[Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

Jerry Leichter leichter at lrw.com
Tue Apr 8 20:22:02 EDT 2014


On Apr 8, 2014, at 1:12 PM, Jonathan Thornburg <jthorn at astro.indiana.edu> wrote:
>> E.g., if we cannot show any damages from this breach, it isn't worth
>> spending a penny on it to fix!
> 
> This analysis appears to say that it's not worth spending money to
> fix a hole (bug) unless either money has already been spent or damages
> have *already* occurred.  This ignores possible or probable (or even
> certain!) *future* damages if no rework has yet happened.

You're misreading what Iang wrote.  To say one should not fix a *potential problem that hasn't yet occurred* because we can't prove it's caused any losses yet is absurd.  Before the problem actually occurs, all we have to go on is our estimates of the possible cost, and we have to anticipate those costs.

However, in the case of a problem that *has actually occurred*, if you *still* can't show any losses - then you have to seriously ask whether the problem is worth fixing, or whether it isn't really a "problem" at all.

For example, there are all sorts of plausible-sounding arguments that if people are exposed to signals at the frequencies and power levels used for WiFi then various bad things will happen to them.  Well ... we've exposed many millions of people to such signals for extended periods of time, and the evidence is that the "problem" - exposure to RF - doesn't produce any real costs.  The research that shows that is valuable; and documentation of the actual costs (or lack thereof) for various classes of software bugs would *also* be valuable.  Without such research and documentation, our risk analyses are lacking a solid foundation.
                                                        -- Jerry



