
On 7/05/2014 9:27 PM, Julien Goodwin wrote:
> On 07/05/14 12:31, Trent W. Buck wrote:
>> The *only* reason heartbleed is getting mainstream media attention, is because the researchers invested more effort into registering a catchy domain name and designing a cute logo, than on responsible disclosure.
>
> Given they're my coworkers I take umbrage to that. The Finnish team who (apparently) rediscovered this after it was already disclosed to the OpenSSL team by researchers at Google did do some of the publicity, but by that point the patch was already ready; the OpenSSL team were simply taking time on the release to try and coordinate it.
>
> I've seen nothing showing anything but responsible disclosure from all sides on this issue (others, even others involving Google researchers, sure).

I have no problem with how the disclosure was handled. In fact I think it was handled very, very well. There have been reports and denials about the NSA using the bug... guess we'll never know the answer to that.

But I did hear about one server/service that somehow manages to keep every single data packet to/from them -- they analyzed those packets and found evidence of the exploit in play. Wish I had the reference, but that makes it more interesting and scary. Ordinarily no such traffic capture is available, and the logs themselves don't give any hint of an exploit having been attempted (success or failure).

Cheers
A.