|
to KodiacZiller
Re: Heartbleed - zero day critical bug in OpenSSL
said by KodiacZiller: Perhaps they have, and after the Snowden revelations I would not be surprised at all. But we don't know whether they have or not and it is doubtful that any kernel devs would willingly go along with it.
And what would make you doubt that, or even doubt that some of them work for the NSA? They are just 'good' guys??
said by KodiacZiller: On the other hand, I can almost bet that Microsoft has allowed such shenanigans, which is worse because everything is done behind a closed door and no one can see the code.
BS, I don't work for Microsoft and I can see the code; lots of non-Microsoft folks have asked for and have seen the code. Have you seen the recipe for KFC or Coke?
said by KodiacZiller: We do know that Microsoft made changes to Skype which allowed NSA the ability to eavesdrop on all "encrypted" calls.
You mean this? » www.pcworld.com/article/ ··· ion.html
Blake
|
Jelf8 join:2012-03-08 Redmond, WA
to Zoder
I am trying to get a handle on the risk from a home router that does in fact include a version of OpenSSL with the sloppy coding that gives rise to the Heartbleed bug.
Can someone who knows about this stuff please provide a second opinion on the following statement:
Case 1: "To be vulnerable to Heartbleed the router has to be acting as an SSL server. If it is merely passing SSL traffic it is not vulnerable. So that generally means VPN or, more importantly for typical home routers, remote management."
If that statement is true, then likely 99.99999% of home users do not have to be concerned about whether or not their home router includes a version of the 'bad' OpenSSL - assuming (dangerous word!) that remote management is 'off' in the router.
Case 2: Or if the above-quoted statement is false, then what is required for the bug to send a 64k chunk of router memory to the bad guy/gal? Specifically, is any more required than:
1. Port 443 (HTTPS port) on the router is open
2. A packet arrives at the router addressed to port 443 and designed to exploit the bug.
Which is true? Case 1? Case 2? Something else? Can some of you security-savvy people please shed light?
|
sivran (Vive Vivaldi) Premium Member join:2003-09-15 Irving, TX
sivran
Premium Member
2014-Apr-13 2:26 pm
Both can potentially be true.
Case 1 is true for most users.
Case 2 can be true for certain users. For example, if you enabled management via HTTPS (local or remote).
|
|
siljaline (I'm lovin' that double wide) Premium Member join:2002-10-12 Montreal, QC
1 recommendation
to Zoder
Canada Revenue Agency says 900 social insurance numbers stolen using Heartbleed bug
quote: MONTREAL - The Canada Revenue Agency said Monday about 900 social insurance numbers have been stolen by someone exploiting the Heartbleed computer bug.
The federal revenue agency issued a statement on its website confirming the breach of security, which it said occurred over a six-hour period. [...]
» www.montrealgazette.com/ ··· ory.html
|
Steve (I know your IP address) join:2001-03-10 Tustin, CA
to gnome84
said by gnome84: Can a proprietary C compiler be written that strictly enforces safe programming?
This sounds like a great idea, but it wouldn't then be C.
|
|
to Zoder
Just got through changing a number of my passwords that either were in need of changing or just questionable. Thank heavens again that I have no social networking sites that need changing.
|
|
to Zoder
If they were down to going after sites like Mumsnet I'm thinking they nailed a whole pile of other sites first. That beer tab might be running up pretty high.
quote: On Friday 11 April, it became apparent that what is widely known as the 'Heartbleed bug' had been used to access data from Mumsnet users' accounts.
Heartbleed is a security hole that existed in OpenSSL, the security framework which most websites around the world use. There's a summary of Heartbleed and its effects here.
On Thursday 10 April we at MNHQ became aware of the bug and immediately ran tests to see if the Mumsnet servers were vulnerable. As soon as it became apparent that we were, we applied the fix to close the OpenSSL security hole (known as the Heartbleed patch). However, it seems that users' data was accessed prior to our applying this fix.
So, over the weekend, we decided we needed to ask all Mumsnet users to change their passwords. So, you will no longer be able to log in to Mumsnet with a password that you chose before 5.45pm on Saturday April 12, 2014. If you haven't changed your password yet, you can do so here.
» www.mumsnet.com/info/the ··· ch-to-do
Blake
|
gnome84 join:2014-04-12 Saint Paul, MN
to Steve
said by Steve: This sounds like a great idea
Compilers are not a subject I'm qualified to debate; however, I've gathered the FreeBSD implementation of gcc allows warning flags to be configured that will indicate issues with pointers etc. Does Heartbleed affect all architectures? At one point I was of the opinion that a non-x86 server was the preferred choice for secure internet-facing applications.
|
Steve (I know your IP address) join:2001-03-10 Tustin, CA
Steve
2014-Apr-14 7:10 pm
said by gnome84: however I've gathered the FreeBSD implementation of gcc allows warning flags to be configured that will indicate issues with pointers etc
All compilers allow you to turn on extra error checking, some of which will catch obvious pointer errors, but pointers are so exceptionally powerful that it takes almost nothing to get beyond what can be detected by software inspection.
said by gnome84: Does Heartbleed affect all architectures?
Yes, certainly.
|
gnome84 join:2014-04-12 Saint Paul, MN 1 edit
said by Steve: Yes, certainly.
I'll take your word for that... Why is OpenSSL storing usernames in memory anyways? Perhaps a more aggressive garbage collector is necessary.
|
Steve (I know your IP address) join:2001-03-10 Tustin, CA
Steve
2014-Apr-14 7:39 pm
said by gnome84: Why is OpenSSL storing usernames in memory anyways?
OpenSSL is strictly a library, and it neither stores usernames nor knows anything about them. The memory being violated here belongs to the application that's using the library (say, Apache), though it does seem as if zero-memory-on-alloc (or zero-memory-on-free) would have made this information leak meaningless.
Steve
|
|
to Link Logger
said by Link Logger: BS, I don't work for Microsoft and I can see the code, lots of non-Microsoft folks have asked for and have seen the code. Have you seen the recipe for KFC or Coke?
You could have fooled me (about working for MS). Everything you say is a positive spin for that company even in the face of overwhelming evidence to the contrary. Here you go:
» arstechnica.com/tech-pol ··· confirm/
and this:
» www.cnet.com/news/nsa-do ··· o-calls/
A quote from the top-secret NSA slides:
quote: "The audio portions of these sessions have been processed correctly all along, but without the accompanying video. Now, analysts will have the complete 'picture.'"
Referring to the fact that NSA has been able to spy on Skype calls "all along" and in 2012 got access to video calls. And let's not forget about the patent Microsoft filed in 2009 in which they developed a technology to allow "wiretapping of VOIP." It must be cool to live in your own fantasy world.
|
dave Premium Member join:2000-05-04 not in ohio
to gnome84
said by gnome84: Perhaps a more aggressive garbage collector is necessary
If it had a garbage collector, it wouldn't be C. (Not entirely true, since any app could implement its own memory allocation scheme with garbage collection -- but it's not the C way. You're thinking of one of those fancy computer-science-y languages.) Generalized garbage collection in C is problematic for the same reason that everything else in C is problematic: pointers that can point anywhere they damn well want (including in the middle of objects).
|
|
to Jelf8
said by Jelf8: 1. Port 443 (HTTPS port) on the router is open 2. A packet arrives at the router addressed to port 443 and designed to exploit the bug.
Now this one has me thinking. We currently have port 443 forwarded to our PS3. The PS3 is using a static LAN IP outside of the assigned range of DHCP. We do not have 8080 open for remote management, and have even turned off management via wireless. So is our setup extremely vulnerable? According to the router manufacturer they are not using OpenSSL...
|
gnome84 join:2014-04-12 Saint Paul, MN
to Steve
said by Steve: OpenSSL is strictly a library,
Depending on how Apache is configured the library may only have access to a fork or child process when the keep-alive is received.
|
|
to dave
said by dave:
said by gnome84: Perhaps a more aggressive garbage collector is necessary
If it had a garbage collector, it wouldn't be C.
Garbage collection is a function of a runtime environment and not one of the language itself. Garbage collection also would not have had any impact here.
|
dave Premium Member join:2000-05-04 not in ohio
dave
Premium Member
2014-Apr-14 8:39 pm
Garbage collection is a function of the language, inasmuch as if the language has explicit allocation and deallocation of memory (as in C, C++), there is no need for a garbage collector, and if there is no deallocation method (as in Algol68, Java), you either have a garbage collector or you eventually run out.
And of course garbage collection would not help here; it was not I who suggested it would help. It does not matter if the scooped memory is considered allocated or free, it's still in the address space and still scoopable.
|
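Steve's remark earlier in the thread that zero-memory-on-alloc or zero-memory-on-free would have made the leak meaningless, and dave's point just above that scooped memory is scoopable whether it is considered allocated or free, both come down to measures that are easier to see in code than in prose. What follows is an added example written for this page, not OpenSSL's code: a toy handler for the RFC 6520 heartbeat record that includes the bounds check whose absence was Heartbleed, plus a wipe-before-free routine. The record layout (type, 2-byte payload length, payload, 16 bytes of padding) is from RFC 6520; the function names, the constructed sample records and the all-zero padding are this example's own simplifications.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not OpenSSL's code: a toy RFC 6520 heartbeat handler.
 * A heartbeat record is: type (1 byte), payload_length (2 bytes, big-endian),
 * payload, then at least 16 bytes of padding. The responder echoes the payload.
 * Heartbleed was the missing check that payload_length actually fits inside the
 * record that arrived; without it, the memcpy that builds the response reads
 * payload_length bytes past the end of the record, out of whatever the process
 * happens to hold in adjacent memory. */

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR_LEN   3    /* type + 2-byte length */
#define HB_PADDING   16   /* minimum padding required by RFC 6520 */

/* Build the echo response for a received record.
 * rec/rec_len: the bytes actually received (length taken from the record layer,
 *              not from the peer-controlled field inside the message).
 * out/out_cap: caller-supplied response buffer.
 * Returns the response length, or -1 if the record is rejected. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_PADDING)   /* cannot even hold header + padding */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;

    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check that was missing in OpenSSL 1.0.1 through 1.0.1f:
     * the claimed payload plus padding must lie within the received record.
     * RFC 6520 says a record failing this check must be discarded silently. */
    if (HB_HDR_LEN + payload_len + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = HB_HDR_LEN + payload_len + HB_PADDING;
    if (resp_len > out_cap)                   /* never overflow the response buffer either */
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);   /* now provably in bounds */
    memset(out + HB_HDR_LEN + payload_len, 0, HB_PADDING);     /* real code uses random padding */
    return (int)resp_len;
}

/* Zero-on-free, the mitigation Steve and dave discuss: wipe a buffer before it
 * goes back to the allocator, so a later over-read of recycled memory finds
 * zeros rather than keys, cookies or passwords. The volatile pointer keeps the
 * compiler from deleting the stores as dead just because free() follows.
 * Zero-on-alloc is the same idea from the other side: calloc() instead of malloc(). */
void secure_wipe(void *buf, size_t len)
{
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--)
        *p++ = 0;
}

void secure_free(void *buf, size_t len)
{
    if (buf == NULL)
        return;
    secure_wipe(buf, len);
    free(buf);
}

int main(void)
{
    /* Constructed records: a well-formed 5-byte "hello" heartbeat, and one whose
     * length field claims 65535 bytes while only 24 bytes were received. */
    uint8_t good[HB_HDR_LEN + 5 + HB_PADDING] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t bad [HB_HDR_LEN + 5 + HB_PADDING] = { HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];

    int n = heartbeat_respond(good, sizeof good, out, sizeof out);
    printf("well-formed record: response length %d, echoed \"%.5s\"\n",
           n, (const char *)(out + HB_HDR_LEN));

    n = heartbeat_respond(bad, sizeof bad, out, sizeof out);
    printf("oversized length field: %s\n", n < 0 ? "rejected" : "ACCEPTED (bug)");

    uint8_t *secret = malloc(32);
    memset(secret, 'A', 32);                  /* stands in for a session cookie */
    secure_wipe(secret, 32);
    printf("after secure_wipe, first byte = %d\n", secret[0]);
    free(secret);
    return 0;
}
```

The length check is the whole fix: the record layer already knows how many bytes arrived, so the peer's own length field is only trusted after it has been compared against that. The wipe routine is the complement dave's point calls for, since a clean allocator free does nothing about the bytes that remain in the address space.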
|
said by dave: Garbage collection is a function of the language, inasmuch as if the language has explicit allocation and deallocation of memory (as in C, C++), there is no need for a garbage collector, and if there is no deallocation method (as in Algol68, Java), you either have a garbage collector or you eventually run out
In the case of a binary compiled from 'C' (as an example), the native OS is providing the runtime environment just as a Java Virtual Machine (aka Java Runtime Environment) provides the runtime environment for a Java application. In the latter case, the JVM provides the garbage collection. In the former case the OS provides the garbage collection (you do realize that OS kernels perform their own garbage collection, yes?). The difference is when/how the de-allocated memory is made available for re-use by the application as well as how the RTE maintains efficiencies in future memory allocations.
|
gnome84 join:2014-04-12 Saint Paul, MN
said by Shady Bimmer: the native OS is providing the runtime environment
please don't bring your app pool into this
|
dave Premium Member join:2000-05-04 not in ohio 1 edit
to Shady Bimmer
This is way off topic, else I'd bore you with my experience with programming languages with and without garbage collectors, and with details of kernel dynamic memory allocation that is not garbage collection (Linux kmalloc/kfree, for example). The above Wikipedia link does indirectly point to an allegedly C-compatible collectable heap (the Boehm garbage collector) which might counter my earlier claim that GC is not really good for C, but I remain skeptical of its generality.
|
Steve (I know your IP address) join:2001-03-10 Tustin, CA
to Shady Bimmer
said by Shady Bimmer: In the case of a binary compiled from 'C' (as an example), the native OS is providing the runtime environment just as a Java Virtual Machine (aka Java Runtime Environment) provides the runtime environment for a Java application.
You're confusing garbage collection with memory management; they're not the same thing, and neither C nor the Linux kernel performs garbage collection, at least not by the definition that everybody else uses. If I free some memory ("Here, I don't need this any more"), the OS or the language or the runtime will put it back into the free pool, where it will be available for future allocations. It may also perform some coalescing of contiguous free blocks, such that if you free three blocks of 100 bytes each, it can turn them into a single 300-byte block that's available. But this is not garbage collection: GC is when the runtime (of whatever type) automatically figures out that a certain chunk of memory is no longer used and reclaims the memory without any intervention from the programmer (other than, perhaps, a call "Now would be a great time to make a GC run"). Automatic garbage collection in C is well nigh impossible, at least in the general case.
|
mackey Premium Member join:2007-08-20
to Finger2208
said by Finger2208: Now this one has me thinking. We currently have port 443 forwarded to our PS3. The PS3 is using a static LAN IP outside of the assigned range of DHCP. We do not have 8080 open for remote management, and have even turned off management via wireless. So is our setup extremely vulnerable? According to the router manufacturer they are not using OpenSSL...
As the router is doing nothing but passing the packets on to the PS3, what it's running is completely irrelevant - it needs to be running an SSL-enabled server to be affected. In your case it's the PS3 you need to be looking at.
/M
|
|
to KodiacZiller
said by KodiacZiller:
said by Link Logger: BS, I don't work for Microsoft and I can see the code, lots of non-Microsoft folks have asked for and have seen the code. Have you seen the recipe for KFC or Coke?
You could have fooled me (about working for MS). Everything you say is a positive spin for that company even in the face of overwhelming evidence to the contrary. Here you go:
» arstechnica.com/tech-pol ··· confirm/
and this:
» www.cnet.com/news/nsa-do ··· o-calls/
A quote from the top-secret NSA slides:
quote: "The audio portions of these sessions have been processed correctly all along, but without the accompanying video. Now, analysts will have the complete 'picture.'"
Check the dates from these articles: yours were the accusation, mine was the findings.
said by KodiacZiller: Referring to the fact that NSA has been able to spy on Skype calls "all along" and in 2012 got access to video calls.
And let's not forget about the patent Microsoft filed in 2009 in which they developed a technology to allow "wiretapping of VOIP."
It must be cool to live in your own fantasy world.
Which country do you live in, and if I get a court order to tap into whatever communication method you can name, do they have a way to allow a tap into a specific conversation, or do they just pop open the whole system and see everyone's conversations and data, which seems to be your preference given you don't want to prepare for the inevitable like Microsoft was (and everyone else has as well)? What color is the sky in your world? Really, if it's a communication medium, bad guys will use it and that means you're going to get court orders to tap in. Try to ignore those orders and let me know what happens in your world. Now as to abuses of such monitoring systems, I'm sure they happen, but then again paranoia isn't just a government problem in the US.
Blake
|
mackey Premium Member join:2007-08-20
to sivran
said by sivran: Both can potentially be true.
Case 1 is true for most users.
How is it only true for "most" users? If the router is not running an SSL-enabled server (VPN, remote management) then it's not vulnerable - period. As for case 2, it's going to depend on your definition of "open." If it's being passed on / forwarded to another device then no, the router is still not vulnerable. The device it's forwarding to, however...
/M
|
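Jelf8's question and mackey's answer above reduce to two things a home user or admin can actually check on a device they control: whether it terminates TLS itself (a VPN endpoint, an HTTPS admin page) rather than just forwarding port 443, and whether the OpenSSL it ships is a build from the affected range. The following shell script is an added example, not something posted in the thread or provided by the OpenSSL project. It classifies an `openssl version` string against the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g and later and the 0.9.8 and 1.0.0 branches never had the heartbeat bug) and reports on the local build. The function names and the constructed sample strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): classify an `openssl version` string as an
# affected Heartbleed build. Affected: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# Caveat: distributions backport fixes without bumping the version. Debian and
# Ubuntu shipped the fix as a patched 1.0.1e package, so `openssl version` on a
# fixed box still prints 1.0.1e. A match here therefore means "check the package
# changelog", not "definitely vulnerable".

heartbleed_version_affected() {
    # $1 is the whole output line of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
    # Split it on whitespace; the second word is the version.
    set -- $1
    raw=$2
    # 1.0.2-beta1 shipped with the bug; test it before the suffix is stripped below.
    case "$raw" in
        1.0.2-beta1) return 0 ;;
    esac
    # Drop any build suffix such as "-fips" or "-freebsd" before matching the base version.
    ver=${raw%%-*}
    case "$ver" in
        1.0.1|1.0.1[abcdef]) return 0 ;;   # 1.0.1 through 1.0.1f
    esac
    return 1
}

# Report on whatever OpenSSL binary is on this host (a router with a shell, a
# Linux box, the machine the forwarded port actually lands on).
report_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl binary not found; nothing to check"
        return 0
    fi
    v=$(openssl version)
    if heartbleed_version_affected "$v"; then
        echo "$v: version in the affected range; verify the package changelog for a backported fix"
    else
        echo "$v: version string not in the affected range"
    fi
}

# Constructed sample strings covering the edge cases: a plain affected build, the
# first fixed build, an old branch that never had the bug, the affected beta, and
# a FIPS-suffixed affected build.
for sample in "OpenSSL 1.0.1e 11 Feb 2013" \
              "OpenSSL 1.0.1g 7 Apr 2014" \
              "OpenSSL 0.9.8y 5 Feb 2013" \
              "OpenSSL 1.0.2-beta1 24 Feb 2014" \
              "OpenSSL 1.0.1e-fips 11 Feb 2013"; do
    if heartbleed_version_affected "$sample"; then
        echo "affected:     $sample"
    else
        echo "not affected: $sample"
    fi
done

report_local_openssl
```

The version string only answers half of Jelf8's question. For a router that merely forwards port 443, the result is irrelevant, as mackey says; it is the device behind the forward (here the PS3) whose software matters, and this script is meant to be run there, or on the router only if it exposes a TLS service of its own.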
gnome84 join:2014-04-12 Saint Paul, MN
to Steve
Your max clients and keep-alive would also factor into things.
A trap or a trace might provide visibility into what's in the fork's memory.
|
|
to Steve
said by Steve: You're confusing garbage collection with memory management; they're not the same thing, and neither C nor the Linux kernel perform garbage collection, at least not by the definition that everybody else uses.
No, I am not confusing the two. I did not say C provided any garbage collection. In fact I made just the opposite point. Yes, many modern kernels perform garbage collection. I am not confusing memory management with GC, though the two are related. I did specifically note a difference in how and when de-allocated memory is made available for re-use. I never indicated anything about explicit or implicit (automatic) "de-allocation". This is however very far off topic, and to be completely honest I really don't understand how a discussion over languages came in. There is good and poor development in all languages. There are thorough and lazy-ass developers using all languages. There are mistakes and bugs in all languages, and those cover all complexities from simple to extremely difficult. For what it is worth there are kernel developments that likely would have prevented this. They are in other (non-Linux) kernels with completely new VM systems and, while still not completely mature, they take an entirely new approach to heap usage and allocation. This too is getting off topic. There are also tools and libraries that have existed for decades that would help in cases like this during development and testing. Unfortunately they are expensive and rarely used by most open-source (note I did not say all) projects. And no, those are not 100% perfect either, but they are yet another tool in the chest that can help.
|
Shady Bimmer
to dave
said by dave: The above Wikipedia link does indirectly point to an allegedly C-compatible collectable heap (the Boehm garbage collector) which might counter my earlier claim that GC is not really good for C, but I remain skeptical of its generality.
Hmm. You read it on the internet so it must be true. Sorry, but I don't take Wikipedia as my authoritative reference and no, I was not referring to what is contained in that article. The concept of garbage collection is likely a bit older than most participants in this forum. Its purpose is to automate memory usage and allocation such that the programmer does not need to do so manually. It is primarily used with object-oriented programming since it becomes far simpler to track references, but it is not limited to these cases. Again - I am puzzled as to how this became a discussion over choice of language in the first place.
|
dave Premium Member join:2000-05-04 not in ohio 2 edits
1 recommendation
dave
Premium Member
2014-Apr-14 11:15 pm
said by Shady Bimmer: You read it on the internet so it must be true.
Your wording suggests that I do believe it is true, whereas I actually expressed skepticism. My previous statement was dismissal, then softened to 'well, maybe'.
said by Shady Bimmer: The concept of garbage collection is likely a bit older than most participants in this forum.
But not me.
|
|
to mackey
said by mackey: As the router is doing nothing but passing the packets on to the PS3 then what it's running is completely irrelevant - it needs to be running an SSL-enabled server to be affected. In your case it's the PS3 you need to be looking at.
Gotcha... thanks!!
|
|
cme01
Anon
2014-Apr-15 12:44 am
to cme01
Someone explain exactly what is going on....
|