Re: [cryptography] NSA Said to Exploit Heartbleed Bug for Intelligence for Years
On 11/04/14 23:51, ianG wrote:
> 2. Score another 1 up for interpreted languages that handle array
> allocation cleanly. This is more or less a buffer overflow, in a wider
> sense.

Not just interpreted languages - a modern compiled language such as D or Go would also have caught this.

I'm curious - does anyone on this list still use C or C++ for new projects? If so, what's the advantage that outweighs the enormous, repeatedly demonstrated disadvantage of memory handling bugs?

> 4. This should put to rest any silly claims that the NSA put the bug
> into play themselves. The programmer and the reviewer missed it.

I don't see how a claim that the NSA exploited the bug is evidence that the NSA didn't plant the bug. (Not that I believe they did - but this isn't evidence that they didn't.)

Cheers,
Michael

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] NSA Said to Exploit Heartbleed Bug for Intelligence for Years
On 4/11/14, ianG <i...@iang.org> wrote:
> On 11/04/2014 17:50 pm, Jeffrey Walton wrote:
>> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>>
>> The U.S. National Security Agency knew for at least two years about a
>> flaw in the way that many websites send sensitive information, now
>> dubbed the Heartbleed bug, and regularly used it to gather critical
>> intelligence, two people familiar with the matter said.
>
> Bingo!
>
> What lessons are we picking up from this? Here's what I'm feeling so
> far, flame away:
>
> 1. score 1 up for closed source. Although this bug would as equally
> exist in closed source, the likelihood of discovery, publication and
> exploitation is much lower.

Yes, but what's the likelihood of discovery and exploitation in closed source? I'm guessing open source just makes it more likely the bug will eventually be published.

Regards,
Lee
Re: [cryptography] NSA Said to Exploit Heartbleed Bug for Intelligence for Years
On 11/04/2014 19:36 pm, Arshad Noor wrote:
> On 04/11/2014 03:51 PM, ianG wrote:
>> On 11/04/2014 17:50 pm, Jeffrey Walton wrote:
>>> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>>>
>>> The U.S. National Security Agency knew for at least two years about a
>>> flaw in the way that many websites send sensitive information, now
>>> dubbed the Heartbleed bug, and regularly used it to gather critical
>>> intelligence, two people familiar with the matter said.
>>
>> 1. score 1 up for closed source. Although this bug would as equally
>> exist in closed source, the likelihood of discovery, publication and
>> exploitation is much lower.
>
> Isn't that a naive assumption? Every US-based company that has anything
> to do with crypto has to send in their source-code to a special address
> before you can be granted a License Exception (US BIS rules) to export
> to foreign customers. (The only exception is open-source - whose
> creators must still notify a special e-mail address about the new FOSS).
> In either case, NSA knows about it.

Well,

1. the whole world isn't the USA.
2. we have to differentiate between NSA-as-existential-threat and the other one which is hackers-as-people-who-steal-money.

> Is it any less worse that only the NSA might have exploited unknown
> loopholes than random attackers after your money? They're undermining
> trust in the internet - which is now a multi-billion - perhaps even a
> trillion - dollar industry involving millions of jobs. Given that the
> US is probably the largest creator of technology products, the end
> result is likely to be a boon for technology companies around the world
> as US jobs are lost due to lost exports.

Right. Can you put a number on that? And can you put a number on the things that the other crooks do?

The latter is certainly true, there is a big body of evidence that shows that money is being raided from the Internet in a big way. Nobody's ever put a number of any credibility on the NSA damage.

Heartbleed is a big issue because it opens the door for massive robbery, not because it gives the NSA 1 more trick to add to their other 100.

If it was *just the NSA* then I'd recommend not re-rolling keys, because only a tiny proportion of the public are targets, and they should know who they are. Open source makes this *everyone at risk*.

> As I see it, only open-source software has a chance to be trusted since
> users can see what they're deploying; of course, it has to be verified,
> but that was always true.

That's why I said score 1 and not this is the end of the debate. It's complicated, there are many factors involved.

iang
Re: [cryptography] NSA Said to Exploit Heartbleed Bug for Intelligence for Years
> I'm guessing open source just makes it more likely the bug will
> eventually be published.

If one assumes that failures will happen, then open source is to be preferred insofar as in that case (the collective) we can learn something from said failures. That being so, then the more one depends on XYZ the more one needs XYZ to be open source, along with the build environment through which it passes.

--dan

[ It is impossible to ascertain at the time of introduction whether something new will or will not go to scale. ]
Re: [cryptography] NSA Said to Exploit Heartbleed Bug for Intelligence for Years
On 04/12/2014 08:33 AM, ianG wrote:
> Open source makes this *everyone at risk*.

I would argue that a single closed-source operating system has done more damage, cumulatively, over the last 20 years than all FOSS combined (no hard evidence, just gut-instinct and personal observations).

But there is an important benefit to FOSS not often mentioned: transparency. As some have already said it on this thread, FOSS enables transparency, eventually resulting in disclosure. Without threat of disclosure, short-term profit-margins are likely to take precedence over customer well-being in closed environments.

Arshad Noor
StrongAuth, Inc.
Re: [cryptography] NSA Said to Exploit Heartbleed Bug for Intelligence for Years
On 04/12/2014 08:59 AM, d...@geer.org wrote:
>> I'm guessing open source just makes it more likely the bug will
>> eventually be published.
>
> If one assumes that failures will happen, then open source is to be
> preferred insofar as in that case (the collective) we can learn
> something from said failures. That being so, then the more one depends
> on XYZ the more one needs XYZ to be open source, along with the build
> environment through which it passes.

+1

I have personally compared FOSS to laissez-faire capitalism in the past - I also now believe that FOSS is equivalent to a democratic form of government. It requires engagement, personal responsibility, a deeper understanding of the pros and cons, and can be messy at times, but in the end, is better than any other political system around because it can be improved through transparency.

Arshad Noor
StrongAuth, Inc.
Re: [cryptography] If not StartSSL, the next best CA for individuals?
On 2014-04-12, at 12:40 PM, Eric Mill <e...@konklone.com> wrote:
> (Setting aside how awful the CA system is generally…)

I try to limit my use of profanity in writing, so have to put that aside.

> Even if not free, I'm looking to recommend[3] something priced
> attractively for individuals and non-commercial uses. The friendlier
> the interface, and the more reliable and principled the customer
> service, the better.

I like GlobalSign.

https://www.globalsign.com/

They are well priced for the small customer, every interaction I’ve had with them has been great, and they’ve been saying all the right things.

http://blog.globalsignblog.com/blog/important-security-advisory-blog-heartbleed-bug

They also had a really nice statement about transparency back in September, but I can’t find it now.

I have not systematically (or even unsystematically) reviewed various CAs. Once I found one that I liked, I stopped looking around.

Cheers,
-j