by nikcub 4447 days ago
For the sake of argument, swap out 'NSA' for any large state actor - it's silly to ask this specifically of the NSA and most of the attention is around them because of the Snowden leaks.

Now, would a large state actor involved in offensive black hat hacking have known of heartbleed? I think the answer is likely yes.

Any decently funded team with a dozen good auditors to commit to the project would be watching popular open source projects like openssl, linux, chromium, firefox, apache, nginx, gnupg, openssh, boost, gmp, berkeley db, qt, gtk, etc.

For this part of the project, you only have to grep for low hanging fruit in each new patch that is released for each project, that is, usage of: gets, scanf, strncpy, strncat, memcpy etc (or the equivalents for each project that has wrappers or handling functions).

Any large state actor with any decent team running such a project would have discovered heartbleed within days of it being committed. They also would have discovered a lot of other bugs that we either don't know about yet or have fixed.

With heartbleed the state actors are kicking themselves either way: either because they didn't know about the bug and missed it, or they did know about the bug and now can no longer use it as effectively.

"They" (and you can include black hat groups that don't disclose in this as well) combined likely have more resources dedicated to uncovering these bugs than what the open community does, and it might be an order of magnitude larger.

When you think about this further, you realize that the state actors having discovered heartbleed or not doesn't matter - what does matter is that they do have a lot of exploits that we don't know about and it has been confirmed that they are not only looking for these bugs and have a lot of people working on it, but are actively discovering them, using them and purchasing them on the market.

The response to this shouldn't be heartbleed specific - it should be what do "we" do to stop "them" from discovering and using exploits from open source and projects. There needs to be a heck of a lot more effort or a whole new approach to defeat the level of resources that are out there dedicated to uncovering and not disclosing these exploits.

The best thing that could have happened did happen: heartbleed was discovered and it was disclosed, and a hell of a lot of people are now more aware of just how frail some of this infrastructure is and what the risks are.

1 comment
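The patch-triage step nikcub describes above (grep each new patch for risky calls) as an added, defender-side example that is not code from the comment or from any project: a small Python scanner over a unified diff that reports only the added lines calling the functions he names, with file path and new-file line number, so a maintainer can gate incoming patches for review. The sample patch, `read_u16`, `label` and the file name are all constructed for the example.

```python
import re
from typing import List, Tuple

# The "low hanging fruit" calls named in the comment; extend per project
# with its own wrapper or handling functions.
RISKY_CALLS = ("gets", "scanf", "strncpy", "strncat", "memcpy")
CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_patch(patch: str) -> List[Tuple[str, int, str, str]]:
    """Return (file, new_line_no, function, source_line) for every ADDED line
    of a unified diff that calls one of RISKY_CALLS. Context and removed lines
    are only used to keep the new-file line counter correct."""
    findings = []
    path, new_line = None, 0
    for raw in patch.splitlines():
        if raw.startswith("+++ "):          # new-file header: "+++ b/path"
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue                        # old-file header / "No newline" marker
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))      # first new-file line of this hunk
            continue
        if path is None:
            continue
        if raw.startswith("+"):
            code = raw[1:]
            for call in CALL_RE.finditer(code):
                findings.append((path, new_line, call.group(1), code.strip()))
            new_line += 1
        elif not raw.startswith("-"):
            new_line += 1                   # context line exists in the new file
    return findings


# Constructed sample diff (not a real project's patch).
SAMPLE_PATCH = """\
--- a/src/parse.c
+++ b/src/parse.c
@@ -20,5 +20,7 @@ int parse_header(const unsigned char *src, size_t len)
 {
     unsigned char dst[64];
-    dst[0] = src[0];
+    uint16_t n = read_u16(src);
+    memcpy(dst, src + 2, n);
+    strncat(label, src, n);
     return 0;
 }
"""

if __name__ == "__main__":
    for f, line, fn, code in scan_patch(SAMPLE_PATCH):
        print(f"{f}:{line}: {fn}() in added line -> {code}")
```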

Excellent response, Nik. I write from Laos, where one of the TPB guys apparently lives in exile, next door to where another was extradited, and next door to where lots of exploits apparently get sold (according to certain media reports and personal interactions). This whole thing is invisible to normal people. The bigger question is how can we educate the masses without reliance upon government. I think a global network of free wifi with knowledge libraries people can access on their cellphones would be a good start. Off the internet.