[GPSCC-chat] Heartbleed is real. Do something real.
Spencer Graves
spencer.graves at prodsyse.com
Sun Apr 13 14:46:20 PDT 2014
Hi, Cameron, et al.:
Might anyone have a source to back up Cameron's discussion about
Heartbleed and identity theft operations of some criminal organizations?
I'd like to add a discussion of that to the Wikipedia article on
"Heartbleed", but I'm concerned that my comments on that would be
removed if I don't cite a credible source.
Thanks,
Spencer
On 4/12/2014 6:27 PM, Cameron L. Spitzer wrote:
>
> >"It is believed that Heartbleed originates from the same organisation
> as stuxnet and duqu."
>
> That's just silly, of course. OpenSSL is developed in the open using
> a collaboration tool called Git that was invented for Linux kernel
> development.
> OpenSSL's Git instance is online where anyone can fetch any version
> any time.
> To see the fix, just google "heartbleed git commits" and follow the
> first link
> <http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3#patch2>.
> That's the fix (bug code in red, fix code in green, in two files)
> being introduced to the code line.
>
> The bug was introduced with the heartbeat feature. That commit is
> here
> <http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1>.
> Robin Seggelmann is not mysterious. He's given interviews about it by
> now. It's a dumb error (missing bounds check, shouldn't trust the
> remote system) that was all too common in networking software a decade
> ago but reviewers usually look for these days.
> A stealthy intelligence agency introducing a secret back door would
> have made some effort to hide it or sneak it in. It would be much
> more subtle.
>
>
> >"the United States National Security Agency was aware of the flaw
> since shortly after its introduction"
>
> Of course. OpenSSL is open source security software. NSA reviews
> that more carefully and faster than anybody else does. We'd all be
> amazed if they, of all reviewers, /didn't/ spot a missing bounds
> check. (More disappointed than amazed it got past everybody else.)
> Discovering the bug and not promptly informing OpenSSL's maintainers
> was evil.
>
>
>
> On 04/12/2014 12:58 PM, Spencer Graves wrote:
>> Hi, Cameron:
>>
>>
>> [...] Example: 17:12 today (5:12 PM, UTC), an anonymous user
>> added a comment that, "It is believed that Heartbleed originates from
>> the same organisation as stuxnet and duqu." This comment included a
>> reference to an article that mentioned neither stuxnet nor duqu. It
>> was undone 49 minutes later. The article also includes comments that,
>> "According to two insider sources speaking to Bloomberg.com, the
>> United States National Security Agency was aware of the flaw since
>> shortly after its introduction, but chose to keep it secret, instead
>> of reporting it, in order to exploit it for their own purposes." [...]
>
>
>
>
> _______________________________________________
> sosfbay-discuss mailing list
> sosfbay-discuss at cagreens.org
> http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss
--
Spencer Graves, PE, PhD
President and Chief Technology Officer
Structure Inspection and Monitoring, Inc.
751 Emerson Ct.
San José, CA 95126
ph: 408-655-4567
web: www.structuremonitoring.com
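An added example, not code from this thread or from OpenSSL: a simplified TLS heartbeat request handler in C that applies the bounds check Cameron describes as missing, so a peer's claimed payload length is never trusted beyond the bytes actually received. Function names and constants are mine; the message layout follows the RFC 6520 heartbeat message (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding).

```c
/* Simplified heartbeat handling with the length check that Heartbleed lacked.
 * Record layout (RFC 6520): type(1) | payload_length(2, big-endian) |
 * payload(N) | padding(>=16). All names here are illustrative. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_HDR_LEN 3        /* type + payload_length */
#define HB_MIN_PADDING 16   /* RFC 6520 minimum padding */

/* Returns the payload length if the record is well-formed, -1 otherwise.
 * The peer controls payload_length; if it is larger than the record that
 * arrived, copying "payload_length" bytes would read past the record buffer
 * into whatever memory follows it. That is the missing check. */
int hb_validate(const uint8_t *rec, size_t rec_len, uint16_t *payload_len_out)
{
    uint16_t payload_len;

    /* Header plus minimum padding must fit before we parse anything. */
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING)
        return -1;

    payload_len = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The fix: claimed payload plus padding must lie inside the record. */
    if ((size_t)HB_HDR_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return -1;

    if (payload_len_out)
        *payload_len_out = payload_len;
    return (int)payload_len;
}

/* Builds a heartbeat_response echoing only the validated payload.
 * Returns the response length, or -1 on a bad record or a too-small buffer. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    uint16_t plen;
    size_t need;

    if (hb_validate(rec, rec_len, &plen) < 0)
        return -1;
    need = HB_HDR_LEN + plen + HB_MIN_PADDING;
    if (out_cap < need)
        return -1;
    out[0] = 2;                     /* heartbeat_response */
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)plen;
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, plen);  /* bounded by the check above */
    memset(out + HB_HDR_LEN + plen, 0, HB_MIN_PADDING); /* constructed; real code uses random padding */
    return (int)need;
}
```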