Heartbleed
Posted 4/10/14

Phersu wrote:

Bleed me dry.

LOL
Posted 4/10/14
I read that two of the biggest manufacturers of network equipment said that some of their products also contain the bug, meaning the flaw affects some routers, switches and firewalls used in businesses and homes, and that these devices will be more difficult to fix since the first step in the process may involve a trash can. I wonder if Heartbleed was born out of the NSA's need to have a backdoor into the Internet.
Posted 4/10/14 , edited 4/10/14

trinkit wrote:

I wonder if Heartbleed was born out of the NSA's need to have a backdoor into the Internet.

Hmmm...supposedly not. The man responsible for the bug recently spoke out:

- Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately
- http://www.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html

The German software developer who introduced a security flaw into an encryption protocol used by millions of websites globally says he did not insert it deliberately as some have suggested.

In what appears to be his first comments to the media since the bug was uncovered, Robin Seggelmann said how the bug made its way into live code could "be explained pretty easily".

Mr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was "unfortunately" missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.

"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," he said.

"In one of the new features, unfortunately, I missed validating a variable containing a length."

After he submitted the code, a reviewer "apparently also didn’t notice the missing validation", Mr Seggelmann said, "so the error made its way from the development branch into the released version." Logs show that reviewer was Dr Stephen Henson.

Mr Seggelmann said the error he introduced was "quite trivial", but acknowledged that its impact was "severe".

Of course, the guy could be lying or doing your basic "CYA".
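The "missing validation of a variable containing a length" that Seggelmann describes, shown as an added example that is not code from this thread or from OpenSSL: a compact model of a heartbeat handler in its vulnerable shape beside the same handler with the bounds check that was missing. The arena, the SECRET string, the request builder and the handler names are constructed for the demonstration; the real OpenSSL code and its heap layout differ, and the point is only that a length taken from the packet was used for a memcpy without being compared with the number of bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from the TLS heartbeat extension (RFC 6520). */
#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_HDR_LEN        3    /* type (1 byte) + payload_length (2 bytes) */
#define HB_MIN_PADDING   16    /* minimum padding that follows the payload */

/* Constructed stand-in for the record buffer and whatever the heap holds
 * right after it. OpenSSL's real layout differs; this only needs some other
 * data sitting after the request so that an over-read becomes visible. */
#define ARENA_SIZE 512
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "session-cookie=deadbeef";   /* constructed */

static uint16_t n2s(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void s2n(uint16_t v, unsigned char *p) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }

/* Write [type][claimed length][actual payload][padding] at the start of the
 * arena, then SECRET right after it. A malicious peer sets claimed > actual.
 * Returns the number of bytes that were actually "received". */
static size_t build_request(uint16_t claimed, const char *payload, size_t actual) {
    unsigned char *p = arena;
    memset(arena, 0, sizeof arena);
    *p++ = TLS1_HB_REQUEST;
    s2n(claimed, p); p += 2;
    memcpy(p, payload, actual); p += actual;
    memset(p, 0x00, HB_MIN_PADDING); p += HB_MIN_PADDING;
    memcpy(p, SECRET, sizeof SECRET);          /* "adjacent" heap contents */
    return (size_t)(p - arena);
}

/* Vulnerable shape: the length field read from the packet is never compared
 * against the number of bytes that actually arrived. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap) {
    (void)rec_len;                            /* never consulted: that is the bug */
    if (rec[0] != TLS1_HB_REQUEST) return -1;
    uint16_t payload = n2s(rec + 1);
    size_t resp_len = HB_HDR_LEN + (size_t)payload + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;        /* stands in for the exact-size allocation */
    out[0] = TLS1_HB_RESPONSE;
    s2n(payload, out + 1);
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload);   /* reads past the request */
    memset(out + HB_HDR_LEN + payload, 0, HB_MIN_PADDING);
    return (int)resp_len;
}

/* Fixed shape: a request whose claimed payload plus header and padding
 * exceeds what was received is silently discarded. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HDR_LEN || rec[0] != TLS1_HB_REQUEST) return -1;
    uint16_t payload = n2s(rec + 1);
    if (HB_HDR_LEN + (size_t)payload + HB_MIN_PADDING > rec_len) return -1;  /* the missing check */
    size_t resp_len = HB_HDR_LEN + (size_t)payload + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = TLS1_HB_RESPONSE;
    s2n(payload, out + 1);
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload);   /* now inside rec_len */
    memset(out + HB_HDR_LEN + payload, 0, HB_MIN_PADDING);
    return (int)resp_len;
}

static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* 4-byte "ping" with a claimed length of 64: returns 1 if the response carries SECRET. */
int demo_vulnerable_leaks(void) {
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_request(64, "ping", 4);
    int n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, SECRET);
}

/* The same malformed request against the fixed handler: returns -1 (discarded). */
int demo_fixed_rejects(void) {
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_request(64, "ping", 4);
    return heartbeat_fixed(arena, rec_len, out, sizeof out);
}

/* An honest request (claimed == actual) still gets echoed: returns the response length. */
int demo_fixed_echoes(void) {
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_request(4, "ping", 4);
    int n = heartbeat_fixed(arena, rec_len, out, sizeof out);
    return (n > 0 && contains(out, (size_t)n, "ping") && !contains(out, (size_t)n, SECRET)) ? n : -1;
}

int main(void) {
    printf("vulnerable handler leaks the adjacent secret: %d\n", demo_vulnerable_leaks());
    printf("fixed handler on the malformed request: %d\n", demo_fixed_rejects());
    printf("fixed handler response length on an honest request: %d\n", demo_fixed_echoes());
    return 0;
}
```

The attacker never chooses what comes back, only how many bytes: that is why the reply is "random chunks of memory" rather than a targeted read, and why a real peer repeats the request many times and sifts the responses for key material and session data.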
Posted 4/10/14
Sychop wrote:

Phersu wrote:

Bleed me dry.

LOL

I LOL at his lol
Posted 4/11/14

I wonder if Heartbleed was born out of the NSA's need to have a backdoor into the Internet.

I think it's unlikely in most cases that the NSA would be interested, because, as Mr Seggelmann points out, it returns random chunks of memory.
It could be done but it seems pretty expensive considering other tools in NSA's toolbox that have been revealed.

uninitialized buffers FTL.
Posted 4/11/14 , edited 4/11/14
Just to let you people know, the question about Crunchyroll being vulnerable has already been answered on the Help section. http://www.crunchyroll.com/forumtopic-845787/admins-heartbleed-vulnerability

Furthermore, from what I've read, the information that LastPass gives at the moment isn't completely right. They check the certificate creation date to tell whether a site has already been patched or not, but apparently updating a cert doesn't necessarily change the creation date. The site mentioned by Hairbelly (http://filippo.io/Heartbleed/) is more reliable, since it tests the site actively rather than passively.
Posted 4/11/14 , edited 4/11/14
Woaaaaaaaaaahhhhhhhh

Redtube

I'm in big trouble, papa bear.

Phersu, that isn't funny if you're smart.
Posted 4/11/14

trinkit wrote:

I wonder if Heartbleed was born out of the NSA's need to have a backdoor into the Internet.

Just read this today. Somewhat related...

Sources: NSA knew for at least 2 years about Heartbleed bug, used it to gather intelligence (Bloomberg)
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.
Sailor Candy Moderator
Posted 12/28/15
"Year-end cleanup. Closing threads with no activity since 2014."