[Fwd: Re: HeartBleed perpetrator identified]

  • Thad Floryan
    Message 1 of 4, Apr 11 1:31 PM
      FYI

      -------- Original Message --------
      Subject: Re: HeartBleed perpetrator identified
      Date: Fri, 11 Apr 2014 13:30:14 -0700
      From: Thad Floryan <thad@...>
      Organization: ThadLABS
      Newsgroups: ba.internet
      References: <5348447B.9040204@...>

      On 4/11/2014 12:37 PM, Thad Floryan wrote:
      > Found the following on the 'Net yesterday:
      >
      > " Actually, it was Robin Seggelmann (seggelmann at fh-muenster.de) who
      > " provided Dr. Stephen Henson (steve at openssl.org) this single line
      > " of code, which "is" the heartbleed bug, in a heartbeat:
      > "
      > " buffer = OPENSSL_malloc(1 + 2 + payload + padding);
      > "
      > " The problem is that our Dr. Steve dutifully committed this code
      > " on Sat, 31 Dec 2011 at the ripe time of an hour before the new year:
      > " 15:59:57 -0700 (22:59 +0000).
      > "
      > " Of course Steve didn't check the code, and, one wonders, why was
      > " Steve checking in someone else's submitted code (which is a basic
      > " no-no in security software practices)?
      > "
      > " The result is that now, all encrypted data to two million servers
      > " that someone bothered to archive in the past two years (*cough*
      > " MPS, *cough* NSA, *cough* FIS) is/was wide-open cleartext!

      What's interesting is that another ba.internet subscriber sent me an
      email citing a Slashdot reference at the same time I was reading the
      same Slashdot reference today:

      http://article.gmane.org/gmane.os.openbsd.misc/211963

      which concludes:

      "OpenSSL is not developed by a responsible team."

      Thad
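The allocation line quoted above only sizes the reply; the defect was that the declared payload length was never checked against the record actually received. An added example (not from the thread or from OpenSSL itself) models the heartbeat record handling with the bounds check that the 1.0.1g fix introduced; the function and sample names are assumed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16  /* minimum padding the heartbeat extension requires */

/* Parse one heartbeat record and build the echo response.  Returns the
 * response length, or -1 if the record is malformed; caller owns *out. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t **out)
{
    /* Room for the type byte, the 2-byte length and the minimum padding? */
    if (1 + 2 + HB_PADDING > rec_len || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The declared payload must fit inside the record actually received;
     * without this check the memcpy below reads past the record. */
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;

    uint8_t *buf = malloc(1 + 2 + payload + HB_PADDING);
    if (!buf) return -1;
    buf[0] = HB_RESPONSE;
    buf[1] = (uint8_t)(payload >> 8);
    buf[2] = (uint8_t)(payload & 0xff);
    memcpy(buf + 3, rec + 3, payload);         /* echo only bytes we hold */
    memset(buf + 3 + payload, 0, HB_PADDING);  /* OpenSSL uses random bytes */
    *out = buf;
    return (int)(1 + 2 + payload + HB_PADDING);
}

/* Constructed samples, 24 bytes each: "hello" followed by 16 zero bytes. */
static const uint8_t good_req[24] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t bad_req[24]  = { HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o' };

/* Returns 24 when the well-formed request is echoed back correctly. */
int demo_good(void)
{
    uint8_t *r = NULL;
    int n = heartbeat_respond(good_req, sizeof good_req, &r);
    int ok = n == 24 && r[0] == HB_RESPONSE && memcmp(r + 3, "hello", 5) == 0;
    free(r);
    return ok ? n : -2;
}

/* Returns -1: a claimed 65535-byte payload cannot fit in a 24-byte record. */
int demo_bad(void)
{
    uint8_t *r = NULL;
    return heartbeat_respond(bad_req, sizeof bad_req, &r);
}
```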
    • Scott
      Message 2 of 4, Apr 11 1:43 PM
        On Fri, Apr 11, 2014 at 01:31:41PM -0700, Thad Floryan wrote:
        > FYI
        >
        >
        > which concludes:
        >
        > "OpenSSL is not developed by a responsible team."
        >
        It is probably good to point out that the statement was made by Theo
        DeRadt, who tends to, when criticizing anything his team hasn't written, be
        rather nasty.


        --
        Scott Robbins
        PGP keyID EB3467D6
        ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
        gpg --keyserver pgp.mit.edu --recv-keys EB3467D6
      • Thad Floryan
        Message 3 of 4, Apr 11 3:21 PM
          Scott wrote:
          > On Fri, Apr 11, 2014 at 01:31:41PM -0700, Thad Floryan wrote:
          > > FYI
          > > [...]
          > > which concludes:
          > >
          > > "OpenSSL is not developed by a responsible team."
          >
          > It is probably good to point out that the statement was made by Theo
          > DeRadt, who tends to, when criticizing anything his team hasn't
          > written, be rather nasty.

          { hmmm, your article was easy to scrape from Yahoo noting I haven't
          been logged in for ages since Neo waiting for my account to expire }

          No nastier than when I refer to Yahoo's idiocies especially
          the NEO fiasco -- group messages are still hosed 8 months later and
          not one person in this group shared/shares my concern for the loss of
          this group's message archives beginning January 1998.

          As I discovered during a NEO glitch in October 2013, the "raw" message
          archives are still OK, it's just that NEO is not fetching and displaying
          them in any sane manner due to Yahoo's incompetence.

          I posted the HeartBleed perpetrators' names so people would know who
          the clowns are who caused the problem should they ever seek employment
          in the computer or IT job sectors ever again. What they did, as I
          posted previously, was inexcusable and unconscionable and they should
          suffer lifelong shunning as a minimum punishment.

          I do NOT abide PC (Political Correctness crapola) and will call a spade
          a spade and Theo's comment

          "OpenSSL is not developed by a responsible team."

          is spot on and NOT a nasty comment.

          I just looked at the latest source fixes this week from here:

          http://www.openssl.org/source/openssl-1.0.1g.tar.gz 4.3MB

          and randomly examining the source code shows a dearth of comments which
          is a sign of shoddy design and thinking resulting in crap software much
          like the systemd crapola from Poettering and Sievers.

          Thad
        • ed
          Message 4 of 4, Apr 12 4:25 AM
            On Fri, Apr 11, 2014 at 03:21:00PM -0700, Thad Floryan wrote:
            > Scott wrote:
            > > It is probably good to point out that the statement was made by Theo
            > > DeRadt, who tends to, when criticizing anything his team hasn't
            > > written, be rather nasty.

            Depends, from his point of view he produced a nice new way to do string
            handling but people don't bother to use it.

            http://www.courtesan.com/todd/papers/strlcpy.html

            > { hmmm, your article was easy to scrape from Yahoo noting I haven't
            > been logged in for ages since Neo waiting for my account to expire }

            Nor have I. Do you remember our discussion about the other YahooGroups
            that you're a member of? I've not logged in since around then. You'll
            still be able to use YahooGroups despite your account expiring, mail
            will still turn up in your mailbox, you'll just not be able to make
            modifications to your account until you "recover" it.

            > No nastier than when I refer to Yahoo's idiocies especially
            > the NEO fiasco -- group messages are still hosed 8 months later and
            > not one person in this group shared/shares my concern for the loss of
            > this group's message archives beginning January 1998.

            We're all quite pissed off with the filter, when we found there was a back
            door in via the beta site that still hosted the older interface we
            wanted to use that and recover the archive. I'd have gladly imported it
            and hosted it along with any new messages. If you're reading this and
            you did get a copy then please forward that to me, I'll host it.

            Thinking about it, I wonder what archive.org has (goes to look) ah
            not much:

            https://web.archive.org/web/*/http://tech.dir.groups.yahoo.com/group/linux/message/*

            Shame.

            > As I discovered during a NEO glitch in October 2013, the "raw" message
            > archives are still OK, it's just that NEO is not fetching and displaying
            > them in any sane manner due to Yahoo's incompetence.

            Some mail lists support message retrieval commands, I can't find
            anything to back this up for yahoogroups though.

            > I posted the HeartBleed perpetrators' names so people would know who
            > the clowns are who caused the problem should they ever seek employment
            > in the computer or IT job sectors ever again. What they did, as I
            > posted previously, was inexcusable and unconscionable and they should
            > suffer lifelong shunning as a minimum punishment.

            Instead they will probably get to write a book about it and make
            millions.

            > I do NOT abide PC (Political Correctness crapola) and will call a spade
            > a spade and Theo's comment
            >
            > "OpenSSL is not developed by a responsible team."
            >
            > is spot on and NOT a nasty comment.
            >
            > I just looked at the latest source fixes this week from here:
            >
            > http://www.openssl.org/source/openssl-1.0.1g.tar.gz 4.3MB
            >
            > and randomly examining the source code shows a dearth of comments which
            > is a sign of shoddy design and thinking resulting in crap software much
            > like the systemd crapola from Poettering and Sievers.

            There are alternatives out there

            http://en.wikipedia.org/wiki/Comparison_of_TLS_implementations

            Now, if we could just get a nice secure set of wrapper functions to
            allow end users to decide which to use...

            --
            Best regards,
            Ed http://www.s5h.net/