SSL

Heartbeat

 * https://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa/
 * http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
 * http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

And it should be noted that this ‘bug’ was not found by peer-review of code, it was found by a defense contractor in Finland. And from what I understand it wasn’t found by them via code review either. It was discovered using a tool that employs fuzzy intrusion detection. Probably they detected private data in the upstream, and tracked it down from there. I’ll bet it took them awhile to find where it was coming from in OpenSSL’s code even so.

A few links I picked up on Slashdot’s (woefully incomplete) discussion on this. Everyone on Slashdot assumed this SSL exploit was discovered from peer review of code – no mention of Finland defense contractor and Google shenanigans I covered in comments above.

The relevant code and the fix – this is ineffective (and obviously deliberate hack – to allow a remote to control memory access with no checking). seancassidy openssl bug. Sean states that we must "...Pay money for security audits of critical security infrastructure like OpenSSL...". See Sean Cassidy Test your (any) server filippo heartbleed (from comment here “In the quick tests I did on login.yahoo.com (used for Yahoo’s email and probably all other Yahoo services), I saw three different user’s passwords and at least part of their usernames. And you can just sit there refreshing the page to see more! ”) This is probably the biggest web vulnerability affecting Linux ever. UPDATE: There’s a more comprehensive test site here (from Yahoo’s article on the bug). https://www.yahoo.com/tech/heres-what-you-need-to-know-about-the-heartbleed-bug-82120054478.html

"....Both Robin Seggelmann (who also coauthored the Heartbeat RFC, so not just a flunky there) and his code reviewer Dr Stephen Henson (a security consultant in the UK, another major hub) should NEVER be permitted anywhere near security-related code again, because if they are not owned by some agency, which is highly unlikely, they have proven they are WILDLY incompetent for such work. Unless these developers who introduce these intrusions are take out of circulation one by one, nothing will change. But that will never happen – they’ll likely be promoted. And there are MANY more plants like them...." (this is a quote from the article on igurublog)

Fun fact: MirBSD voluntarily sticks with old OpenSSL. OpenBSD switched two(?) releases ago, and got vulnerabled. One OpenBSD ports committer sits in GNOME, trying to get the others to agree to keep it buildable on the BSDs, too. Makes me wonder if they’ll keep BSD init. (I am considering packaging BSD init for Debian…)

The Chinese military however seems to be running some hardened BSD variant http://www.freebsdnews.net/2011/01/04/kylin-chinese-freebsd-based-secure-os/

I realize people in computers have trouble digesting this answer, as they are used to quick fixes. Yet in this case the problem has no easy fix – if you (we) want a fix, we will have to create one, pretty much from the ground up. And its not just a technological challenge, it’s a social and political one, because no one person can write and maintain an OS by themselves, and any collaborative efforts are socially sabotaged. This utter failure in Linux security shows just how completely worthless many of its ‘security experts’ are – and having dealt with them in various areas, I have always gathered that.This is largely not a technological problem. OSes could be built very differently if there was social, political and even financial support for such changes. Raising these discussions widely, and keeping on track and focused on the real problems they present is very important. No deep technical knowledge required – just repost articles like this and call out the people and trolls who try to downplay them. Be vocal and insistent. And remember, what you use, you support. Use and where applicable buy (or donate money to) developers who are helping the situation. Promote change.

Normally I wouldn’t even link to that Wired spin article, which goes on to tell us how the NSA is doing no such thing and there’s nothing to worry about, go back to sleep. They certainly would never think of bribes and blackmail, from Wired’s watered-down perspective. https://www.wired.com/2014/04/nsa-heartbleed/