15 Apr 2014 @ 12:50 AM 

There has been growing speculation as to whether the NSA was aware of the Heartbleed vulnerability in advance. The story was raised and reported by Bloomberg, denied in the New York Times, and then sort of questioned again by the New York Times.

But the thing that strikes me most is a quote from former NSA Director Michael Hayden, who is on record as saying:

Some vulnerabilities are such that they marginally (but importantly) weaken a system but exploitation still depended on skills, systems and technologies that few, if any, can match. If the judgment is what is called NOBUS (nobody but us could do this), the risk management decision is pretty easy. Of course, that judgment could change over time and still requires continuous due diligence. (Security Current)

Given the ramifications that Heartbleed could have for the fundamental infrastructure of the Internet, if the NSA did know in advance, I think someone needs to be held to account.

Posted By: Chief Tech
Last Edit: 15 Apr 2014 @ 12:50 AM

11 Apr 2014 @ 6:13 PM 

Fairly widely reported in the press is the story of a five-year-old who managed to gain access to his father's Xbox Live account and play otherwise restricted video games.

The reports are very consistent in detailing the steps he went through to gain access to the account: essentially, he found a vulnerability in the password-reset feature of the Xbox One sign-in screen.

Microsoft have apparently rewarded the youngster with money, games and recognition; for a five-year-old it must be a nice little fifteen minutes of fame, not to mention free games.

What concerns me a little is that, with all this coverage, no one seems to be asking how a vulnerability simple enough for a five-year-old to discover and exploit made it into a production system. And where else is that authentication code used?

Don't get me wrong, I am all for supporting innovation in security research at any age. But let's get some perspective and start asking the questions that really should be asked.

For details either Google it, or try this link:

Posted By: Chief Tech
Last Edit: 11 Apr 2014 @ 06:13 PM
