[Fwd: Re: HeartBleed perpetrator identified]
Apr 11, 2014
FYI
-------- Original Message --------
Subject: Re: HeartBleed perpetrator identified
Date: Fri, 11 Apr 2014 13:30:14 -0700
From: Thad Floryan <thad@...>
On 4/11/2014 12:37 PM, Thad Floryan wrote:
> Found the following on the 'Net yesterday:
> " Actually, it was Robin Seggelmann (seggelmann at fh-muenster.de) who
> " provided Dr. Stephen Henson (steve at openssl.org) this single line
> " of code, which "is" the heartbleed bug, in a heartbeat:
> " buffer = OPENSSL_malloc(1 + 2 + payload + padding);
> " The problem is that our Dr. Steve dutifully committed this code
> " on Sat, 31 Dec 2011 at the ripe time of an hour before the new year:
> " 15:59:57 -0700 (22:59 +0000).
> " Of course Steve didn't check the code, and, one wonders, why was
> " Steve checking in someone else's submitted code (which is a basic
> " no-no in security software practices)?
> " The result is that now, all encrypted data to two million servers
> " that someone bothered to archive in the past two years (*cough*
> " MPS, *cough* NSA, *cough* FIS) is/was wide-open cleartext!
What's interesting is that another ba.internet subscriber sent me an
email citing a Slashdot reference at the same time I was reading the
same Slashdot reference today:
"OpenSSL is not developed by a responsible team."
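Editor's note: the quoted text blames the OPENSSL_malloc line, but what the heartbeat handler was missing is a check that the peer's claimed payload length actually fits inside the record that arrived. The following is an added example written for this note, not code from OpenSSL or from anyone in the thread; it uses a constructed record layout (type byte, two-byte big-endian length, payload, 16 bytes of padding) and the names `payload` and `padding` from the quoted line.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding a heartbeat message carries */

/* Build the heartbeat response for one received record.
 * Returns the response length, or -1 when the record is malformed:
 * the claimed payload length must fit in the bytes actually received
 * (the check the original handler lacked) and the output must fit in out. */
int heartbeat_response(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)   /* need type + 2-byte length */
        return -1;
    /* payload length as claimed by the peer, big-endian */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    size_t padding = HB_PADDING;
    /* Hardening: reject any claim that reaches past the received record.
     * Without this, the copy below would read past rec into process memory. */
    if (1 + 2 + payload + padding > rec_len)
        return -1;
    size_t resp_len = 1 + 2 + payload + padding;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);        /* echo only bytes that exist */
    memset(out + 3 + payload, 0, padding);    /* real padding is random; zero here */
    return (int)resp_len;
}

/* Constructed sample records (not captured traffic): a well-formed request
 * with a 3-byte payload, and one that claims 65535 bytes but sends 3. */
static const unsigned char good_rec[] = { HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const unsigned char bad_rec[]  = { HB_REQUEST, 0xff, 0xff, 'a', 'b', 'c',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Helpers so the two outcomes can be checked without printing. */
int good_len(void) { unsigned char o[64]; return heartbeat_response(good_rec, sizeof good_rec, o, sizeof o); }
int bad_len(void)  { unsigned char o[64]; return heartbeat_response(bad_rec, sizeof bad_rec, o, sizeof o); }
int good_echo_ok(void)
{
    unsigned char o[64];
    int n = heartbeat_response(good_rec, sizeof good_rec, o, sizeof o);
    return n == 22 && o[0] == HB_RESPONSE && memcmp(o + 3, "abc", 3) == 0;
}
```

The well-formed record yields a 22-byte response (1 + 2 + 3 + 16); the oversized claim is dropped before any copy happens, which is the behaviour the later OpenSSL fix introduced.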