New Bug Found in Widely Used OpenSSL Encryption - plg
http://bits.blogs.nytimes.com/2014/06/05/new-bug-found-in-widely-used-openssl-encryption

======
was_hellbanned
_But, in reality, OpenSSL had only one full-time developer and three “core”
volunteer programmers in Europe, and operated on a budget of $2,000 in annual
donations. This, despite the fact that OpenSSL is used to encrypt the majority
of the world’s web servers and widely used by technology companies such as
Amazon and Cisco._

There's an interesting statement from our times.

~~~
x0x0
in the sense that it is utterly wrong, I suppose so...

in reality, openssl appears to be a $1mm+/year for-profit fips consulting
business [1] that appears to not care much about security, letting serious
security issues sit in their bug tracker for years on end

[1] http://www.youtube.com/watch?v=GnBbhXBDmwU#t=559

~~~
justizin
they only get paid for implementing fips-related security features, which is
an important job. they would love to spend more time on core security and have
already tooled up to.

they went into the consulting biz to pay for the maintenance of openssl, but
it hasn't panned out well until recently.

it's petty to take something done with great dedication and provided for free,
with freedom, and demonize them. where are YOUR commits?

~~~
jurjenh
I'm pretty sure the implication is that the big corporates don't care a hoot
about open source, the ethics or the model - they'll just take it, the cheaper
the better.

The principle and supposed ethic is to share and have some reciprocity - the
reality is somewhat different. And we all suffer. Tragedy of the commons, I
guess...

~~~
lupin_sansei
I'd like to see a campaign and a web page to encourage big companies to donate
to open source projects, and to display their donations publicly.

------
Shorel
This means the security researchers are actually studying and trying to fix
OpenSSL.

I think it's good news.

~~~
bradford
There are many applications/areas where finding and fixing bugs is 'good
news'. Cryptography isn't one of them. Stakeholders really expect this stuff
to work before relying on it, and I can't imagine anyone is happy about a
10-year old vulnerability.

I'm certainly interested in hearing further analysis on this.

~~~
meowface
It's good news that researchers are finding them instead of black hats. The
only bad part is that OpenSSL has many more implementation flaws than a
serious crypto project should.

~~~
mikeyouse
> It's good news that researchers are finding them instead of black hats.

Of course, black hats could have already known about these exploits for
years.