[170947] in North American Network Operators' Group
RE: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
daemon@ATHENA.MIT.EDU (Thijs Stuurman)
Mon Apr 14 10:56:16 2014
From: Thijs Stuurman <Thijs.Stuurman@is.nl>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Mon, 14 Apr 2014 14:55:49 +0000
In-Reply-To: <20140413165250.GI36211@burnout.tpb.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I applaud their effort but please see https://blogs.akamai.com/2014/04/heartbleed-update-v3.html
&
http://lekkertech.net/akamai.txt
Kind regards,
IS Group
Thijs Stuurman
-----Original message-----
From: Niels Bakker [mailto:niels=nanog@bakker.net]
Sent: Sunday, April 13, 2014 6:53 PM
To: nanog@nanog.org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
* randy@psg.com (Randy Bush) [Sun 13 Apr 2014, 16:52 CEST]:
>>>the point of open source is that the community is supposed to be
>>>doing this. we failed.
>>Versus all of the closed source bugs that nobody can know of or do
>>anything about?
>for those you can blame the vendor.
BSAFE is almost worse if you go by the recent advisories that have been released about it. Many vendors incorporated OpenSSL into their products and sold the result for commercial profit without doing (in retrospect) enough due diligence. Besides, having a third party to blame doesn't make our data safer...
At least one vendor, Akamai, is helping out now:
http://marc.info/?l=openssl-users&m=139723710923076&w=2
I hope other vendors will follow suit.
>this one is owned by the community. it falls on us to try to lower the
>probability of a next one by actively auditing source as our civic
>duty.
I donated some money to the OpenSSL project and hope others will do, or have already done, the same. It's clear that they are internet infrastructure and need more support.
-- Niels.