Posted: Sat Apr 19, 2014 3:04 pm
If you haven't heard of this bug, you've been living in a cave the past week. It allows you to snoop memory space in the OpenSSL library. Outside of upgrade, it is indefensible and untraceable. Here's how it happened.
Just $9,000 has recently been donated to OpenSSL even in light of the Heartbleed bug. [OpenSSL Software Foundation prez Steve] Marquess pointed at the billion-dollar companies that use the software, which include such entities as Facebook, Google and Yahoo.
"I'm looking at you, Fortune 1000 companies," he wrote in the letter.
Open source software is used by both startups and big corporations for no cost, but it may be time for them to chip in.
This is precisely the wrong attitude to take, Steve. Know why? Google caught your mistake and patched their shit before the flaw was public knowledge. You might want to chat with Google and see if they'll tell you how they did that.
Henson apparently failed to notice a bug in Seggelmann's implementation, and introduced the flawed code into OpenSSL's source code repository on December 31, 2011.
...
Neel Mehta of Google's security team reported Heartbleed on April 1, 2014.
OpenSSL is about half a million lines of code. By comparison, MS Word has a few million, Windows 8 has about 50M. That being said, I've had code reviews at work where 5-6 sets of eyes plus the author missed bad logic. Sometimes it's not even 100 or 10 lines of change.
My observations about security thus far:
1) Few to no companies take it seriously until they get hammered hard enough to get in the news.
2) Few to no developers, be they open source pro bono workers or FTEs, do enough white/black hat testing.
3) This particular bug is a way to attack old-ass languages like C, which is OpenSSL's implementation. I should really say "the primary way." Why maintain a security library built on fundamentally insecure code? It's like looking after the dusty temple of some long-forgotten religion. Fucking sunset C.