[wplug] OpenSSL security vulnerability

Tom Rhodes trhodes at FreeBSD.org
Fri May 16 18:17:56 EDT 2008


On Fri, 16 May 2008 09:18:41 -0400
Christopher DeMarco <demarco at maya.com> wrote:

> On Fri, May 16, 2008 at 01:30:08AM -0400, Zach wrote:
> 
> > Well that was rather dumb. What is the name of the genius who made
> > this code change and why did it take TWO YEARS to discover this
> > flaw?
> 
> Rather than nailing people to trees, let's all PayPal the person who
> *un*covered it.  And the Ubuntu folks who responded with a fast
> ssh-vulnkey et.al. need some e-beer as well.

Not completely how it works - speaking as a former member of the
FreeBSD Security team AND past member of the Samba security team.[1]

Sometimes the flaw is uncovered by a project developer or member,
that's great.  The right people can be notified, reproduce the
flaw, design and test a patch, plan for the announcement, and handle
issues accordingly.  Unfortunately, there are cases of common users
finding out and accidentally mailing the information to a list.
This can cause insta-panic for the project.  But it does get the
wheels moving rather quickly.

In some other cases, you get some lonely college kid who wants
to make a name for themselves threaten to expose the issue on
a security related mailing list or vastly popular web site.
Normally those cases mean someone wants to feel important for
a few hours out of the day, and it gives them power to feel they
have the "project at their mercy" for a few moments.  A lot of
times they aren't that malicious - I only remember once or
twice about this happening.  And at least once it was more of
an issue of local versus remote exploit.

Some people are pretty strange ...


[1]: Actually, not really a member, more of a non-member on their
private security vulnerability mailing list for the interest of
FreeBSD and another company - had the opportunity to make comments
on patches and situations, etc.  Jerry is a nice guy.  :P

-- 
Tom Rhodes
