[[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
On April 16, 2014 at 15:34 jason.iannone at gmail.com (Jason Iannone) wrote:
> I can't cite chapter and verse but I seem to remember this zeroing
> problem was solved decades ago by just introducing a bit which said
> this chunk of memory or disk is new (to this process) and not zeroed
> but if there's any attempt to actually access it then read it back as
> if it were filled with zeros, or alternatively zero it.
Those were my words.
I was talking about kernel memory/disk management.
And then Jason Iannone...
> Isn't that a result of the language? Low level languages give that
> power to the author rather than assuming any responsibility. Hacker
> News had a fairly in-depth discussion regarding the nature of C with
> some convincing opinions as to why it's not exactly the right tool to
> build this sort of system with. The gist, forcing the author of a
> monster like OpenSSL to manage memory is a problem.
This is a potentially huge discussion with many dimensions.
A library like OpenSSL is intended to fit into a huge software
ecosystem, much of which is already written in C.
Writing it in another language (other than perhaps C++) would require
a cross-language API or similar (e.g., IPC) which introduces other
issues.
So, oftentimes you use a three-prong plug because you are faced with
three-prong receptacles and rebuilding the entire building to a new
standard just isn't practical even if you believe the result presents
a potential shock hazard.
And, if I may editorialize, there's a reason most of that ecosystem is
built in C; it's not only legacy. Other languages have their own
shortcomings; you can't just consider one aspect.
--
-Barry Shein
The World | bzs at TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
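
The zero-on-first-access behaviour described in the first quoted paragraph, shown as an added example that is not part of the original message: memory returned to the kernel and mapped again reads back as zeros, while a buffer recycled inside the process does not unless it is wiped on release. The example goes one step beyond the message by including the in-process case; `slot`, `pool_reuse_is_zeroed` and the sample data are hypothetical names and constructed values.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes MAP_ANONYMOUS under strict -std modes */
#endif
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define REGION 4096              /* constructed size: one typical page */
static unsigned char slot[64];   /* hypothetical one-buffer pool */

static int all_zero(const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0) return 0;
    return 1;
}

static unsigned char *fresh_pages(void) {   /* new anonymous mapping */
    void *p = mmap(NULL, REGION, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : (unsigned char *)p;
}

/* Fill pages with data, return them to the kernel, map again.
   Returns 1 if the new mapping reads back as zeros, -1 on mmap failure. */
int kernel_remap_is_zeroed(void) {
    unsigned char *a = fresh_pages();
    if (!a) return -1;
    memset(a, 'S', REGION);      /* constructed stand-in for sensitive data */
    munmap(a, REGION);
    unsigned char *b = fresh_pages();
    if (!b) return -1;
    int zeroed = all_zero(b, REGION);
    munmap(b, REGION);
    return zeroed;
}

/* Recycle a buffer inside the process; the kernel never sees the hand-off.
   Returns 1 if the next owner sees zeros. scrub != 0 wipes on release. */
int pool_reuse_is_zeroed(int scrub) {
    memset(slot, 0, sizeof slot);                 /* known starting state */
    memcpy(slot, "constructed-secret", 18);       /* first owner writes */
    if (scrub) memset(slot, 0, sizeof slot);      /* release, optionally wiped */
    return all_zero(slot, sizeof slot);           /* second owner reads */
}

int main(void) {
    printf("kernel remap zeroed: %d\n", kernel_remap_is_zeroed());
    printf("pool reuse zeroed (no scrub): %d\n", pool_reuse_is_zeroed(0));
    printf("pool reuse zeroed (scrub): %d\n", pool_reuse_is_zeroed(1));
    return 0;
}
```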