On 4/11/14, 4:26 PM, Gregory Foster wrote:
> Bloomberg (Apr 11) - "NSA Said to Have Used Heartbleed Bug, Exposing
> Consumers":
> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>
>> The U.S. National Security Agency knew for at least two years about a flaw
>> in the way that many websites send sensitive information, now dubbed the
>> Heartbleed bug, and regularly used it to gather critical intelligence, two
>> people familiar with the matter said.
> On 4/11/14, 2:33 PM, Gregory Foster wrote:
> Denials:
> https://twitter.com/NSA_PAO/status/454720059156754434
> https://twitter.com/csoghoian/status/454725375332192256
>
> I couldn't find the primary source for the White House NSC statement
> Christopher posted. The "Vulnerabilities Equities Process" used to
> ascertain whether or not to report 0-days sounds FOIA-worthy.

NYT (Apr 12) - "Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say" by David @SangerNYT:
http://www.nytimes.com/2014/04/13/us/politics/after-heartbleed-bug-obama-decides-us-should-reveal-internet-security-flaws.html

> Caitlin Hayden, the spokeswoman for the National Security Council, said the
> review of the recommendations [by a presidential advisory committee] was now
> complete, and it had resulted in a “reinvigorated” process to weigh the value
> of disclosure when a security flaw is discovered, against the value of
> keeping the discovery secret for later use by the intelligence community.
>
> “This process is biased toward responsibly disclosing such vulnerabilities,”
> she said.

gf

--
Gregory Foster || [email protected]
@gregoryfoster <> http://entersection.com/
