

Heartbleed Bug's 'Voluntary' Origins - T-A
http://online.wsj.com/news/articles/SB10001424052702303873604579495362672447986

======
simonster
The article seems to suggest that there is something unreasonable about
Stephen Henson's "Before you email me..." page on his website, which is here:
[http://www.drh-consultancy.demon.co.uk/contact.html](http://www.drh-consultancy.demon.co.uk/contact.html)

It turns out that the way that he "compares his responsibilities to those of
Bill Gates when he managed Microsoft" is by stating:

> The occasional person sends this query to both mailing lists (in almost all
> cases only one mailing list is appropriate) and when they do not get an
> immediate response email the entire core and development team. Presumably this
> is the same kind of person that emails Bill Gates whenever they have a Windows
> problem.

Emailing open source developers who you do not know at their personal email
addresses is rarely appropriate when a public mailing list for the project
exists. The tone is a little prickly but what Henson says seems reasonable to
me.

------
PhantomGremlin
I hate articles like this. They're so one sided. Here's a money quote: "Errors
in complex code are inevitable". Even the headline sets the same tone and
calls the flaw a "fluke". Oops, this programming stuff is hard, be thankful
that it "works" at all.

Bullshit. There's something that was left unsaid in the article, specifically
"best practices". Why wasn't the length validated at all? There's nothing new
or "complex" about simple defensive programming. How can anyone (even a part
timer) working on software that's so security critical be so clueless? Forget
about more obscure stuff like the full disclosure mailing list, just reading
CERT alerts should make this abundantly clear to anyone in security. Hell, the
xkcd cartoon [1] makes it abundantly clear. If you can't take that cartoon to
heart, you have _no_ business writing Internet facing software.

I think Marco Peereboom got it right oh so many years ago when he said that
OpenSSL was written by monkeys. [2]

However, the article does get something right. It's insane that something so
critical to internet commerce is essentially a hobby project by a few people
mostly in their spare time. That's not simply crazy, that's totally fucking
insane. That's the biggest takeaway of this entire fiasco.

[1] [http://xkcd.com/327/](http://xkcd.com/327/)

[2] [https://news.ycombinator.com/item?id=7556407](https://news.ycombinator.com/item?id=7556407)
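As an added example (not from the article or from any comment in this thread), the length check the comment above says was missing, written from the receiving side. The message layout is an assumption modelled on the heartbeat message format of RFC 6520 (type byte, two-byte big-endian payload length, payload, at least 16 bytes of padding); the two sample records are constructed for this example, and the parser rejects the one whose declared length exceeds the bytes actually received before any copy happens.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed message layout, an assumption modelled on the TLS heartbeat
 * message of RFC 6520: one type byte, a two-byte big-endian payload_length,
 * payload_length bytes of payload, then at least 16 bytes of padding. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define HB_MAX_RECORD  512  /* example-only cap on accepted record size */

enum hb_result {
    HB_OK = 0,
    HB_ERR_RECORD_TOO_LARGE,   /* more bytes than we are willing to handle */
    HB_ERR_RECORD_TOO_SHORT,   /* cannot even hold header plus padding */
    HB_ERR_LENGTH_OVERSTATED,  /* payload_length exceeds bytes actually held */
    HB_ERR_OUTPUT_TOO_SMALL    /* caller's buffer cannot hold the payload */
};

/* Parse a heartbeat-style record of rec_len bytes. Copies the payload into
 * out (capacity out_cap) only after every length has been checked against
 * the bytes that really exist; on any error nothing is copied. */
enum hb_result hb_parse(const uint8_t *rec, size_t rec_len,
                        uint8_t *out, size_t out_cap, size_t *out_len)
{
    *out_len = 0;
    if (rec_len > HB_MAX_RECORD)
        return HB_ERR_RECORD_TOO_LARGE;
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_ERR_RECORD_TOO_SHORT;

    size_t declared = ((size_t)rec[1] << 8) | rec[2];

    /* The sender's declared length is untrusted: it must fit inside what we
     * received, with the mandatory padding still accounted for. RFC 6520
     * says to discard such a message silently; here the reason is returned
     * so the caller can log it. */
    if (declared > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return HB_ERR_LENGTH_OVERSTATED;
    if (declared > out_cap)
        return HB_ERR_OUTPUT_TOO_SMALL;

    memcpy(out, rec + HB_HEADER_LEN, declared);  /* bounded by both checks */
    *out_len = declared;
    return HB_OK;
}

/* Constructed sample: type 1, payload_length 5, "hello", 16 bytes padding. */
static const uint8_t SAMPLE_GOOD[] = {
    0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Constructed sample: the same 24 bytes, but payload_length claims 65535. */
static const uint8_t SAMPLE_OVERSTATED[] = {
    0x01, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Returns the parsed payload length for the good sample, or -1 on any
 * failure, including a payload that does not match the bytes sent. */
int parse_good_payload_len(void)
{
    uint8_t buf[64];
    size_t n;
    if (hb_parse(SAMPLE_GOOD, sizeof SAMPLE_GOOD, buf, sizeof buf, &n) != HB_OK)
        return -1;
    if (n != 5 || memcmp(buf, "hello", 5) != 0)
        return -1;
    return (int)n;
}

/* Returns the result code the parser gives the overstated sample. */
int parse_overstated_result(void)
{
    uint8_t buf[64];
    size_t n;
    return (int)hb_parse(SAMPLE_OVERSTATED, sizeof SAMPLE_OVERSTATED,
                         buf, sizeof buf, &n);
}

int main(void)
{
    printf("good record: payload length %d\n", parse_good_payload_len());
    printf("overstated record: result code %d (expect %d)\n",
           parse_overstated_result(), HB_ERR_LENGTH_OVERSTATED);
    return 0;
}
```

The point of the wrapper is that `memcpy` never sees a length that was not first compared against `rec_len`, the only length the receiver actually knows to be true; the declared field is treated as a claim to be verified, not a fact.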

~~~
stcredzero
_Bullshit. There's something that was left unsaid in the article,
specifically "best practices"._

If the NTSB used the "best practices" mantra like the software industry did,
then there would be no stick shakers, ground proximity warnings, and collision
avoidance systems. Thousands more would be dead without such automation. It's
amazing that the _software_ industry so often responds to such problems by
saying we programmers should do one more thing, and do it consistently without
fail. (Then no concrete steps are taken.) Aren't programs better suited to
such tasks? We should be using languages or libraries that are memory-safe and
give us automatic means of avoiding timing attacks.

When we in the software industry fix widespread safety issues, our answer
shouldn't be, "we should've done X, those people are to blame for not doing X,
let's all just do it from here on out." If we were fire marshals, there would
be no mandatory fire alarms, emergency exits, and occupancy regulations.
Instead we'd "tsk tsk" and talk about how those poor victims were "doing it
wrong."

If governments were exploiting this bug, they were doing the opposite of what
they should've been doing: fixing it once and for all. I've read several users
comment that an Ada implementation of TLS would avoid the same class of errors
entirely.

~~~
PhantomGremlin
> Aren't programs better suited to such tasks?

You're absolutely right. "Wetware" is highly imperfect; widespread adoption of
better tools is essential.

> I've read several users comment that an Ada implementation of TLS would
> avoid the same class of errors entirely.

I don't know Ada, but at least according to Wiki it is much more suitable for
this sort of programming [1] than using C. So why isn't Ada more popular?
Perhaps its time has passed? I do see frequent mention here on HN of other,
more recent languages with similar goals.

[1] [http://en.wikipedia.org/wiki/Ada_%28programming_language%29#Features](http://en.wikipedia.org/wiki/Ada_%28programming_language%29#Features)

------
lifeisstillgood
I struggle to work out the tone here :

it varies from "My god we are all dependent on half a dozen volunteers" to
"why doesn't someone pay these guys?" to "what a bunch of fools - we cannot
all use the same code"

~~~
stcredzero
All using the same code would've been smart -- if everyone who depended on
that code had been actively aware and contributing to their own rational self
interest. Like so many others, I just took it for granted and assumed the
OpenSSL guys knew what they were doing. Putting all your eggs in one basket
isn't necessarily foolish, if it's some kind of armored, padded, exquisitely
engineered basket. It is, if it's a rickety volunteer-made basket.

~~~
michaelt

> Like so many others, I just took it for granted and
> assumed the OpenSSL guys knew what they were doing.

While the mantra "don't work on your own security code, you'll get it wrong,
use a library instead" is generally good advice for programmers, I imagine it
makes it harder for the libraries to recruit contributors.

------
logn
>Last decade, Steve Marquess, a former U.S. Defense Department consultant
living in Maryland, started the OpenSSL Software Foundation to secure
donations and consulting contracts for the group.

That's kind of like a former Christian preacher living in Alabama raising
money for Planned Parenthood.

~~~
dTal
>That's kind of like a former Christian preacher living in Alabama raising
money for Planned Parenthood.

Courageous and admirable, you mean?

