> Sometimes, I think those damned bugs, viruses, trojans; are created by the software anti-malware companies.

OpenSSL is not a "company" -- nor would it be influenced by an anti-malware company. It is developed under the "bazaar" model like most free (as in freedom) software. The source code is downloadable for review and/or modification, under the theory that "many eyes make bugs shallow". Most times, bugs are caught and squashed quickly. This is one that got away. Nobody's perfect.
> The source code is downloadable for review and/or modification, under the theory that "many eyes make bugs shallow". Most times, bugs are caught and squashed quickly. This is one that got away. Nobody's perfect.

You make a great leap of faith that those that download it fully vetted the module prior to activation, including finding any malware.
> You make a great leap of faith that those that download it fully vetted the module prior to activation...

The process works more often than it doesn't. Free software has a far better record regarding vulnerabilities than proprietary software.
> ...including finding any malware. Obviously, the application wasn't fully vetted. This malware worked as fully intended by the author.

Who said anything about malware? This was a buffer overflow...a programming mistake. And it was caught, eventually. And the author of the "malware"? Had this been intentional, he could easily be tracked down from the code commits....
> How many "experts" used this "as is" without vetting? We will never know.

Me thinks thou doth protest too much.
This incident "stained the soul" of OpenSource with respect to SSL.
> This incident "stained the soul" of OpenSource with respect to SSL.

As opposed to large closed-source companies and " " who actually protect our privacy.
> The process works more often than it doesn't.

How many stolen identities are required for you to acknowledge the scale of this screw up? More often than not is not a very good metric.
> How many stolen identities are required for you to acknowledge the scale of this screw up? More often than not is not a very good metric.

On a scale from 1 to 10 it's an 8 from the standpoint of a possible security leak, but none of the closed-source vendors has a great track record either, and the US government has not been helpful in the past when they find problems that they can use.
> the US government has not been helpful in the past when they find problems that they can use.

Not to mention Russia, China, etc.
http://www.nytimes.com/2014/04/13/u...xploit-some-internet-flaws-officials-say.html
“Cyber as an offensive weapon will become bigger and bigger,” said Michael DeCesare, who runs the McAfee computer security operations of Intel Corporation. “I don’t think any amount of policy alone will stop them” from doing what they are doing, he said of the Russians, the Chinese and others. “That’s why effective command and control strategies are absolutely imperative on our side.”
> Not to mention Russia, China, etc.

Which is why we need to know about and fix vulnerabilities that affect our country's users instead of just putting them in the quiver of arrows to shoot at other nations. Intentionally keeping holes open in software security functions is the reason large segments of users don't really trust big business/big government anymore with computer security and would rather trust some random 'guy' who does it for fun to keep their computer safe instead.
> Intentionally keeping holes open in software security functions is the reason large segments of users don't really trust big business/big government anymore with computer security and would rather trust some random 'guy' who does it for fun to keep their computer safe instead.

Now it's the government's responsibility to keep holes out of software? Wow! That's a new one on me. Of course, as soon as gov does, it'll be seen as some sort of over-reach and government conspiracy. People will never be satisfied.
> Now it's the government's responsibility to keep holes out of software? Wow! That's a new one on me. Of course, as soon as gov does, it'll be seen as some sort of over-reach and government conspiracy. People will never be satisfied.

No, No, NO. It's not their responsibility to keep them out. But I think it should be their responsibility to inform us of known hazards so we can take proper action to fix them ourselves, like we see in government testing reports on safety defects in cars.
> Don't forget how well "Stuxnet" worked.

Yes. http://en.wikipedia.org/wiki/Operation_Olympic_Games
> I do hear you, nsaspook. However, it's also their responsibility to act in the best interest of public security. It's a tight-rope walk, and can't be all one way or the other.

That's the classic excuse for most things that turn out to be wrong-headed in the long run: "The best interest of the public".