Eyrie Productions, Unlimited
MuninsFire
Member since Mar-27-07
457 posts
Apr-11-14, 11:28 PM (EDT)
2. "RE: Heartbleeed?"
In response to message #1

Infosec guy here. Basically, no problem here. This site: http://possible.lv/tools/hb/?domain=www.eyrie-productions.com provides a test for the Heartbleed issue, and has proven reliable enough over the past week for me to recommend it.

There's a pretty good explanation of Heartbleed and what it means for you here: http://r000t.com/what-heartbleed-means-to-you/

Basically, the advice I've been giving my clients and other people for whom I'm responsible is to be careful, make sure your browser checks for certificate revocation, and change all your passwords--because you should be changing them on a regular basis anyway.

Do NOT click on any email links to reset passwords; log into the site manually and change it there. There will be hundreds of phishing emails from this event.

If you have any questions, feel free to ask me; you can email me at my username at the gmails if you wish.

In Xanadu did Kubla Khan
A stately pleasure-dome decree
Where Alph, the sacred river, ran
Through caverns measureless to man
Down to a sunless sea

MuninsFire
Member since Mar-27-07
457 posts
Apr-12-14, 02:08 PM (EDT)
7. "RE: Heartbleeed?"
In response to message #6

Pretty much, after you strip away some protocol bits, yeah. It's usually not a word like "potato" or "hat" or what have you, but some random numbers your computer generates.

This particular type of problem is nothing new; it's been an issue in programming for decades, but the people (staff of four, total, of which one is full-time) who develop OpenSSL are -extremely- underfunded and don't get a whole lot of time to audit for that kind of bug.

There's a LOT of software that's in extremely widespread use that has the potential to contain bugs this severe due to very similar circumstances. For instance, for a number of years, THE database of time zone info was maintained almost entirely by one guy.

Things like browsers and word processors--the stuff people use--are sexy. Things like crypto libraries and the other stuff "under the hood" that people don't directly use? Not a lot of attention there.
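The "strip away some protocol bits" above is the whole bug. A heartbeat request carries a length field that says how many payload bytes the peer is sending and wants echoed back; the unpatched code copied that many bytes from the buffer without checking that the record actually contained that many, so the response also carried whatever sat next to the record in memory. The following is an added example, not the original post's or OpenSSL's code: a simulated handler in its vulnerable and fixed shapes, with a constructed in-memory buffer (`memory`), a constructed secret (`SECRET`), and helper names (`build_request`, `run_scenario`) that are all this example's own inventions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record layout used by both handlers (modelled on the TLS heartbeat message):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define MEM_SIZE    256

/* Constructed stand-in for process memory: the request record is placed at
 * the start and a secret is placed immediately after it, which is the
 * situation a leaked heartbeat response exposes. */
static uint8_t memory[MEM_SIZE];
static const char *SECRET = "session-cookie=deadbeef";   /* constructed value */

/* Write a heartbeat request into memory. 'claimed' is the length field the
 * peer puts on the wire; it may be larger than the payload actually sent.
 * Returns the record's real length. */
size_t build_request(const char *payload, uint16_t claimed) {
    size_t actual = strlen(payload);
    size_t rec_len = 3 + actual + HB_PADDING;
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (uint8_t)(claimed >> 8);
    memory[2] = (uint8_t)(claimed & 0xff);
    memcpy(memory + 3, payload, actual);
    memcpy(memory + rec_len, SECRET, strlen(SECRET));   /* neighbouring data */
    return rec_len;
}

static uint16_t read_u16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable handler: trusts the length field and never looks at rec_len. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap) {
    (void)rec_len;                                  /* the bug: never consulted */
    uint16_t payload = read_u16(rec + 1);
    if ((size_t)3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);              /* over-reads past the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Fixed handler: header + claimed payload + padding must fit inside the
 * record that actually arrived, otherwise the record is silently dropped. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap) {
    if (rec_len < (size_t)(1 + 2 + HB_PADDING)) return -1;  /* no room for a 0-byte payload */
    uint16_t payload = read_u16(rec + 1);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* the missing bounds check */
    if ((size_t)3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* 1 if the secret bytes appear anywhere in a response of n bytes. */
int response_leaks_secret(const uint8_t *resp, int n) {
    size_t slen = strlen(SECRET);
    if (n <= 0 || (size_t)n < slen) return 0;
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(resp + i, SECRET, slen) == 0) return 1;
    return 0;
}

typedef int (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

/* Send a 4-byte request claiming 'claimed' bytes through a handler and report
 * whether the secret came back. Claimed lengths that would run past the
 * simulated memory are refused so the simulation itself stays in bounds. */
int run_scenario(hb_handler handler, uint16_t claimed) {
    uint8_t out[MEM_SIZE + 3 + HB_PADDING];
    if ((size_t)3 + claimed > MEM_SIZE) return -1;
    size_t rec_len = build_request("bird", claimed);
    int n = handler(memory, rec_len, out, sizeof out);
    return response_leaks_secret(out, n);
}

int main(void) {
    printf("vulnerable, claimed=100: leaked=%d\n", run_scenario(heartbeat_vulnerable, 100));
    printf("fixed,      claimed=100: leaked=%d\n", run_scenario(heartbeat_fixed, 100));
    printf("fixed,      claimed=4:   leaked=%d\n", run_scenario(heartbeat_fixed, 4));
    return 0;
}
```

The fixed handler's single extra comparison is the entire difference: the attacker still controls the length field, but a claim that exceeds the bytes actually received is now dropped instead of being used as a copy length.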
Senji
Member since Apr-27-07
260 posts
Apr-13-14, 10:01 PM (EDT)
9. "RE: Heartbleeed?"
In response to message #7

>There's a LOT of software that's in extremely widespread use that has
>the potential to contain bugs this severe due to very similar
>circumstances.

It's not just open/free software either; you see a lot of similar bugs in commercial software, where you don't realise there aren't many devs working on stuff.

>Things like browsers and word processors--the stuff people use--is
>sexy. Things like crypto libraries and the other stuff "under the
>hood" that people don't directly use? Not a lot of attention there.

Sadly, being sexy doesn't really help them, because most of the sexy attention goes into new features and bling, and tends to leave the important core code looking like a pile of spaghetti left by ADHD monkeys as people poke it to put their new thing in. In general, software maintenance and checking is not interesting to most people.

S. (who loves breaking software)
MuninsFire
Member since Mar-27-07
457 posts
Apr-14-14, 09:14 AM (EDT)
11. "RE: Heartbleeed?"
In response to message #9

Yes, you're entirely correct--nonfree, nonopen software will have just as many bugs, but users will be at the mercy of a single entity to get it fixed, which entity may or may not prioritize security-related bugfixes (and, in some cases, will send the cops after people who report those kinds of bugs) and who may demand you upgrade to the 'new version' after paying 'em.

And you are correct also about the nature of the non-fun-parts code, though that's less of a concern in non-security-critical infrastructure, and it may occasionally benefit from professional-quality rewrites and audits.

And this would be why I have, up until very recently, stayed as far from dev work as possible: ops for life! ;-P
version 3.3 © 2001 Eyrie Productions, Unlimited / Benjamin D. Hutchins