On Fri, 11 Apr 2014, Phil Pennock wrote:
On 2014-04-11 at 21:19 +0100, Hazel wrote:
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
"The U.S. National Security Agency knew for at least two years about a flaw
in the way that many websites send sensitive information, now dubbed the
Heartbleed bug, and regularly used it to gather critical intelligence, two
people familiar with the matter said."
I'll address this, but below I'll return to something more constructive
for helping people now.
Who may or may not have known of the vulnerability has longer term
consequences, including how some of us might vote on certain matters,
but doesn't really change the situation now. I will note that the
problem was inserted by a German and the BND are more than capable of
running their own operations without needing help from American
agencies, so _if_ I were to have alcohol near to hand, for cynical
speculation, that's where I'd start.
It's not a verified account, but:
https://twitter.com/nsa_pao/status/454720059156754434
Statement: NSA was not aware of the recently identified Heartbleed
vulnerability until it was made public.
https://twitter.com/nsa_pao/
Official page of the NSA Public Affairs Office. The National
Security Agency/Central Security Service is home to America's
codemakers and codebreakers.
Given that they have been caught directly lying to Congress, it's a bit hard to
just believe their denials.
On the other hand, Bloomberg isn't the most reliable of sources either.
But as you say, that really doesn't affect the tactical "what do I need to do
now" question.
David Lang
P.S. For what little it's worth, I think the idea that this is a deliberate bug
is tinfoil hat worthy.
On the other hand, if the NSA and others _don't_ have teams of people watching
the commit logs of major projects like openssl, trying to evaluate each patch
for bugs, I would say that they are incompetent. Open source libraries like this
are used too widely for them _not_ to look for bugs in them. Now, the question
of what they should do when they find such bugs is a different can of worms.
David Lang
Separately, a friend and I put together a page with explanations,
advice on related topics, and a list of vendor statements, and we take
pull requests to improve the list. :)
https://cardiac-surgery.github.io/
That may help as something to point people to?
-Phil
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/