[[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

Chris Adams cma at cmadams.net
Fri Apr 11 20:45:35 UTC 2014


Once upon a time, Niels Bakker <niels=nanog at bakker.net> said:
> but here's the same news from a much more credible source:

Actually, that's the same news _from the same source_ as originally
posted.

That article also has other wonderful bits like:

   The Heartbleed flaw, introduced in early 2012 in a minor adjustment
   to the OpenSSL protocol, highlights one of the failings of open
   source software development.

   While many Internet companies rely on the free code, its integrity
   depends on a small number of underfunded researchers who devote their
   energies to the projects.

This is fairly typical big-business denigration of Open Source, ignoring
the fact that (a) closed source software doesn't get reviewed for things
like this, and (b) code like this isn't just written by "underfunded
researchers".

Red Hat (a billion-dollar company) got their package of OpenSSL through
FIPS certification.

Even the opening of the article:

   The U.S. National Security Agency knew for at least two years about a
   flaw in the way that many websites send sensitive information,

The flaw has only existed for two years and a couple of weeks (and how
many websites deployed a brand-new OpenSSL the day it came out?).  So
unless the patch was authored by the NSA (which the patch author claims
is not the case), they'd have to have known about it before it existed.

I don't even fully buy the "two-thirds of the world's websites".  I'm
not sure that 2/3 of the websites I visit even use SSL.  Also, many
versions of "enterprise" OSes like Red Hat Enterprise Linux weren't
affected (RHEL 5 was not affected, and RHEL 6 was only affected starting
with 6.5 from last November).  There are a lot of web servers that
aren't updated that often (or stay with more "stable" release trains).

-- 
Chris Adams <cma at cmadams.net>
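
A small triage script, added here as an illustration and not part of the post above, for the version-line reasoning in it: the 0.9.8 and 1.0.0 packages that RHEL 5 and RHEL 6.0-6.4 shipped (as I recall them; treat that as an assumption) fall outside the affected line, RHEL 6.5's 1.0.1e falls inside it. The script assumes, since the post does not state it, that the upstream affected range is OpenSSL 1.0.1 through 1.0.1f with 1.0.1g the first fixed release, and the sample strings are constructed. The practitioner's caveat it encodes: an enterprise distro backports the fix without changing the upstream letter, so `openssl version` on a patched RHEL 6.5 host still prints 1.0.1e, and only the package release tag checked against the vendor erratum (or a live test) settles the question.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed affected upstream range (not stated in the post): OpenSSL 1.0.1
# through 1.0.1f carry the TLS heartbeat bug; 1.0.1g is the first fixed
# release; the 0.9.8 and 1.0.0 lines never contained the heartbeat code.
AFFECTED_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

# Matches "1.0.1e", "1.0.1e-fips", "0.9.8e-fips-rhel5" and package names such as
# "openssl-1.0.1e-16.el6_5.7.x86_64" (release tag captured only if it starts
# with a digit, so "-fips" is not mistaken for a package release).
_VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?P<letter>[a-z]?)"
    r"(?:-(?P<release>\d\S*))?"
)


@dataclass
class Verdict:
    version: Tuple[int, int, int, str]   # (major, minor, patch, letter)
    release: Optional[str]               # distro package release tag, if any
    status: str                          # unaffected | vulnerable | fixed | needs-errata-check
    reason: str


def parse_version(text: str):
    """Return (major, minor, patch, letter, release) from an `openssl version`
    line or an RPM/dpkg package name."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version in %r" % text)
    return (int(m["major"]), int(m["minor"]), int(m["patch"]),
            m["letter"], m["release"])


def triage(text: str) -> Verdict:
    major, minor, patch, letter, release = parse_version(text)
    ver = (major, minor, patch, letter)
    if "beta" in text.lower():
        # Pre-release builds do not follow the letter scheme; do not guess.
        return Verdict(ver, release, "needs-errata-check",
                       "pre-release build; consult the project's advisory")
    branch = (major, minor, patch)
    if branch < AFFECTED_BRANCH:
        return Verdict(ver, release, "unaffected",
                       "0.9.8 and 1.0.0 lines predate the heartbeat code")
    if branch > AFFECTED_BRANCH:
        return Verdict(ver, release, "fixed",
                       "release line cut after the upstream fix")
    if letter >= FIRST_FIXED_LETTER:
        return Verdict(ver, release, "fixed", "1.0.1g or later")
    if release is not None:
        # A vendor package keeps the upstream letter and backports the fix,
        # so the letter alone cannot decide; compare the release tag against
        # the vendor erratum instead.
        return Verdict(ver, release, "needs-errata-check",
                       "distro package: backported fixes do not bump the "
                       "upstream letter; check release %s against the erratum"
                       % release)
    return Verdict(ver, release, "vulnerable",
                   "upstream 1.0.1..1.0.1f; conclusive for a self-built "
                   "binary, a distro binary still needs the package check")


if __name__ == "__main__":
    # Constructed sample strings, not taken from any real host.
    samples = [
        "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",   # RHEL 5 style
        "OpenSSL 1.0.0-fips 29 Mar 2010",          # RHEL 6.0-6.4 style
        "OpenSSL 1.0.1e-fips 11 Feb 2013",         # RHEL 6.5 style, undecidable
        "openssl-1.0.1e-16.el6_5.7.x86_64",        # package name with release tag
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
    ]
    for s in samples:
        v = triage(s)
        print("%-40s %-19s %s" % (s, v.status, v.reason))
```

Run it against the output of `openssl version` and `rpm -q openssl` (or `dpkg -l openssl`) on each host; anything that comes back `needs-errata-check` goes to the vendor's advisory list rather than into a vulnerable/not-vulnerable column.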

More information about the NANOG mailing list