> 2. Score another 1 up for interpreted languages that handle array
> allocation cleanly. This is more or less a buffer overflow, in a wider
> sense.
Virtually the same bug can occur (and has occurred) in memory-safe
languages due to buffer reuse.
Go was mentioned elsewhere in this thread, so l
On 04/12/2014 08:59 AM, d...@geer.org wrote:
> I'm guessing open source just makes it more likely the bug will
> eventually be published.
If one assumes that failures will happen, then open source is to
be preferred insofar as in that case (the collective) we can learn
something from said f
On 04/12/2014 08:33 AM, ianG wrote:
Open source makes this *everyone at risk*.
I would argue that a single closed-source operating system has
done more damage, cumulatively, over the last 20 years than all
FOSS combined (no hard evidence, just gut-instinct and personal
observations).
But the
> I'm guessing open source just makes it more likely the bug will
> eventually be published.
If one assumes that failures will happen, then open source is to
be preferred insofar as in that case (the collective) we can learn
something from said failures. That being so, then the more one
depend
On 11/04/2014 19:36 pm, Arshad Noor wrote:
> On 04/11/2014 03:51 PM, ianG wrote:
>> On 11/04/2014 17:50 pm, Jeffrey Walton wrote:
>>> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>>>
>>>
>>> The U.S. National Security Agency knew for at least
On 4/11/14, ianG wrote:
> On 11/04/2014 17:50 pm, Jeffrey Walton wrote:
>> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>>
>> The U.S. National Security Agency knew for at least two years about a
>> flaw in the way that many websites send se
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 11/04/14 23:51, ianG wrote:
> 2. Score another 1 up for interpreted languages that handle array
> allocation cleanly. This is more or less a buffer overflow, in a
> wider sense.
Not just interpreted languages - a modern compiled language such
On Fri, Apr 11, 2014 at 04:36:13PM -0700, Arshad Noor wrote:
> Isn't that a naive assumption? Every US-based company that has anything
> to do with crypto has to send in their source-code to a special address
> before you can be granted a License Exception (US BIS rules) to export
> to foreign cus
On 04/11/2014 03:51 PM, ianG wrote:
On 11/04/2014 17:50 pm, Jeffrey Walton wrote:
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
The U.S. National Security Agency knew for at least two years about a
flaw in the way that many websites send s
On 11/04/2014 17:50 pm, Jeffrey Walton wrote:
> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>
> The U.S. National Security Agency knew for at least two years about a
> flaw in the way that many websites send sensitive information, now
> dub
So I trust EFF's analysis more here. However this is newer than the latest
article I've seen from EFF. So, where's Bloomberg's technical analysis on
the subject?
On Apr 11, 2014 5:50 PM, "Jeffrey Walton" wrote:
>
> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-expo
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
The U.S. National Security Agency knew for at least two years about a
flaw in the way that many websites send sensitive information, now
dubbed the Heartbleed bug, and regularly used it to gather