Comment Re:Open source was never safer (Score 2) 582

Safer != Perfect

Open Source is not perfect. It also does not help when you have large commercial institutions RELYING on the source code in a security critical role under constant attack by well-funded adversaries, AND the developers of said open source code are so pitifully underfunded, AND the commercial proprietors that cause said open source library to become a high-value target are only willing to invest in features, and not improvements that would lead to better quality and lesser likelihood of serious bugs.

Comment Re:What about a re-implementation... (Score 1) 304

I never saw a C program with a remote file inclusion bug or a C code injection bug caused by an eval().

Pretty much all the errors caused by C fall into two buckets: reading an improper memory location and writing an improper memory location (including double-free'ing an invalid memory address).

As long as you can be certain to avoid those two conditions, C is just as safe as other languages. There are ways you can design your C programs, and rules you can follow which make it unlikely for you to include such errors.

For non-trivial programs, there are plenty of advantages to managing your own memory, which you cannot do in other languages such as Python or Java.

The other languages' use of garbage collection results in great space and runtime inefficiencies.
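The two failure classes named in the post above (reading and writing an improper memory location, including freeing an address twice) can be kept out of a C program by routing every access through an API that carries the capacity alongside the pointer. The following is an added illustration of that design rule, written for this page and not code from the commenter; the `sbuf` type and its functions are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* A length-tracked buffer (constructed for this example): every write goes
 * through a function that knows the capacity, so an out-of-bounds write
 * becomes an error return instead of memory corruption. */
typedef struct {
    char *data;
    size_t len;   /* bytes in use, excluding the NUL terminator */
    size_t cap;   /* bytes allocated, including room for the NUL */
} sbuf;

bool sbuf_init(sbuf *b, size_t cap) {
    if (cap == 0) return false;
    b->data = calloc(cap, 1);
    if (!b->data) return false;
    b->len = 0;
    b->cap = cap;
    return true;
}

/* Bounded append: refuses instead of overflowing. Returns false on overflow. */
bool sbuf_append(sbuf *b, const char *src, size_t n) {
    if (!b->data) return false;
    if (n > b->cap - 1 - b->len) return false;   /* would not fit with the NUL */
    memcpy(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';
    return true;
}

/* Bounds-checked read: an index at or past len yields -1, never a stray byte. */
int sbuf_at(const sbuf *b, size_t i) {
    if (!b->data || i >= b->len) return -1;
    return (unsigned char)b->data[i];
}

/* Release clears the struct, so freeing the same buffer twice is a no-op
 * rather than a double free of the same address. */
void sbuf_free(sbuf *b) {
    free(b->data);
    b->data = NULL;
    b->len = 0;
    b->cap = 0;
}

/* Demonstration: a 16-byte buffer accepts 15 bytes, refuses the 16th,
 * refuses an out-of-range read, and survives a second free.
 * Returns the number of checks that passed (5 when all hold). */
int demo_bounded_ops(void) {
    sbuf b;
    int ok = 0;
    if (!sbuf_init(&b, 16)) return -1;
    ok += sbuf_append(&b, "hello, world!!!", 15);   /* fits exactly */
    ok += !sbuf_append(&b, "x", 1);                /* overflow refused */
    ok += (sbuf_at(&b, 14) == '!');                /* last valid index */
    ok += (sbuf_at(&b, 15) == -1);                 /* past len: refused */
    sbuf_free(&b);
    sbuf_free(&b);                                 /* second free: no-op */
    ok += (b.data == NULL);
    return ok;
}

int main(void) {
    printf("checks passed: %d of 5\n", demo_bounded_ops());
    return 0;
}
```

The rule the code embodies is that a raw `char *` never travels on its own: the capacity and the current length travel with it, and ownership is released through one function that leaves the struct in a state where a repeat release is harmless.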

Comment Re:And they've already stopped (Score 2) 304

$30,949 is how much the OpenBSD Foundation received in donations in 2013.

And yet... I heard OpenSSL itself gets at most $2000 in a typical year. Despite tens of thousands of banks, retailers, hardware manufacturers, software manufacturers, all relying on their code in a security critical fashion to support their business activities. The MOST the OpenSSL project gets in contributions is a mere shilling?

And no real support for high quality code review, maintenance, and release management. Just support for adding feature bloat.

Comment Re:u wot m8 (Score 1) 575

Oh... Redhat lover..... Actually, there's a problem with that: It will only upgrade packages within a release, AND you can't upgrade to the new release.

It's like being stuck at Windows XP Service Pack 1, and having to go do an offline boot from CD update from CD install media to go to SP2.

So it's really "Insert RHEL 6 CD"; Go through installer again; Windows has a much better experience....

Ubuntu's release upgrade process is also OK

Comment Re:Don't keep vulnerable servers running! (Score 1) 151

I would also only be able to use EC cryptography with PFS with OpenSSL. I don't trust EC personally, yet. It's just not been around long enough for me.

The promise of PFS is that a private key compromised or lost after the fact does not compromise the contents of all sessions. Which means it's useless for an attacker to intercept thousands of SSH sessions, and then later make an attempt to break into the server --- they need the private key at the time of any attack.

Your argument is the equivalent of saying "I would use SSH, but I just don't trust PAM yet for my password authentication, which SSH seems to require. So I'll keep on using Telnet."

By the way, ECDSA has been around over 10 years. In computer industry terms, that is quite ancient.
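The forward-secrecy property described in the post above can be shown with a small Diffie-Hellman exchange: when the server reuses one long-term secret for every key agreement, a recorded transcript plus a later key compromise reproduces the session key; when the server draws a fresh exponent per session and uses the long-term key only to authenticate it, the same transcript plus the same compromise yields nothing. The code below is an added example written for this page, not the commenter's; the prime, generator and secret values are constructed, illustration-sized numbers, and the group is a toy stand-in for the DH or ECDH groups real TLS and SSH use.

```c
#include <stdio.h>
#include <stdint.h>

/* Toy group, constructed for this example: p = 2^31 - 1 (a Mersenne prime)
 * with generator 7, a primitive root mod p. Real deployments use 2048-bit
 * groups or elliptic curves; the key schedule is the point here, not the size. */
#define P 2147483647ULL
#define G 7ULL

/* Modular exponentiation; operands stay below 2^32 so the products fit in 64 bits. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t result = 1;
    base %= mod;
    while (exp > 0) {
        if (exp & 1) result = (result * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return result;
}

/* Static DH (no forward secrecy): the server reuses its long-term secret s
 * in every handshake, so every session key is g^(c*s) for that session's c. */
uint64_t session_key_static(uint64_t server_static_priv, uint64_t client_priv) {
    uint64_t server_pub = modpow(G, server_static_priv, P);
    return modpow(server_pub, client_priv, P);
}

/* Ephemeral DH (forward secrecy): the server draws a fresh exponent e per
 * session and erases it afterwards; the long-term key only signs g^e and
 * never enters the session-key derivation. */
uint64_t session_key_ephemeral(uint64_t server_eph_priv, uint64_t client_priv) {
    uint64_t server_pub = modpow(G, server_eph_priv, P);
    return modpow(server_pub, client_priv, P);
}

/* What a later compromise of the server's long-term secret gives against a
 * recorded transcript: the client's recorded public value raised to that secret. */
uint64_t recover_from_transcript(uint64_t client_pub, uint64_t server_longterm_priv) {
    return modpow(client_pub, server_longterm_priv, P);
}

/* 1 if the static-DH session key falls out of transcript + long-term key. */
int static_dh_recoverable(void) {
    uint64_t s = 123456789ULL, c = 987654321ULL;   /* constructed secrets */
    uint64_t client_pub = modpow(G, c, P);
    return recover_from_transcript(client_pub, s) == session_key_static(s, c);
}

/* 1 if the same recovery fails against an ephemeral session: the erased
 * exponent e is what the key depends on, and the long-term key is unrelated. */
int ephemeral_dh_resists(void) {
    uint64_t longterm = 123456789ULL, e = 555555555ULL, c = 987654321ULL;
    uint64_t client_pub = modpow(G, c, P);
    uint64_t real_key = session_key_ephemeral(e, c);
    return recover_from_transcript(client_pub, longterm) != real_key;
}

int main(void) {
    printf("static DH recoverable after key compromise: %d\n", static_dh_recoverable());
    printf("ephemeral DH resists the same compromise:   %d\n", ephemeral_dh_resists());
    return 0;
}
```

The practical consequence is the one the post states: with ephemeral key agreement, an attacker who records traffic now and obtains the server key later holds a transcript with nothing to unlock it, because the secret that determined each session key existed only for the duration of that handshake.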

Comment Re:The CA should not revoke the certificates, (Score 2) 151

Which only tells us they're patched now, it doesn't tell them how much time the site was vulnerable.

That's true, BUT for the ones that are patched now --- the admin probably understands the issue. The sites with negligent, clueless, or sloppy admins, will be unpatched sites mostly (or sites running earlier releases before the vulnerable version).

Comment Re:Impossible (Score 1) 31

How can a black hole swallow a star if the star's clock slows to a stop as it approaches the event horizon?

It stops from the star's perspective, maybe. From the perspective of an outside observer: the star is absorbed into the black hole and ceases to exist.

But according to Hawking, there is no event horizon as previously believed; just an apparent horizon.

Comment Re:Oh, man, what a mess (Score 2) 151

You are correct about there being other IIS security vulnerabilities. There have also been other OpenSSL, Apache, and Nginx remote code execution vulnerabilities.

The Nginx RCE could also be used to compromise key storage.... could do even better than that, could load an eavesdropping trojan into memory.

The past IIS vulns did not necessarily easily compromise key storage.

The Heartbleed bug is MUCH easier to exploit than any RCE bug, even though the RCE bugs are more useful for an attacker, if a server is known to be vulnerable to one.

Comment Re:Even root CA certificates may be at risk. (Score 2) 151

You would not believe what VP's will force you to do to get their $20 million flagship project out the door and then quickly forgotten about after the guy that was forced to do it quits in disgust.

Fraud that can get you in jail is not one of those things that some VP can force you to do.

The CA has to be validated by third party auditors, before it can even be trusted. One of the aspects that must be audited is the governance of that CA and the policies and controls of the CA designed to ensure the CA operates only according to the policies, and that would include that no system admin or member of management is capable of bypassing the rules.

Comment Re:Why would I work for free to make Apple rich? (Score 0) 268

GPL doesn't restrict people from using the software any way they want. It restricts them from preventing anyone else from using the software any way they want.

No... you're missing the big picture. It restricts the following use right: the right to use the code by modifying it, making a copy of the software, and selling or giving it to a friend or client, without giving the friend or client access to the source code.

Modifying the code and redistributing just the binary is one way of using the program. This use of the program is restricted by the GPL.

So the GPL does indeed restrict use.

You are prohibited from adding proprietary changes and keeping the nature and form of your changes confidential and protecting your rights to your changes and modifications.
