
[Fwd: Re: HeartBleed perpetrator identified]

  • Thad Floryan
    Apr 11, 2014
      FYI

      -------- Original Message --------
      Subject: Re: HeartBleed perpetrator identified
      Date: Fri, 11 Apr 2014 13:30:14 -0700
      From: Thad Floryan <thad@...>
      Organization: ThadLABS
      Newsgroups: ba.internet
      References: <5348447B.9040204@...>

      On 4/11/2014 12:37 PM, Thad Floryan wrote:
      > Found the following on the 'Net yesterday:
      >
      > " Actually, it was Robin Seggelmann (seggelmann at fh-muenster.de) who
      > " provided Dr. Stephen Henson (steve at openssl.org) this single line
      > " of code, which "is" the heartbleed bug, in a heartbeat:
      > "
      > " buffer = OPENSSL_malloc(1 + 2 + payload + padding);
      > "
      > " The problem is that our Dr. Steve dutifully committed this code
      > " on Sat, 31 Dec 2011 at the ripe time of an hour before the new year:
      > " 15:59:57 -0700 (22:59 +0000).
      > "
      > " Of course Steve didn't check the code, and, one wonders, why was
      > " Steve checking in someone else's submitted code (which is a basic
      > " no-no in security software practices)?
      > "
      > " The result is that now, all encrypted data to two million servers
      > " that someone bothered to archive in the past two years (*cough*
      > " MPS, *cough* NSA, *cough* FIS) is/was wide-open cleartext!

      What's interesting is that another ba.internet subscriber sent me an
      email citing a Slashdot reference at the same time I was reading the
      same Slashdot reference today:

      http://article.gmane.org/gmane.os.openbsd.misc/211963

      which concludes:

      "OpenSSL is not developed by a responsible team."

      Thad
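The `OPENSSL_malloc(1 + 2 + payload + padding)` line quoted above sizes the response buffer; what the OpenSSL 1.0.1g fix added was a check that the peer-supplied `payload` length actually fits inside the heartbeat record that was received. The following is an added example, not code from this message or from OpenSSL, of a simplified heartbeat handler that applies that check; the record layout follows RFC 6520 and the sample records are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified model of a TLS heartbeat record (RFC 6520 layout):
 *   [type:1][payload_length:2, big-endian][payload][padding, >= 16 bytes]
 * rec/rec_len is the record as actually received; payload_length is
 * peer-controlled and must be checked against rec_len before it is used. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Builds the response into out. Returns bytes written, or 0 if rejected. */
size_t heartbeat_reply(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    /* Record must at least hold the type, the length field and minimum padding. */
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    /* The check 1.0.1g added: the claimed payload must fit inside what was
     * received, otherwise memcpy would read from whatever follows rec. */
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;
    size_t need = 1 + 2 + payload + HB_PADDING;  /* the size from the quoted malloc line */
    if (need > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);           /* echo only bytes the peer really sent */
    memset(out + 3 + payload, 0, HB_PADDING);    /* constructed: zero padding */
    return need;
}

/* Constructed sample records for a quick self-check. */
size_t demo_well_formed(unsigned char *out, size_t out_cap)
{
    /* claims 4 payload bytes and actually carries them, plus 16 bytes of padding */
    unsigned char rec[1 + 2 + 4 + HB_PADDING] = {HB_REQUEST, 0, 4, 'p', 'i', 'n', 'g'};
    return heartbeat_reply(rec, sizeof rec, out, out_cap);
}

size_t demo_oversized_claim(unsigned char *out, size_t out_cap)
{
    /* same 23-byte record, but the length field claims 65535 payload bytes */
    unsigned char rec[1 + 2 + 4 + HB_PADDING] = {HB_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g'};
    return heartbeat_reply(rec, sizeof rec, out, out_cap);
}
```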