[171008] in North American Network Operators' Group
Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
daemon@ATHENA.MIT.EDU (Michael Thomas)
Mon Apr 14 19:19:41 2014
Date: Mon, 14 Apr 2014 16:14:17 -0700
From: Michael Thomas <mike@mtcc.com>
To: nanog@nanog.org
In-Reply-To: <m2bnw3ecka.wl%randy@psg.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 4/14/14 4:06 PM, Randy Bush wrote:
>>> for those you can blame the vendor. this one is owned by the
>>> community. it falls on us to try to lower the probability of a next
>>> one by actively auditing source as our civic duty.
>> is that kind of like jury duty? if only it were more like literature,
>> which we could read for enjoyment.
> true. also, as someone whacked me, far too many networkers can not read
> code at all.
>
>
It's much, much worse than that. I can still read code plenty fine, but bugs can be
extremely obscure, and triply so with convoluted security code where people are
actively going after you to find problems in the most inventive ways. OpenSSL, etc.,
probably need to be treated more like Mars landers than the typical GitHub forkfest.
Mike