Heartbleed was a big friggin’ deal. And, unlike many vulnerabilities, it actually got a lot of press coverage. The press coverage was almost universally awful, but Sturgeon’s Law and the nature of modern journalism mean that it couldn’t be any other way. But the high visibility and the much-discussed fact that Heartbleed had been in the code base for many years led some to speculate that the NSA either knew of or was behind Heartbleed.

But I can almost guarantee that, whether or not they knew of it, they weren’t behind it. See, Heartbleed was too random and unreliable to be an effective tool of espionage. Anyone trying to gather targeted data from a single target or to reliably gather data on an entire population wouldn’t have any use for something that provided random chunks of server memory. They might get what they want, but it’s unlikely.

No, Heartbleed is of much more use to criminals who win no matter how much sensitive data they collect. The more the better, but they don’t care whose it is, or about ensuring that they get all of it.

Allow me an analogy. Let’s talk about fishing.

Criminals are poachers. They’re the ones that go to protected rivers and leave out baited lines at night. They collect whatever they happen to catch before morning and hope they don’t get caught. They don’t care what fish they catch, just that they get some and get away. Heartbleed is perfect for that. You’re guaranteed, with enough time and enough connections, to get some sensitive data you can use to turn a quick buck.

The NSA serves one of two roles: Captain Ahab or a commercial trawler. They either want to nail one particular fish, or want to gather up as many fish as possible. In either case, randomly distributed lines don’t do them much good. They’re not going to catch nearly enough fish and they’re probably going to miss the one or two they care about. Heartbleed doesn’t really serve their purposes.

They need either a spear or a dragnet.

They need something like CVE-2014-0224.

I know, I know, it can’t be that important. It doesn’t have a sexy name or a fancy website or a cool logo or nuffin’. Bummer. But it allows anyone with a man-in-the-middle position between two affected computers to intercept SSL traffic reliably and undetectably.

And essentially every computer that uses OpenSSL was affected until today.

To continue the analogy, CVE-2014-0224 is a dragnet that allows whoever operates it to catch all the fish in a particular river. So it’s good for getting information on an entire population. And if you’re sure that the particular fish you care about will swim through that one river, then it serves the Captain Ahab use case as well.

But you need a privileged place on the network. Something like, oh, I don’t know, an active intercept facility run by a major telecommunications provider. That would do.

Of course, OpenSSL isn’t the only game in town, just the biggest. There are other SSL implementations. The real litmus test will be to see if other, similar bugs are found in, e.g., GnuTLS. So far none have, that I’m aware of.

Now I should include a caveat here: I’m not saying the NSA is behind or was aware of CVE-2014-0224. I actually think it’s highly unlikely to be their handiwork, and any assertion that they did or didn’t know about it is functionally unfalsifiable and therefore not worth considering.

My point, rather, is that if the NSA does, indeed, have backdoors in major security software, this is likely the sort of thing they look like: subtle bugs that they can exploit to reliably and silently neutralize the security. They have no use for the random, the detectable, or the high profile.

The NSA has no use for Heartbleed, but would kill for something like CVE-2014-0224.