
dib22 (Member, Kansas City, MO, joined 2002-01-27) to cme01
2 recommendations

Re: Heartbleed - zero day critical bug in OpenSSL

said by cme01:

someone explain exactly what is going on....


xkcd.com #1354

siljaline ("I'm lovin' that double wide", Premium Member, Montreal, QC, joined 2002-10-12) to Zoder
3 recommendations
Heartbleed disclosure timeline: who knew what and when

»www.smh.com.au/it-pro/se ··· urk.html

GuruGuy (Premium Member, Atlanta, GA, joined 2002-12-16)

said by siljaline:

Heartbleed disclosure timeline: who knew what and when

»www.smh.com.au/it-pro/se ··· urk.html

Thanks for posting that! Great article.

siljaline ("I'm lovin' that double wide", Premium Member, Montreal, QC, joined 2002-10-12)

said by GuruGuy:

Thanks for posting that! Great article.

You're welcome.

Steve ("I know your IP address", Tustin, CA, joined 2001-03-10) to siljaline
said by siljaline:

Heartbleed disclosure timeline: who knew what and when

Most interesting to me:
quote:
Wednesday, April 9 - Facebook and Microsoft donate $US15,000 to Neel Mehta via the Internet Bug Bounty program for finding the OpenSSL bug. Mehta gives the funds to the Freedom of the Press Foundation.

Microsoft uses OpenSSL? Maybe Xbox?

planet (Member, Oz, joined 2001-11-05)
1 recommendation

said by Steve:

Microsoft uses OpenSSL? Maybe Xbox?

Akamai??

sivran ("Vive Vivaldi", Premium Member, Irving, TX, joined 2003-09-15) to mackey
Perhaps you should re-read my post, and consider it in its entirety before responding.

dib22 (Member, Kansas City, MO, joined 2002-01-27) to Zoder
Looks like we can add OpenVPN to the worry pool...

»arstechnica.com/security ··· eys-too/
quote:
Private encryption keys have been successfully extracted multiple times from a virtual private network server running the widely used OpenVPN application with a vulnerable version of OpenSSL, adding yet more urgency to the call for operators to fully protect their systems against the catastrophic Heartbleed bug.
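
The mechanism behind that key extraction, as an added illustration that is not part of this thread or of OpenSSL's own source: a simulated TLS heartbeat handler written the way OpenSSL 1.0.1 through 1.0.1f handled it (trusting the attacker-supplied payload length) beside the same handler with the record-length check that 1.0.1g added. The "process memory" array, the fake key fragment placed in it, and all function names are constructed for the demonstration; in a real server the over-read pulls whatever heap memory happens to follow the record, which is how private keys came out of the OpenVPN server above.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed stand-in for the server's process memory. The incoming record is
 * placed at the start; a fake key fragment sits a little further along, the way
 * a real private key could sit near a record buffer on the heap. */
static unsigned char g_mem[512];
static const char g_secret[] = "-----BEGIN RSA PRIVATE KEY----- (constructed, not a real key)";

/* Write a heartbeat request into g_mem whose header *claims* `declared` payload
 * bytes but which actually carries only `actual` bytes. Returns the true record
 * length (what the TLS record layer knows), or 0 if it would not fit. */
size_t build_record(uint16_t declared, size_t actual) {
    size_t rec_len = 1 + 2 + actual + HB_PADDING;
    size_t secret_off = rec_len + 64;
    if (secret_off + sizeof g_secret > sizeof g_mem) return 0;
    memset(g_mem, 0, sizeof g_mem);
    g_mem[0] = HB_REQUEST;
    g_mem[1] = (unsigned char)(declared >> 8);
    g_mem[2] = (unsigned char)(declared & 0xff);
    memset(g_mem + 3, 'A', actual);                 /* payload actually sent */
    memset(g_mem + 3 + actual, 0x42, HB_PADDING);   /* padding */
    memcpy(g_mem + secret_off, g_secret, sizeof g_secret);
    return rec_len;
}

/* Vulnerable handler: copies `payload_length` bytes without ever comparing it to
 * the record length. In this simulation the over-read stays inside g_mem. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;                                   /* never consulted: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);               /* reads past the real record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + (size_t)payload + HB_PADDING;
}

/* Hardened handler: a request whose declared payload does not fit inside the
 * record is silently discarded, as RFC 6520 requires. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;      /* too short to be valid */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0;  /* the missing check */
    if ((size_t)1 + 2 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + (size_t)payload + HB_PADDING;
}

/* Portable substring search: does the response carry the constructed secret? */
int response_leaks_secret(const unsigned char *resp, size_t n) {
    size_t slen = sizeof g_secret - 1;               /* exclude the NUL */
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(resp + i, g_secret, slen) == 0) return 1;
    return 0;
}

/* Convenience wrappers: run one crafted request through each handler. */
int vulnerable_leaks(uint16_t declared, size_t actual) {
    unsigned char out[512];
    size_t n = heartbeat_vulnerable(g_mem, build_record(declared, actual), out, sizeof out);
    return response_leaks_secret(out, n);
}
size_t vulnerable_response_len(uint16_t declared, size_t actual) {
    unsigned char out[512];
    return heartbeat_vulnerable(g_mem, build_record(declared, actual), out, sizeof out);
}
size_t fixed_response_len(uint16_t declared, size_t actual) {
    unsigned char out[512];
    return heartbeat_fixed(g_mem, build_record(declared, actual), out, sizeof out);
}

int main(void) {
    /* Attacker claims 200 payload bytes but sends 5. */
    printf("vulnerable: %zu-byte response, secret leaked: %s\n",
           vulnerable_response_len(200, 5), vulnerable_leaks(200, 5) ? "yes" : "no");
    printf("fixed: %zu-byte response (0 = request discarded)\n", fixed_response_len(200, 5));
    printf("fixed, honest 5-byte request: %zu-byte response\n", fixed_response_len(5, 5));
    return 0;
}
```

The response length is what makes the bug useful to an attacker: with a 16-bit length field each request can return up to 64 KB of neighbouring memory, and nothing in the protocol stops the client from asking again with the next request.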


trparky (Premium Member, Cleveland, OH, AT&T U-Verse, joined 2000-05-24) to Zoder
Apparently the OpenBSD team has decided to take on OpenSSL's source code. Leading this effort are Ted Unangst (tedu@) and Miod Vallat (miod@), who are head-to-head on a pure commit count basis with both having around 50 commits in this part of the tree in the week since Ted's first commit in this area. They are followed closely by Joel Sing (jsing@) who is systematically going through every nook and cranny and applying some basic KNF. Next in line are Theo de Raadt (deraadt@) and Bob Beck (beck@) who've been both doing a lot of cleanup, ripping out weird layers of abstraction for standard system or library calls. ... All combined, there've been over 250 commits cleaning up OpenSSL. In one week.

»yro.slashdot.org/story/1 ··· n-a-week

DannyZ ("Gentoo Fanboy", Premium Member, united state, joined 2003-01-29)

Perhaps another Donation Drive for the fine folks at the OpenBSD team is in order again. »OpenSSH Donation Pledge Drive

trparky (Premium Member, Cleveland, OH, AT&T U-Verse, joined 2000-05-24)
1 recommendation

Yesterday Slashdot.org reported that the OpenBSD team had taken over much of the development of OpenSSL with several hundred commits. Well, today we are seeing what I figured would happen after the OpenBSD team took over... a project fork.

Not Just a Cleanup Any More: LibreSSL Project Announced
quote:
As some of you may know, the OpenBSD team has started cleaning up the OpenSSL code base. LibreSSL is primarily developed by the OpenBSD Project, and its first inclusion into an operating system will be in OpenBSD 5.6. In the wake of Heartbleed, the OpenBSD group is creating a simpler, cleaner version of the dominant OpenSSL. Theo de Raadt, founder and leader of OpenBSD and OpenSSH, tells ZDNet that the project has already removed 90,000 lines of C code and 150,000 lines of content. The project further promises multi-OS support once they have proper funding and the right portability team in place. Please consider donating to support LibreSSL via the OpenBSD Foundation.

ironwalker ("World Renowned", MVM, Keansburg, NJ, joined 2001-08-31) to Zoder
Bruce has a nice write-up with some good links proving this has been out in the wild for over a year or so now.
»www.schneier.com/blog/ar ··· eed.html
Some proof, justin, maybe what you're looking for, at
»www.eff.org/deeplinks/20 ··· ber-2013

In any event I'd change passwords and certs, but that's me.
Apparently the CAs are flooded now with requests.

Razzy12345 (Anon, @rr.com) to Zoder
I had a great laugh about this last week... None of the Microsoft products/services/servers are affected. =) Made me smile ear to ear. (well of course if someone decided to install Apache instead of using IIS...)

Black Box (Member, joined 2002-12-21)

Makes me think. NSA also has access to the MS SSL code, not only to the OpenSSL code. I bet they've investigated that code too. What did they find there and are not telling us or even Microsoft? For sure an independent researcher has a lot less chance of "rediscovering" it given the restrictive NDA needed to see that code.

KodiacZiller (Premium Member, 73368, joined 2008-09-04)

said by Black Box:

Makes me think. NSA also has access to the MS SSL code, not only to the OpenSSL code. I bet they've investigated that code too. What did they find there and are not telling us or even Microsoft? For sure an independent researcher has a lot less chance of "rediscovering" it given the restrictive NDA needed to see that code.

They have probably uncovered a lot of bugs they aren't telling anyone about. Their SIGINT arm has more power than their COMSEC arm. If there is a viable exploit they can use, it is fair to assume they will use it for offensive purposes rather than contact the vendor/maintainer. It is also known (according to Snowden docs) that they buy exploits off the grey market.

The bottom line is that the best we can hope for is keeping our computers (somewhat) secure against common script kiddies. We will never be secure against well funded state actors like NSA (or criminal groups). That's just the way it is and I don't see it changing. Computers are just too easy to exploit.

norwegian (Premium Member, Outback, joined 2005-02-15)
1 edit

said by KodiacZiller:

The digital world is Computers are just too easy to exploit.

I've thrown my view on your statement.
This is affecting anyone using an electronic Internet-based product, I would think, not just computers, even though its roots seem to be based initially on web servers when it went public.

Black Box (Member, joined 2002-12-21) to KodiacZiller
said by KodiacZiller:

said by Black Box:

Makes me think. NSA also has access to the MS SSL code, not only to the OpenSSL code. I bet they've investigated that code too. What did they find there and are not telling us or even Microsoft? For sure an independent researcher has a lot less chance of "rediscovering" it given the restrictive NDA needed to see that code.

They have probably uncovered a lot of bugs they aren't telling anyone about. Their SIGINT arm has more power than their COMSEC arm. If there is a viable exploit they can use, it is fair to assume they will use it for offensive purposes rather than contact the vendor/maintainer. It is also known (according to Snowden docs) that they buy exploits off the grey market.

That's exactly my point. The 20% that pat themselves on the back for dodging the heartbleed bullet may be happily walking in a hail of fire without even knowing it.

deke40 (Premium Member, Texas, joined 2003-01-23) to Zoder
I didn't go back and read all 8 pages so hope this is not a repeat.

Probably says the same thing as the one posted by dib22 but in more detail.

Pretty good but still over my head.

»www.wimp.com/heartbleedcode/