and
> none of the affected OpenSSL versions were certified to any FIPS
> standard... the last version that WAS certified (0.9.8j) is only rated
> to Level 1, which, being the lowest possible rating, I suspect is not
> permitted for use by NSA contractors -- they're probably required to use
> level 3 or 4 for everything.