Warum noch mal war unsere kritische Infrastruktur im Netz, wie #letsencrypt oder #OpenVPN, von der US-Regierung abhängig?

Irgendwann braucht man nach #Heartbleed und #GnuPG-Krise auch nicht mehr Snowden zitieren, wenn die einzige Konsequenz, die man da nicht gezogen hat, die ist, dass Open Source-Entwicklung auch Geld kostet.

Und dass man das am besten auch nicht allein einer alle vier Jahre wechselnden Regierung überlässt.

Now Simon Moore from the #UniversityOfCambridge (but on sabatical at Victoria University Wellington) is talking about architecture security features with #CHERI
To mitigate #MemorySafety bugs like #HeartBleed

It reminded of heartbleed..

https://xkcd.com/2347/

How to make #opensource #software more secure
The #xz attack, which followed other well-known cybersecurity incidents involving open source software like #Heartbleed, #Shellshock, and #Log4j, was another stark reminder that open source software, given how widespread it is, can pose significant #security risks.  
https://techcrunch.com/2024/11/01/how-to-make-open-source-software-more-secure/ #itsec

Heartbleed: When Is It Good to Name a Vulnerability? – Source: www.darkreading.com https://ciso2ciso.com/heartbleed-when-is-it-good-to-name-a-vulnerability-source-www-darkreading-com/ #rssfeedpostgeneratorecho #DarkReadingSecurity #CyberSecurityNews #Vulnerability #DARKReading #heartbleed

De invloed van heartbleed op cyberveiligheid en het benoemen van kwetsbaarheden https://www.trendingtech.news/trending-news/2024/05/11582/de-invloed-van-heartbleed-op-cyberveiligheid-en-het-benoemen-van-kwetsbaarheden #Heartbleed #OpenSSL kwetsbaarheid #cybersecurity #branded vulnerabilities #Codenomicon #Trending #News #Nieuws

New from me SC UK:

This month marks 10 years since #Heartbleed was disclosed, and #cybersecurity had to react fast. I talked to CISO Neil Thacker and Synopsys - who acquired Codenomicon (who discovered the OpenSSL bug) - about lessons learned over the past decade about open source code bases, patching and vulnerabilities.

https://insight.scmagazineuk.com/ten-years-of-heartbleed-lessons-learned

Today marks the 10th anniversary of the #Heartbleed vulnerability in OpenSSL. It had the same ultimate root cause as recent #XZUtils backdoor incident. This underscores the importance of public funding to protect vital open source projects that underpin our internet infrastructure. Learn more: https://optimizedbyotto.com/post/what-heartbleed-xz-utils-had-in-common/ #OpenSource #Security

¿Pero cómo que han pasado ya diez años de #heartbleed? WTF!!

https://www.securityweek.com/heartbleed-is-10-years-old-farewell-heartbleed-hello-quantumbleed/

Thinking a lot about the #xz backdoor this week. Almost exactly 10 years ago, I wrote this about the #Heartbleed attack and how we should do more to support #OSS, especially for important libraries. Sadly, almost all of what I wrote then is still relevant. https://web.archive.org/web/20140420132336/https://mashable.com/2014/04/14/heartbleed-open-source/

À quelques jours près, la découverte du code malicieux de #xz coïncide avec la découverte de #HeartBleed avec 10 ans d'écart.

(J'ai l'impression que les choses n'ont pas tellement évoluée depuis )

The important role #OpenSSL plays in securing the Internet has never been matched by the financial resources devoted to maintaining it.
The open source #cryptographic #software library secures hundreds of thousands of Web servers and many products sold by multi-billion-dollar companies,
but it operates on a shoestring budget.
OpenSSL Software Foundation President Steve Marquess wrote in a blog post last week that OpenSSL typically receives about $2,000 in donations a year
and has just one employee who works full time on the open source code.

Given that, perhaps we shouldn’t be surprised by the existence of #Heartbleed, a security flaw in OpenSSL that can expose user passwords and the private encryption keys needed to protect websites.

OpenSSL’s bare-bones operations are in stark contrast to some other open source projects that receive sponsorship from corporations relying on their code.
Chief among them is probably the #Linux operating system #kernel, which has a foundation with multiple employees and funding from HP, IBM, Red Hat, Intel, Oracle, Google, Cisco, and many other companies.
Workers at some of these firms spend large amounts of their employers’ time writing code for the Linux kernel, benefiting everyone who uses it.
That’s never been the case with OpenSSL, but the Linux Foundation wants to change that.
️The foundation today is announcing a three-year initiative with at least $3.9 million to help under-funded open source projects️
—with OpenSSL coming first.
Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware have all pledged to commit at least $100,000 a year for at least three years to the “#Core #Infrastructure #Initiative,” Linux Foundation Executive Director Jim Zemlin told Ars.
To be clear, the money will go to multiple open source projects
—OpenSSL will get a portion of the funding but likely nowhere close to the entire $3.9 million.
The initiative will identify important open source projects that need help in addition to OpenSSL.

https://arstechnica.com/information-technology/2014/04/tech-giants-chastened-by-heartbleed-finally-agree-to-fund-openssl/

Wait, is #heartbleed yet another bug that would've been impossible with any language with sane boundary checks like #Ada or #CommonLisp? (And also yet another malloc & equivalents considered harmful, I suppose.)

Why are we still not learning anything?

Etwas früh dran zum runden Jubiläum hat K2 jetzt #Heartbleed Gedächtnisturnschuhe. https://de.m.wikipedia.org/wiki/Heartbleed

How easy or difficult it is to exploit older SSL/TLS protocols?

https://security.stackexchange.com/questions/269269/how-easy-or-difficult-it-is-to-exploit-older-ssl-tls-protocols

#heartbleed #exploit #attacks #tls