On Fri, Apr 11, 2014 at 4:37 PM, Rich Shepard <rshep...@appl-ecosys.com> wrote:

> On Fri, 11 Apr 2014, Richard Hector wrote:
>
> > Heartbleed isn't a problem with the encryption though; the encryption
> > didn't get broken. Any protocol could probably potentially suffer from a
> > buffer overflow due to a bug in the software. Given this one leaked info
> > from the server process, who's to say it wouldn't leak your one-time pad?
>
>    Today's Washington Post has an article where the author of the bug admits
> he missed validating a variable that holds a length when he submitted a new
> feature to OpenSSL along with some bug fixes. The other devs who reviewed
> his code missed that, too. It was an oversight, not a deliberate action.
>
>    We all have these senior moments when coding, regardless of our age. :-)
>

Given the type of bug this was and the other places similar problems have
occurred, it's a remarkably common sort of mistake to make (anyone remember
Teardrop against NT4 caused by a variation of this same mistake, allowing a
kernel-level buffer overflow?) and so while it is almost a perfect
deliberate bug for this sort, good money is always on it being a mistake.

C as a programming language is full of very subtle pitfalls like this
because it functions as a sort of hardware-neutral assembly language.  This
is an advantage in many areas (particularly where you have to be close to
the hardware) but that also comes at a significant cost.

>
> Rich
>
> --
> Richard B. Shepard, Ph.D.          |      Have knowledge, will travel.
> Applied Ecosystem Services, Inc.   |
> www.appl-ecosys.com      Voice: 503-667-4517         Fax: 503-667-8863
>
>
> ------------------------------------------------------------------------------
> Put Bad Developers to Shame
> Dominate Development with Jenkins Continuous Integration
> Continuously Automate Build, Test & Deployment
> Start a new project now. Try Jenkins in the cloud.
> http://p.sf.net/sfu/13600_Cloudbees
> _______________________________________________
> Ledger-smb-users mailing list
> Ledger-smb-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/ledger-smb-users
>



-- 
Best Wishes,
Chris Travers

Efficito:  Hosted Accounting and ERP.  Robust and Flexible.  No vendor
lock-in.
http://www.efficito.com/learn_more
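The bug class the thread is discussing is a parser that trusts a length field carried inside the message instead of checking it against how many bytes were actually received. The following C example is added here and is not code from the thread, from OpenSSL, or from LedgerSMB; it uses a made-up record layout (a 1-byte type, a 2-byte big-endian length, then payload) purely to show where the missing check belongs and what a correct parser does with a record whose declared length exceeds the data on hand.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout, constructed for this example only (not any
 * real protocol): 1 byte type, 2 byte big-endian payload length, payload. */
#define HDR_LEN 3

/* Copy the payload of one record out of `in`, which holds `in_len` bytes
 * actually received from the peer, into `out` (capacity `out_cap`).
 * Returns the number of payload bytes copied, or -1 if the record is
 * malformed. The check marked (*) is the one a length-trusting parser
 * omits: without it, a header that claims more bytes than were received
 * makes memcpy read past the end of `in` and copy whatever memory follows
 * it into the reply. */
int extract_payload(const uint8_t *in, size_t in_len,
                    uint8_t *out, size_t out_cap, uint8_t *type_out)
{
    if (in == NULL || out == NULL || in_len < HDR_LEN)
        return -1;                                   /* header incomplete */

    uint8_t type = in[0];
    size_t declared = ((size_t)in[1] << 8) | in[2];  /* peer-supplied length */

    if (declared > in_len - HDR_LEN)                 /* (*) received-length bound */
        return -1;                                   /* header lies about its size */
    if (declared > out_cap)
        return -1;                                   /* destination too small */

    memcpy(out, in + HDR_LEN, declared);
    if (type_out != NULL)
        *type_out = type;
    return (int)declared;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t good_rec[]  = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* Header claims 1000 (0x03E8) payload bytes, but only 5 follow. */
static const uint8_t lying_rec[] = { 0x01, 0x03, 0xE8, 'h', 'e', 'l', 'l', 'o' };

/* Returns 1 if the parser accepts the honest record and rejects the lying one. */
int demo(void)
{
    uint8_t out[64];
    uint8_t type = 0;
    int n = extract_payload(good_rec, sizeof good_rec, out, sizeof out, &type);
    int m = extract_payload(lying_rec, sizeof lying_rec, out, sizeof out, &type);
    return n == 5 && m == -1;
}

int main(void)
{
    printf("bounds check %s\n", demo() ? "works" : "FAILED");
    return demo() ? 0 : 1;
}
```

The point of the example is that two lengths exist at that moment in the parser: the one the peer wrote into the header and the one the socket read actually returned. A memcpy driven by the first without comparing it to the second is the mistake the Post article describes, and a review checklist item of "every length read from the wire is compared to the bytes on hand before it is used" is the cheap way to catch it.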