[tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

Peter Malone peter at petermalone.org
Fri Apr 11 19:57:42 PDT 2014


I don't buy into conspiracy theories often but I really can't see how
you can fail to follow your own RFC. If he had a check in there to make
sure the payload_length wasn't too large I would say "hey, he forgot to
make sure it wasn't too small, and he never even mentioned checking if it
was too small in the RFC"... but he actually never checked for
anything... so maybe it is just a mistake. He definitely failed to follow
his own RFC, which never mentioned making sure the length was correct,
just that it wasn't too big, and that's something he never did.

I don't get how the reviewer can miss it too, like it's code for an RFC
the reviewer is COMPLETELY new to... so at first the code looks a bit
mad until you read the RFC, then you realize right away that he's
missing shit. Seems silly, I don't think the reviewer ever read the RFC.



On Sat, 2014-04-12 at 02:48 +0200, tpb-crypto at laposte.net wrote:
> > Message du 11/04/14 20:33
> > De : "Cypher" 
> > 
> > I agree that there is no proof that this bug was introduced on purpose
> > and it might be a simple oversight (no matter what it looks like or
> > could be). We have to keep in mind that one of the things spies do is
> > sow suspicion and doubt - it's a powerful weapon! All these
> > vulnerabilities we're finding in critical software /might just be/
> > mistakes and oversights. Or they might be deliberate attacks by the
> > NSA/GCHQ. Part of the power these agencies wield is that /we'll likely
> > never know/ and so we suspect...everyone. Everything.
> > 
> 
> Too many bugs, in too many convenient places. One or two may be a coincidence; several of them, as appears to be the case, are not. We know who did it, and now even if it is a coincidence, the culprit will be pointed at the NSA.
> 
> The timing the code was included in the tree cannot be a coincidence. There's one more thing we have to look at. When nobody is paying attention, someone is trying to sneak bad code.
> 
> The NSA mandate was to protect the people, not to make them vulnerable. Disbanding such a rogue organization would be the right thing to do.
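The missing check discussed above, as an added example (not OpenSSL's code and not from anyone in this thread): a validator for the RFC 6520 HeartbeatMessage that discards a message whose declared payload_length does not fit inside the received record, and a responder that echoes only the validated bytes. Function names and the sample message are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage: 1-byte type, 2-byte big-endian payload_length,
 * payload, then at least 16 bytes of padding. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Returns 1 and sets *payload_len for a well-formed message, 0 if RFC 6520 says discard. */
int heartbeat_validate(const unsigned char *rec, size_t rec_len, size_t *payload_len)
{
    size_t declared;
    if (rec == NULL || payload_len == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;
    if (rec[0] != 1 && rec[0] != 2)          /* heartbeat_request / heartbeat_response */
        return 0;
    declared = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check the vulnerable code lacked: header + declared payload +
     * minimum padding must fit inside what was actually received. */
    if (HB_HEADER_LEN + declared + HB_MIN_PADDING > rec_len)
        return 0;
    *payload_len = declared;
    return 1;
}

/* Builds a heartbeat_response into out; returns bytes written, or 0 if the request
 * was rejected or out is too small. Padding is zeroed for determinism only. */
size_t heartbeat_respond(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    size_t plen;
    if (!heartbeat_validate(rec, rec_len, &plen) || rec[0] != 1)
        return 0;
    if (HB_HEADER_LEN + plen + HB_MIN_PADDING > out_cap)
        return 0;
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, plen); /* only validated bytes */
    memset(out + HB_HEADER_LEN + plen, 0, HB_MIN_PADDING);
    return HB_HEADER_LEN + plen + HB_MIN_PADDING;
}

/* Constructed sample: 4-byte payload "abcd" declared honestly (4) or as 0xFFFF. */
size_t demo_heartbeat(int oversized)
{
    unsigned char req[HB_HEADER_LEN + 4 + HB_MIN_PADDING] = {1, 0, 4, 'a', 'b', 'c', 'd'};
    unsigned char resp[64];
    if (oversized) { req[1] = 0xFF; req[2] = 0xFF; }
    return heartbeat_respond(req, sizeof req, resp, sizeof resp);
}
```

With the honest length the responder returns a 23-byte reply; with the oversized declared length the message is silently discarded and nothing is copied.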