nanog mailing list archives
Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
From: Scott Howard <scott () doc net au>
Date: Mon, 14 Apr 2014 14:00:12 -0700
On Mon, Apr 14, 2014 at 12:59 PM, Patrick W. Gilmore <patrick () ianai net> wrote:

> I applaud Akamai for trying, for being courageous enough to post code, and
> for bucking the trend so many other companies are following by being more secretive every year.

Just to be clear, so do I! As I said, the end result was net positive - within hours the fact they made this code snippet "open source" resulted in it being available to many more eyeballs, and bugs in it being found.

By releasing the code, Akamai has not only helped the community (at least as a starting point - even if their actual code had issues the concept is good and no doubt will be improved upon by the wider community), but helped themselves by discovering that they were operating under the mistaken impression that their SSL keys were safe when potentially they were not.

On Mon, Apr 14, 2014 at 1:07 PM, Doug Barton <dougb () dougbarton us> wrote:

> Agreed ... review is good, comments on needed fixes are good, but saying that Akamai, "should not be sending out non-functional, bug ridden patches to the OpenSSL community" as Pinckaers did is not constructive.

Especially when the release specifically stated "*This should really be considered more of a proof of concept than something that you want to put directly into production*" and "*do not just take this patch and put it into production without careful review*."

Akamai made mistakes here, but releasing what they obviously believed to be workable code in the way that they did wasn't one of them.

Scott