On 04/11/2014 03:51 PM, ianG wrote:
> On 11/04/2014 17:50 pm, Jeffrey Walton wrote:
>> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>>
>> The U.S. National Security Agency knew for at least two years about a
>> flaw in the way that many websites send sensitive information, now
>> dubbed the Heartbleed bug, and regularly used it to gather critical
>> intelligence, two people familiar with the matter said.
>
> 1.  Score 1 up for closed source.  Although this bug would equally
> exist in closed source, the likelihood of discovery, publication and
> exploitation is much lower.

Isn't that a naive assumption?  Every US-based company that has anything
to do with crypto has to send in its source code to a special address
before it can be granted a License Exception (US BIS rules) to export
to foreign customers.  (The only exception is open source, whose
creators must still notify a special e-mail address about the new FOSS.)
In either case, the NSA knows about it.

Is it any less bad that only the NSA might have exploited unknown
loopholes than random attackers after your money?  They're undermining
trust in the internet, which is now a multi-billion (perhaps even a
trillion) dollar industry involving millions of jobs.  Given that the
US is probably the largest creator of technology products, the end
result is likely to be a boon for technology companies around the world
as US jobs are lost due to lost exports.

As I see it, only open-source software has a chance to be trusted since
users can see what they're deploying; of course, it has to be verified,
but that was always true.

Arshad Noor
StrongAuth, Inc.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography