I like this denial, in that it is pretty solid and clear that the NSA did not know about Heartbleed and therefore did not exploit it. I tend to believe the statement too, for two reasons:

  1. It passes my smell test, as I do believe the NSA thinks it would be more of a threat than an asset to leave the security hole open.
  2. The statement doesn't leave room for weaseling out of legal repercussions for the agency. The winds are shifting and “national security” is no longer a statement that is reason enough alone.

Posted by Ben Brooks