The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said. […]
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”
At some point the NSA’s computer security mission should trump their eavesdropping mission. I would have though that point would be have been when the bulk of our networking and finance infrastructure is exposed to every hacker in the world. Since that wasn’t the case in one of the most serious and real security breaches in the history of the Internet, the obvious conclusion is that the NSA puts absolute primacy on their ability to eavesdrop, the security of US citizens and corporations be damned.