"The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services."
This is my big point from the other thread. If NSA knew then not disclosing this type of serious bug should get someone's head to roll as it could imperil the security of other important USG communications.
That still leaves open the question of why NSA wasn't able to find this bug themselves though -- you'd think they'd be looking for bugs related to the introduction of new features into OpenSSL.
That's such a weak argument from them at this point. "Hey, we're the NSA - we're entrusted to protect US infrastructure. We'd never do something like that!"
Has this actually been verified? It was only newish versions of OpenSSL that were vulnerable. Websites that ran on IIS and other platforms were not vulnerable.
Does anyone have a historical list of critical government websites and their web server versions? An old nmap list would suffice to show that high-priority sites were vulnerable or not.
Many parts of government run Linux, including NSA themselves, other military platforms, and advanced research/development labs. Certainly there's tons of MS, but govvy is just so big that even OpenSSL being rare would still be highly concerning for USG security.