nanog mailing list archives

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]


From: Scott Howard <scott () doc net au>
Date: Mon, 14 Apr 2014 14:00:12 -0700

On Mon, Apr 14, 2014 at 12:59 PM, Patrick W. Gilmore <patrick () ianai net> wrote:

I applaud Akamai for trying, for being courageous enough to post code, and
for bucking the trend so many other companies are following by being more
secretive every year.


Just to be clear, so do I!  As I said, the end result was net positive -
within hours the fact they made this code snippet "open source" resulted in
it being available to many more eyeballs, and bugs in it being found.

By releasing the code, Akamai has not only helped the community (at least
as a starting point - even if their actual code had issues the concept is
good and no doubt will be improved upon by the wider community), but helped
themselves by discovering that they were operating under the mistaken
impression that their SSL keys were safe when potentially they were not.


On Mon, Apr 14, 2014 at 1:07 PM, Doug Barton <dougb () dougbarton us> wrote:

Agreed ... review is good, comments on needed fixes are good, but saying
that Akamai, "should not be sending out non-functional, bug ridden patches
to the OpenSSL community" as Pinckaers did is not constructive.


Especially when the release specifically stated "*This should really be
considered more of a proof of concept than something that you want to put
directly into production*" and "*do not just take this patch and put it
into production without careful review*."  Akamai made mistakes here, but
releasing what they obviously believed to be workable code in the way that
they did wasn't one of them.
  Scott
