On 11/04/2014 17:50 pm, Jeffrey Walton wrote:
> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>
> The U.S. National Security Agency knew for at least two years about a
> flaw in the way that many websites send sensitive information, now
> dubbed the Heartbleed bug, and regularly used it to gather critical
> intelligence, two people familiar with the matter said.

Bingo! What lessons are we picking up from this? Here's what I'm feeling so far, flame away:

1. Score 1 up for closed source. Although this bug would equally exist in closed source, the likelihood of discovery, publication and exploitation is much lower.

2. Score another 1 up for interpreted languages that handle array allocation cleanly. This is more or less a buffer overflow, in a wider sense.

3. We have evidence of NSA exploitation in the above, and there was another prior indication that was suggested to be agency.
https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013

4. This should put to rest any silly claims that the NSA put the bug into play themselves. The programmer and the reviewer missed it.

5. I've seen no evidence yet of attacker-inflicted damages, nor of new exploits, but it's only been a week.

> The NSA's decision to keep the bug secret in pursuit of national
> security interests threatens to renew the rancorous debate over the
> role of the government's top computer experts.

6. It is becoming clearer that the NSA's mission is offensive first, defensive ever? They aren't our friends; they might be our enemy. This has an impact on all sorts of cooperation questions (NIST, IETF).

> Heartbleed appears to be one of the biggest glitches in the Internet's
> history, a flaw in the basic security of as many as two-thirds of the
> world's websites.

7. In contrast to damages, the rework bill is immense. All those sites multiplied by average refit cost.
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
http://happyplace.someecards.com/30541/the-heartbleed-bug-which-sites-you-should-change-your-passwords-for-and-how-to-panic

Does anyone have a view as to the average cost to refit?

iang

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
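Point 2 above calls Heartbleed "more or less a buffer overflow"; the defect was a missing bounds check on a length field. The following is an added example, not code from the thread or from OpenSSL: a heartbeat responder that performs the check the vulnerable code lacked, assuming the RFC 6520 record layout (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding) and constructed sample records.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define HB_PADDING 16   /* minimum padding RFC 6520 requires after the payload */

/* Validate a heartbeat record of record_len bytes: store the declared payload
 * length in *payload_len and return 1, or 0 when it does not fit the bytes
 * actually received. */
int heartbeat_check(const uint8_t *rec, size_t record_len, size_t *payload_len)
{
    if (record_len < 1 + 2 + HB_PADDING)
        return 0;                          /* too short to hold the header */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    /* The check the vulnerable code lacked: it trusted `declared` and copied
     * that many bytes from a buffer holding far fewer, so the reply carried
     * adjacent process memory. */
    if (1 + 2 + declared + HB_PADDING > record_len)
        return 0;                          /* discard silently, as the fix does */
    *payload_len = declared;
    return 1;
}

/* Build the echo reply in out, copying only bytes the record carries.
 * Returns the reply length, or 0 if the record is rejected or out is small. */
size_t heartbeat_reply(const uint8_t *rec, size_t record_len,
                       uint8_t *out, size_t out_cap)
{
    size_t plen;
    if (!heartbeat_check(rec, record_len, &plen))
        return 0;
    size_t need = 1 + 2 + plen + HB_PADDING;
    if (need > out_cap)
        return 0;
    out[0] = 2;                            /* heartbeat_response */
    out[1] = rec[1]; out[2] = rec[2];      /* echo the length field */
    memcpy(out + 3, rec + 3, plen);
    memset(out + 3 + plen, 0, HB_PADDING); /* padding; random bytes in practice */
    return need;
}

int main(void)
{
    /* Constructed records: a well-formed 4-byte payload, and one declaring
     * 0x4000 payload bytes while carrying only 4 (length 23 = 1+2+4+16). */
    uint8_t good[23] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t bad[23]  = {1, 0x40, 0x00, 'p', 'i', 'n', 'g'};
    uint8_t reply[64];
    printf("good: %zu bytes, bad: %zu bytes\n",
           heartbeat_reply(good, sizeof good, reply, sizeof reply),
           heartbeat_reply(bad, sizeof bad, reply, sizeof reply));
    return 0;
}
```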
