On 11/04/2014 19:36 pm, Arshad Noor wrote:
> On 04/11/2014 03:51 PM, ianG wrote:
>> On 11/04/2014 17:50 pm, Jeffrey Walton wrote:
>>> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>>>
>>> The U.S. National Security Agency knew for at least two years about a
>>> flaw in the way that many websites send sensitive information, now
>>> dubbed the Heartbleed bug, and regularly used it to gather critical
>>> intelligence, two people familiar with the matter said.
>>
>> 1. score 1 up for closed source. Although this bug would as equally
>> exist in closed source, the likelihood of discovery, publication and
>> exploitation is much lower.
>
> Isn't that a naive assumption? Every US-based company that has anything
> to do with crypto has to send in their source-code to a special address
> before you can be granted a License Exception (US BIS rules) to export
> to foreign customers. (The only exception is open-source - whose
> creators must still notify a special e-mail address about the new FOSS).
> In either case, NSA knows about it.
Well, 1. the whole world isn't the USA. 2. we have to differentiate between NSA-as-existential-threat and the other one which is hackers-as-people-who-steal-money.

> Is it any less bad that only the NSA might have exploited unknown
> loopholes than random attackers after your money? They're undermining
> trust in the internet - which is now a multi-billion - perhaps even a
> trillion - dollar industry involving millions of jobs. Given that the
> US is probably the largest creator of technology products, the end
> result is likely to be a boon for technology companies around the world
> as US jobs are lost due to lost exports.

Right. Can you put a number on that? And can you put a number on the things that the other crooks do?

The latter is certainly true; there is a big body of evidence that shows that money is being raided from the Internet in a big way. Nobody's ever put a number of any credibility on the NSA damage.

Heartbleed is a big issue because it opens the door for massive robbery, not because it gives the NSA 1 more trick to add to their other 100. If it was *just the NSA* then I'd recommend not re-rolling keys, because only a tiny proportion of the public are targets, and they should know who they are. Open source makes this *everyone at risk*.

> As I see it, only open-source software has a chance to be trusted since
> users can see what they're deploying; of course, it has to be verified,
> but that was always true.

That's why I said "score 1" and not "this is the end of the debate." It's complicated; there are many factors involved.

iang

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography