[tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

grarpamp grarpamp at gmail.com
Thu Apr 10 00:46:44 PDT 2014


On Wed, Apr 9, 2014 at 2:29 PM, Christopher J. Walters <cwal989 at comcast.net> >
> It makes me wonder if the NSA was involved in inserting this bug into
> OpenSSL clients and servers.

That would be 2+ years of amazing win on NSA part [1]. Any unlikely
impropriety would come out soon. More likely reality... opensource
people are busy and good humans and coding mistakes happen.
Hopefully the general buzz around NSA/security/crypto/decentral will
result dedicating more permanent resource to things like protocol devel
and replacements, and auditing of key underlying software code.
You really need to be asking if and how the giant for-profit corps
that use opensource for free are giving back. $50k a year donated to
fund an independant developer pool from the OSS community to sit on
the teams of your favorite code projects of choice as auditors is nothing
to a companies like that, a dream gig for the dev, a win for project, and
good company PR.

How often do you see @ge.com @chase.com @ibm.com, etc
on developer/donation lists... you need to ask those type of
@'s if, how, and why not.

[1] And pretty dumb of any attacker to not simply quietly watch,
analyse and exploit the committed output of any critical project...
no insertion, cost, or risk necessary to do that.



More information about the cypherpunks mailing list