> More likely reality... opensource > people are busy and good humans and coding mistakes happen.
Given that other likely backdoors were also concealed as "mistakes" in normal commits, I wouldn't write it off. But the real villain here is coding security-critical applications in C, when there are memory-safe, more modern alternatives. The Heartbleed bug-door was a failed memory-bounds check, but that's something more modern alternatives just do automatically as a matter of course. If I recall correctly, Rust was designed explicitly to be memory safe. D is likewise memory safe, and is syntactically close enough to C that an OpenSSL rewrite isn't out of the question.

On 10/04/14 08:46, grarpamp wrote:
> On Wed, Apr 9, 2014 at 2:29 PM, Christopher J. Walters <[email protected]>
>
>> It makes me wonder if the NSA was involved in inserting this bug into
>> OpenSSL clients and servers.
>
> That would be 2+ years of amazing win on NSA part [1]. Any unlikely
> impropriety would come out soon. More likely reality... opensource
> people are busy and good humans and coding mistakes happen.
> Hopefully the general buzz around NSA/security/crypto/decentral will
> result in dedicating more permanent resource to things like protocol devel
> and replacements, and auditing of key underlying software code.
> You really need to be asking if and how the giant for-profit corps
> that use opensource for free are giving back. $50k a year donated to
> fund an independent developer pool from the OSS community to sit on
> the teams of your favorite code projects of choice as auditors is nothing
> to companies like that, a dream gig for the dev, a win for project, and
> good company PR.
>
> How often do you see @ge.com @chase.com @ibm.com, etc
> on developer/donation lists... you need to ask those type of
> @'s if, how, and why not.
>
> [1] And pretty dumb of any attacker to not simply quietly watch,
> analyse and exploit the committed output of any critical project...
> no insertion, cost, or risk necessary to do that.
--
T: @onetruecathal, @IndieBBDNA
P: +353876363185
W: http://indiebiotech.com
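As an added illustration of the bounds check the message above refers to (this is not code from OpenSSL or from anyone in this thread), a simplified heartbeat echo in C: the record layout follows RFC 6520, and the record sizes, test payload and function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat message layout (after RFC 6520); a model, not OpenSSL's code:
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * rec_len is the number of bytes actually received for the message. */
#define HB_HDR 3
#define HB_PAD 16

/* Build the echo reply into out; return bytes written, or 0 if the record is rejected. */
size_t heartbeat_reply(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec == NULL || rec_len < HB_HDR) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];   /* peer-controlled length */
    size_t need = HB_HDR + claimed + HB_PAD;
    /* The check Heartbleed lacked: the vulnerable code trusted `claimed` and copied that
     * many bytes out of the record, reading past what had actually been received. A
     * memory-safe language would reject the out-of-range slice here automatically. */
    if (need > rec_len || need > out_cap) return 0;
    out[0] = 2;                                  /* heartbeat_response */
    out[1] = (uint8_t)(claimed >> 8);
    out[2] = (uint8_t)claimed;
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);  /* echo only bytes we really have */
    memset(out + HB_HDR + claimed, 0, HB_PAD);     /* fresh padding, never stale memory */
    return need;
}

/* Constructed test record: 5-byte payload "hello" plus 16 zero bytes of padding,
 * with a caller-chosen declared length (honest = 5, lying = 0xFFFF). */
static size_t run_case(uint16_t declared, uint8_t *out, size_t out_cap)
{
    uint8_t rec[HB_HDR + 5 + HB_PAD] = { 1, (uint8_t)(declared >> 8), (uint8_t)declared,
                                         'h', 'e', 'l', 'l', 'o' };
    return heartbeat_reply(rec, sizeof rec, out, out_cap);
}

size_t demo_honest_record(void) { uint8_t out[64]; return run_case(5, out, sizeof out); }
size_t demo_lying_record(void)  { uint8_t out[64]; return run_case(0xFFFF, out, sizeof out); }
int demo_honest_echo_matches(void)
{
    uint8_t out[64];
    return run_case(5, out, sizeof out) == 24 && out[0] == 2 && memcmp(out + HB_HDR, "hello", 5) == 0;
}
int main(void)
{
    printf("honest: %zu bytes echoed, lying: %zu bytes echoed\n", demo_honest_record(), demo_lying_record());
    return 0;
}
```

The honest record (declared 5, 24 bytes received) is echoed in full; the lying record (declared 0xFFFF, still 24 bytes received) is rejected before any copy happens.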
