Thread: Heartbleed (OpenSSL exploit)
04-13-14, 09:38 AM #11
Re: Heartbleed (OpenSSL exploit)
It is a strength of the open source model.
Programmers make mistakes. Software has bugs. No model fixes that problem.
[optimists among us would say "no model fixes that problem yet"]
There are upsides and downsides to both open- and closed-source models. Because of the nature of closed source, there are lots of interesting comparisons that can't be made; half the data isn't available. But we do know of many examples of catastrophic security bugs in closed-source software that went unfixed for much longer than two years. We have examples of security bugs that were known by the vendor but kept secret from vulnerable parties.
As soon as this bug was discovered it was announced and fixed. The response to the problem was exactly what you hope all responses could be: everyone was told how the bug worked, everyone was told how to fix it, and everyone was told what possible damage had been done.
Heartbleed Bug
What Heartbleed Can Teach The OSS Community About Marketing | Kalzumeus Software
Cheers,
AetheLove
04-13-14, 02:11 PM #12
Re: Heartbleed (OpenSSL exploit)
To Gumby's point, though, one of the problems that open source creates is a process problem. Projects operate with the same political pressures as companies or any other large group. The guy who checked this bug into the code was well known, and as a result his code was trusted almost implicitly.
It takes a lot of discipline to run an OSS project, and you almost need a dictator, a la Linus Torvalds. OpenSSL was using something more akin to the bazaar model, which is fine for projects that aren't mission critical.
tl;dr The problem wasn't that a mistake was made; the problem was the process OpenSSL uses.
-H
04-14-14, 09:24 PM #13
Re: Heartbleed (OpenSSL exploit)
Supposedly (if you believe anonymous sources) the NSA found it a couple of years ago. They just decided not to speak up.
Report: NSA Used Heartbleed to Spy on People for Years