Many have probably heard about what is being called the Heartbleed bug in the OpenSSL cryptographic software library, which is the Internet’s most popular security technology and is used by millions of websites. An estimated two-thirds of all servers on the public Internet use the software, which has been vulnerable for the last two years, including such websites as Yahoo, Google and Amazon.
Among those who discovered the bug was a Google employee, which enabled Google to patch the vulnerable software before the bug was made public. The bug allows those who exploit it to read portions of the affected server’s memory, which would potentially reveal usernames, passwords and credit card numbers of individuals who use the site. The bug also left open the possibility that attackers could extract the private keys used in the Secure Sockets Layer (SSL), which would allow them to decrypt Internet traffic. With such a private key, the attacker could steal data from the targeted website for months or even years after the Heartbleed bug has already been patched in the system.
Security analyst Bruce Schneier has claimed that the odds are almost 100 percent that “every target has had its private keys extracted by multiple intelligence agencies,” including the NSA. The man responsible for the bug’s creation, Robin Seggelmann, says that he missed the necessary validation through an oversight. He claims that it was unintentional and denies that he has any ties to intelligence organizations or government agencies.
The NSA has denied that it knew about the bug before it was made public, and a spokesperson from the White House stated that no federal agency was aware of the bug. These claims have been disputed by Bloomberg News, which cited two sources who claimed that the NSA knew about and exploited the bug for some time over the past two years without letting anyone know about the vulnerability.
This is a serious claim, seeing as the NSA has stated that defense and security are always its first priority. If the agency knew about the bug and failed to bring it to the public’s attention, this means it deliberately left citizens vulnerable to attack from foreign nations’ intelligence agencies as well as criminal hackers, just so it could continue to gather information it has no business collecting.
This is just the latest information about NSA practices that calls the agency’s true intentions into question. If it were truly serious about protecting United States citizens, the Heartbleed bug should have been made public and fixed as soon as the agency found out about it. The NSA’s denial that it knew of the bug should not be taken as definitive proof, as other government agencies have recently been proven to have lied about their practices (like the CIA regarding its use of enhanced interrogation and torture).
Without transparency from our government about both its intentions and its practices, its different agencies cannot be held accountable for actions that are questionable in the eyes of the public. If they have done nothing wrong, then they should have no need to hide anything that they do. Ever since Snowden leaked information about the NSA’s practices, it has become increasingly apparent that the agency needs to be reined in and not have the power to invade citizens’ privacy without justification.