Announcement

**OneTimeShot** · 14 January 2016, 05:01 PM

Should I point out that this is from the people behind LibreSSL who were complaining extremely loudly about how completely incompetent the OpenSSL team was?

...or maybe computer security is actually hard?

**caligula** · 14 January 2016, 05:28 PM

Originally posted by OneTimeShot View Post

Should I point out that this is from the people behind LibreSSL who were complaining extremely loudly about how completely incompetent the OpenSSL team was?

...or maybe computer security is actually hard?

There are languages in which buffer overflows are impossible thanks to strong typing (e.g. dependent typing, to be precise. And it doesn't bloat the executable, see e.g. ATS http://www.ats-lang.org/). C/C++ isn't one of them. Yes, computer security is hard, but also some of the problems are already solved. Unfortunately the security "experts" aren't professional enough since they dislike language that solve their problems. They WANT your systems to be compromised by using the decades old amateurish attempts at language design.

**rmiller** · 14 January 2016, 05:58 PM

Originally posted by OneTimeShot View Post

Should I point out that this is from the people behind LibreSSL who were complaining extremely loudly about how completely incompetent the OpenSSL team was?

...or maybe computer security is actually hard?

What? This is just a fix for two security bugs. The complaining about OpenSSL was because a flaw design and bad security practices.

**rmiller** · 14 January 2016, 06:09 PM

Originally posted by caligula View Post

There are languages in which buffer overflows are impossible thanks to strong typing (e.g. dependent typing, to be precise. And it doesn't bloat the executable, see e.g. ATS http://www.ats-lang.org/). C/C++ isn't one of them. Yes, computer security is hard, but also some of the problems are already solved. Unfortunately the security "experts" aren't professional enough since they dislike language that solve their problems. They WANT your systems to be compromised by using the decades old amateurish attempts at language design.

Modern C style offer a safe way for dealing with overflow without the complexity (and the security bugs) of modern high level languages. Also, most languages lacks of the amount of exploit mitigation techniques added by a C/C++ compiler.

**OneTimeShot** · 14 January 2016, 06:16 PM

Originally posted by rmiller View Post

What? This is just a fix for two security bugs. The complaining about OpenSSL was because a flaw design and bad security practices.

Yeah - because that makes a difference to the people who are at risk? Remember that there was also a server SSH vulnerability for multiple years (that was ironically fixed in Sun's commercial branch).

If this was Microsoft or Apple, or anyone else I'd just shrug and let it go - but I see no reason to go light on LibreSSL because they were **extremely** vitriolic (and personal) in attacking the OpenSSL team.

**Daktyl198** · 14 January 2016, 06:24 PM

Originally posted by OneTimeShot View Post

Yeah - because that makes a difference to the people who are at risk? Remember that there was also a server SSH vulnerability for multiple years (that was ironically fixed in Sun's commercial branch).

If this was Microsoft or Apple, or anyone else I'd just shrug and let it go - but I see no reason to go light on LibreSSL because they were **extremely** vitriolic (and personal) in attacking the OpenSSL team.

Question: do you mean that the LibreSSL people wrote the feature that causes this bug? Because I don't remember LibreSSL being a thing 6 years ago. So what exactly about them are you criticizing in regards to this bug?

**RavFX** · 14 January 2016, 06:40 PM

Disabling a feature is not a fix.

I use this feature a lot thanks to the crappiness of my Internet connection.

**caligula** · 14 January 2016, 06:48 PM

Originally posted by rmiller View Post

Modern C style offer a safe way for dealing with overflow without the complexity (and the security bugs) of modern high level languages. Also, most languages lacks of the amount of exploit mitigation techniques added by a C/C++ compiler.

What complexity and security bugs? Apparently you have no idea what you're talking about.

> most languages lacks of the amount of exploit mitigation techniques added by a C/C++ compiler

Does not parse.

**rmiller** · 14 January 2016, 06:54 PM

Originally posted by OneTimeShot View Post

Yeah - because that makes a difference to the people who are at risk? Remember that there was also a server SSH vulnerability for multiple years (that was ironically fixed in Sun's commercial branch).

If this was Microsoft or Apple, or anyone else I'd just shrug and let it go - but I see no reason to go light on LibreSSL because they were **extremely** vitriolic (and personal) in attacking the OpenSSL team.

Obviously, follow good security practices makes a difference. Al least in term of security.

Announcement

OpenSSH Clients Struck By New Security Vulnerability

OpenSSH Clients Struck By New Security Vulnerability

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment