--On Thursday, April 10, 2014 3:46 AM -0400 grarpamp <[email protected]> wrote:
> On Wed, Apr 9, 2014 at 2:29 PM, Christopher J. Walters
> <[email protected]>
>
>> It makes me wonder if the NSA was involved in inserting this bug into
>> OpenSSL clients and servers.
>
> That would be 2+ years of amazing win on the NSA's part [1]. Any unlikely
> impropriety would come out soon. More likely reality... opensource
> people are busy and good humans and coding mistakes happen.

Oh. And what about the constant babbling stating that open source is oh-so-great security-wise because lots of people can look at the code bla bla bla bla bla. Bla!

> Hopefully the general buzz around NSA/security/crypto/decentral will
> result in dedicating more permanent resources to things like protocol devel
> and replacements, and auditing of key underlying software code.
>
> You really need to be asking if and how the giant for-profit corps
> that use opensource for free are giving back. $50k a year donated to
> fund an independent developer pool from the OSS community to sit on
> the teams of your favorite code projects of choice as auditors is nothing
> to companies like that, a dream gig for the dev, a win for the project, and
> good company PR.
>
> How often do you see @ge.com @chase.com @ibm.com, etc
> on developer/donation lists... you need to ask those types of
> @'s if, how, and why not.
>
> [1] And pretty dumb of any attacker to not simply quietly watch,
> analyse and exploit the committed output of any critical project...
> no insertion, cost, or risk necessary to do that.
