IRS boss on XP migration: 'Classic fix the airplane while you're flying it attempt'

That whole Heartbleed bug thing just kept running on and on this week, first with accusations that the National Security Agency had defied its brief by knowing about the security breach and doing stuff-all about it. The Heartbleed flaw, which was revealed last week, allows attackers to access passwords, crypto-keys and other …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    "navigate privacy concerns"

    "Navigate" is usually meant to get around something, not to deal with it.

    i.e. she's there to ensure that Dropbox keeps the US Government happy, and is probably given some sort of get-out of the "you are required to deny officially that the Government has any access to customer stored data".

  2. Alister

    NSA fail either way

    the NSA reportedly used the flaw for its own hacking purposes and never warned folks

    but the NSA tweeted that it did no such thing:

    NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.

    So they either knew about it and didn't tell anyone, which will not impress various large corporate bodies who've had to spend money to mitigate against it, or they didn't know about it and were caught hopping, in which case they're in trouble because they bloody SHOULD have known about it.

    1. Anonymous Coward

      Re: NSA fail either way

      What does it mean for the NSA to not be "aware" of something?

      The NSA has re-defined "collecting data" to mean "an agent looking at collected data" which permitted Clapper to claim before Congress that the NSA did not collect data on millions of Americans.

      I wouldn't be surprised if "being aware of a security issue" as per internal NSA definition means "being aware and offering a fix to the public". Which they didn't. So they haven't been aware. You see?!

      1. PhilBuk

        Re: NSA fail either way

        Nah, they just issued themselves a National Security Letter. Perfect get-out!

        Phil.

  3. Natalie Gritpants

    Fixing an airborne aircraft

    No-one has ever built an aircraft that cannot be landed and maintained. If your IT is in this state you only have yourself to blame. Plenty of other IT services have planned maintenance downtime. If yours does not have this feature you should resign and let someone competent take over.

    1. Eradicate all BB entrants

      Re: Fixing an airborne aircraft

      I did once work in an environment with planned downtime, and overtime was paid as it was carried out on a weekend. The systems worked quite well.

      I am now in a position where the business refuses to have any downtime (I usually get blamed for power cuts too; because I said the systems needed downtime, they think I can patch when there is no electricity). So even if I did resign and someone 'competent' did take over, they would be in the same position.

      1. Yet Another Anonymous coward

        Re: Fixing an airborne aircraft

        But they are in a much better situation than you. They just have to go to the taxpayer/government and say that they need $M extra this year to plan for a change in operating system in 10years time.

        Any reasonable elected official would agree to closing a few hospitals so that the taxman could have an easy transition - everybody loves the IRS after all.

  4. Henry Wertz 1

    NSA and Rice

    Re: The NSA. I don't see how (theoretically) finding out the NSA knew about Heartbleed for a while (or years) would affect security researchers' view of them in any way whatsoever. It's widely known now (post-Snowden) and was widely assumed (pre-Snowden) that the NSA searches for security vulnerabilities -- and not to go tell the world about them. They are after all a spy agency that favours electronic surveillance. I would expect all spy agencies of this type to have some people going out looking for 0-day exploits.

    Re: Rice. She was part of a pretty bad administration. Cheney and Rumsfeld in particular really had that supervillain vibe going. But she dealt almost exclusively with foreign relations. Meaning it doesn't make a lot of sense for her to be on Dropbox's board. But, she's not one of those people who spoke out for destroying constitutional rights* and having widespread spying like Bush, Cheney, and Rumsfeld did ("Total Informational Awareness", anyone?) and like Obama currently does (defending the NSA's illegal programs, and parroting the NSA line on topics even when that line has been proven false, hoping if he repeats these false statements enough the public will believe them.)

    *Other than supporting the CIA's illegal "enhanced" interrogations of terrorist suspects.

  5. ecofeco

    Somebody dropped the ball

    Blame anyone you want, but ultimately the blame always lies with upper manglement for piss poor planning.

    So in this case it's either the IRS CIO or Congress. I'm going with Congress, and specifically the House, because they've had a bone to pick over the right-wing non-profit "committees'" initial status filings, which were heavily scrutinised and which they thought was onerous.

  6. Alan Brown

    As far as OpenSSL goes

    They'd probably have more than 4 volunteers if they didn't discourage/ignore people who wanted to get involved.

    The biggest problem with _any_ form of source auditing - and the source of the infamous "more than 4 people isn't worth it" quote - is that everyone assumes that someone else audited that bit, or that it's already been seen and reported.

    Over the last 18 months it's become clear that there are a lot of such holes in open source - which have usually resulted in exponential numbers of related patches as various devs have gone "I wonder if that's in my code too?". Closed source usually isn't audited and often takes months to be fixed once the makers are notified - if it ever is.

    Yes there's a shitstorm flying at the moment. It's going to result in more secure code longer term which is a GOOD thing.

    I've been casting my eye over a few packages and finding fairly egregious failures - which the devs usually respond to with a "meh, so what?" (much like what happened with OpenSSL). It's no wonder the only way to prod people into action is public disclosure.

  7. thx1138v2

    WMD's and Rice, Bush, etc

    If you believe that BS you better look very hard for Peter Rabbit Sunday.

    There's no doubt Saddam Hussein had the WMDs. Part of the Armistice agreement that ended the first Gulf War was that he would destroy them and document the destruction. The weapons inspectors knew what weapons he had. He only needed to document their destruction. Instead of living up to that agreement he danced the weapons inspectors around for 12 years.

    It was never up to the U.S. or the coalition or anyone else to prove he had them because they were already known.

    The fact that people are still talking about the "missing" WMD's and that it was up to the Bush administration, or anyone else for that matter, to find them is nonsense. I guess it proves that if you tell a lie often enough, some people will believe anything.

    So get up really early Sunday morning, like 12:01:01.001 AM and stay vigilant until 11:59:59.999 and I'm certain you'll see Peter.

    1. Bakana

      Re: WMD's and Rice, Bush, etc

      It wasn't because of the First Gulf War that we knew Saddam had WMDs.

      It was because WE Sold them to him.

      But, by the time of the Bush Wars, he no longer had any left because he'd used them all on his own people. Which the Bushies also knew.

  8. ian 22

    Heartbleed and China

    If NSA inspect open source code for weakness, perhaps they have been hacking the Chicom for years. The Chinese have been using Linux (when they haven't been using pirated Windoes).

    If NSA do such inspection, likely the Chinese do also.

  9. Justin Clements

    Blimey...

    ....all this anti-Rice stuff.

    I do hope that when the current administration is replaced you also remember their failings so well, especially since they've had 5 long years endorsing what the NSA has been up to....

  10. Bakana

    Better Fix.

    There is a better fix than the "repair" to OpenSSL.

    Fix the operating system's memory management processes so that whenever a process requests a block of memory, it gets a block that has been cleared of all "leftover" data from the previous process that used that particular block of memory.

    Simple, elegant, does not depend on thousands of 3rd party processes to always do it right.

    Heretical to say this, but the tiny speed hit of clearing memory, both before & after it gets handed to various processes, would be more than paid for in many ways.

    Besides solving this problem it would also have the side benefit of flushing out a bunch of processes and applications which are using poor memory management on the part of the OS as a "feature" instead of the sloppy design it is.
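An added example following this comment, not the commenter's code and not OpenSSL's: a constructed model of the heartbeat over-read the thread is about. A request's 2-byte length field claims more payload than was actually sent, and it is handled once by a handler that trusts that field and once by a handler that checks it against the bytes received. The connection's memory is a single calloc'd block, zeroed on allocation in the spirit of the clearing proposed above, with a constructed 16-byte session key placed directly after the request. The record layout, the constants, the function names and the key are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model of the TLS heartbeat over-read (not OpenSSL's code).
 * Record layout assumed here: 1 byte type, 2 byte payload length (big-endian),
 * then the payload bytes that actually arrived.
 */
#define HDR_LEN 3
#define RECORD_LEN (HDR_LEN + 4)     /* header plus the 4 real payload bytes */
#define KEY_LEN 16
#define HEAP_LEN 64

/* Vulnerable handler: trusts the length field inside the request. */
static size_t heartbeat_reply_vulnerable(const unsigned char *rec, size_t rec_len,
                                         unsigned char *out, size_t out_len)
{
    (void)rec_len;                                   /* never consulted: the bug */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_len)
        claimed = out_len;                           /* only the reply buffer bounds it */
    memcpy(out, rec + HDR_LEN, claimed);             /* reads past the bytes received */
    return claimed;
}

/* Fixed handler: the claimed length must fit inside what was actually received. */
static size_t heartbeat_reply_fixed(const unsigned char *rec, size_t rec_len,
                                    unsigned char *out, size_t out_len)
{
    if (rec_len < HDR_LEN)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HDR_LEN || claimed > out_len)
        return 0;                                    /* malformed request: drop it */
    memcpy(out, rec + HDR_LEN, claimed);
    return claimed;
}

/*
 * Lay out one connection's memory in a single zeroed heap block: the request
 * at the front, a constructed session key immediately after it. Returns the
 * number of key bytes that end up in the heartbeat reply.
 */
size_t leaked_key_bytes(int use_fixed)
{
    const char *key = "0123456789abcdef";            /* constructed secret, KEY_LEN bytes */
    unsigned char *heap = calloc(HEAP_LEN, 1);       /* zeroed when handed to this process */
    unsigned char reply[HEAP_LEN];
    size_t n, i, leaked = 0;

    if (heap == NULL)
        return 0;

    /* Attacker's request: type 1, claimed payload length 20, only 4 bytes sent. */
    heap[0] = 0x01;
    heap[1] = 0x00;
    heap[2] = 0x14;
    memcpy(heap + HDR_LEN, "ping", 4);
    /* Live data belonging to the same process sits right after the record. */
    memcpy(heap + RECORD_LEN, key, KEY_LEN);

    n = use_fixed
        ? heartbeat_reply_fixed(heap, RECORD_LEN, reply, sizeof reply)
        : heartbeat_reply_vulnerable(heap, RECORD_LEN, reply, sizeof reply);

    /* Count reply bytes beyond the real payload that reproduce the key. */
    for (i = 4; i < n && i - 4 < KEY_LEN; i++)
        if (reply[i] == (unsigned char)key[i - 4])
            leaked++;

    free(heap);
    return leaked;
}

int main(void)
{
    printf("vulnerable handler leaks %zu key bytes\n", leaked_key_bytes(0));
    printf("fixed handler leaks %zu key bytes\n", leaked_key_bytes(1));
    return 0;
}
```

The bytes counted by leaked_key_bytes() were written into the zeroed block by the same process after it received the allocation, which is the situation the length check in heartbeat_reply_fixed() addresses.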

  11. guvna

    Good on CR.

    I hope she can help make Dropbox bigger and better.

    I use it, and am glad she's on-board. The guys obviously thought she can bring good things to the table. Hopefully she'll do so.

    Whatever she got up to in the past, I couldn't care less. I use the product, like how it works, and hope it gets better.
