[170897] in North American Network Operators' Group


Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

daemon@ATHENA.MIT.EDU (William Herrin)
Fri Apr 11 21:03:59 2014

In-Reply-To: <53486C44.6080304@alter3d.ca>
From: William Herrin <bill@herrin.us>
Date: Fri, 11 Apr 2014 21:03:10 -0400
To: Peter Kristolaitis <alter3d@alter3d.ca>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Fri, Apr 11, 2014 at 6:27 PM, Peter Kristolaitis <alter3d@alter3d.ca> wrote:
> I would imagine that federal contractors have to adhere to FIPS 140-2
> standards (or some similar requirement) for sensitive environments, and none
> of the affected OpenSSL versions were certified to any FIPS standard... the
> last version that WAS certified (0.9.8j) is only rated to Level 1, which,
> being the lowest possible rating, I suspect is not permitted for use by NSA
> contractors -- they're probably required to use level 3 or 4 for everything.

Some of the time, sure. And some of the time they buy Red Hat Linux
off the shelf like everybody else. They have budgets too. They can't
do everything at the highest protection level. Or did you think they
were above and immune to the ordinary business realities of the 21st
century?

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

