
If this is true, and the NSA knew about the Heartbleed vulnerability, then how come the EFF hasn't been getting more log data showing the vulnerability being exploited against sites?

How come, so far, only one person has thus far come forward with ANY evidence that might demonstrate a knowledge of this bug before it was discovered?

I just find it depressing how ready the media is to jump on the NSA for things they may not have done. There's plenty to work with in the realm of things they did do; why draw conclusions before there's evidence? So far I've yet to see a static analysis tool that would have caught this, and I don't have any reason to believe the NSA is hand-searching code for vulnerabilities.




> If this is true, and the NSA knew about the Heartbleed vulnerability, then how come the EFF hasn't been getting more log data showing the vulnerability being exploited against sites?

I don't know how common the "extensive TLS-layer traffic logs" the EFF is soliciting are. I know I don't collect these.

I'd imagine the NSA would use such things fairly sparingly so as to not blunt their swords. Using it willy-nilly increases the chances of someone going "huh, that's odd traffic" and discovering it.


> I just find it depressing how ready the media is to jump on the NSA for things they may not have done.

I don't like journalism and such, but I think it's OK in this case and I don't find it a bit depressing, maybe even otherwise. Why? Because we should be aware. Always. There's no sense in blaming NSA for something. It's stupid to blame spies for spying. There's no sense in saying something they do is immoral, because it couldn't stop them from doing it. So if you care about them doing something wrong the only way to stop it is to make it impossible. If you don't want NSA to know some data that belong to you — you are enemies, because NSA wants to know anything. And it's OK. It's what they are for.

You obviously cannot prevent what already happened, you can only try to fix the consequences and be more careful in the future. So it's always sensible to assume NSA knew about any single security bug discovered for a long time. And nobody can possibly know if something is true about NSA's knowledge (maybe even not NSA themselves). So even if it's not true — spreading rumors about it is completely fine I guess.


> If this is true, and the NSA knew about the Heartbleed vulnerability, then how come the EFF hasn't been getting more log data showing the vulnerability being exploited against sites?

So, I have no idea if the NSA knew about this before or not, but your typically configured webserver won't store these in access.log. Also, all the network stuff in between typically won't log SSL traffic (since it's just binary blobs without the private key).



