nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

From: Warren Bailey <wbailey () satelliteintelligencegroup com>
Date: Sun, 13 Apr 2014 17:26:39 +0000
Doesn't OpenSSL even fundraise? Based on the number of dollars they've taken in (what I could find online) most of them 
are better off taking side jobs as psychics to pay for audits. I know of at least one thing they could have predicted 
in the future. ;)



Sent from my T-Mobile 4G LTE Device



-------- Original message --------
From: Niels Bakker <niels=nanog () bakker net>
Date: 04/13/2014 10:55 AM (GMT-07:00)
To: nanog () nanog org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]


* randy () psg com (Randy Bush) [Sun 13 Apr 2014, 16:52 CEST]:

the point of open source is that the community is supposed to be
doing this.  we failed.

Versus all of the closed source bugs that nobody can know of or do
anything about?

for those you can blame the vendor.


BSAFE is almost worse if you go by the recent advisories that have
been released about it.  Many vendors incorporated OpenSSL into their
products and sold the result for commercial profit without doing
(in retrospect) enough due diligence.  Besides, having a third party
to blame doesn't make our data safer...

At least one vendor, Akamai is helping out now:
http://marc.info/?l=openssl-users&m=139723710923076&w=2
I hope other vendors will follow suit.



this one is owned by the community. it falls on us to try to lower
the probability of a next one by actively auditing source as our
civic duty.


I donated some money to the OpenSSL project and hope others will do,
or have already done, the same.  It's clear that they are internet
infrastructure and need more support.


        -- Niels.
Previous By Date Next
Previous By Thread Next

Current thread: