[GPSCC-chat] Heartbleed is real. Do something real.
Cameron L. Spitzer
cls at truffula.us
Sat Apr 12 18:27:13 PDT 2014
>"It is believed that Heartbleed originates from the same organisation
as stuxnet and duqu."
That's just silly, of course. OpenSSL is developed in the open using a
collaboration tool called Git that was invented for Linux kernel
development.
OpenSSL's Git instance is online where anyone can fetch any version any
time.
To see the fix, just google "heartbleed git commits" and follow the
first link
<http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3#patch2>.
That's the fix (bug code in red, fix code in green, in two files) being
introduced to the code line.
The bug was introduced with the heartbeat feature. That commit is here
<http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1>.
Robin Seggelmann is not mysterious. He's given interviews about it by
now. It's a dumb error (missing bounds check, shouldn't trust the
remote system) that was all too common in networking software a decade
ago but reviewers usually look for these days.
A stealthy intelligence agency introducing a secret back door would have
made some effort to hide it or sneak it in. It would be much more subtle.
>"the United States National Security Agency was aware of the flaw
since shortly after its introduction"
Of course. OpenSSL is open source security software. NSA reviews that
more carefully and faster than anybody else does. We'd all be amazed if
they, of all reviewers, /didn't/ spot a missing bounds check. (More
disappointed than amazed it got past everybody else.) Discovering the
bug and not promptly informing OpenSSL's maintainers was evil.
On 04/12/2014 12:58 PM, Spencer Graves wrote:
> Hi, Cameron:
>
>
> [...] Example: 17:12 today (5:12 PM, UTC), an anonymous user
> added a comment that, "It is believed that Heartbleed originates from
> the same organisation as stuxnet and duqu." This comment included a
> reference to an article that mentioned neither stuxnet nor duqu. It
> was undone 49 minutes later. The article also includes comments that,
> "According to two insider sources speaking to Bloomberg.com, the
> United States National Security Agency was aware of the flaw since
> shortly after its introduction, but chose to keep it secret, instead
> of reporting it, in order to exploit it for their own purposes." [...]
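The missing bounds check described in the message above, modelled in simplified form as an added example (this is not OpenSSL's own code): a heartbeat handler that trusts the peer's length field beside one that rejects a request whose claimed payload length exceeds the bytes that actually arrived. The record layout, the function names and the 'S'-filled arena are assumptions of this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simplified model of the TLS heartbeat exchange, written for this post as an
 * illustration (not OpenSSL's code). Request: 1 byte type, 2 byte big-endian
 * payload length, the payload, then >= 16 bytes of padding; responder echoes it. */
#define HB_RESPONSE 2
#define HB_PADDING  16
#define ARENA_SIZE  4096

/* The defect: the peer's claimed length is trusted, so memcpy reads that many
 * bytes from rec+3 no matter how many (rec_len) actually arrived. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp) {
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                       /* never consulted: this is the bug */
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);  /* over-reads whenever payload > rec_len - 3 */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + (size_t)payload + HB_PADDING;   /* response size */
}

/* The fix: compare the claimed length with the bytes that really arrived and
 * drop the request when they disagree. Returns 0 for a dropped request. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp) {
    if (rec_len < 1 + 2 + HB_PADDING)                    /* no room for header + padding */
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)  /* claims more than it sent */
        return 0;
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + (size_t)payload + HB_PADDING;
}

/* Constructed scenario: a 23-byte request carrying the 4-byte payload "ping" sits
 * at the start of an arena otherwise filled with 'S' (standing in for whatever the
 * process holds next to the record). Returns how many 'S' bytes reached the
 * response, i.e. how much memory beyond the record leaked; *resp_len gets the size. */
size_t leaked_bytes(int use_fix, uint16_t claimed_len, size_t *resp_len) {
    static uint8_t arena[ARENA_SIZE], resp[ARENA_SIZE];   /* keep claimed_len < ARENA_SIZE - 19 */
    const uint8_t request[23] = { 1, (uint8_t)(claimed_len >> 8), (uint8_t)claimed_len,
                                  'p', 'i', 'n', 'g' };   /* remaining 16 bytes: zero padding */
    memset(arena, 'S', sizeof arena);
    memcpy(arena, request, sizeof request);               /* only 23 bytes really arrived */
    size_t n = use_fix ? heartbeat_fixed(arena, sizeof request, resp)
                       : heartbeat_vulnerable(arena, sizeof request, resp);
    if (resp_len) *resp_len = n;
    size_t leaked = 0; for (size_t i = 0; i < n; i++) leaked += (resp[i] == 'S');
    return leaked;
}
```

With a claimed length of 256 against a 23-byte request, the vulnerable handler returns 236 bytes of arena contents that were never part of the record, while the fixed handler drops the request and returns nothing.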