[Klug-general] SSL bug

Karl Lattimer karl at qdh.org.uk
Thu May 22 14:58:59 BST 2008




On Thu, 22 May 2008 13:43:27 +0100, J D Freeman <klug at quixotic.org.uk>
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Thu, May 22, 2008 at 08:33:59AM -0400, Karl Lattimer wrote:
>> Never in my life have I claimed apple invented email... I may have said
>> something like that sarcastically... But seriously, email has been around a
>> lot longer than apple.
>>
>> I think you can call that libelous.
> 
> http://mailman.lug.org.uk/pipermail/kent/2007-January/001716.html
> and my followup
> http://mailman.lug.org.uk/pipermail/kent/2007-January/001718.html

Hmm, I don't see that I claim that apple invented email there, I was taking
the piss out of you for not moving with the times.

Your statement is still libel. 


>> I don't need to quote something online when I'm surrounded by real
>> professionals all day long. Remember I do work for one of the world's
>> biggest companies.
> 
> Yes, and I have worked for one of the world's biggest companies, and
> for a few other large companies, this doesn't necessarily make me more
> able to make unbacked up claims.

Which company? Hmm... Don't want to say it out loud? Funny, every man and
his dog knows who I work for...

Yeah, well I have real professionals around me all day long, what I hear at
morning coffee is quite a bit more advanced than anything I've ever heard
you talking about...

> So, I ask again, retract your statement or provide a source for your
> claim.

Specifically my source is Rodrigo Novo... It was said amongst ourselves, he
may have been quoting someone else, he makes a valid point. 

Also I don't necessarily need to quote someone else, let's just say you can
quote me. Personally I think quotations are for fairly stupid people who
aren't able to discern opinion on their own.


>> > You are making it out that this is the first, last, and only time a bug
>> > like this will ever occur. I think we are fair to say this is not the
>> > case. There are a greater number of, IMHO, more dangerous bugs in
>> > machines running other distros and OSes than this bug in debian.
>>
>> Name one? Other than the one I've named below.
>>
>> The only comparable flaw I know of is the SSH monkey in the middle attack,
>> which only affects protocol version 1 and still requires that you have a
>> way to inject into the route.
> 
> You are looking at the flaws in a single tool. What about flaws that
> have occurred in other things? What about the recent bug where people
> could inject random code into worldpay's pages? What about the similar
> bug in paypal. I would suggest Paypal has more money and more users
> than debian.

So you can't name one?


> Not to mention the almost limitless bugs in the various windows
> releases.

Still don't affect an entire e-commerce infrastructure, sorry you FAIL.

>> LOL, stripped the rest of the email because you've lost in even attempting
>> to continue to defend.
> 
> If you so wish.
> 
>> This _IS_ the biggest flaw in history, deal with it.
> 
> You are still failing to back this claim up with evidence. It's like me
> claiming I have invented faster than light travel. The claim is
> worthless until I show you my spaceship flying faster than light.
> 
> Stop evading the question and put something on the table.

LOL, why? 

If people around me say it, it's enough, if I hear the same grumblings in
the software community at large then it's enough.

Why are you so keen to evade the fact that this is the biggest issue the
world has had to face with cryptography since the arrival of public key
algorithms?

I suppose you could probably class 2600 circumventing DES as a fairly big
issue too, what with the t-shirts that made the US government a bit red
faced and all. That still doesn't detract from the fact that I say this is
the biggest security issue I've ever seen, and I've been around to watch
the massive sendmail bugs, apache bugs etc...

Never in history has cryptography been owned on such a scale. Quote me on
that bitch.

K,



