[tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

Juan Garofalo juan.g71 at gmail.com
Thu Apr 10 12:26:46 PDT 2014
--On Thursday, April 10, 2014 3:46 AM -0400 grarpamp <grarpamp at gmail.com>
wrote:

> On Wed, Apr 9, 2014 at 2:29 PM, Christopher J. Walters
> <cwal989 at comcast.net> >
>> It makes me wonder if the NSA was involved in inserting this bug into
>> OpenSSL clients and servers.
> 
> That would be 2+ years of amazing win on the NSA's part [1]. Any unlikely
> impropriety would come out soon. More likely reality... opensource
> people are busy and good humans and coding mistakes happen.


	Oh. And what about the constant babbling stating that open source is
oh-so-great security-wise because lots of people can look at the code bla
bla bla bla bla. Bla!
> Hopefully the general buzz around NSA/security/crypto/decentral will
> result in dedicating more permanent resources to things like protocol devel
> and replacements, and auditing of key underlying software code.
> You really need to be asking if and how the giant for-profit corps
> that use opensource for free are giving back. $50k a year donated to
> fund an independent developer pool from the OSS community to sit on
> the teams of your favorite code projects of choice as auditors is nothing
> to companies like that, a dream gig for the dev, a win for the project, and
> good company PR.
> 
> How often do you see @ge.com @chase.com @ibm.com, etc
> on developer/donation lists... you need to ask those type of
> @'s if, how, and why not.
> 
> [1] And pretty dumb of any attacker to not simply quietly watch,
> analyse and exploit the committed output of any critical project...
> no insertion, cost, or risk necessary to do that.