On Wed, Apr 9, 2014 at 2:29 PM, Christopher J. Walters <cwal989@comcast.net> >
It makes me wonder if the NSA was involved in inserting this bug into OpenSSL clients and servers.
That would be 2+ years of amazing win on NSA part [1]. Any unlikely impropriety would come out soon. More likely reality... opensource people are busy and good humans and coding mistakes happen. Hopefully the general buzz around NSA/security/crypto/decentral will result dedicating more permanent resource to things like protocol devel and replacements, and auditing of key underlying software code. You really need to be asking if and how the giant for-profit corps that use opensource for free are giving back. $50k a year donated to fund an independant developer pool from the OSS community to sit on the teams of your favorite code projects of choice as auditors is nothing to a companies like that, a dream gig for the dev, a win for project, and good company PR. How often do you see @ge.com @chase.com @ibm.com, etc on developer/donation lists... you need to ask those type of @'s if, how, and why not. [1] And pretty dumb of any attacker to not simply quietly watch, analyse and exploit the committed output of any critical project... no insertion, cost, or risk necessary to do that.