<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix"><br>
>"It is believed that Heartbleed originates from the same
organisation as stuxnet and duqu."<br>
<br>
That's just silly, of course. OpenSSL is developed in the open
using a collaboration tool called Git that was invented for Linux
kernel development.<br>
OpenSSL's Git instance is online where anyone can fetch any
version any time.<br>
To see the fix, just google "heartbleed git commits" and follow
the <a
href="http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3#patch2">first
link</a>. That's the fix (bug code in red, fix code in green,
in two files) being introduced to the code line.<br>
<br>
The bug was introduced with the heartbeat feature. That commit is
<a
href="http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1">here</a>.<br>
Robin Segglemann is not mysterious. He's given interviews about
it by now. It's a dumb error (missing bounds check, shouldn't
trust the remote system) that was all too common in networking
software a decade ago but reviewers usually look for these days.<br>
A stealthy intelligence agency introducing a secret back door
would have made some effort to hide it or sneak it in. It would
be much more subtle.<br>
<br>
<br>
>"the United States National Security Agency was aware of the
flaw since shortly after its introduction"<br>
<br>
Of Course. OpenSSL is open source security software. NSA reviews
that more carefully and faster than anybody else does. We'd all
be amazed if they, of all reviewers, <i>didn't</i> spot a missing
bounds check. (More disappointed than amazed it got past
everybody else.) Discovering the bug and not promptly informing
OpenSSL's maintainers was evil.<br>
<br>
<br>
<br>
On 04/12/2014 12:58 PM, Spencer Graves wrote:<br>
</div>
<blockquote cite="mid:53499B03.9090409@prodsyse.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">Hi, Cameron: <br>
<br>
<br>
[...] Example: 17:12 today (5:12 PM, UTC), an anonymous
user added a comment that, "It is believed that Heartbleed
originates from the same organisation as stuxnet and duqu."
This comment included a reference to an article that mentioned
neither stuxnet nor duqu. It was undone 49 minutes later. The
article also includes comments that, "According to two insider
sources speaking to Bloomberg.com, the United States National
Security Agency was aware of the flaw since shortly after its
introduction, but chose to keep it secret, instead of reporting
it, in order to exploit it for their own purposes." [...]</div>
</blockquote>
<br>
<br>
</body>
</html>