For censored's sake! This is elementary stuff that any C programmer has drummed into them at noob level. I know we all make mistakes but nobody picked up on this!? It should, in theory, take a line or two of code to fix.
What I worry about most though is how it will affect people's opinion of and trust in FOSS. I saw a comment just recently where some idiot was blaming it on the open source model. It was something like "[This wouldn't happen with a proprietary, closed source syatem because this is something that's too elementary for a hacker to even think of trying, but being able to see the source makes these systems vulnerable]" which, to me, is just crap because a professional hacker lives by the creed of "Effective yet simple" and secondly because this could have been accidentally discovered. In both cases, a proprietary system with this oversight would've been a ticking time-bomb. Besides, this was discovered by a pen-testing team so it would have come up regardless.
The issue I have mixed feelings about: How big of a threat is this reallistically to the individual person (I'm specifically not talking about corporations here now but rather folks like you or me)? Grabbing data from, essentially random, memory is meaningless without doing it enough times and fast enough to obtain something usable. It's also targetless in the sense that one cannot target a specific person. At most you could target the server itself right? Or did I miss something (I'm not a networking guy so I don't know all the ins and outs)? I'm looking at it from a socialogical perspective here. What purpose is there in hijacking some everyday person's gmail account when you can create your own free (including batches of them)? The only risks I see are with regard to finances, for example online shopping etc and even then, we're grabbing at pieces of puzzles not knowing which puzzle we even want to build. I guess what I mean is how much of an effort would it be to gain anything of any value through this exploit. Once again, I speak as someone who isn't a networking expert and someone whose security is extremely high by luck and paranoia (I don't keep sensitive data on my phone nor do I login to any important sites from it, I don't have any online financial services other than with my bank, I have other people do my online shopping and give them a little percent (except where I can make a bank deposit with a reference number) and I don't have much personally identifiable info kicking about (if any) on the net) so maybe I just can't picture this because I'm so distanced. I am trying to put myself in that situation but it's hard to imagine even using a credit card online or over the phone.
I dunno, what does everyone else think? How's everyone feel about this? Are we in, as unknown entities milling about our boring daily lives at much risk? If so, exactly what, besides the obvious? This is a genuine question from someone who still does most things in the real world.
You're a bad man!
