Lavabit case undermines claims NSA had Heartbleed early

If the NSA really did have Heartbleed "for years" as was claimed recently by Bloomberg news, they wouldn't need to go after Lavabit. They wouldn't even want to.
Written by Larry Seltzer, Contributor

When I first read the claims by Bloomberg News that the NSA had access to the Heartbleed bug "for years" I was immediately suspicious. It had only been two years since the code had been released as part of OpenSSL. Yes, the NSA might have had it from earlier builds but it all sounded fishy, not least because it would have made them way more knowledgeable than they appear to be.

Today I feel even more confident in my skepticism having been reminded of the case of Lavabit, which was served a subpoena for its SSL keys when the government found out it was Edward Snowden's email service. Lavabit refused, was fined and ordered to produce the keys, but didn't do so until they shut down their service. Today they just lost their appeal to the Fourth Circuit Court of Appeals for reasons unrelated to technology or even the arguments they made on appeal, but basically for bad lawyering.

If the NSA already had Heartbleed they wouldn't need Lavabit's cooperation. They would have the keys and would be able to decrypt all Lavabit email. The government wouldn't want to cause any legal troubles for Lavabit but to allow it to continue functioning and its users to continue communicating, comfortable in their illusion of privacy.

Another suspicious point now is that none of the journalists with whom Snowden worked, the ones who have access to the data he dumped, have made this claim yet. This is surprising since it would be an order of magnitude more spectacular than any other claim they have made so far. In fact, it would make many of their other practices, which have caused so much controversy, unnecessary.

Because it's relevant, I should point out that this Ars Technica interview with Lavabit owner Lars Levison specifically states that he used OpenSSL for his cryptography.

I'm sure Bloomberg didn't make it up which means either their two anonymous sources were making it up or were mistaken. Either way it's pretty embarrassing.

The moral of the story, as I see it, is that you shouldn't assume that the NSA (or any other agency of government) is particularly omniscient or that it has powers beyond what is reasonable. They certainly want to be omniscient, but even their budget is inadequate to the task. Further proof of this is that we know that the security at Lavabit was, in fact, poor. They didn't even need Heartbleed to get at Lavabit, they just needed to look at it critically. How all-powerful can they really be?

Editorial standards