Comment Re:Wat? (Score 1) 582
What the OpenSSL team seems to have failed to do is to perform a really serious amount of destructive testing on their library which, as you pointed out, is essentially what black hats do to find these kinds of vulnerabilities anyway. This is not surprising since quality assurance and testing seem to be a bit of a poor relation in many FOSS projects, just like it is in the closed source community.
Actually that surprised me quite a bit. A lot of FOSS projects do perform testing, at least automated testing. And some even do fuzz testing. And some even run static code analyzers. So considering how important and widely used OpenSSL is, I was surprised to hear they didn't. So I went and checked, and they do appear to have some test code. Obviously not enough, or at least not for this new heartbeat feature, but they do have some.
Finally, when something is as widely used and fundamental to the workings of the internet and online commerce as OpenSSL is, one would expect that perhaps some of the big beneficiaries of the OpenSSL project like Google, Apple, Amazon, Facebook, etc. could foot the bill to do some suitably paranoid amount of quality assurance on it and other such FOSS projects.
I'm with you 100% on that. They have no legal obligation of course, but damn, they look really cheap and slimy right now (except for maybe Apple, since they don't use OpenSSL, but then again they had their own embarrassing security bug just a few months back).