[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years

Doug Barton dougb at dougbarton.us
Mon Apr 14 20:07:25 UTC 2014


On 04/14/2014 12:59 PM, Patrick W. Gilmore wrote:
> On Apr 14, 2014, at 15:47 , Scott Howard <scott at doc.net.au> wrote:
>> On Sun, Apr 13, 2014 at 9:52 AM, Niels Bakker <niels=nanog at bakker.net> wrote:
>
>>> At least one vendor, Akamai is helping out now:
>>> http://marc.info/?l=openssl-users&m=139723710923076&w=2
>>> I hope other vendors will follow suit.
>>
>>
>> Although it appears they may now be regretting doing so...
>>
>> http://www.techworld.com.au/article/542813/akamai_admits_its_openssl_patch_faulty_reissues_keys/
>>
>> (Of course, the end result is positive, but...)
>
> [NOTE: I'll just remind everyone up front that I worked at Akamai for a very long time, so take my comments with however many grains of salt you feel appropriate.]
>
> If the only thing that happens when a large company steps up to help the open source community is ridicule and/or derision, one should probably not in the same breath ask why no companies are publishing any code.
>
> I applaud Akamai for trying, for being courageous enough to post code, and for bucking the trend so many other companies are following by being more secretive every year.
>
> Or we can flame anyone who tries, then wonder why no one is trying.

Agreed ... review is good, comments on needed fixes are good, but saying 
that Akamai, "should not be sending out non-functional, bug ridden 
patches to the OpenSSL community" as Pinckaers did is not constructive.

Part of the problem here is the whole "You can't play in my sandbox!" 
attitude.

Doug





More information about the NANOG mailing list