Re: comment on donations
On 04/11/2014 23:50, Kyle Hamilton aerow...@gmail.com wrote:
> Teach me to ask a question without reading the entire thread. At what point would the break-even cost make sense to form a non-profit entity?
>
> -Kyle H

It costs $500-$750 to file for tax-exempt status (501c3); then you have to file a return every year. There's no filing fee, but you do have to have someone willing to do it, or you have to pay an accountant. There might be a cost for submitting 1099-MISC for programmers that receive more than $600 of non-employee income in a calendar year; once you start being official, you have to follow all the rules.

I'm not a tax lawyer, and I don't know where OpenSSL is incorporated; I suppose there's a possibility that it should be filing a business tax return, and paying some taxes. In that case, being tax-exempt would be important for OpenSSL.

As it stands, I think the benefit would be to the donors, who could then deduct the amount from their personal income taxes. The value of this depends, obviously, on how much they give and what tax bracket they're in. If you save $5 on your $100 donation, are you going to give $105? That covers the $3.20 in PayPal fees, but not much more.

The other benefit to OpenSSL would be eligibility for various grants and matching gift programs, many of which are restricted to registered non-profits. I don't know if there are any such grants that would consider OpenSSL.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: comment on donations
On 04/12/2014 07:37 AM, Geoffrey Coram wrote:
> On 04/11/2014 23:50, Kyle Hamilton aerow...@gmail.com wrote:
>> Teach me to ask a question without reading the entire thread. At what point would the break-even cost make sense to form a non-profit entity?
>>
>> -Kyle H
>
> It costs $500-$750 to file for tax-exempt status (501c3); then you have to file a return every year. There's no filing fee, but you do have to have someone willing to do it, or you have to pay an accountant.
> ...

OSF uses a professional accounting and law firm, and spends many thousands a year on their services. That's not a job for amateurs, as I learned three decades ago when I did all the taxes for my first little company myself.

> The other benefit to OpenSSL would be eligibility for various grants and matching gift programs, many of which are restricted to registered non-profits. I don't know if there are any such grants that would consider OpenSSL.

With total annual donations never exceeding (until recently) ~$2K, it clearly didn't make sense to incur the extra expense and hassle of non-profit status. If it did make sense I'd set up a 501(c)(3) in a heartbeat (pun intended); I understand some open source organizations do it both ways, with both a for-profit and non-profit component (Mozilla for instance).

And by "I'd set up" I mean we'd pay our lawyers and accountants to make it happen. Having founded or co-founded five companies in my life, and paid the bills for the associated professional services, I can tell you that you don't just set up a corporation for $500-$750. Not a real functioning entity with real clients and real revenues, insurance, employees, subcontractors, etc.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)
On Wednesday, April 09, 2014 at 01:05:22AM -0700, monloi perez wrote:
> True. Thanks for the quick reply.
>
> On Wednesday, April 9, 2014 3:33 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
>> https://www.openssl.org/news/changelog.html
>>
>> 1.0.1 introduced the heartbeat support. 1.0.0 and earlier are fortunate in that they didn't have it. But then they didn't have things to stop you from being BEASTed, so some you win, some you lose. ;)
>>
>> alan

Hello,

As you can read in the above change log, heartbeat support was introduced in version 1.0.1 of openssl. Does this mean that also the bug was introduced with this version in March 2012, or was it later?

What is the exact bug, can someone show a svn/git diff of the first source version having the bug?

Is it possible that the bug was introduced with intention (to make use of it later)? Here in Germany in the news we have rumor, that the bug was used by NSA, of course the American Government says no.

Thanks

matthias

-- 
Matthias Apitz               |  /\   ASCII Ribbon Campaign:
E-mail: g...@unixarea.de     |  \ /  - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |   X   - No proprietary attachments
phone: +49-170-4527211       |  / \  - Respect for open standards
                             | en.wikipedia.org/wiki/ASCII_Ribbon_Campaign
Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)
On 12 Apr 2014, at 17:43, Matthias Apitz g...@unixarea.de wrote:
> On Wednesday, April 09, 2014 at 01:05:22AM -0700, monloi perez wrote:
>> True. Thanks for the quick reply.
>>
>> On Wednesday, April 9, 2014 3:33 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
>>> https://www.openssl.org/news/changelog.html
>>>
>>> 1.0.1 introduced the heartbeat support. 1.0.0 and earlier are fortunate in that they didn't have it. But then they didn't have things to stop you from being BEASTed, so some you win, some you lose. ;)
>>>
>>> alan
>
> Hello,
>
> As you can read in the above change log, heartbeat support was introduced in version 1.0.1 of openssl. Does this mean that also the bug was introduced with this version in March 2012, or was it later?

As the security advisory states, the bug showed up in version 1.0.1 released in March 2012.

> What is the exact bug, can someone show a svn/git diff of the first source version having the bug?

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1

> Is it possible that the bug was introduced with intention (to make use of it later)? Here in Germany in the news we have rumor, that the bug was used by NSA, of course the American Government says no.

I have read the rumor. It is wrong. I was Robin's boss at the time he did the work; he worked in my lab. Neither I personally nor my lab at the university had any cooperation with any security agency (from any country). Robin worked on the OpenSSL code for multiple years. During his work with the DTLS code, he fixed a lot of bugs in that code and implemented some features, like the support of RFC 6520. He worked in the public; all his patches were submitted with his name. The intention was to improve OpenSSL, not to introduce bugs. Unfortunately, the patch above contained a bug which wasn't caught, neither by Robin, nor by the reviewers, nor by the people using the stack.

It is a bug. A bug with a huge impact. Nothing more. Nothing less.

Best regards
Michael Tüxen

> Thanks
>
> matthias
>
> -- 
> Matthias Apitz               |  /\   ASCII Ribbon Campaign:
> E-mail: g...@unixarea.de     |  \ /  - No HTML/RTF in E-mail
> WWW: http://www.unixarea.de/ |   X   - No proprietary attachments
> phone: +49-170-4527211       |  / \  - Respect for open standards
>                              | en.wikipedia.org/wiki/ASCII_Ribbon_Campaign
Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)
On Saturday, April 12, 2014 at 09:08:15PM +0200, Michael Tuexen wrote:
>> What is the exact bug, can someone show a svn/git diff of the first source version having the bug?
>
> http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1

Hi,

Thanks for the git diff (and the other statements). Could you please be so kind and point to the exact place of the offending statement (or missing boundary check) in the 19 *.[ch] files? I only want (as a C programmer) to get my own impression of the nature of the issue.

Thanks

matthias

-- 
Sent from my FreeBSD netbook

Matthias Apitz, g...@unixarea.de, http://www.unixarea.de/
f: +49-170-4527211
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)
On 12 Apr 2014, at 21:30, Matthias Apitz g...@unixarea.de wrote:
> On Saturday, April 12, 2014 at 09:08:15PM +0200, Michael Tuexen wrote:
>>> What is the exact bug, can someone show a svn/git diff of the first source version having the bug?
>>
>> http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1
>
> Hi,
>
> Thanks for the git diff (and the other statements). Could you please be so kind and point to the exact place of the offending statement (or missing boundary check) in the 19 *.[ch] files? I only want (as a C programmer) to get my own impression of the nature of the issue.
>
> Thanks

Here is the commit of the fix:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=731f431497f463f3a2a97236fe0187b11c44aead

Best regards
Michael

> matthias
>
> -- 
> Sent from my FreeBSD netbook
>
> Matthias Apitz, g...@unixarea.de, http://www.unixarea.de/
> f: +49-170-4527211
> UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
> UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)
On Saturday, April 12, 2014 at 09:30:22PM +0200, Matthias Apitz wrote:
> On Saturday, April 12, 2014 at 09:08:15PM +0200, Michael Tuexen wrote:
>>> What is the exact bug, can someone show a svn/git diff of the first source version having the bug?
>>
>> http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1
>
> Hi,
>
> Thanks for the git diff (and the other statements). Could you please be so kind and point to the exact place of the offending statement (or missing boundary check) in the 19 *.[ch] files? I only want (as a C programmer) to get my own impression of the nature of the issue.
>
> Thanks

Ah, I see it in ssl/d1_both.c: the memcpy for the payload is done regardless of whether the payload length and the payload fit; forget my request.

Thx

matthias

-- 
Sent from my FreeBSD netbook

Matthias Apitz, g...@unixarea.de, http://www.unixarea.de/
f: +49-170-4527211
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)
On Apr 12, 2014, at 3:08 PM, Michael Tuexen michael.tue...@lurchi.franken.de wrote:
> I have read the rumor. It is wrong.

Introduced with intent vs. known to the NSA -- two different things, right?

I don't have any direct knowledge of what goes on in the NSA, but if they don't have a whole cubicle farm full of people looking for vulnerabilities, I'd be surprised. OpenSSL would be an obvious high-value target for scrutiny just because of its ubiquity.
Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)
On 12/04/14 21:30, Matthias Apitz wrote:
>> http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1
>
> Thanks for the git diff (and the other statements). Could you please be so kind and point to the exact place of the offending statement (or missing boundary check) in the 19 *.[ch] files? I only want (as a C programmer) to get my own impression of the nature of the issue.
>
> Thanks

Check ssl/d1_both.c

/Jan
Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)
On Saturday, April 12, 2014 at 03:43:29PM -0400, Michael Smith wrote:
> On Apr 12, 2014, at 3:08 PM, Michael Tuexen michael.tue...@lurchi.franken.de wrote:
>> I have read the rumor. It is wrong.
>
> Introduced with intent vs. known to the NSA -- two different things, right?
>
> I don't have any direct knowledge of what goes on in the NSA, but if they don't have a whole cubicle farm full of people looking for vulnerabilities, I'd be surprised. OpenSSL would be an obvious high-value target for scrutiny just because of its ubiquity.

Agreed; and this bug wasn't hard to see (even for me, sitting in a restaurant with a netbook). In my company we do code review face to face, i.e. two persons (the coder and the reviewer) wade through the new code; one target of constant questioning is copies in memory: does the amount of data fit into the target location, and is the source amount a valid space...

matthias

-- 
Sent from my FreeBSD netbook

Matthias Apitz, g...@unixarea.de, http://www.unixarea.de/
f: +49-170-4527211
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)
On Saturday, April 12, 2014 at 03:43:29PM -0400, Michael Smith wrote:
> On Apr 12, 2014, at 3:08 PM, Michael Tuexen michael.tue...@lurchi.franken.de wrote:
>> I have read the rumor. It is wrong.
>
> Introduced with intent vs. known to the NSA -- two different things, right?
>
> I don't have any direct knowledge of what goes on in the NSA, but if they don't have a whole cubicle farm full of people looking for vulnerabilities, I'd be surprised. OpenSSL would be an obvious high-value target for scrutiny just because of its ubiquity.

And one comment more: the bug works in both directions; when a client with an openssl lib/DLL with this bug connects to a well prepared SSL server, the server can fetch up to 64 kbyte of memory from the client, for example the stored saved passwords in your browser...

matthias

-- 
Sent from my FreeBSD netbook

Matthias Apitz, g...@unixarea.de, http://www.unixarea.de/
f: +49-170-4527211
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
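The three observations above (the unconditional memcpy in ssl/d1_both.c, the code-review question "does the amount of data fit into the target, and is the source amount valid", and the bug working in both directions) can be made concrete in a small stand-alone C function. This is an added example for the thread, not code from OpenSSL or from any poster: it models the RFC 6520 message layout (type, 16-bit big-endian payload length, payload, at least 16 bytes of padding) and performs the length check that the linked fix commit adds, i.e. the claimed payload length plus header and padding must not exceed the bytes actually received. The function name, the sample records and the response builder are constructed for this example; OpenSSL's own code uses different names. Because the same message handler runs on both client and server, one check covers both directions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage, as carried in one (D)TLS record:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * rec_len is the number of bytes the record layer actually delivered. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Validate one heartbeat request and, if it is well-formed, build the
 * response into out. Returns the response length, or -1 when the message
 * must be silently discarded (RFC 6520 section 4).
 * Hypothetical function for this example; the same logic runs on both
 * client and server, which is why the missing check hit both directions. */
int hb_validate_and_respond(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    /* Check 1: is there even room for type, length field and minimum padding? */
    if (rec_len < 1 + 2 + HB_MIN_PADDING)
        return -1;

    uint8_t  type    = rec[0];
    uint16_t payload = (uint16_t)(((unsigned)rec[1] << 8) | rec[2]);   /* n2s() */

    /* Check 2: the check the original code lacked. The peer's *claimed*
     * payload length, plus header and padding, must fit inside the bytes
     * actually received. Without it, the memcpy below would read past the
     * end of the record buffer and echo whatever memory follows it. */
    if ((size_t)1 + 2 + payload + HB_MIN_PADDING > rec_len)
        return -1;

    if (type != HB_REQUEST)        /* only requests are answered */
        return -1;

    size_t resp_len = (size_t)1 + 2 + payload + HB_MIN_PADDING;
    if (resp_len > out_cap)        /* never overflow our own response buffer either */
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);             /* in bounds: guaranteed by check 2 */
    memset(out + 3 + payload, 0, HB_MIN_PADDING);  /* real code uses random padding */
    return (int)resp_len;
}

/* Constructed sample records for this example (not captured traffic). */
static const uint8_t GOOD_REC[] = {
    HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };   /* 5-byte payload, 16 bytes padding */
static const uint8_t LYING_REC[] = {
    HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };   /* claims 65535 bytes, carries 5 */

int demo_good(void)                  /* 24 = 1 + 2 + 5 + 16 */
{
    uint8_t out[64];
    return hb_validate_and_respond(GOOD_REC, sizeof GOOD_REC, out, sizeof out);
}

int demo_good_echoes_payload(void)   /* 1 when type and echoed payload are right */
{
    uint8_t out[64];
    int n = hb_validate_and_respond(GOOD_REC, sizeof GOOD_REC, out, sizeof out);
    return n == 24 && out[0] == HB_RESPONSE && memcmp(out + 3, "hello", 5) == 0;
}

int demo_lying_length(void)          /* -1: claimed length exceeds the record */
{
    uint8_t out[64];
    return hb_validate_and_respond(LYING_REC, sizeof LYING_REC, out, sizeof out);
}

int demo_truncated(void)             /* -1: record shorter than header + padding */
{
    uint8_t out[64];
    return hb_validate_and_respond(GOOD_REC, 5, out, sizeof out);
}

int main(void)
{
    printf("good record      -> %d\n", demo_good());
    printf("payload echoed   -> %d\n", demo_good_echoes_payload());
    printf("lying length     -> %d\n", demo_lying_length());
    printf("truncated record -> %d\n", demo_truncated());
    return 0;
}
```

The review question from the thread maps onto the two checks: check 1 answers "is the source amount a valid space" for the fixed header, check 2 answers it for the variable-length payload, and the out_cap comparison answers "does the data fit into the target location". The LYING_REC case is the shape of input the missing check let through: a tiny record whose length field asks for far more than was sent.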
Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)
On 12 Apr 2014, at 21:43, Michael Smith m...@smithbowen.net wrote:
> On Apr 12, 2014, at 3:08 PM, Michael Tuexen michael.tue...@lurchi.franken.de wrote:
>> I have read the rumor. It is wrong.
>
> Introduced with intent vs. known to the NSA -- two different things, right?

My statement was referring to the "Introduced with intent". I personally don't know anything about "known to the NSA".

Best regards
Michael

> I don't have any direct knowledge of what goes on in the NSA, but if they don't have a whole cubicle farm full of people looking for vulnerabilities, I'd be surprised. OpenSSL would be an obvious high-value target for scrutiny just because of its ubiquity.
Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)
On Apr 12, 2014, at 5:40 PM, Michael Tuexen michael.tue...@lurchi.franken.de wrote:
>> Introduced with intent vs. known to the NSA -- two different things, right?
>
> My statement was referring to the "Introduced with intent".

Understood. I'm personally quite sure it *wasn't* introduced with intent, which is why I thought it was important to note the distinction.