The "Heartbleed Bug" -- new cyber threat. All you techy types, please weigh in.

heza

I'm troubled that I use several of the big services named and I have received no email of any kind from anyone about changing my password or watching for suspicious activity....
 

William Haskins

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.
http://www.bloomberg.com/news/2014-...e-used-heartbleed-bug-exposing-consumers.html
 

kuwisdelu

But if the NSA has been exploiting Heartbleed for “at least two years,” the agency would have needed to discover it not long after the code for the TLS Heartbeat Extension was added to OpenSSL 1.0.1, which was released on March 14, 2012. The first “beta” source code wasn’t available until January 3, 2012.

That means that the agency would have had to learn of the flaw in the code within days of its full release at the latest. While not impossible, that possibility seems highly unlikely unless the NSA dedicated resources to follow the project while in development, watched changes in code, and did ongoing extensive analysis. According to budget documents published by the Washington Post in August 2013, the NSA spent $25 million in 2013 on zero-day exploits from “private vendors.”

http://arstechnica.com/security/2014/04/nsa-used-heartbleed-nearly-from-the-start-report-claims/
 

kuwisdelu

I'll wait to believe it until we get a better source.

The NSA would have to have been watching OpenSSL pretty closely to find the bug so quickly — which is not unlikely.

If they really did know about it, I'd say that's worse than just about everything else we know they've done combined.

It would be reckless endangerment of American businesses and citizens.

They'd be culpable for putting national security at risk rather than defending it.
 

Torgo

> I'll wait to believe it until we get a better source.
>
> The NSA would have to have been watching OpenSSL pretty closely to find the bug so quickly — which is not unlikely.
>
> If they really did know about it, I'd say that's worse than just about everything else we know they've done combined.
>
> It would be reckless endangerment of American businesses and citizens.
>
> They'd be culpable for putting national security at risk rather than defending it.

I wouldn't be remotely surprised that they

a) realised the significance of the exploit years ago and have been merrily slurping whatever they could get

b) have just realised the significance of the exploit, but have slurped so much relevant data that they can retrospectively check it out for useful tidbits
 

benbradley

NSA denies knowing about Heartbleed:
“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong,” NSA spokesperson Vanee’ Vines told TIME.
http://time.com/60082/nsa-heartbleed-bug-denial/
 

kuwisdelu

> NSA denies knowing about Heartbleed

Yeah, that's in the story I quoted too, but I figured it was so irrelevant I didn't bother quoting that part.

Whether they did or didn't, what else are they going to say?
 

benbradley

> Yeah, that's in the story I quoted too, but I figured it was so irrelevant I didn't bother quoting that part.
>
> Whether they did or didn't, what else are they going to say?
I suppose NSA's choice is to deny it or to be silent.

It does seem it was quite fast in denying it, almost as if the denial were pre-written.
 

William Haskins

WASHINGTON — Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.

But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.

The White House has never publicly detailed Mr. Obama’s decision, which he made in January as he began a three-month review of recommendations by a presidential advisory committee on what to do in response to recent disclosures about the National Security Agency.

http://www.nytimes.com/2014/04/13/u...xploit-some-internet-flaws-officials-say.html
 

kuwisdelu

I think it is understandable that not every vulnerability should get disclosed publicly as soon as it is discovered. Sometimes that is necessary for the greater good of security.

What should not happen is keeping vulnerabilities secret from the software writers, too. There needs to be cooperation and communication there.

If the NSA knew about this, they should have told the OpenSSL guys. If they wanted to exploit it against a legitimate threat, they should have asked for the cooperation of the OpenSSL team. It should have been at the discretion of the OpenSSL team what to do.

If the NSA expects any kind of cooperation in the future, they need to foster good faith in the tech community.

They have actively done the opposite.
 

Williebee

Hey, just to say:

> This is also a golden opportunity for phishing, so when you get emails telling you to change your password, DO CHECK that they're legit. You don't want to follow a link to something that only looks like your online banking site, and hand over all your credentials.

In my professional opinion:

The bug's a real thing. Even if it wasn't, it's a healthy reminder of paying attention to our own online safety.

We should be changing our passwords regularly anyway. (pot meet kettle)

But the quoted passage above? That's where the casual/naive internet user is likely to get bit in the coming weeks and months. Encouraging people to read and think before clicking is an "always on" mission.
 

benbradley

> In my professional opinion:
>
> The bug's a real thing. Even if it wasn't, it's a healthy reminder of paying attention to our own online safety.
>
> We should be changing our passwords regularly anyway. (pot meet kettle)
>
> But the quoted passage above? That's where the casual/naive internet user is likely to get bit in the coming weeks and months. Encouraging people to read and think before clicking is an "always on" mission.
I've known people who do not know how to type a domain into the address bar of a browser (if anything, they type keywords of what they want, and rather than erroring out, the browser does a search on the keywords and opens the first result - they get what they want most of the time, so they believe they did the right thing). They don't know the difference between clicking on a popup ad, clicking a link in an email, or whatnot. These people can be told to "think" and "be careful", but they don't have the basic knowledge to make such statements helpful.

I'm concerned that it takes too little knowledge to be able to do a first-approximation of negotiating the Web.
 

PeteMC

Given that Heartbleed has been in the wild for over two years now, if the NSA really didn't know about it until it went public I think the American people ought to be asking for a refund of their govt funding....
 

thothguard51

List of companies that have patched the Heartbleed OpenSSL issue...

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

If you pull up the list you will see Dropbox and Wordpress are on the list, but Wordpress is rather unclear if there is a fix...

Also, most of Google's services were affected but not Chrome...
 

PeteMC

So, in brief summary - regulated financial organisations don't use OpenSSL (largely due to mostly having their IT outsourced to people who know better). This is good to know. Instagram/Pinterest/Tumblr...not so much. Google, shame on you. Yahoo - do you still exist??
 

benbradley

> So, in brief summary - regulated financial organisations don't use OpenSSL (largely due to mostly having their IT outsourced to people who know better).
I'd suspect it's so they have a private entity to sue and place the blame on if such a bug were found in THEIR SSL software.
 

PeteMC

Exactly, which is a big part of the definition of "knowing better". Proprietary software often (usually?) isn't any better than open source, but it does give you a vendor's throat to choke if it goes wrong.
 

Torgo

Isn't it generally a good idea to use open-source crypto? In that you're not relying on security through obscurity, but on stuff that is exposed to the scrutiny of everyone?
 

PeteMC

For small businesses yes, probably. Big companies (banks, insurance companies etc) need to have contractual support contracts, service level agreements, penalty clauses etc with software vendors and service providers, and you don't get that with open source products. Well you sort of do with RHEL etc, but that's not the same thing.
 

robjvargas

> Isn't it generally a good idea to use open-source crypto? In that you're not relying on security through obscurity, but on stuff that is exposed to the scrutiny of everyone?

I think that's overblown. Look at this issue. It passed at least two levels of scrutiny and stood for two+ years.

There is, however, some truth to what you said as well.

Using open source software allows you as a client to examine the code for yourself, and to customize it. Software that uses the GPL licensing also enables (and demands, to an extent) sharing among users. And I believe that OpenSSL, the software affected here, uses GPL.

Open source software has its place. I like Microsoft's SQL, but MySQL and even PostgreSQL open source database software powers some of the largest databases on the planet.

There's no reason to deny open source software. Vendors are out there who will provide the same assurance of support and coverage as with closed-source (proprietary) software. And in some cases even more, since those vendors are free to change the software code to suit a particular need.

But Heartbleed should remind us all that no one method is perfect.
 

robjvargas

It's a bit technical, but here's a decent article on one acknowledged attack using the Heartbleed vulnerability.

Basically, by using this attack, a hacker was able to hijack VPN sessions in progress and bypass two-factor authentication.

According to a DarkReading flash poll, as of Friday, 60 percent of respondents said they've installed Heartbleed fixes on servers, although only about 40 percent said they'd replace digital certificates, and just 30 percent planned to force users to change their passwords.

I'm not real happy with that. The password thing, primarily.
 

PeteMC

On the face of it that's pretty crappy, but who were the respondents? Big companies usually won't even answer questions like that, and if they do it's only to demonstrate to their customers that all is well. If the "comments admin" on MomAndPopsGrocercyBlog.com isn't making users change their password.... does it really matter?

Because no one uses the same password for every site they visit, right? Right? ;)