Vladis is %100 on the money here. Lets take this a step farther and ask
is there a criminal liability for the person who checked that code in -
Oh you bet there is...
Todd
On 4/11/2014 5:49 PM, valdis.kletni...@vt.edu wrote:
On Sat, 12 Apr 2014 07:56:01 +1000, Matt Palmer said:
The interesting thing to me is that the article claims the NSA have been
using this for "over two years", but 1.0.1 (the first vulnerable version)
was only released on 14 Mar 2012. That means that either:
* The NSA found it *amazingly* quickly (they're very good at what they do,
but I don't believe them have superhuman talents); or
You seriously think the NSA *isn't* watching the commits to security-relevant
open source? Remember - it was a bonehead bug, it's *not* unreasonable for
somebody who was auditing the code to spot it. Heck, there's a good chance that
automated tools could have spotted it.
--
-------------
Personal Email - Disclaimers Apply
