On Sat, 12 Apr 2014 07:56:01 +1000, Matt Palmer said:

> The interesting thing to me is that the article claims the NSA have been
> using this for "over two years", but 1.0.1 (the first vulnerable version)
> was only released on 14 Mar 2012.  That means that either:

>  * The NSA found it *amazingly* quickly (they're very good at what they do,
>    but I don't believe they have superhuman talents); or

You seriously think the NSA *isn't* watching the commits to security-relevant
open source?  Remember - it was a bonehead bug, it's *not* unreasonable for
somebody who was auditing the code to spot it.  Heck, there's a good chance that
automated tools could have spotted it.
