ZDNet: When I first read the claims by Bloomberg News that the NSA had access to the Heartbleed bug “for years”, I was immediately suspicious. It had only been two years since the code had been released as part of OpenSSL. Yes, the NSA might have had it from earlier builds, but it all sounded fishy, not least because it would have made them way more knowledgeable than they appear to be.
Today I feel even more confident in my skepticism, having been reminded of the case of Lavabit, which was served a subpoena for its SSL keys when the government found out it was Edward Snowden’s email service. Lavabit refused, was fined and ordered to produce the keys, but didn’t do so until they shut down their service. Today they just lost their appeal to the Fourth Circuit Court of Appeals for reasons unrelated to technology or even the arguments they made on appeal, but basically for bad lawyering.