Discussion:
HeartBleed perpetrator identified
(too old to reply)
Thad Floryan
2014-04-11 19:37:31 UTC
Permalink
Found the following on the 'Net yesterday:

" Actually, it was Robin Seggelmann (seggelmann at fh-muenster.de) who
" provided Dr. Stephen Henson (steve at openssl.org) this single line
" of code, which "is" the heartbleed bug, in a heartbeat:
"
" buffer = OPENSSL_malloc(1 + 2 + payload + padding);
"
" The problem is that our Dr. Steve dutifully committed this code
" on Sat, 31 Dec 2011 at the ripe time of an hour before the new year:
" 15:59:57 -0700 (22:59 +0000).
"
" Of course Steve didn't check the code, and, one wonders, why was
" Steve checking in someone elses' submitted code (which is a basic
" no no in security software practices)?
"
" The result is that now, all encrypted data to two million servers
" that someone bothered to archive in the past two years (*cough*
" MPS, *cough* NSA, *cough* FIS) is/was wide-open cleartext!
Thad Floryan
2014-04-11 20:30:14 UTC
Permalink
Post by Thad Floryan
" Actually, it was Robin Seggelmann (seggelmann at fh-muenster.de) who
" provided Dr. Stephen Henson (steve at openssl.org) this single line
"
" buffer = OPENSSL_malloc(1 + 2 + payload + padding);
"
" The problem is that our Dr. Steve dutifully committed this code
" 15:59:57 -0700 (22:59 +0000).
"
" Of course Steve didn't check the code, and, one wonders, why was
" Steve checking in someone elses' submitted code (which is a basic
" no no in security software practices)?
"
" The result is that now, all encrypted data to two million servers
" that someone bothered to archive in the past two years (*cough*
" MPS, *cough* NSA, *cough* FIS) is/was wide-open cleartext!
What's interesting is that another ba.internet subscriber sent me an
email citing a Slashdot reference at the same time I was reading the
same Slashdot reference today:

http://article.gmane.org/gmane.os.openbsd.misc/211963

which concludes:

"OpenSSL is not developed by a responsible team."

Thad
Keith Keller
2014-04-11 21:10:54 UTC
Permalink
Post by Thad Floryan
Post by Thad Floryan
" The result is that now, all encrypted data to two million servers
" that someone bothered to archive in the past two years (*cough*
" MPS, *cough* NSA, *cough* FIS) is/was wide-open cleartext!
This is of course not accurate, as having just the encrypted data isn't
sufficient; a TLA would have needed to actually exploit the bug and
gotten the private keys from the running processes' memory. The
original author should change "is/was" to "is/was possibly".
Post by Thad Floryan
http://article.gmane.org/gmane.os.openbsd.misc/211963
"OpenSSL is not developed by a responsible team."
The OpenBSD folks are generally known as a paranoid bunch. See e.g.

https://en.wikipedia.org/wiki/OpenBSD_security_features

It wouldn't surprise me if they develop their own drop-in replacement
for OpenSSL.

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
Bhairitu
2014-04-12 19:16:02 UTC
Permalink
Post by Thad Floryan
Post by Thad Floryan
" Actually, it was Robin Seggelmann (seggelmann at fh-muenster.de) who
" provided Dr. Stephen Henson (steve at openssl.org) this single line
"
" buffer = OPENSSL_malloc(1 + 2 + payload + padding);
"
" The problem is that our Dr. Steve dutifully committed this code
" 15:59:57 -0700 (22:59 +0000).
"
" Of course Steve didn't check the code, and, one wonders, why was
" Steve checking in someone elses' submitted code (which is a basic
" no no in security software practices)?
"
" The result is that now, all encrypted data to two million servers
" that someone bothered to archive in the past two years (*cough*
" MPS, *cough* NSA, *cough* FIS) is/was wide-open cleartext!
What's interesting is that another ba.internet subscriber sent me an
email citing a Slashdot reference at the same time I was reading the
http://article.gmane.org/gmane.os.openbsd.misc/211963
"OpenSSL is not developed by a responsible team."
Thad
Corporate software is not always that secure either so it is six of one
and a half dozen of the other.

Loading...