#HeartBleed

Herzmut 🏳️‍🌈 (@herzmut@23.social)
2025-03-26

Remind me again why our critical infrastructure on the net, like #letsencrypt or #OpenVPN, was dependent on the US government?

At some point, after #Heartbleed and the #GnuPG crisis, there is no need to quote Snowden anymore either, when the one conclusion that was not drawn from all of that is that open source development also costs money.

And that it is best not to leave that solely to a government that changes every four years.

#KRITIS #Privacy #Tor

2025-02-19

Now Simon Moore from the #UniversityOfCambridge (but on sabbatical at Victoria University Wellington) is talking about architecture security features with #CHERI
To mitigate #MemorySafety bugs like #HeartBleed

#mw25nz

A speaker stands at a podium in front of a presentation slide titled "Making computers fundamentally more secure: the CHERI approach." The setting is a conference with banners for "Multicore World" and "OpenParallel."

Slide showing the microarchitecture details of the CHERI implementation in a RISC-V core
Benjamin Carr, Ph.D. 👨🏻‍💻🧬 (@BenjaminHCCarr@hachyderm.io)
2024-11-04

How to make #opensource #software more secure
The #xz attack, which followed other well-known cybersecurity incidents involving open source software like #Heartbleed, #Shellshock, and #Log4j, was another stark reminder that open source software, given how widespread it is, can pose significant #security risks.  
techcrunch.com/2024/11/01/how- #itsec

When I said we need some real bugs again, I did not mean this #Heartbleed ordered from #Wish

jbp.io/2024/06/27/cve-2024-553

2024-04-29

Follow up to my first #Heartbleed article, this time with an interview with OpenSSF GM Omkhar Arasaratnam to discuss the security of open source 10 years on. Looking at whether we are too reliant on the volunteered hours of maintainers, asking if the space is clouded with for-profit offerings, and who is looking after the health of those maintainers?

insight.scmagazineuk.com/open-

2024-04-15

New from me at SC UK:

This month marks 10 years since #Heartbleed was disclosed, and #cybersecurity had to react fast. I talked to CISO Neil Thacker and Synopsys - who acquired Codenomicon (who discovered the OpenSSL bug) - about lessons learned over the past decade about open source code bases, patching and vulnerabilities.

insight.scmagazineuk.com/ten-y

Xnet (@X_net)
2024-04-09

This parasitism causes precarity, burnout and frustration among developers and leads to global security problems such as

That is why our authorities are considering forcing BigTech to contribute… NO! They are considering forcing volunteers to maintain it 🤯

Otto (@ottok)
2024-04-07

Today marks the 10th anniversary of the vulnerability in OpenSSL. It had the same ultimate root cause as the recent backdoor incident. This underscores the importance of public funding to protect vital open source projects that underpin our internet infrastructure. Learn more: optimizedbyotto.com/post/what-

Christina Warren (@film_girl)
2024-04-03

Thinking a lot about the backdoor this week. Almost exactly 10 years ago, I wrote this about the attack and how we should do more to support , especially for important libraries. Sadly, almost all of what I wrote then is still relevant. web.archive.org/web/2014042013

2024-03-30

Give or take a few days, the discovery of the malicious code in #xz coincides with the discovery of #HeartBleed, 10 years apart. 🥳

(I get the impression that things have not changed much since 😓)

Chuck Darwin (@cdarwin@c.im)
2024-03-30

The important role #OpenSSL plays in securing the Internet has never been matched by the financial resources devoted to maintaining it.
The open source #cryptographic #software library secures hundreds of thousands of Web servers and many products sold by multi-billion-dollar companies,
but it operates on a shoestring budget.
OpenSSL Software Foundation President Steve Marquess wrote in a blog post last week that OpenSSL typically receives about $2,000 in donations a year
and has just one employee who works full time on the open source code.

Given that, perhaps we shouldn’t be surprised by the existence of #Heartbleed, a security flaw in OpenSSL that can expose user passwords and the private encryption keys needed to protect websites.

OpenSSL’s bare-bones operations are in stark contrast to some other open source projects that receive sponsorship from corporations relying on their code.
Chief among them is probably the #Linux operating system #kernel, which has a foundation with multiple employees and funding from HP, IBM, Red Hat, Intel, Oracle, Google, Cisco, and many other companies.
Workers at some of these firms spend large amounts of their employers’ time writing code for the Linux kernel, benefiting everyone who uses it.
That’s never been the case with OpenSSL, but the Linux Foundation wants to change that.
⭐️The foundation today is announcing a three-year initiative with at least $3.9 million to help under-funded open source projects⭐️
—with OpenSSL coming first.
Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware have all pledged to commit 💥at least $100,000 a year for at least three years💥 to the “#Core #Infrastructure #Initiative,” Linux Foundation Executive Director Jim Zemlin told Ars.
To be clear, the money will go to multiple open source projects
—OpenSSL will get a portion of the funding but likely nowhere close to the entire $3.9 million.
The initiative will identify important open source projects that need help in addition to OpenSSL.

arstechnica.com/information-te

2024-03-30

@Bibobu

The worst part is that the debate around small, extremely widely used and yet completely underfunded projects had already taken place several times in recent years, following memorable flaws such as #Heartbleed.

Except that there is a bit of a stir at the time, various funds get created to finance free software, but once the storm has passed, you never hear about it again and nothing changes ☹️

next.ink/4883/cybersecurite-et

#Linux #logiciellibre #FOSS #cybersecurity

@lauren @djb

All in all, this seems like another wildly overblown security vulnerability #publicity tour. I'm only shocked it doesn't have its own website and professional logo like "#shellshock" or "#heartbleed".

Signed,

Long time qmail guy & #internet #mail #infrastructure consultant

5/5

#PRStunt #security #vulnerability #researcher #report #PR #stunt

Daniel Böhmer (@dboehmer@ieji.de)
2023-10-10

I don't see any nickname for the upcoming #curl #vulnerability yet. You can make some suggestions here:

#heartbleed #poodle #breach #owasp

2023-08-19

Wait, is #heartbleed yet another bug that would've been impossible with any language with sane boundary checks like #Ada or #CommonLisp? (And also yet another malloc & equivalents considered harmful, I suppose.)

Why are we still not learning anything?

2023-08-18
2023-06-04

A bit early for the round-number anniversary, K2 now has #Heartbleed commemorative sneakers. 😍 de.m.wikipedia.org/wiki/Heartb

Photo shows white Skechers sneakers with three bleeding hearts.
