The NSA can use this as an excuse to hide bugs

Apr 14, 2014 07:22 GMT

Heartbleed is changing things around in Washington and not in a way that anyone would actually want. Barack Obama has reportedly decided that when it comes to major flaws in Internet security, the NSA must reveal them to the general public unless it’s a matter of national security or law enforcement need.

Basically, Obama has just given the intelligence agency enough room to use this as an excuse whenever it finds any security bugs, the New York Times reports.

After all, it’s not like the NSA hasn’t used the words “national security” as a justification for its blatant overreach and mass surveillance practices. The intelligence agency has done the same thing with the Patriot Act, twisting the meaning of some of its sections to make sure that its spying methods are completely within the law.

The news comes just days after the Heartbleed OpenSSL bug was revealed to the world, along with the fact that most of the sites dubbed as secure have not, in fact, been safe over the past two years.

The NSA has also denied having any prior knowledge about Heartbleed or exploiting it for years as everyone assumed. The statement came after a news report indicated that the NSA had known about this major security flaw for years and had simply chosen not to share the information with the world.

The White House has been working towards announcing a series of reforms for the agency’s programs, which apparently include what to do when discovering bugs in massively used online tools that affect the security of billions of Internet users.

While the Administration hasn’t exactly shared whether it will follow the recommendations made by several panels so far – namely to put an end to mass surveillance, including the metadata collection program, to stop spying on world leaders and to mind the privacy rights of non-US citizens – the stance on this particular topic has been revealed due to the extreme focus on Heartbleed.

The OpenSSL bug is particularly dangerous since attacks leave absolutely no traces on the affected servers. This means that there’s absolutely no way of knowing if the bug was discovered prior to the announcement last week or if data had been mined for months, or worse, years.

Some two thirds of the world’s websites have used the affected OpenSSL versions to protect their sites, and most of them have already upgraded to the new version that patches up Heartbleed.