[GPSCC-chat] Heartbleed is real. Do something real.

Spencer Graves spencer.graves at prodsyse.com
Sun Apr 13 14:46:20 PDT 2014


Hi, Cameron, et al.:


       Might anyone have a source to back up Cameron's discussion about 
Heartbleed and identity theft operations of some criminal organizations?


       I'd like to add a discussion of that to the Wikipedia article on 
"Heartbleed", but I'm concerned that my comments on that would be 
removed if I don't cite a credible source.


       Thanks,
       Spencer


On 4/12/2014 6:27 PM, Cameron L. Spitzer wrote:
>
> >"It is believed that Heartbleed originates from the same organisation 
> as stuxnet and duqu."
>
> That's just silly, of course.  OpenSSL is developed in the open using 
> a collaboration tool called Git that was invented for Linux kernel 
> development.
> OpenSSL's Git instance is online where anyone can fetch any version 
> any time.
> To see the fix, just google "heartbleed git commits" and follow the 
> first link 
> <http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3#patch2>.  
> That's the fix (bug code in red, fix code in green, in two files) 
> being introduced to the code line.
>
> The bug was introduced with the heartbeat feature.  That commit is 
> here 
> <http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1>.
> Robin Seggelmann is not mysterious.  He's given interviews about it by 
> now.  It's a dumb error (missing bounds check, shouldn't trust the 
> remote system) that was all too common in networking software a decade 
> ago but reviewers usually look for these days.
> A stealthy intelligence agency introducing a secret back door would 
> have made some effort to hide it or sneak it in.  It would be much 
> more subtle.
>
>
> >"the United States National Security Agency was aware of the flaw 
> since shortly after its introduction"
>
> Of course.  OpenSSL is open source security software.  NSA reviews 
> that more carefully and faster than anybody else does. We'd all be 
> amazed if they, of all reviewers, /didn't/ spot a missing bounds 
> check.  (More disappointed than amazed it got past everybody else.)  
> Discovering the bug and not promptly informing OpenSSL's maintainers 
> was evil.
>
>
>
> On 04/12/2014 12:58 PM, Spencer Graves wrote:
>> Hi, Cameron:
>>
>>
>> [...]     Example:  17:12 today (5:12 PM, UTC), an anonymous user 
>> added a comment that, "It is believed that Heartbleed originates from 
>> the same organisation as stuxnet and duqu." This comment included a 
>> reference to an article that mentioned neither stuxnet nor duqu.  It 
>> was undone 49 minutes later. The article also includes comments that, 
>> "According to two insider sources speaking to Bloomberg.com, the 
>> United States National Security Agency was aware of the flaw since 
>> shortly after its introduction, but chose to keep it secret, instead 
>> of reporting it, in order to exploit it for their own purposes." [...]
>
>
>
>
> _______________________________________________
> sosfbay-discuss mailing list
> sosfbay-discuss at cagreens.org
> http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss


-- 
Spencer Graves, PE, PhD
President and Chief Technology Officer
Structure Inspection and Monitoring, Inc.
751 Emerson Ct.
San José, CA 95126
ph:  408-655-4567
web:  www.structuremonitoring.com
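As an added illustration of the "missing bounds check, shouldn't trust the remote system" error Cameron describes (example code written for this archive page, not taken from either message or from OpenSSL itself): a heartbeat-style record handler that refuses to echo more bytes than it actually received, in the spirit of the check the linked fix commit adds. The record layout (type byte, 16-bit length, payload, at least 16 bytes of padding) follows RFC 6520; the function names and the sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_PADDING 16   /* minimum padding a TLS heartbeat must carry */

/* Parse a heartbeat request and build the echo response into 'out'.
 * Returns the number of response bytes written, or -1 if the record is
 * dropped. The peer's 16-bit length field is untrusted input: the check
 * below makes sure the bytes it claims were really received before any
 * copy happens, which is exactly the check the buggy code lacked. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    /* Need at least type + 2-byte length + mandatory padding. */
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;
    if (rec[0] != 1)                          /* 1 = heartbeat_request */
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* peer-supplied */
    /* The bounds check: declared payload plus padding must fit inside
     * what was actually received, otherwise the copy would read past the
     * end of the record into whatever process memory follows it. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = 2;                               /* 2 = heartbeat_response */
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, rec + 3, payload);        /* provably in bounds now */
    memset(out + 3 + payload, 0, HB_PADDING); /* padding: zeroed here */
    return (int)resp_len;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t good_req[] = { 1, 0x00, 0x03, 'a', 'b', 'c',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };  /* claims 3, sends 3 */
static const uint8_t bad_req[]  = { 1, 0xFF, 0xFF, 'a', 'b', 'c',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };  /* claims 65535, sends 3 */

/* Returns 1 when the honest record is echoed and the over-claiming one is dropped. */
int demo(void)
{
    uint8_t out[128];
    int ok  = heartbeat_respond(good_req, sizeof good_req, out, sizeof out);
    int bad = heartbeat_respond(bad_req,  sizeof bad_req,  out, sizeof out);
    return (ok == 22 && bad == -1) ? 1 : 0;
}
```

Without the length comparison, the second record would cause 65535 bytes to be copied out of a 22-byte buffer, which is the whole of the bug.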
