by saurik 4447 days ago
One point that sometimes comes up in these conversations--but frankly I think not often enough--is that the NSA does not have a monopoly on the world's brightest engineers and mathematicians: if the NSA knows of a bug, one has to wonder if China, or Russia, also has access to the same bug. The ramifications of this would be the NSA not only being able to see other people's secure traffic, but the potential for our traffic to be intercepted and decoded: this is not, as far as I understand, a win condition for the NSA. I could see the FBI being all for "the world has no secrets anymore", but the NSA has a different agenda.

This is a fundamentally different situation than a backdoor in a parameterized encryption standard, such as ECDSA (which is often referenced in these discussions): there, only the people who built the backdoor can use the backdoor. Here, the backdoor exists in a shared resource, waiting for others--including your enemies--to take advantage of; that's quite a risk, and unless you've been seeing some weird behavior--such as the NSA distributing heartbeat-disabled builds of OpenSSL for any potential government usage--I think it is a horrible stretch to believe that they've been sitting on this bug (or even having themselves planted the bug), using it as the long-term surveillance means that some people seem to want to believe.

Frankly, the fact that they've been logging SSL traffic is enough: for systems without perfect forward security, if they don't already have the keys through other means, they just wait for an opportunity like yesterday and then attempt to quickly get the keys they want. I would almost go so far as to claim the NSA was being negligent in their strategy (not that I like this strategy, mind you) if they didn't follow through to that point. But I just don't see it as being rational to believe the NSA is willing to make our own country's secrets less secure if they are seeing benefits using the bug against others; if anything, I could see them trying to secretly (so as not to tip their hand as having had any advanced notice) fix the bug (after using it for a short time period to pull a bunch of keys, of course ;P).

2 comments

Uhm, as NSA and other agencies are responsible for "secure" internal comm, they have methods for that. Sometimes they get broken, probably, but that's their mission to find out, and sometimes let the enemy continue thinking their break-in is effective.

It's the same methods as in 1940, that is, classic intel methods.

Security does not just mean strong crypto algorithms.

If you find your enemy has found a flaw in OpenSSL or some other methods which you are using to communicate - the best way forward is to continue using that - keep the enemy thinking it's all good information when it's in fact worthless, and move to another method for the real secure stuff, such as steganography or pigeons.

Anyway, there probably isn't much "really highly, this kills the cat"-type of information going on the internets, I guess one point of NSA would also be to keep highly classified information to a minimum. Think that's one reason why Navy and others have their own networks parallel to the internet. Where many secrets flow - isolate.

These are fair points, but I think the GP comment above was referring as much to political economy type espionage.

Say, for example, China wants to spy on a military contractor. Unless the NSA is sharing its secure pigeon network with every US defense contractor (and many of them, large and small) some pretty important US national security assets might be in play. So, perhaps not "state secrets" but things like technology inside of some tactical weapons guidance systems, or similar. The downside for the NSA of sharing any secret-pigeon networks would be that op-sec goes down as info dispersal goes up.

* Also for companies like a Tesla or a SpaceX who may have purely industrial know-how.

Tactical weapons guidance systems, Tesla and SpaceX, I believe those are in the category of "NSA will secure this with a bit more tools than given to the public as recommendations".

It could be methods like increasing security for those companies' Gmail accounts - on the Google internal network and all, closing all normal backdoors on Tesla employee computers, installing NSA's own intrusion detection system on them and such.

And to top it off, feed any Chinese and Russian hackers misinformation through honeypots and "accidents".

In Sweden, for example, during the Cold War it was quite popular to install extra instrumentation on jets and provide "just for the soviets" technical documentation - seed confusion and such.

I mostly agree with this analysis - "this hole is too big for them to have sat on". Though it just occurred to me - it's possible to pick out exploit of this hole in captured encrypted traffic by examining sizes of inbound vs outbound heartbeat packets, right? In that case, with the NSA eavesdropping on everything they could possibly have been using it themselves while listening for examples of anyone else using it, which I still don't like (in terms of approval or likelihoods) but seems less flagrantly unacceptable than sitting on this and just leaving everyone's traffic and keys exposed to the world.
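
The size comparison described in the comment above, sketched as an added example that is not part of the original thread: it reads only the cleartext TLS record headers of a captured flow and reports heartbeat replies that are much larger than the request that preceded them. The `SLACK` tolerance, the `c2s`/`s2c` direction labels, the `rec` helper and the sample flow are assumptions made for illustration, and each captured chunk is assumed to hold whole records.

```python
import struct

HEARTBEAT = 24   # TLS record content type for heartbeat messages (RFC 6520)
SLACK = 64       # assumed tolerance in bytes; a legitimate reply echoes the request

def records(stream):
    """Yield (content_type, length) for each complete TLS record in a byte stream.
    The 5-byte record header stays in cleartext even when the payload is encrypted."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        if off + 5 + length > len(stream):
            break                      # truncated capture: stop rather than guess
        yield ctype, length
        off += 5 + length

def suspicious_heartbeats(flow):
    """flow: ordered (direction, bytes) chunks, direction 'c2s' or 's2c', each chunk
    holding whole records. Returns (request_len, reply_len) pairs where the reply
    outgrew the request by more than SLACK."""
    findings, req_len, reply_len = [], None, 0
    for direction, data in flow:
        for ctype, length in records(data):
            if ctype != HEARTBEAT:
                continue
            if direction == "c2s":     # new request: settle the previous pair first
                if req_len is not None and reply_len > req_len + SLACK:
                    findings.append((req_len, reply_len))
                req_len, reply_len = length, 0
            elif req_len is not None:  # oversized replies span several records
                reply_len += length
    if req_len is not None and reply_len > req_len + SLACK:
        findings.append((req_len, reply_len))
    return findings

def rec(ctype, length):
    """Build a constructed record: header plus zero bytes standing in for ciphertext."""
    return struct.pack("!BHH", ctype, 0x0302, length) + bytes(length)

# Constructed sample flow, not real traffic.
SAMPLE = [
    ("c2s", rec(23, 100)),                       # application data, ignored
    ("c2s", rec(24, 40)), ("s2c", rec(24, 40)),  # balanced heartbeat exchange
    ("c2s", rec(24, 24)), ("s2c", rec(24, 16384) + rec(24, 16384)),
]

if __name__ == "__main__":
    print(suspicious_heartbeats(SAMPLE))
```
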