
Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)



On 16. 4. 2014 1:50 Charles Kroeger wrote:

> At this point, the probability is close to one that every target has had 
> its private keys extracted by multiple intelligence agencies.  The real 
> question is whether or not someone deliberately inserted this bug into 
> OpenSSL, and has had two years of unfettered access to everything.  My 
> guess is accident, but I have no proof.

(Please, I am not sure about some English terms below, thanks.)

Very good question! In the world, there are questions whether the NSA (and
similar) knew about this for a long time or not. IMHO, if they didn't know
about this vulnerability for months, then they aren't doing their job
well.

Back to the proper question. Was this vulnerability done by mistake? My C
knowledge is very low, but I understand that this was a stupid mistake.
If this stupid mistake can be done in the Internet's essential crypto
library, then something is wrong! Very wrong. Does nobody check the quality
of the code? Does nobody carry out tests? Do I need to learn C so that I can
check this by myself?

If this vulnerability does not come from a newbie and was made by intent,
things are worse than wrong. Then it is an attack on the very foundation of
free/open software. And what about the community? Where is the
information about who this vulnerability came from? Is it an experienced
expert or a novice? Does this person contribute to other (especially
security) projects too? What does this person say about this? And more and
more other questions are left unanswered.

Is it time to be afraid?

regards

