Heartbleed bug OpenSSL

ActivePower

Joined Mar 15, 2012
155
Well, I was going to post about the Heartbleed bug on here myself and you beat me to it. There has been extensive discussion of this on Hacker News and Reddit. Apparently a missing bounds-check in an extension made up to 64k of data vulnerable on a connected server/client per transaction.

It has probably been fixed though. This offers up some more information and here's a xkcd comic on it.
 
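The "missing bounds-check" in the post above is CVE-2014-0160, fixed in OpenSSL 1.0.1g. The TLS heartbeat extension echoes a client-supplied payload back to the peer; the handler trusted the 16-bit payload_length field in the request instead of the length of the record it had actually received, so a 1-byte payload with a claimed length of up to 65535 made memcpy read past the record into adjacent process memory and send it back. The following is an added example, not code from OpenSSL or from anyone in this thread: it models the handler on tls1_process_heartbeat(), with a constructed memory image in which a secret string sits right after the heartbeat record, and exposes a checker function (heartbeat_leaks_secret, process_heartbeat and stage_memory are names chosen here) that runs the unpatched and the patched path side by side.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_MIN_PADDING    16   /* heartbeat messages end with >= 16 bytes of padding */

/* Constructed process memory (an assumption for this example): a short
 * heartbeat record followed by data the peer must never see, standing in
 * for the keys and cookies that sat next to record buffers on real heaps. */
static const char SECRET[] = "session_cookie=top-secret";
static unsigned char arena[1024];

/* Stage a heartbeat request at the start of arena with a real 1-byte
 * payload ("A") but a claimed payload_length of 'claimed', and copy the
 * secret immediately after the record. Returns the number of bytes that
 * were actually "received from the wire". */
static size_t stage_memory(uint16_t claimed)
{
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    arena[3] = 'A';                                  /* the only real payload byte */
    size_t rec_len = 1 + 2 + 1 + HB_MIN_PADDING;     /* padding bytes stay zero */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);  /* adjacent secret */
    return rec_len;
}

/* Heartbeat handling modelled on OpenSSL's tls1_process_heartbeat().
 * Returns the response length, or -1 if the record is dropped.
 * hardened=0 reproduces the bug: payload_length is taken on trust.
 * hardened=1 applies the 1.0.1g check against the received record length. */
static int process_heartbeat(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap, int hardened)
{
    if (rec_len < 1 + 2) return -1;
    unsigned char hbtype = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);   /* n2s(p, payload) */
    const unsigned char *pl = rec + 3;

    /* The fix: header + claimed payload + minimum padding must fit inside
     * the record that was actually received, otherwise drop it silently. */
    if (hardened && 1 + 2 + (size_t)payload + HB_MIN_PADDING > rec_len)
        return -1;

    if (hbtype != TLS1_HB_REQUEST) return -1;
    size_t resp_len = 1 + 2 + (size_t)payload + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;

    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);           /* s2n(payload, bp) */
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);   /* unchecked: reads past rec_len into the arena */
    memset(out + 3 + payload, 0, HB_MIN_PADDING);     /* OpenSSL used random padding */
    return (int)resp_len;
}

/* 1 if the echoed payload contains SECRET, 0 if it does not,
 * -1 if the handler rejected the request. */
int heartbeat_leaks_secret(uint16_t claimed, int hardened)
{
    size_t rec_len = stage_memory(claimed);
    unsigned char resp[512];
    int n = process_heartbeat(arena, rec_len, resp, sizeof resp, hardened);
    if (n < 0) return -1;
    size_t plen = (size_t)((resp[1] << 8) | resp[2]);
    for (size_t i = 3; i + sizeof SECRET <= 3 + plen && i + sizeof SECRET <= (size_t)n; i++)
        if (memcmp(resp + i, SECRET, sizeof SECRET - 1) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("honest request  (claimed=1),  unpatched: %d\n", heartbeat_leaks_secret(1, 0));
    printf("attack request  (claimed=64), unpatched: %d\n", heartbeat_leaks_secret(64, 0));
    printf("attack request  (claimed=64), patched:   %d\n", heartbeat_leaks_secret(64, 1));
    return 0;
}
```

The over-read stays inside the constructed arena here so the program is well defined; in the real bug the copy ran off the end of a heap buffer, which is why the leaked bytes were whatever happened to be allocated nearby rather than one predictable secret. Note that the rejection in the patched path is silent: the handler returns without sending anything, so a scanner cannot distinguish a patched server from one that simply does not support heartbeats by the response alone.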

joeyd999

Joined Jun 6, 2011
5,236
Sometimes, I think those damned bugs, viruses, trojans; are created by the software anti-malware companies.
OpenSSL is not a "company" -- nor would it be influenced by an anti-malware company. It is developed under the "bazaar" model like most free (as in freedom) software. The source code is downloadable for review and/or modification, under the theory that "many eyes make bugs shallow". Most times, bugs are caught and squashed quickly. This is one that got away. Nobody's perfect.
 

JoeJester

Joined Apr 26, 2005
4,390
The source code is downloadable for review and/or modification, under the theory that "many eyes make bugs shallow". Most times, bugs are caught and squashed quickly. This is one that got away. Nobody's perfect.
You make a great leap of faith that those that download it fully vetted the module prior to activation, including finding any malware.

Obviously, the application wasn't fully vetted.

This malware worked as fully intended by the author. How many "experts" used this "as is" without vetting? We will never know.

This incident "stained the soul" of OpenSource with respect to SSL.
 

joeyd999

Joined Jun 6, 2011
5,236
You make a great leap of faith that those that download it fully vetted the module prior to activation...
The process works more often than it doesn't. Free software has a far better record regarding vulnerabilities than proprietary software.

...including finding any malware. Obviously, the application wasn't fully vetted. This malware worked as fully intended by the author.
Who said anything about malware? This was a buffer overflow...a programming mistake. And it was caught, eventually. And the author of the "malware"? Had this been intentional, he could easily be tracked down from the code commits.

How many "experts" used this "as is" without vetting? We will never know.

This incident "stained the soul" of OpenSource with respect to SSL.
Me thinks thou doth protest too much.
 

nsaspook

Joined Aug 27, 2009
13,081
This incident "stained the soul" of OpenSource with respect to SSL.
As opposed to large closed-source companies and " " who actually protect our privacy. :cool:
http://www.heise.de/tp/artikel/5/5263/1.html
http://bits.blogs.nytimes.com/2013/...ryption-standards/?_php=true&_type=blogs&_r=0

http://security.stackexchange.com/q...ng-heartbeat-to-ssl-and-who-proposed-its-form

http://vimeo.com/91425662
An input validation bug and a buffer exploit, sounds like the same attack vector for thousands of Windows based malware. Taken at face value it's a dumb stupid bug inserted by a programming expert who should know better.
 

nsaspook

Joined Aug 27, 2009
13,081
How many stolen identities are required for you to acknowledge the scale of this screw up? "More often than not" is not a very good metric.
On a scale from 1 to 10 it's a 8 from the standpoint of a possible security leak but none of the closed-source vendors has a great track record either and the US government has not been helpful in the past when they find problems that they can use.
http://www.nytimes.com/2014/04/13/u...xploit-some-internet-flaws-officials-say.html
 

Brownout

Joined Jan 10, 2012
2,390
the US government has not been helpful in the past when they find problems that they can use.
http://www.nytimes.com/2014/04/13/u...xploit-some-internet-flaws-officials-say.html
Not to mention Russia, China, etc.

“Cyber as an offensive weapon will become bigger and bigger,” said Michael DeCesare, who runs the McAfee computer security operations of Intel Corporation. “I don’t think any amount of policy alone will stop them” from doing what they are doing, he said of the Russians, the Chinese and others. “That’s why effective command and control strategies are absolutely imperative on our side.”
 

nsaspook

Joined Aug 27, 2009
13,081
Not to mention Russia, China, etc.
Which is why we need to know about and fix vulnerabilities that affect our country's users instead of just putting them in the quiver of arrows to shoot at other nations. Intentionally keeping holes open in software security functions is the reason large segments of users don't really trust big business/big government anymore with computer security and would rather trust some random 'guy' who does it for fun to keep their computer safe instead.
 

Brownout

Joined Jan 10, 2012
2,390
Intentionally keeping holes open in software security functions is the reason large segments of users don't really trust big business/big government anymore with computer security and would rather trust some random 'guy' who does it for fun to keep their computer safe instead.
Now it's the government's responsibility to keep holes out of software? Wow! That's a new one on me. Of course, as soon as gov does, it'll be seen as some sort of over-reach and government conspiracy. People will never be satisfied.
 

Metalmann

Joined Dec 8, 2012
703
Which is why we need to know about and fix vulnerabilities that affect our country's users instead of just putting them in the quiver of arrows to shoot at other nations. Intentionally keeping holes open in software security functions is the reason large segments of users don't really trust big business/big government anymore with computer security and would rather trust some random 'guy' who does it for fun to keep their computer safe instead.


Don't forget how well "Stuxnet" worked.
 

nsaspook

Joined Aug 27, 2009
13,081
Now it's the government's responsibility to keep holes out of software? Wow! That's a new one on me. Of course, as soon as gov does, it'll be seen as some sort of over-reach and government conspiracy. People will never be satisfied.
No, No, NO. It's not their responsibility to keep them out. But I think it should be their responsibility to inform us of known hazards so we can take proper action to fix them ourselves like we see in government testing reports on safety defects in cars.
 

Brownout

Joined Jan 10, 2012
2,390
I do hear you, nsaspook. However, it's also their responsibility to act in the best interest of public security. It's a tight-rope walk, and can't be all one way or the other.

That's my say, and I'll back out and just listen. Of course, not responding should not be construed as agreement :)
 

nsaspook

Joined Aug 27, 2009
13,081
I do hear you, nsaspook. However, it's also their responsibility to act in the best interest of public security. It's a tight-rope walk, and can't be all one way or the other.
That's the classic excuse for most things that turn out to be wrong headed in the long run. "The best interest of the public". ;)
 