I personally incline toward - memory safety in C is hard. We have had enough of those bug pop on their own to need encouragement. Whether interested parties knew of it and use it as a key towards all you can eat intelligence buffet is another story.
Memory safety in C is hard, but this bug, a memcpy with a user-supplied, unchecked length? I mean this is stuff that I learned about in my first serious class that involved C, and it wasn't even security related. C is a language where you code defensively at almost all times, yet this was ignored in the SSL implementation, a project which is based around communicating with a user? This is the situation where you really can't trust things like lengths. Either its incompetence or shilling, both of which are harrowing.
Incompetence on the part of the website companies that didn't pay the money to hire people to make sure that a piece of their critical infrastructure was up to the task? Yes, I agree.
