Re: [ PRIVACY Forum ] Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

[Tom Morris <blueneon () gmail com>]

Been spending most of the day scrubbing away that vuln in my facility
here.... now here's the fun part: imagine just how many embedded devices
(most of which get orphaned from a software maintenance perspective the
moment they hit the store shelves) are gonna have this flaw. There's been
the discussion of crappy home broadband CPE...

Only a matter of time before someone fakes the certificate and breaks a
"trusted" software update method, or heck... a dns explot + fake
certificate = several million compromised payment card terminals.


On Wed, Mar 5, 2014 at 4:58 PM, jim deleskie <deleskie () gmail com> wrote:

> Doing some serious adjusting of my tinfoil today over his :)
>
> -jim
>
>
> On Wed, Mar 5, 2014 at 5:03 PM, Jay Ashworth <jra () baylink com> wrote:
>
> > ----- Original Message -----
> > > From: "Leo Bicknell" <bicknell () ufp org>
> >
> > > On Mar 4, 2014, at 9:07 PM, Jay Ashworth <jra () baylink com> wrote:
> > >
> > > > Is this the *same* bug that just broke in Apple code last week?
> > >
> > > No, the Apple bug was the existence of an /extra/ "goto fail;".
> > >
> > > The GnuTLS bug was that it was /missing/ a "goto fail;".
> > >
> > > I'm figuring the same developer worked on both, and just put the line
> > > in the wrong repository. :)
> >
> > Those who speculate that these bugs happened at the behest of the NSA
> > would probably agree with you.
> >
> > Cheers,
> > -- jra
> > --
> > Jay R. Ashworth                  Baylink
> > jra () baylink com
> > Designer                     The Things I Think                       RFC
> > 2100
> > Ashworth & Associates       http://www.bcp38.info          2000 Land
> > Rover DII
> > St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647
> > 1274



-- 
--
Tom Morris, KG4CYX
Mad Scientist and Operations Manager, WDNA-FM 88.9 Miami - Serious Jazz!
786-228-7087
151.820 Megacycles