Little Progress Has Been Made Toward Preventing the Next Heartbleed

Discussion in 'other security issues & news' started by lotuseclat79, Aug 12, 2014.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,149
    Location:
    UK
    I don't see this changing unless, as it mentions in the article, commercial companies who use open source libraries are made legally liable. So that, for example, they would be considered negligent if bugs arose in software libraries they used but hadn't audited, or hadn't some form of support contract. Won't happen because of the craven behavior of politicians towards corporates.

    A decent infusion of money would improve quality and fix rate fairly quickly.
     
  3. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    The real progress is the progress LibreSSL is making to become a viable replacement.

    Throwing money at crappy developers doesn't improve crappy code; you'd need to hire better people altogether or teach the current ones. Those better people are already working on a better project, LibreSSL.

    To be clear, a lack of funding isn't what caused OpenSSL to be an abomination, it just kept it undermanned. There are many good projects in the world that are also undermanned.
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,149
    Location:
    UK
    Well, Truecrypt was very well-coded by accounts I've heard, but needed crowdfunding to audit, and didn't entice the developers sufficiently to continue. And it's stopped development.

    It's not point libraries or projects that's the problem either; it goes from soup to nuts to make a solid base for our computing and communications so that no-one without a warrant gets to see anything. Every darn thing in security is needlessly hard, and it only needs one slip.

    People have to eat, and it's a hard call when your family needs resources and you tell them you don't have time or money enough - or else you can work for some corporate or the security services for a fat pay-check and weaken encryption and attack the population and allies. Talk about Faustian. There's a huge amount of resources on the bad-guy side, and not enough representing the interests of the population.
     
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Well, I'm not against paying people to work on open source projects, just in case you thought that. I just think the funding is going to the wrong place.
     