Slashdot Mirror
NSA Allegedly Exploited Heartbleed
squiggleslash writes: "One question arose almost immediately upon the exposure of Heartbleed, the now-infamous OpenSSL exploit that can leak confidential information and even private keys to the Internet: Did the NSA know about it, and did they exploit if so? The answer, according to Bloomberg, is 'Yes.' 'The agency found the Heartbeat glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency's toolkit for stealing account passwords and other common tasks.'"
The NSA has denied this report. Nobody will believe them, but it's still a good idea to take it with a grain of salt until actual evidence is provided. CloudFlare did some testing and found it extremely difficult to extract private SSL keys. In fact, they weren't able to do it, though they stop short of claiming it's impossible. Dan Kaminsky has a post explaining the circumstances that led to Heartbleed, and today's xkcd has the "for dummies" depiction of how it works. Reader Goonie argues that the whole situation was a failure of risk analysis by the OpenSSL developers.
Why even have the same agency responsible for foreign electronic intelligence and put them in charge of "cyberdefence" (how I hate that term..).
It's a massive conflict of interest. You're virtually begging them to find and then sit on dangerous exploits.
YOU SON OF A BITCH
The only bug here is that it wasnt hidden deeply enough.
They're not just exploits, they're "offensive capabilities."
Must have been nontrivial to make patches for their own exploits without being the actual developer.
I can understand this happening. It would make sense that the NSA would have someone or multiple people review every patch and check-in for a package as important as OpenSSH, just looking for exploitable mistakes.
I would not be surprised if they review a great deal of FOSS software they deem important to national security.
Wax on, wax off baby!
Said no one ever.
The basic fact is, if they did not exploit it, then someone working for them is thinking "DAMN, I wish I thought of using that!"
excitingthingstodo.blogspot.com
Why can we not start a class action lawsuit against the Government, NSA and those that allow snooping around in personal data without probable cause?
It's a hugely used cryptographic library, and the NSA has resources galore. Even without having the manpower to manually go through the source (which they totally have) it's a simple enough problem that automated testing would show it up. From their perspective it would have almost been negligent of them to have not known about it since day one
Anonymous likely also exploited this flaw to attack servers in the past including public facing government websites.
Really man! And nothing confirms this story like an official denial. (I think that's how it goes)
“He’s not deformed, he’s just drunk!”
If you know about it and have access to virtually unlimited resources you can afford to attach to your target and do it as many times as you want in order to get what you want.
And, frankly, I don't believe the guy that claims responsibility for the bug.
As well, if something this simple could cause such an issue then clearly it is an issue for lots of other important security programs.
You can lead a man with reason but you can't make him think.
And what are the odds there aren't at least a half dozen other bugs as serious still to be found in the OpenSSL source code ...
We need to find out if the author of this bug is or was on the NSA payroll. It would not be surprising to find out he was paid to put it there.
it's a (NSA) feature...
Even if it's not an NSA feature...of course the knew about it! They would have to be even more incompetent than we think not to. They are HUGE, with something like 40,000 employees. At least of few of those employees must be dedicated to code review of OSS looking for vulnerabilities, and more in general looking for vulnerabilities in any widely used software. And if that's the case, then you'd think OpenSSL would be one of the first things they'd look at. The fact that they didn't tell anyone though shows that the S is NSA is bullshit. They cared more about being able to exploit the vulnerability themselves than making their country's computers more secure. If they cared one shit about their country's security then they'd have big teams dedicated to finding software vulnerabilities and working with vendors to fix them.
The author of this bug and the reviewer of the commit have both been very forthcoming about the mistake. There's little reason to suspect malicious intent in this particular instance.
That doesn't mean the NSA didn't know about it or exploit it, though.
#DeleteChrome
Glad you asked: it happens all the time, ever since the Tort Claims Act of 1948 substantially waived the sovereign immunity doctrine. You can read more about it at Wikipedia.
People sue the government all the time. It's literally an everyday occurrence.
OK guys. We've promoted Open Source for decades. We have to own up to our own problems.
This was a failure in the Open Source process. It is just as likely to happen to closed source software, and more likely to go unrevealed if it does, which is why we aren't already having our heads handed to us.
But we need to look at whether Open Source projects should be providing the world's security without any significant funding to do so.
Bruce Perens.
Fix is here http://www.iis.net/
A "failure of risk analysis" by the OpenSSL team I can buy, but does that really have any bearing on whether the NSA would secretly exploit that failure?
Oh, wait, the NSA has denied it. They always tell the truth.
---
The US Constitution isn't perfect but it's better that what we've got.
It is a common behaviour in communist countries like North Korea or USA. Spying and tracking citizens daily lives is far more important than security.
Who visited USA lately will notice growing Bolshevism. It starts with fingerprinting at airport, stupid questions and shock when tourist enters downtowns of popular cities.
Security forces are everywhere. Not only on street but in school and preschool, grocery stores and movie theatres.
It is terrifying how much in power are now comrades in USA.
Theo de Raadt should fork OpenSSL. He could call it OpenOpenSSL.
.
Trolling is a art,
I think that NSA has good coverage and analysis tools. They probably knew of Heartbleed, and they probably know of dozens more flaws like this.
I will be glad, when they cease to exist.
"Flyin' in just a sweet place,
Never been known to fail..."
When this was supposedly "fixed" in OpenSSL, did the fix just fix this one known bug? A real fix includes fixing the storage allocator to overwrite all released blocks, so no other old-data-in-buffer exploit would work.
We need to find out if the author of this bug is or was on the NSA payroll. It would not be surprising to find out he was paid to put it there.
The author responsible for the bug has already admitted that it was a mistake (and it's not like buffer overflows are unheard of, so it really is plausible). Sure, it's possible that the NSA secretly paid him (or ever coerced him by holding some incriminating evidence over his head), but it would likely take someone with the resources of the NSA to uncover such a secret NSA payout. Something of that nature probably wouldn't even be available in Snowden's document archive.
Does it matter?, its reported the NSA have been using it but who else has who didnt get their fingers caught in the cookie jar has?
Bob Porter: We always like to avoid confrontation, whenever possible. Problem is solved from your end.
Hi NSA!! get the fuck OUT OF MY COMPUTER. kthnxbai.
Bloomberg is the reporting organization, so they can't bee the source. They name no sources, just "two people familiar with the matter", which could mean they asked me twice.
Maybe, of course we cannot just believe them after seeing them repeatedly lying to Congress, but it strikes me likely in this particular case they are telling the truth. This bug, unless I am misunderstanding, essentially lets you read from a small contiguous pseudo-random block of memory. That's obviously not acceptable from a defender point of view - it could potentially expose any and all information so it's a severe flaw - but from an attackers point of view it seems less impressive.
You could probably try this thousands of times without actually obtaining any information of value. Sure, you might luck out and get the keys to the kingdom, but it seems like a crapshoot. From an attackers point of view, this might be better than nothing, but unless they have pretty near nothing to start from, it does not seem exciting.
And we know they have a lot more than nothing to start from. With Total Surveillance in effect on the net, with rootkits and zero-day exploits to deliver them, it's just really hard to see how this would add anything substantial to their toolkit.
No, I suspect this is exactly what it appears to be - a critical bug resulting from too much emphasis on fast and not enough on good. That's hardly unique to OpenSSL, it's a chronic problem across the industry as a whole.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
I imagine we could do that if we stopped with domestic and allied spying. By that I mean searching for vulnerabilities in the software we use and alert the proper companies in order to fix them.
National Spying agency...
They do provide the right companies with expertise on security for securing important technology, and justifying compliance to said recommendation for sale of sensitive products. I don't know how many of the 40000 employees do that, but that's one "Security" feature that they _do_ offer.
When the NSA ceases to exist, it will be because they are adsorbed by something bigger and more powerful.
Look at the KGB. They were adsorbed by the Russian Oligarchy.
Actually I wrote this yesterday but was unable to publish it:
...
I have not yet grasped the full scope of the implications of this bug, but if you take the stance that things that could have been done also has been done (imho the only safe assumption), is this a good characterization? Or are there any limiting factors that makes this impossible? Like for example the amount of memory that could be leaked while the application is running (as servers aren't restarted often) is certain information that is stored statically in memory potentially not reachable?
During the last two years:
1. Any/all certificates used by servers running openssl 1.0.1 might have been compromized and should be revoked (the big cert-reset of 2014?)
2. Because of 1, any/all data sent over a connection to such servers might now be know by a bad MITM (i.e. for large scale: the various security services/hostile ISPs, local scale/targeted attacks: depends on who else happened to know, and this person/organization happened to be your adversary, looks unlikely, but who knows...)
3. Any/all data stored in SSL-based client applications might have been compromised.
From a users perspective - change all passwords/keys that has been used on applications based on openSSL-1.0.1? How to know what services? To be safe, change them all? Consider private data potentially sent over SSL to be open and readable by the security services?
Thinking about the large-scale:
For how long has the NSA been picking up information leaked by Heartbleed (assuming that they have at least since late evening the 7:th or early morning the 8:th seems a given)?
-Not in the Snowden documents that has been revealed so far (absence of proof != proof of absence, but language might give a hint)
-No report of unusual heartbeat streams being spotted in the wild (was anyone looking?)
Let's assume for the sake of argument the NSA does not have people actually writing the OpenSSL code in the first place.
When did they know about it's existence?
time_to_find_bug = budget * complexity_of_bug / size_of_sourcecode * complexity_of_sourcecode * intention_to_find_bugs
Where
budget = manpower * skillset
and
time_to_find_bug < inf.
when
skillset >= complexity_of_bug
Heartbeat bug:
complexity_of_bug = low
OpenSSL:
size_of_sourcecode = 376409 lines of code (1.0.1 beta1)
complexity_of_sourcecode = high
NSA:
intention_to_find_bugs = 1
budget = $20 * 10^9 ?
=> manpower = 30k ?
skillset = high
Guesstimate: one to a few months -> early 2012 to go through the changes made to 1.0.1 building on earlier work already done on the 0.8.9 branch...
...
Or to say it another way, I think it is safe to assume that, given the simplicity of the bug, NSA knew about Heartbleed in early on. The anonymous comments to Bloomberg gives nice confirmation of this.
Heinlein's but don't rule out malice still applies.
Look. I get that the NSA has these incredible resources (thousands of personnel, alone), but they're still all working for the government: the king of big company bullshit with a side of no incentive to work hard. I'll kiss a pimple on your ass if there aren't many hundreds of others' disenfranchised like Snowden who lack either the luxury of being able to leave or the courage to do so.... these folks commitment is plausibly not legendary.
If they can buy a guy in on the production side of the coding, it just saves a lot of work.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
They can't even pass basic SSL security tests on their websites. Nor can FBI.gov, FDIC.gov, IRS.gov, VISA.com, MASTERCARD.com or PCISECURITYSTANDARDS.org
Absolutely amazing that something as basic as their public facing websites all fail with an F
I would expect that Cisco and IBM work hand in hand with the NSA, embedding crypto backdoors and wiretapping capabilities in their products.
What is to say the author wasn't offered $10 million to "accidently" put the bug in the code similiar to what happened at RSA? The NSA probably even coached him on what to say when the bug gets discovered.
Yeah, empires never fade, and always get replaced by bigger ones.
So don't look at dinosaurs, and the tiny mammals that survived them, and surely not at entropy, which is breaking everything down to energy and then smearing that around, slowly, patiently, irreversibly. Do not realize that the universe is a joke at the cost of anyone who likes (to keep) power, that having lots of materials and commanding people around or killing them does not constitute power more than a fart constitutes a solid object, and is but a compensation price born out of delusion. Ignore that a chain binds the master more than the slave, and while it kills the master in an instant, it kills the slave much later or never.
The KGB, the NSA, the Russian Oligarchy, and so on -- all of them already lost, they are but empty husks propped up by smaller empty husks, all life and all reward is taking place in the blind spots, in the wrinkles and niches. The all seeing eye is utterly blind, it does not see the wood for the trees. It will take up last to the joke, and until then it attracts greedy, sadistic, and impotent people, acting as a sinkhole for the weakest humanity has to offer. It's always been thus. Powermongers never experience greatness themselves, but sometimes force their subjects into it. It's a joke at their expense on more than one level.
I'll raise his tinfoil hat concern about "oh no, it's open people might see the open window" with my tinfoil hat concern of "it's hidden in a dark alley, no one will see the crack den in the basement because no one else can see the doors or windows".
The bug seems quite obvious. I would expect they could be a little more clever if they were to write the bug itself. This is failure of the OpenSSL project, period.
The fact that they didn't tell anyone though shows that the S is NSA is bullshit.
Wouldn't that be the NBA? Interesting mashup there.
LeBron James: athlete, sycophant, spy.
More like... nerdular nerdence!
The fact that they didn't tell anyone though shows that the S is NSA is bullshit. They cared more about being able to exploit the vulnerability themselves than making their country's computers more secure.
It's a basic conflict of interest with police/defense/intelligence agencies. They gain power from the existence of threats, so it's in their self interest to favor policies that perpetuate them while pretending to do the opposite. The War on Drugs, Cuban Embargo, etc.
The fact that they didn't tell anyone though shows that the S is NSA is bullshit. They cared more about being able to exploit the vulnerability themselves than making their country's computers more secure. If they cared one shit about their country's security then they'd have big teams dedicated to finding software vulnerabilities and working with vendors to fix them.
You are confused as to what NSA's "defensive" mission is. They aren't there to be the defenders of the internet. They aren't there to be corporate America's QA department. They aren't there to review open source and provide fixes. They aren't there to "make the country's computers more secure".
They are there to protect DoD classified systems. That's the defensive mission, as an agency under the DoD umbrella. Protect DoD classified systems and anything that deals with military activities. All this extraneous whining - none of it is their mission.
It's a simple calculation on their side as far as the defensive mission - does "vulnerability X" involve classified DoD systems or ones that have military information? No? NOT THEIR PROBLEM.
Don't like it? Well too bad, you don't get to gripe when they don't follow their mandate and also gripe when they do.
If you want to complain, take that up with congress or the president to alter their mandate/directive. Or, take it up to congress to provide more funding for the agencies that are actually supposed to be looking out for commercial internet use and regular gov sites - NIST and DHS. Or, lobby congress to create a fully civilian non-DoD agency that's there to provide an extra security layer for the world at large. And in that last case, don't bitch about the government spending money when clearly the free market is failing to provide a solution, since it appears greedy for-profit corporations are happy to use but not contribute any resources towards this critical software infrastructure.
With the constant complaining about them and government in general from all the anti-government libertarian neck beards here, why would they even bother producing a fix? Who would trust code they released? This would not be like the selinux release, which is optional and provided new capabilities - if they produced a fixed openssl nobody would use it until code reviewing for years. They'd spend more time with PR and a ton of bullshit than doing nothing at all which is free from their perspective. If they disclosed the bug, they don't have any power to compel "the internet" to upgrade to a fixed version, so they'd be blamed for exploits and vulnerabilities during the time servers were slowly upgraded.
Whatever they do, somebody would gripe and given it ISN'T THEIR JOB in the first place, doing nothing looks like the game-theory resulting best call.
As a tax paying sheep I fell it's their Job to use everything at their dispose,
In the report they published, it really just says that when trying to exploit Hearbleed on their OWN infrastructure with openssl + modified nginx they could not obtain public keys. That's all.
Welp, that didn't take long. Looks like someone solved CloudFlare's Heartbleed Challenge and got their private server key...
lol...Maybe he was sent a stack of cash with a USB flashdrive and a note "You know what needs to be done. Love, NSA"
some clues might be buried in there somewhere, but until Snowden's "cache" is publicly released we'll never actually know...but I'm guessing The Guardian et al are currently combing through the archive looking for some references.
If the heartbeat message is stored in memory allocated near the top of the heap, then if the bug is being exploited, the server should be reading data beyond the top of the heap. If this bug has been extensively exploited, why have we not seen servers crashing every now and then? Or have we seen it?
There is no substitute for common sense. Especially, no body of rules will do.
The National Security Agency was created to:
1) engage in Espionage,
The Espionage will be used by the President of the United States and or a Department on His Behalf.
2) engage in Blackmail,
The Espionage will be used to Blackmail National and Foreign Governmental and Non-Governmental Persons at the Pleasure of the President
of the United States of America or HIS departmental representatives for the expansion of the United States of America and the Expansion of the wealth of the President of the United States of America.
Sig Heil
Sig Heil
Sig Heil
The first thing I did when I read this story was email my congress person. Not that it will help do anything but let the NSA know where I am...
Just a minor correction - my piece does indeed suggest that the OpenSSL developers have some strange priorities. However, it lays the larger blame at the companies that used OpenSSL, when all the information necessary to suggest that this kind of thing could happen was already available, and the potential consequences for larger companies of a breach are easily enough to justify throwing a little money at the problem (which could have been used any number of ways to help prevent this).
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
I challenge anybody to review it and find (or notice) the bug.
It's actually kind of easy to see. I just use the same trick I use when trying to read almost anyone's code: I assume that some jackass obfuscated all of his variable names and so I rename them as I figure out what they actually represent so that the new names actually describe the variable. Once that's complete, I'm left with "memcpy(pointer_to_the_response_packet_we_are_constructing, pointer_to_some_bytes_in_the_packet_we_received, some_number_we_read_out_of_the_packet_we_received)" and it immediately raises a red flag.
I've read that the reason there's a packet length sent from the remote host is because this data is sent with random padding bytes added to each packet and so the packets need to indicate how much of the data is actually valid. So why isn't the packet size figured out closer to when the data first enters the program? First thing I would do when receiving a packet is read out this packet size, verify that the actual size of received packet is large enough to contain it, and toss the packet if it wasn't large enough since it was obviously corrupted (or malicious). Then I'd write the size into a structure for the packet's meta-data, along with any other data we find in every packet (like a packet type number), and every other part of the entire program would read the data from that structure. That's how you do these things. Everything received is "tainted" and, once you verify it isn't poisonous, you move it out into a data structure that the rest of your program trusts. Otherwise you have every piece of code that needs that data having to verify it every time it accesses it which just creates enormous opportunity for error.
So when you come across code like this which pulls data out of the packet and just uses it, it isn't just wrong, but it doesn't even resemble anything that might be correct. Thus, the poor variable naming just might be why this wasn't noticed. Since the data pulled out of the packet is stored into a variable named "payload" it's easy to imagine it's simply payload data, which doesn't have to be checked as it won't ever be used for anything other than being returned to the remote host, and so the absence of code that checks the validity of that data might be expected. If it were named even something as ambiguous as "payload_size" then you have to immediately wonder if it's a size that needs to be checked against anything when you see it being pulled out of a buffer of untrusted data. ...but then, you don't see that either, since the pointer is named "p" which doesn't scream "this is untrusted data" and, even if you look above to see that "p" was assigned from "&s->s3->rrec.data[0]" you're still left wondering what the fuck that might be. Maybe "rrec" refers to some sort of received record? Fuck, who knows.
I mean, right after the memcpy I see "RAND_pseudo_bytes(p, padding)." Is this even putting the padding bytes in the correct place? Well, "p" could be a pointer to anything so it's pretty easy to assume it could be correct. Hel
CloudFlare has retracted their statement that private key compromise is very hard. They started a challenge and at least 2 people successfully got private keys from their Heartbleed-enabled server with as few as 100K requests. (I am sure that with some optimization, the number could be even lower.)
Sort of related. Seems like multiple independent sources have verified the key leakage. There seems to be article here.
So what does this mean? Assuming NSA has been collecting traffic from teh internet, and meanwhile been harvesting private keys from affected services since 2 years a go, then all that data is readable to them as in there had been no encryption to begin with (assuming no PFS etc). And meanwhile the sites are waiting to get new certs, they still can. And they can set up intercepting proxies with 'real' keys from the website they are masquerading as.
What all this is saying -- heed the warnings. Revoke and update your certs, have users change password. Carry on.
Has there been any cases where the leaked information has been usefull in pointing out flaws which lead to patching security holes?
As I'm too often involved in myself sometimes: :-)
http://www.pdfernhout.net/on-d...
"This approximately 60 page document is a ramble about ways to ensure the CIA (as well as other big organizations) remains (or becomes) accountable to human needs and the needs of healthy, prosperous, joyful, secure, educated communities. The primarily suggestion is to encourage a paradigm shift away from scarcity thinking & competition thinking towards abundance thinking & cooperation thinking within the CIA and other organizations. I suggest that shift could be encouraged in part by providing publicly accessible free "intelligence" tools and other publicly accessible free information that all people (including in the CIA and elsewhere) can, if they want, use to better connect the dots about global issues and see those issues from multiple perspectives, to provide a better context for providing broad policy advice. It links that effort to bigger efforts to transform our global society into a place that works well for (almost) everyone that millions of people are engaged in. A central Haudenosaunee story-related theme is the transformation of Tadodaho through the efforts of the Peacemaker from someone who was evil and hurtful to someone who was good and helpful."
But more seriously, there are a lot of fine dedicated well-meaning people who work at three letter agencies. There are no doubt a lot of not-so-fine ones too. Any big bureaucracy has complex and often self-perpetuating social dynamics. If such places are to improve, IMHO one needs to support and encourage the fine people there and hope their actions can outweigh the not-so-fine ones. For example, IMHO Tom Armour was one of the finer ones:
http://pcast.ideascale.com/a/d...
Saying the KGB, the NSA, the Russian Oligarchy and so on are empty husks is a bit like saying capitalism is full of contradictions and unfairness and so it will fall apart on its own. I've said such things myself sometimes:
http://www.pdfernhout.net/post...
"Wikipedia. GNU/Linux. WordNet. Google. These things were not on the visible horizon to most of us even as little as twenty years ago. Now they have remade huge aspects of how we live. Are these free-to-the-user informational products and services all there is to be on the internet or are they the tip of a metaphorical iceberg of free stuff and free services that is heading our way? Or even, via projects like the RepRap 3D printer under development, are free physical objects someday heading into our homes? If a "post-scarcity" iceberg is coming, are our older scarcity-oriented social institutions prepared to survive it? Or like the Titanic, will these social institutions sink once the full force of the iceberg contacts them? And will they start taking on water even if just dinged by little chunks of sea ice like the cheap $100 laptops that are ahead of the main iceberg?"
Yet capitalism is still here and seemingly stringer than ever (as far as control of the US political machinery). And may well be for some time as the underlying power system morphs into new forms. Ancient China went hundreds of years at a stretch with peasants suffering all sorts of things, especially famine, and not much changing. Yet, something like a "basic income" might be a step towards improving capitalism even if it would not fix everything about it (the worst of consumerism, addictions, waste, short--term planning, systemic risks, externalities, etc.).
Short-term power in human societies also translates itself into sexual access and the spread of genes (e.g. Bill Clinton, theoretically). The best we can perhaps due as a society is structure how the competition for mates plays out in our society, as in what is valued. James P. Hogan wrote about that in his sc
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
"and today's xkcd has the "for dummies" depiction of how it works."
Thank you, thank you, thank you! At last I get it. So simple. So fiendishly simple.
The "forthcomingness" of the bug's author is the thing that makes me the most suspicious. It almost feels like he's gloating, "whoever slipped in such a plausible human mistake as a backdoor must've been brilliant, but hrrhrr I wasn't on the BND's payroll until much later, so it couldn't have been me, could it?"
Bloomberg says, "two people familiar with the matter" and we all buy it? Common, this isn't "proof" of anything.
So let me get this straight. Let's assume the NSA discovered the bug two years ago and has actively been exploiting it. They've also made a decision to "keep quiet" about it, due to "National Security" interests. There are several issues with this theory.
For one, this would mean that they knowingly left US assets vulnerable. That is, the FBI, DOE, CIA (?), State/Local Policy, Military, US companies, infrastructure computer systems, etc. would have been vulnerable to this attack. However, the NSA found the flaw so awesome, that they decided it would be better to just leave the bug out there and _hope_ that nobody discovers it.
The second issue, the NSA found it and _knows_ we're just as vulnerable as anyone else. They now gamble that nobody else is as smart as them to discover it as well. We are all aware that other countries have intelligent agencies, right? The NSA just "hopes" that the Russians doesn't figure it out.
Then a small Finnish security firm discovers the bug.
It is very possible that the NSA might have been exploiting this flaw. However, gut feelings and handwaving about the NSA every single time a software flaw comes up doesn't help the issue. "Two people familiar with the matter" is crap. That just about describes everyone on Slashdot. It's complete nonsense. There is no context for how these "two people" are "familiar with the matter". This is not even journalism.
If the article stated that someone found a packet capture (pcap) PRIOR to Apr 2014, that _WOULD_ be alarming. That would _show_ that some one (criminals? NSA?) had been exploiting the flaw. If the NSA admitted to it, that would be interesting.
In the mean time, keep your "two people familiar with the matter" bullshit to yourselves until you have proof.
The author of the bug probably introduced it accidentally. It's easy to do. The author of the special wrapper code in openSSL that purposely prevents newer versions of malloc from doing memory checking that would have revealed this bug a little more suspicious.
Of course they're telling the truth. They just aren't telling the whole story.
"No, we didn't exploit the Heartbleed bug. You're accusing us of stealing a Ford Focus when we've got garages full of Ferraris and F-16s. Puh-lease! Why would we bother exploiting something that gives such rudimentary and fleeting access to data and could just as easily be used by the Chinese or Russians when we have the espionage skills and resources available to us to install our own secure backdoors that only we can use and give ourselves full, unrestricted access to everything on any system we want access to?"
Since the dawn of man the size of political units has always been increasing.
Family
Band
Tribe
City
State
Nation
World Government(?) (If we don't have nuclear war first)
The thing is, while there is much outrage, not much is being done about those violations either. Just like in 1984, instead of choosing to fight for their rights, the masses instead chose to make the best of things. This is a disappointing path we are taking in our growth as a nation.