Comment Re:What's the issue here? (Score 4, Insightful) 192
The government has the info already, they handed it out!
Sorry but unless you define "GOOD ITSEC company audit the shit out of it" in tangible terms that can actually hold someone liable for failure in a real way, this is just baloney. And if you define it with teeth, the price will increase. Basically, to define it properly, you'd be able to do it yourself. Oops.
There are no replacement libraries. The ED25519, ECDH, ChaCha20 and AES-CTR code is all part of OpenSSH itself. And the code is very, very tight and compact and very easy to audit. Entirely the opposite of OpenSSL!!!
The most useful? You mean tmux? Not this old antiquated, bug-ridden piece of code, right?
That will take time. The first versions will try to be API compatible because of the huge base of existing software. The future will see incremental API improvements as people learn from their experiences.
Their format of the code is horribly broken and hard to read. Who really fucking cares what they want?
The OpenBSD version of this library should work on any modern unix system with minimal to no change at all. The code being removed affects VMS, Windows, OS/2, and other systems. Even modern versions of Windows should require fewer hacks to work properly these days. The HUGE amount of workarounds, abstractions and obfuscations to support these ancient/useless systems are nothing but a hindrance to bug-free TLS support.
Since the energy required to produce corn ethanol is nearly equal or sometimes greater than the energy gained as fuel, corn sucks. It should be obvious that you are going to produce more emissions with corn. Even when the tarsands require large amounts of refining, that tarsand oil will be used to produce corn ethanol. Oil is used today in corn agriculture and production of ethanol. Corn as a biofuel is an odd stop-gap. If we have to use subsidies, why not encourage farmers to make some other crop that transforms to oil with higher efficiency?
These are the exact issues that OpenBSD is fixing. Also PHK has commended OpenBSD for taking the effort, so I think he agrees.
And if they were using a FIPS certified version of OpenSSL, they would still be compromised. FIPS means....nothing in this context.
Just because no bank was on the list does NOT mean that they were not vulnerable, just that they have too much to lose by admitting it.
Or about $900,000 less than OpenSSL receives in paid development work each year.
A PR grab...that you can run on any modern unix based OS. Just not VMS or OS/2.
OpenBSD was using a variant of 1.0.1c with the bug.
Funny, several of the mitigation techniques in OpenBSD and grsecurity have made their way to other systems, even Microsoft Windows... Basically everything you are saying here is a consistent misunderstanding of what's actually going on. Have you really looked?
The stuff that is being cut out isn't just for "other platforms". It's absolutely fucking ancient, and in many cases, probably hasn't even been _compiled_ any time in the last decade.