A couple of observations about Heartbleed:
- It was a bug in open source software that is widely used, released under a public microscope and carefully/constantly reviewed by dedicated experts. Yet the bug was around for two years before it was publicly exposed. No, I'm not putting down open source. I still think it's a great way to do things, especially from a security standpoint. Just pointing out that it's not magically perfect. Problems can still go unnoticed.
- It went publicly unnoticed, but the NSA knew about it and exploited it for most or all of that two years. So you can bet that other governments' intelligence agencies did too. QED, when the US government huffs and puffs about its dedication to "cyber security," they're blowing smoke up your ass. If they identify a dangerous flaw in widely used Internet software, they don't broadcast it so it can be fixed, they just exploit it, knowing that the Chinese, the Russians, et al. are exploiting it too.
The only really good thing to come out of this is that with the fix, NSA has had a spy door slammed shut in its face.