A lot has been in the news about the Heartbleed secure website vulnerability problem, which has affected tens of thousands of websites and possibly compromised millions of passwords (Mashable has a good list of what passwords you should change now). But the story has taken a much darker turn, as Bloomberg News is reporting that the NSA supposedly knew about the vulnerability two years ago, didn't tell anyone, and exploited the bug to gain information from websites.
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
Now, if this is true the NSA has a lot to answer for, but "two people familiar with the matter"? No names? Pretty big bombshell for anonymous sources, yes? And as far as I can tell, nobody has independently verified this story yet.
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
Again, this represents a huge ethical problem if true, but that's a huge if right now. It's not stopping people I read and respect from assuming this is now gospel truth because of course any story these days claiming the NSA has done X has to be true because the NSA is evil and you can't trust them.
And once again, if this story is true and if the NSA did know about this (or, as some people have also speculated, created the bug in the first place in order to open a nearly universal back door to secure websites), then heads need to roll.
Ironically, if this story is true, shouldn't Edward Snowden's vast treasure trove of stolen documents have contained this information? This is a pretty damning accusation. Something like this would be at the top of the list for his stated goal of exposing unethical, damaging, and illegal practices by the NSA, yes?
This is a bug that affected millions of ordinary people. Right now, there's as much "proof" that Snowden knew about Heartbleed and said nothing as there is that the NSA knew the same and did nothing, i.e. total speculation.
Might want to keep that in mind.