We needed a way to get everyone to weaken the SSL they were using, and what better target than OpenSSL, which handles SSL for millions of companies worldwide. Until recently we were not able to infiltrate the OpenSSL team, and with the recent Snowden leaks, we needed to increase the vulnerability of systems across the board as quickly as possible.
In the end, all it took was a story about how there was a bug in the current implementation, with a couple of trusted and verified sources, and leak the story to the press—the rest will be done by system administrators around the globe. We wouldn't need to penetrate systems, the system administrators would do it for us--if they believed they were compromised.
The real story is that all the updates is where the security hole is, but nobody is looking for it because they are comforted by the fact that they acted so fast with the rest of the sheep in the systems administration field. Heardbleed was a successful test of a new approach to making systems vulnerable by playing on the fears of the masses.
In the future we won’t need to infiltrate systems, we’ll just people to do it for us.
