This is a great reminder for others to consider a donation to the Freedom of the Press Foundation's ongoing campaign to fund the development of encryption tools to benefit journalists, sources, and everyone who communicates digitally!
No. Neel found it by auditing code. See CVE-2011-0014 for a previous OpenSSL bug he found by auditing code. See CVE-2010-0239 to witness his awesome ability to find bugs by auditing assembly code.
Not to diminish Neel's work (nobody will deny that he was already known as being at the top of his game for the last decade or more), but this particular one was blatantly obvious for anyone who audits C code. This just tells us that nobody bothered to look at it for 2 years. If a client had given me this code to audit, I'd have found it immediately. If you were hiring for an entry level auditing type position, or an intern, and they did not spot this, you would not want to hire that person.
handsomeransoms | 12 years ago
https://pressfreedomfoundation.org/
Huge thanks to Neel, whose donation pushed us over the edge to meet our goal!
(Full disclosure: I work for the Freedom of the Press Foundation)
gojomo | 12 years ago
I was already wondering, though: might Mehta and/or Codenomicon have been put on the scent of the Heartbleed bug by an inquiry from one of the journalists with Snowden docs?
I hope we hear more about how each of the researchers found the bug – code auditing? fuzzing? observing attempted exploits? etc – and in the same general timeframe.
DrewHintz | 12 years ago
lawnchair_larry | 12 years ago
For me personally, one of the biggest reasons why I wouldn't have looked is because there is a perception that the probability of things this dumb being missed means looking is surely a waste of time that could be billed hourly to paying clients. It's moments like these that really challenge those assumptions.
motyar | 12 years ago
Huge thanks to Neel.
ronnier | 12 years ago
tptacek | 12 years ago
dpeck | 12 years ago
My company worked hard on recruiting him about that long ago and his reputation was already well established then.
iancarroll | 12 years ago
projuce | 12 years ago
https://bugcrowd.com: mainly paid reward programs; you can start using it for a bug bounty/rewards program for free (it also maintains the bug bounty list, which is used by many white hat hackers: https://bugcrowd.com/list-of-bug-bounty-programs/)
https://crowdcurity.com
camus2 | 12 years ago
iamthepieman | 12 years ago
Karma + 1,000,000
JohnnyCat | 12 years ago
sfall | 12 years ago
unknown | 12 years ago
[deleted]
throwaway662 | 12 years ago
[deleted]
shekhar101 | 12 years ago