It's four guys who don't get paid for it. They're all volunteers.

One of them made a mistake in revising a section of code that didn't
cause crashes or even hiccups, so no one was prompted to look
specifically at that bit of code.

You don't fix something if you don't know it's broke.

Another thing I read is that Google, Red Hat and other major players
were already trying to get patches in place before the bad guys could
find out about the bug & exploit it.

But someone had to be a blabbermouth & tell all the script-kiddies in the
whole world "HEY GUYS! LOOKY HERE WHAT I FOUND!!" before the patches
were ready.

On 4/10/2014 3:43 PM, Darren Addy wrote:
I agree Gerrit (on the dent in the reputation of the Open Source
peer-reviewed code movement). I think that this is the part of this
story that I haven't SEEN yet? Who/where did the insecure code
addition COME FROM and why was there the failure to catch it at the
time of its being rolled into the official release?

On the other hand, one could successfully argue that the only reason
it was CAUGHT AT ALL was because it was Open Source code. How many
security problems are there in "get what you pay for" proprietary code
that are THERE but simply haven't been discovered or exploited yet (or
at least the exploitation has not been discovered yet).

Even after this "failure" I feel more secure, at the end of the day,
with the Open Source code than the proprietary.

On Thu, Apr 10, 2014 at 1:51 PM, Gerrit Visser <[email protected]> wrote:
Sometimes you get what you pay for. Certainly puts a dent in the
"peer-reviewed code is more secure" mantra.

Gerrit

-----Original Message-----
From: PDML [mailto:[email protected]] On Behalf Of Darren Addy
Sent: Thursday, April 10, 2014 1:50 PM
To: Pentax-Discuss Mail List
Subject: Re: Heartbleed

I found a local internet service provider (and web host) that was vulnerable
and alerted them.

Interesting that this DOES NOT affect the Windows web server (IIS).
Probably the first time in history that IIS web admins are happy that they
manage a Microsoft product.

On Thu, Apr 10, 2014 at 12:02 PM, Darren Addy <[email protected]> wrote:
That's a very good point Steve. (I generally consider anything that I
haven't already thought of as a Good Point).
: )

Now who in the world do we think might have the resources to store
huge amounts of encrypted internet traffic? [COUGH! nsa COUGH!]
http://www.buzzfeed.com/charliewarzel/the-nsa-and-the-real-problem-behind-the-heartbleed-security



On Thu, Apr 10, 2014 at 11:54 AM, steve harley <[email protected]> wrote:
on 2014-04-10 10:29 Darren Addy wrote

What the HeartBleed Attack Really Means:

http://www.newyorker.com/online/blogs/elements/2014/04/the-internets-telltale-heartbleed.html


it's amusing to see the media rush to explain Heartbleed; perhaps it
will increase technical literacy and cause an appropriate correction
in the trust we have for internet services

that article is surprisingly good, but it misses slightly on what it
calls a "worst-case scenario" -- the worst case is that some entities
stored huge amounts of encrypted internet traffic, even from before
the date the bug was introduced into OpenSSL, and now Heartbleed has
been used to get the keys to unlock that trove

also unstated is how Heartbleed will encourage more entities to store
as much encrypted traffic as possible on the expectation that there
will be other bugs to get the newer keys




--
PDML Pentax-Discuss Mail List
[email protected]
http://pdml.net/mailman/listinfo/pdml_pdml.net
to UNSUBSCRIBE from the PDML, please visit the link directly above
and follow the directions.



--
Photographers must learn not to be ashamed to have their photographs
look like photographs.
~ Alfred Stieglitz


