Heartbleed bug OpenSSL

Discussion in 'Off-Topic' started by praondevou, Apr 9, 2014.

  1. praondevou

    Thread Starter AAC Fanatic!

    Jul 9, 2011
    2,936
    488
  2. ActivePower

    Member

    Mar 15, 2012
    155
    23
    Well, I was going to post about the Heartbleed bug on here myself and you beat me to it. There has been extensive discussion of this on Hacker News and Reddit. Apparently a missing bounds-check in an extension made up to 64k of data vulnerable on a connected server/client per transaction.

    It has probably been fixed though. This offers up some more information and here's a xkcd comic on it.
     
    Last edited: Apr 9, 2014
  3. Metalmann

    Active Member

    Dec 8, 2012
    700
    223
    Sometimes, I think those damned bugs, viruses, trojans; are created by the software anti-malware companies.
     
    PackratKing likes this.
  4. joeyd999

    AAC Fanatic!

    Jun 6, 2011
    2,682
    2,743
    OpenSSL is not a "company" -- nor would it be influenced by an anti-malware company. It is developed under the "bazaar" model like most free (as in freedom) software. The source code is downloadable for review and/or modification, under the theory that "many eyes make bugs shallow". Most times, bugs are caught and squashed quickly. This is one that got away. Nobody's perfect.
     
  5. JoeJester

    AAC Fanatic!

    Apr 26, 2005
    3,373
    1,159
    Free .... you get what you pay for.....
     
  6. JoeJester

    AAC Fanatic!

    Apr 26, 2005
    3,373
    1,159
    You make a great leap of faith that those that download it fully vetted the module prior to activation, including finding any malware.

    Obviously, the application wasn't fully vetted.

    This malware worked as fully intended by the author. How many "experts" used this "as is" without vetting? We will never know.

    This incident "stained the soul" of OpenSource with respect to SSL.
     
  7. joeyd999

    AAC Fanatic!

    Jun 6, 2011
    2,682
    2,743
    The process works more often than it doesn't. Free software has a far better record regarding vulnerabilities than proprietary software.

    Who said anything about malware? This was a buffer overflow...a programming mistake. And it was caught, eventually. And the author of the "malware"? Had this been intentional, he could easily be tracked down from the code commits.

    Methinks thou doth protest too much.
     
  8. nsaspook

    AAC Fanatic!

    Aug 27, 2009
    2,908
    2,169
    As opposed to large closed-source companies and " " who actually protect our privacy. :cool:
    http://www.heise.de/tp/artikel/5/5263/1.html
    http://bits.blogs.nytimes.com/2013/...ryption-standards/?_php=true&_type=blogs&_r=0

    http://security.stackexchange.com/q...ng-heartbeat-to-ssl-and-who-proposed-its-form

    http://vimeo.com/91425662
    An input validation bug and a buffer exploit, sounds like the same attack vector for thousands of Windows based malware. Taken at face value it's a dumb stupid bug inserted by a programming expert who should know better.
     
    Last edited: Apr 13, 2014
  9. JoeJester

    AAC Fanatic!

    Apr 26, 2005
    3,373
    1,159
    How many stolen identities are required for you to acknowledge the scale of this screw up? More often than not is not a very good metric.
     
  10. nsaspook

    AAC Fanatic!

    Aug 27, 2009
    2,908
    2,169
    On a scale from 1 to 10 it's an 8 from the standpoint of a possible security leak but none of the closed-source vendors has a great track record either and the US government has not been helpful in the past when they find problems that they can use.
    http://www.nytimes.com/2014/04/13/u...xploit-some-internet-flaws-officials-say.html
     
  11. GopherT

    AAC Fanatic!

    Nov 23, 2012
    6,049
    3,813
    Heartbleed is not really a virus, it is a flaw in software / variable return values. See comic below to see how it works...
    from http://xkcd.com/1354/

    EDIT:sorry ActivePower - I see now that you posted this link earlier...

     
    MrChips likes this.
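    The "missing bounds-check" that ActivePower mentions above, and the mechanism the linked xkcd comic illustrates, in a toy C model. This is an added example, not code from this thread or from OpenSSL: it assumes the RFC 6520 heartbeat layout (type, two-byte payload_length, payload, padding), a constructed "process memory" arena in which a fake secret happens to sit next to the received record, and a `rrec_len` value standing in for the length the TLS record layer actually received. The vulnerable handler trusts the length field inside the message; the fixed handler applies the same kind of check OpenSSL added (claimed length plus header plus padding must fit in the received record).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the Heartbleed class of bug (added example, not OpenSSL's code).
 * Heartbeat message layout (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 */
#define HB_PAD     16
#define ARENA_SIZE 128

/* Constructed "process memory": the received record sits at offset 0 and
 * unrelated data (a fake, labelled secret) happens to follow it on the heap.
 * Returns the number of bytes that were really received (rrec_len). */
static size_t build_arena(uint8_t *arena) {
    const char *payload = "HAT";                    /* real payload: 3 bytes */
    size_t plen = strlen(payload);
    size_t rrec_len = 1 + 2 + plen + HB_PAD;        /* 22 bytes actually arrived */
    memset(arena, 0, ARENA_SIZE);                   /* padding bytes stay zero */
    arena[0] = 1;                                   /* heartbeat_request */
    arena[1] = 0x00; arena[2] = 0x40;               /* CLAIMED payload_length = 64 */
    memcpy(arena + 3, payload, plen);
    const char *neighbour = "session_key=CONSTRUCTED-SECRET-0000";  /* constructed */
    memcpy(arena + rrec_len, neighbour, strlen(neighbour));
    return rrec_len;
}

/* Vulnerable handler: copies payload_length bytes starting at the payload
 * without ever comparing it to rrec_len. The clamp to ARENA_SIZE exists only
 * so this toy stays within defined behaviour; the real bug had no such bound.
 * Returns the number of bytes placed in the response. */
static int heartbeat_vulnerable(const uint8_t *arena, size_t rrec_len, uint8_t *out) {
    (void)rrec_len;                                 /* never consulted: the bug */
    size_t payload_len = ((size_t)arena[1] << 8) | arena[2];
    if (3 + payload_len > ARENA_SIZE) payload_len = ARENA_SIZE - 3;
    memcpy(out, arena + 3, payload_len);
    return (int)payload_len;
}

/* Fixed handler: reject the request when the claimed length does not fit in
 * the record that was actually received. Returns -1 and sends nothing. */
static int heartbeat_fixed(const uint8_t *arena, size_t rrec_len, uint8_t *out) {
    size_t payload_len = ((size_t)arena[1] << 8) | arena[2];
    if (1 + 2 + payload_len + HB_PAD > rrec_len) return -1;
    memcpy(out, arena + 3, payload_len);
    return (int)payload_len;
}

/* 1 if the response bytes contain the neighbouring fake secret, else 0. */
static int response_leaks_secret(const uint8_t *out, int n) {
    const char *needle = "CONSTRUCTED-SECRET";
    size_t nl = strlen(needle);
    if (n <= 0) return 0;
    for (size_t i = 0; i + nl <= (size_t)n; i++)
        if (memcmp(out + i, needle, nl) == 0) return 1;
    return 0;
}

/* Convenience wrappers: run each handler against the constructed arena. */
int vulnerable_response_len(void) {
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rrec_len = build_arena(arena);
    return heartbeat_vulnerable(arena, rrec_len, out);
}

int vulnerable_leaks_secret(void) {
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rrec_len = build_arena(arena);
    int n = heartbeat_vulnerable(arena, rrec_len, out);
    return response_leaks_secret(out, n);
}

int fixed_response_len(void) {
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rrec_len = build_arena(arena);
    return heartbeat_fixed(arena, rrec_len, out);
}

int main(void) {
    printf("vulnerable: %d bytes returned, leaks secret: %d\n",
           vulnerable_response_len(), vulnerable_leaks_secret());
    printf("fixed: %d (request dropped)\n", fixed_response_len());
    return 0;
}
```

The point the toy makes is the one from the comic: the 3-byte request "HAT" claims a 64-byte payload, so the vulnerable handler answers with "HAT", the padding, and 45 bytes of whatever followed the record in memory. The fix is a single comparison against the length the record layer actually delivered, which is the only length the peer cannot choose.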
  12. Brownout

    Well-Known Member

    Jan 10, 2012
    2,375
    998
    Not to mention Russia, China, etc.

     
  13. nsaspook

    AAC Fanatic!

    Aug 27, 2009
    2,908
    2,169
    Which is why we need to know about and fix vulnerabilities that affect our country's users instead of just putting them in the quiver of arrows to shoot at other nations. Intentionally keeping holes open in software security functions is the reason large segments of users don't really trust big business/big government anymore with computer security and would rather trust some random 'guy' who does it for fun to keep their computer safe instead.
     
  14. Brownout

    Well-Known Member

    Jan 10, 2012
    2,375
    998
    Now it's the government's responsibility to keep holes out of software? Wow! That's a new one on me. Of course, as soon as gov does, it'll be seen as some sort of over-reach and government conspiracy. People will never be satisfied.
     
  15. Metalmann

    Active Member

    Dec 8, 2012
    700
    223


    Don't forget how well "Stuxnet" worked.
     
  16. MrChips

    Moderator

    Oct 2, 2009
    12,442
    3,361
    I like that "How the Heartbleed bug works" graphical explanation.

    Makes perfect sense which I did not know before.
     
    djsfantasi likes this.
  17. nsaspook

    AAC Fanatic!

    Aug 27, 2009
    2,908
    2,169
    No, No, NO. It's not their responsibility to keep them out. But I think it should be their responsibility to inform us of known hazards so we can take proper action to fix them ourselves like we see in government testing reports on safety defects in cars.
     
  18. Brownout

    Well-Known Member

    Jan 10, 2012
    2,375
    998
    I do hear you, nsaspook. However, it's also their responsibility to act in the best interest of public security. It's a tight-rope walk, and can't be all one way or the other.

    That's my say, and I'll back out and just listen. Of course, not responding should not be construed as agreement :)
     
  19. nsaspook

    AAC Fanatic!

    Aug 27, 2009
    2,908
    2,169
  20. nsaspook

    AAC Fanatic!

    Aug 27, 2009
    2,908
    2,169
    That's a classic excuse for most things that turn out to be wrong-headed in the long run. "The best interest of the public". ;)
     