Tom Metro wrote:
> Steve Gibson discusses the timeline of the Heartbleed discovery. Google
> researchers, presumably examining the code, found the problem several
> weeks prior, and submitted patches to OpenSSL and fixed their own servers.

I choose not to make such assumptions. Google's methodology has not to my knowledge been publicized.


> (Sometimes I wonder why you subscribe to this list. Having a skeptical
> view of things is good, but you seem to take glee in perceived failings
> of the open source community, which tends to raise the question of why

I use tools that work. Some of them are open. Some not. I'm not going to heap praise on something that doesn't work, or works poorly, simply because it's open source. And I'm not afraid to speak my mind about these things.


> Source code analysis has the potential to find these, if the code is
> analyzed. Black-box testing will find them only if you are very lucky.

This is laughably false. If it were even the least bit true then Microsoft Windows would be the most secure operating system on Earth because the code isn't available for scrutiny.

We all know that hiding the code isn't any assurance of security. What you need to get through your head is that displaying the code isn't any assurance of security, either. Seeing the source code means nothing if you don't understand it and the algorithms it implements. This works both ways: you don't need to understand the intricacies of a cipher or PRNG in order to attack it.

--
Rich P.
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss