> More likely reality... opensource people are busy and good humans and coding mistakes happen.
Given that other likely backdoors were also concealed as "mistakes" in normal commits, I wouldn't write it off. But the real villain here is coding security-critical applications in C, when there are memory-safe, more modern alternatives. The Heartbleed bug-door was a failed memory-bounds check, but that's something more modern alternatives just do automatically as a matter of course. If I recall correctly, Rust was designed explicitly to be memory safe. D is likewise memory safe, and is syntactically close enough to C that an OpenSSL rewrite isn't out of the question.

On 10/04/14 08:46, grarpamp wrote:
On Wed, Apr 9, 2014 at 2:29 PM, Christopher J. Walters <cwal989@comcast.net> wrote:
> It makes me wonder if the NSA was involved in inserting this bug into OpenSSL clients and servers.
That would be 2+ years of amazing win on NSA part [1]. Any unlikely impropriety would come out soon. More likely reality... opensource people are busy and good humans and coding mistakes happen. Hopefully the general buzz around NSA/security/crypto/decentral will result in dedicating more permanent resource to things like protocol devel and replacements, and auditing of key underlying software code. You really need to be asking if and how the giant for-profit corps that use opensource for free are giving back. $50k a year donated to fund an independent developer pool from the OSS community to sit on the teams of your favorite code projects of choice as auditors is nothing to companies like that, a dream gig for the dev, a win for the project, and good company PR.
How often do you see @ge.com, @chase.com, @ibm.com, etc. on developer/donation lists... you need to ask those types of @'s if, how, and why not.
[1] And pretty dumb of any attacker to not simply quietly watch, analyse and exploit the committed output of any critical project... no insertion, cost, or risk necessary to do that.
-- T: @onetruecathal, @IndieBBDNA P: +353876363185 W: http://indiebiotech.com
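The failed bounds check Cathal refers to, as an added illustration that is not code from this thread or from OpenSSL: a minimal C parser for a heartbeat record in the RFC 6520 layout, where the declared payload length is compared against the bytes actually received before anything is copied. The function names and the sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Record layout per RFC 6520: type (1 byte), payload_length (2 bytes,
 * big-endian), payload, then at least 16 bytes of padding. */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16

/* Payload length the peer *claims*, or -1 if the header itself is short. */
static int hb_declared_len(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR_LEN) return -1;
    return ((int)rec[1] << 8) | rec[2];
}

/* The check Heartbleed lacked: header + claimed payload + minimum padding
 * must fit inside the number of bytes actually received. */
static int hb_length_ok(const uint8_t *rec, size_t rec_len) {
    int plen = hb_declared_len(rec, rec_len);
    if (plen < 0) return 0;
    return (size_t)HB_HDR_LEN + (size_t)plen + HB_MIN_PADDING <= rec_len;
}

/* Copies the payload that a heartbeat response would echo back into out.
 * Returns bytes copied, or -1 if the record is rejected. Without
 * hb_length_ok, a 0xFFFF claim on a 23-byte record would make memcpy read
 * about 64 KiB beyond rec: that over-read is the Heartbleed leak. */
static int hb_echo_payload(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap) {
    if (!hb_length_ok(rec, rec_len)) return -1;
    int plen = hb_declared_len(rec, rec_len);
    if ((size_t)plen > out_cap) return -1;
    memcpy(out, rec + HB_HDR_LEN, (size_t)plen);
    return plen;
}

/* Constructed sample records: type 1, payload "ping", 16 bytes of padding.
 * hb_good declares 4 bytes; hb_lying declares 65535 on the same 23 bytes. */
static const uint8_t hb_good[23]  = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t hb_lying[23] = {1, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};
static uint8_t hb_out[64];

int main(void) {
    int a = hb_echo_payload(hb_good, sizeof hb_good, hb_out, sizeof hb_out);
    int b = hb_echo_payload(hb_lying, sizeof hb_lying, hb_out, sizeof hb_out);
    return (a == 4 && b == -1) ? 0 : 1;   /* exit 0 when the check works */
}
```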