People really want to make something out of this, but it's very simple: the NSA found the "goto fail" bug and exploited it. (We know they also exploited heartbleed.)

We know they have active programs looking for holes in open source code and fuzzing commercial services looking for vulnerabilities. How is that so hard to believe?