dib22 join:2002-01-27 Kansas City, MO
2 recommendations
to cme01
Re: Heartbleed - zero day critical bug in OpenSSL
said by cme01: someone explain exactly what is going on....
xkcd.com #1354
siljaline I'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC
3 recommendations
to Zoder
Heartbleed disclosure timeline: who knew what and when » www.smh.com.au/it-pro/se ··· urk.html
GuruGuy Premium Member join:2002-12-16 Atlanta, GA
2014-Apr-15 9:45 am
Thanks for posting that! Great article.
siljaline I'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC
said by GuruGuy: Thanks for posting that! Great article.
You're welcome.
Steve I know your IP address join:2001-03-10 Tustin, CA
to siljaline
said by siljaline: Heartbleed disclosure timeline: who knew what and when
Most interesting to me:
quote: Wednesday, April 9 - Facebook and Microsoft donate $US15,000 to Neel Mehta via the Internet Bug Bounty program for finding the OpenSSL bug. Mehta gives the funds to the Freedom of the Press Foundation.
Microsoft uses OpenSSL? Maybe Xbox?
planet Member 2014-Apr-15 11:25 am
1 recommendation
said by Steve: Microsoft uses OpenSSL? Maybe Xbox?
Akamai??
sivran Vive Vivaldi Premium Member join:2003-09-15 Irving, TX
to mackey
Perhaps you should re-read my post, and consider it in its entirety before responding.
dib22 join:2002-01-27 Kansas City, MO
to Zoder
Looks like we can add OpenVPN to the worry pool... » arstechnica.com/security ··· eys-too/
quote: Private encryption keys have been successfully extracted multiple times from a virtual private network server running the widely used OpenVPN application with a vulnerable version of OpenSSL, adding yet more urgency to the call for operators to fully protect their systems against the catastrophic Heartbleed bug.
trparky Premium Member join:2000-05-24 Cleveland, OH ·AT&T U-Verse
to Zoder
Apparently the OpenBSD team has decided to take on OpenSSL's source code.
quote: Leading this effort are Ted Unangst (tedu@) and Miod Vallat (miod@), who are head-to-head on a pure commit count basis with both having around 50 commits in this part of the tree in the week since Ted's first commit in this area. They are followed closely by Joel Sing (jsing@) who is systematically going through every nook and cranny and applying some basic KNF. Next in line are Theo de Raadt (deraadt@) and Bob Beck (beck@) who've been both doing a lot of cleanup, ripping out weird layers of abstraction for standard system or library calls. ... All combined, there've been over 250 commits cleaning up OpenSSL. In one week.
» yro.slashdot.org/story/1 ··· n-a-week
DannyZ Gentoo Fanboy Premium Member join:2003-01-29 united state
2014-Apr-21 1:38 pm
Perhaps another Donation Drive for the fine folks at the OpenBSD team is in order again. » OpenSSH Donation Pledge Drive
trparky Premium Member join:2000-05-24 Cleveland, OH ·AT&T U-Verse
1 recommendation
2014-Apr-22 11:45 am
Yesterday Slashdot.org reported that the OpenBSD team had taken over much of the development of OpenSSL with several hundred commits. Well, today we are seeing what I figured would happen after the OpenBSD team took over... a project fork.
Not Just a Cleanup Any More: LibreSSL Project Announced
quote: As some of you may know, OpenBSD team have started cleaning up OpenSSL code base. LibreSSL is primarily developed by the OpenBSD Project, and its first inclusion into an operating system will be in OpenBSD 5.6. In the wake of Heartbleed, OpenBSD group is creating a simpler, cleaner version of the dominant OpenSSL. Theo de Raadt, founder and leader of the OpenBSD and OpenSSH, tells ZDNet that the project has already removed 90,000 lines of C code and 150,000 lines of content. The project further promises Multi OS support once they have proper funding and the right portability team in place. Please consider donating to support LibreSSL via OpenBSD foundation.
ironwalker World Renowned MVM join:2001-08-31 Keansburg, NJ
to Zoder
Bruce has a nice write-up with some good links proving this has been out in the wild over a year or so now. » www.schneier.com/blog/ar ··· eed.html
Some proof Justin, maybe what you're looking for, at » www.eff.org/deeplinks/20 ··· ber-2013
In any event I'd change passwords and certs, but that's me. Apparently the CAs are flooded now with requests.
Razzy12345 Anon 2014-Apr-23 1:55 pm
to Zoder
I had a great laugh about this last week... None of the Microsoft products/services/servers are affected. =) Made me smile ear to ear. (well of course if someone decided to install Apache instead of using IIS...)
Makes me think. NSA has also access to the MS SSL code, not only to the OpenSSL code. I bet they've investigated that code too. What did they find there and are not telling us or even Microsoft? For sure an independent researcher has a lot less chance of "rediscovering" it given the restrictive NDA needed to see that code.
said by Black Box: Makes me think. NSA has also access to the MS SSL code, not only to the OpenSSL code. I bet they've investigated that code too. What did they find there and are not telling us or even Microsoft? For sure an independent researcher has a lot less chance of "rediscovering" it given the restrictive NDA needed to see that code.
They have probably uncovered a lot of bugs they aren't telling anyone about. Their SIGINT arm has more power than their COMSEC arm. If there is a viable exploit they can use, it is fair to assume they will use it for offensive purposes rather than contact the vendor/maintainer. It is also known (according to Snowden docs) that they buy exploits off the grey market. The bottom line is that the best we can hope for is keeping our computers (somewhat) secure against common script kiddies. We will never be secure against well funded state actors like NSA (or criminal groups). That's just the way it is and I don't see it changing. Computers are just too easy to exploit.
norwegian Premium Member join:2005-02-15 Outback 1 edit
said by KodiacZiller: The digital world is Computers are just too easy to exploit.
I've thrown my view on your statement. This is affecting anyone using an electronic Internet based product I would think, not just computers, even though its roots seem to be based initially on web servers when it went public.
to KodiacZiller
said by KodiacZiller:
said by Black Box: Makes me think. NSA has also access to the MS SSL code, not only to the OpenSSL code. I bet they've investigated that code too. What did they find there and are not telling us or even Microsoft? For sure an independent researcher has a lot less chance of "rediscovering" it given the restrictive NDA needed to see that code.
They have probably uncovered a lot of bugs they aren't telling anyone about. Their SIGINT arm has more power than their COMSEC arm. If there is a viable exploit they can use, it is fair to assume they will use it for offensive purposes rather than contact the vendor/maintainer. It is also known (according to Snowden docs) that they buy exploits off the grey market.
That's exactly my point. The 20% that pat themselves on the back for dodging the Heartbleed bullet may be happily walking in a hail of fire without even knowing it.
deke40 Premium Member join:2003-01-23 Texas
to Zoder
I didn't go back and read all 8 pages so hope this is not a repeat. Probably says the same thing as the one posted by dib22 but in more detail. Pretty good but still over my head. » www.wimp.com/heartbleedcode/