OpenSSL vulnerability zero-day exploit alert!

Well, bubbajoe_2112, it took them all of over two years to discover the OpenSSL mistake. That sure is encouraging now, isn't it?

And if you think I had one source of information about all of this you are very much mistaken. Go to the Kaspersky Threatpost website. There are British websites discussing this. Go to Lastpass (the password manager software) and see what they say about it. The Lastpass website was one of the ones affected but the passwords are encrypted on a person's computer so apparently there is no major problem there. This is being discussed all over the internet. The Bloomberg article you mention I have not even seen. I don't know what is in that article. I even checked this out at The Safe Mac. Apparently Apple servers (running Mac OS X) and Apple desktop computers are not affected by this.

Right now until this problem is totally taken care of, any hacker can obtain some information from an affected server. That information could be passwords. Or it could be trash. One security expert was easily able to obtain passwords from a major email provider. That security expert said that it was 'trivial.'
 
Originally Posted By: Mystic
We have been told repeatedly here by the Open Source and Linux fans that Open Source software is much safer than closed source software because Open Source software code can be examined by anybody.


And it seems, Mystic, as though you have confused that (correct) statement with "open source software is entirely immune to malicious interference and error". It is not.

Open source software is orders of magnitude more secure, safe and respectful of freedom and innovation than its closed-source counterpart(s); but it is not perfect, and not immune to interference or error.
 
And those wonderful volunteers need to catch the major mistakes and security holes faster than two years.
 
Originally Posted By: Mystic
I know you might not like FOX News but I am going to tell you this anyway. A woman who is a security expert was interviewed by FOX News. She said that if you rate a security issue from one to ten, with ten being the most severe, she would rate this OpenSSL security issue an eleven. Her interview is available at the FOX News website right now.


Faux News tried to frame something as PANIC PANIC PANIC?! Noooooooo.

Mystic, understand this carefully, please: The Heartbleed bug allowed someone who knew of its existence to get *random* data from a server's *RAM*. That is not an "11" by any means.

You have an excellent point, however: OpenSSL is NOT a trivial piece of software. It is used by a huge majority of servers all over the world and *any* bug that allowed the leak of sensitive data needed to be patched IMMEDIATELY. *WHICH IT WAS*.
 
Originally Posted By: Mystic
And those wonderful volunteers need to catch the major mistakes and security holes faster than two years.


You have such bitterness towards open source software, Mystic. Such contempt! It is people developing software to meet NEEDS and not to generate self-serving profit. You hate this with such unrelenting passion why, again? Volunteers? You think friendless neckbeards are coding this stuff in their mother's basements, man?

Closed-source software makers will let you bleed to death if there is not profit in them patching a bug. And being closed-source, it is only a small team of people (you know, the ones who MADE the bug?!) who are responsible for fixing it IF their superiors instruct them to. Perhaps it is the absolutely superior quality of OpenSSL over its closed-source counterparts that led darn near everyone NOT overlorded by M$ to use it?

*Do you believe Microsoft's security encryption stack to have been always free of errors?????* I can't wait for a response to this one.

*Those wonderful volunteers* are skilled, driven, dedicated people GIVING their work to the greater good.
 
Originally Posted By: Mystic
...I know you might not like FOX News but I am going to tell you this anyway. A woman who is a security expert was interviewed by FOX News. She said that if you rate a security issue from one to ten, with ten being the most severe, she would rate this OpenSSL security issue an eleven....


I love Fox News (I saw the interview, poor job by the interviewer by not pinning her down), but she's an idiot to make an unsubstantiated statement like that.

Edit: Actually, she's a marketing genius. Did you hear who she works for? Identity Theft 911 and IDT 911 consulting.. Hmmm, those two companies would not benefit from the panic she created by calling Heartbleed an "11". No, not at all...

1. No one has proven that any substantially useful information can be gleaned from the Heartbleed vulnerability.

2. No one has reported any evidence that Heartbleed has led to actual harvesting of user data.

Again, I'm not the least bit concerned that any useful data has been compromised in the last 2 years. And now that the patch has been implemented, there is no issue anymore.

Obviously, since revelation of the exploit is now in the open, I wouldn't log in to any site that has yet to recompile or patch OpenSSL.
 
Originally Posted By: bubbajoe_2112
1. No one has proven that any substantially useful information can be gleaned from the Heartbleed vulnerability.


Because it can't. No one can deliberately get any information. It is random, which is both comforting and creepy. ;^)

Originally Posted By: bubbajoe_2112
Obviously, since revelation of the exploit is now in the open, I wouldn't log in to any site that has yet to recompile or patch OpenSSL.


Every major distro was patched the next day. What system admins do with that patch is up to them but that is not an OpenSSL issue nor a distro issue at that point but a laziness and respect for security issue. All major web sites, I must imagine, got on top of this ASAP.
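The reply above says the patch was out the next day and that what admins did with it was up to them. The check an admin actually runs is `openssl version -a`; the following is an added example of how to read that output for this bug, written for this page and not taken from the thread or from OpenSSL. The affected range it encodes is the one from the OpenSSL advisory for CVE-2014-0160 (Heartbleed): 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g and 1.0.2-beta2 carry the fix, 0.9.8 and 1.0.0 never had the heartbeat code, and a build compiled with `-DOPENSSL_NO_HEARTBEATS` has the handler removed. The sample outputs are constructed. Two caveats the version string cannot tell you: Debian, Ubuntu and Red Hat backported the fix without bumping the upstream version, so a "1.0.1e" seen after April 2014 may already be patched (check the package changelog for CVE-2014-0160), and a patched library on disk does nothing for a process that still has the old one mapped, so every service that loaded libssl must be restarted.

```c
/* Added check, not from the thread or OpenSSL: classify the output of
 * `openssl version -a` for CVE-2014-0160. Affected: 1.0.1 through 1.0.1f
 * and 1.0.2-beta1. Not affected: 1.0.1g and later, 1.0.2-beta2 and later,
 * the 0.9.8 and 1.0.0 branches, and any build with -DOPENSSL_NO_HEARTBEATS.
 * Distro backports are NOT detected: the version string stays e.g. 1.0.1e. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum hb_status { HB_PARSE_ERROR = -1, HB_NOT_AFFECTED = 0, HB_AFFECTED = 1 };

/* `text` is the full output of `openssl version -a`, any line order. */
int heartbleed_affected(const char *text)
{
    const char *v = strstr(text, "OpenSSL ");
    if (!v)
        return HB_PARSE_ERROR;
    v += strlen("OpenSSL ");

    int major, minor, fix, consumed = 0;
    if (sscanf(v, "%d.%d.%d%n", &major, &minor, &fix, &consumed) != 3)
        return HB_PARSE_ERROR;
    const char *rest = v + consumed;

    char letter = 0;                        /* the 'e' in 1.0.1e, if any */
    if (isalpha((unsigned char)*rest))
        letter = *rest++;
    int beta = 0;                           /* the 1 in 1.0.2-beta1, if any */
    if (strncmp(rest, "-beta", 5) == 0)
        beta = atoi(rest + 5);

    /* Heartbeats compiled out: the vulnerable code path is not in the binary. */
    if (strstr(text, "-DOPENSSL_NO_HEARTBEATS"))
        return HB_NOT_AFFECTED;

    if (major == 1 && minor == 0 && fix == 1)
        return (letter == 0 || letter < 'g') ? HB_AFFECTED : HB_NOT_AFFECTED;
    if (major == 1 && minor == 0 && fix == 2)
        return beta == 1 ? HB_AFFECTED : HB_NOT_AFFECTED;
    return HB_NOT_AFFECTED;                 /* other branches never had the bug */
}

/* Constructed sample outputs in the shape `openssl version -a` prints. */
const char SAMPLE_UNPATCHED[] =
    "OpenSSL 1.0.1e 11 Feb 2013\n"
    "built on: Tue Apr  1 10:00:00 UTC 2014\n"
    "platform: linux-x86_64\n"
    "compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O3\n";

const char SAMPLE_FIXED[] =
    "OpenSSL 1.0.1g 7 Apr 2014\n"
    "compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O3\n";

const char SAMPLE_NO_HEARTBEATS[] =
    "OpenSSL 1.0.1e 11 Feb 2013\n"
    "compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O3\n";

const char SAMPLE_BETA[] = "OpenSSL 1.0.2-beta1 24 Feb 2014\n";
const char SAMPLE_OLD_BRANCH[] = "OpenSSL 1.0.0l 6 Jan 2014\n";

int main(void)
{
    printf("1.0.1e, default build     : %d\n", heartbleed_affected(SAMPLE_UNPATCHED));
    printf("1.0.1g                    : %d\n", heartbleed_affected(SAMPLE_FIXED));
    printf("1.0.1e, no heartbeats     : %d\n", heartbleed_affected(SAMPLE_NO_HEARTBEATS));
    printf("1.0.2-beta1               : %d\n", heartbleed_affected(SAMPLE_BETA));
    printf("1.0.0l                    : %d\n", heartbleed_affected(SAMPLE_OLD_BRANCH));
    return 0;
}
```

A result of 1 means "upgrade or confirm the distro backport"; 0 from the version alone is only trustworthy once the processes using the library have been restarted.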
 
I am not going to fight with the Open Source or Linux fans here. They can believe whatever they want. And I do not engage in personal attacks to defend my position. I deal in facts.

As a public service to whoever might be interested here are a few websites they might want to check out:

Threatpost (go to search and type in 'Heartbleed')

Bruce Schneier's definitive warning

The Heartbleed Hit List: The Passwords You Need to Change Right Now

The Register (UK) (Search for Heartbleed)

The Safe Mac

I have visited some 40 additional security websites and other websites for information about 'Heartbleed' but I can't remember all of them now.

In addition a huge amount of other information is available just by typing 'Heartbleed' into your web browser. I can defend my positions and get my points across without engaging in personal attacks on anybody else. If anybody does attack somebody else personally apparently they do not have a strong defense of their position.

Anybody who does not think this 'Heartbleed' is a serious security issue can argue with the professional security experts.


Anybody who checks out this post can see that I am not lowering myself to attack anybody personally.
 
Originally Posted By: Mystic
I am not going to fight with the Open Source or Linux fans here. They can believe whatever they want. And I do not engage in personal attacks to defend my position. I deal in facts.



Respectfully, friend, I observe:

1) You post almost exclusively hyperbole and panic-inducing conjecture.

2) The sarcasm and acrimony with which you refer to the open-source community is by anyone's account both personal and an attack.

This is a message forum, Mystic. Its entire purpose is to debate, argue and exchange information. Please don't stop posting your opinions (not to be confused with facts) as your input is valuable; if only to further entrench people into their previously-held positions. And please don't see "personal attacks" where there are none: No one on this board even knows who you are.

Here, let's share a virtual cold one:
 
This Heartbleed vulnerability has already affected me personally. I was using the DuckDuckGo Search Engine because they don't track people. As far as I know they are not associated with Microsoft in any way and apparently they were using Linux servers. DuckDuckGo was affected by this Heartbleed vulnerability according to I think The Register in Britain. I was also using Gmail and I had to change my password there. Google I think uses Linux computers. So I don't exactly discriminate against organizations that use Linux servers, right? I have already changed several passwords.

And I am not engaging in panic-inducing conjecture. I did research. I went to several security websites and I checked to see what the PROFESSIONAL SECURITY EXPERTS were saying. This Heartbleed vulnerability does not seem minor to them. They are talking about websites having to get new security certificates. If you do not believe me, go check yourself.

I did research mostly for myself. I wanted to make sure my Windows computer and my iMac were secure. Pretty easy for anybody to do research. Go type 'Heartbleed' into your web browser.

I think it is inexcusable for a major problem like this to not be detected for over two years. And I would say the same thing if Microsoft had a major hole that had not been corrected for over two years. We can't afford these kinds of problems on the internet. There are too many bad guys out there today. People are put at risk with their online banking, their credit cards, etc. I really do not care what kind of servers are being used by a website. I care about the security of those servers.

We are hearing about more and more major security issues all the time. Target was one example. We are talking about security for millions of people right there. This Heartbleed vulnerability is another example, affecting maybe two thirds of all the servers on the internet. The Apple security issue a while back is another example. We can't afford this kind of stuff. And that is a fact. Not panic-inducing conjecture.
 
Originally Posted By: Mystic
This Heartbleed vulnerability has already affected me personally. I was using the DuckDuckGo Search Engine because they don't track people. As far as I know they are not associated with Microsoft in any way and apparently they were using Linux servers. DuckDuckGo was affected by this Heartbleed vulnerability according to I think The Register in Britain. I was also using Gmail and I had to change my password there. Google I think uses Linux computers. So I don't exactly discriminate against organizations that use Linux servers, right? I have already changed several passwords.


All servers running OpenSSL were *affected*, Mystic, because it is not a virus but a bug. This bug is/was present in all servers running OpenSSL.

Now, DuckDuckGo does not keep any information on YOU because you do not have an account with them.

And again, there have been *NOOOOOOOO* documented instances of a malicious party getting any actual, real data on anyone about anything. **NONE**. I will say it for the third time in this very thread: the bug enabled someone to get *random* data from the server's *RAM* in small chunks. Nothing deliberate, and nothing from a database to a hard drive. No one on this earth now has any information on Mystic due to this bug, I assure you.

The NSA has arrangements with several (closed-source) software makers to get information they WANT, when they want it. This should outrage and frighten you. Random data from RAM should not. The open-source community, by its very intrinsic nature gives full transparency on all of their bugs to the world (because the bug-tracking systems are open-access and open-source); closed source shares none. This is frightening as well, no?
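The reply above, like the earlier one that first made the point, describes the bug as handing out random bytes of server RAM in small chunks. What actually happened is mechanical and worth seeing in code: a TLS heartbeat request (RFC 6520) carries a 16-bit payload length, and OpenSSL 1.0.1 through 1.0.1f copied that many bytes from the receive buffer back to the sender without checking that the record really contained them, so a request claiming up to 64 KB of payload while sending a few bytes got that many bytes of adjacent heap memory in reply. The 1.0.1g fix is a single bounds check. The block below is an added model of that handler, written for this page; it is not OpenSSL's source, and the `arena`, `SECRET` and all function names are this example's own. The "adjacent heap" is a constructed buffer so the over-read stays inside memory the program owns.

```c
/* Heartbleed (CVE-2014-0160) modelled on the TLS heartbeat extension
 * (RFC 6520). Added illustration, not OpenSSL's source: the arena, SECRET
 * and all function names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* RFC 6520: at least 16 bytes of padding */
#define ARENA_SIZE  256         /* toy heap; the real over-read reached ~64 KB */

/* Simulated process memory. The received record sits at the front; whatever
 * was adjacent on the heap follows it. SECRET stands in for the kind of data
 * (session cookies, keys, request plaintext) that could sit there. */
static uint8_t arena[ARENA_SIZE];
static const char SECRET[] = "session=deadbeef;user=alice;pw=hunter2";

/* Build a heartbeat request claiming `claimed` payload bytes while only
 * `actual` bytes really follow, then place SECRET right after the record.
 * Returns the record length as the TLS record layer would report it. */
static size_t build_request(uint16_t claimed, size_t actual)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);             /* s2n(claimed) */
    arena[2] = (uint8_t)(claimed & 0xff);
    memset(arena + 3, 'A', actual);
    size_t record_len = 3 + actual + HB_PADDING;
    memcpy(arena + record_len, SECRET, sizeof SECRET);
    return record_len;
}

/* Handle the heartbeat record in `arena`. Returns the response length, or -1
 * if the record is rejected. hardened=0 follows the 1.0.1f logic and trusts
 * the sender's length field; hardened=1 adds the check from 1.0.1g. */
static int process_heartbeat(size_t record_len, int hardened,
                             uint8_t *out, size_t out_cap)
{
    const uint8_t *p = arena;
    if (hardened && record_len < 1 + 2 + HB_PADDING)
        return -1;                                  /* no room for a header */
    if (*p++ != HB_REQUEST)
        return -1;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s(p, payload) */
    p += 2;
    if (hardened && 1 + 2 + (size_t)payload + HB_PADDING > record_len)
        return -1;                                  /* the Heartbleed fix */
    if (3 + (size_t)payload > out_cap || 3 + (size_t)payload > ARENA_SIZE)
        return -1;                                  /* keeps the demo in bounds */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, p, payload);    /* reads past the record when payload > actual */
    return 3 + (int)payload;
}

static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Response length for a request claiming `claimed` bytes with `actual` real
 * ones, or -1 if the handler rejects it. */
int response_len(uint16_t claimed, size_t actual, int hardened)
{
    uint8_t out[512];
    return process_heartbeat(build_request(claimed, actual), hardened, out, sizeof out);
}

/* 1 if the response echoes bytes that were never part of the request. */
int leaks_secret(uint16_t claimed, size_t actual, int hardened)
{
    uint8_t out[512];
    int n = process_heartbeat(build_request(claimed, actual), hardened, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, SECRET);
}

int main(void)
{
    printf("honest request, unpatched : len=%d leak=%d\n",
           response_len(4, 4, 0), leaks_secret(4, 4, 0));
    printf("claim 200 bytes, unpatched: len=%d leak=%d\n",
           response_len(200, 4, 0), leaks_secret(200, 4, 0));
    printf("claim 200 bytes, patched  : len=%d leak=%d\n",
           response_len(200, 4, 1), leaks_secret(200, 4, 1));
    return 0;
}
```

The leaked bytes are whatever sits after the record in the heap, which is why "random" is accurate for any single request; the part the model makes visible is that the request is cheap, leaves nothing in the server's logs, and can be repeated, so what comes back over many requests is a sample of everything that process recently handled.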
 
According to information that is available at the Threatpost website (go to Threatpost and type 'Heartbleed' into search) hackers may have been utilizing this 'Heartbleed' vulnerability since at least last November. The bad guys are very motivated to check for security issues in software. Any software.

In any case, nobody has to believe what I say. They can do their own research. Type 'Heartbleed' into your web browser. I am done here at this post.
 
Originally Posted By: Mystic
According to information that is available at the Threatpost website (go to Threatpost and type 'Heartbleed' into search) hackers may have been utilizing this 'Heartbleed' vulnerability since at least last November. The bad guys are very motivated to check for security issues in software. Any software.

In any case, nobody has to believe what I say. They can do their own research. Type 'Heartbleed' into your web browser. I am done here at this post.


Hackers are motivated to make money or gain prestige. How does one make money getting random data from RAM, I wonder? If they tried to blackmail someone with data they'd collected, the OpenSSL team could have been clandestinely made aware of that (most companies do not want to disclose when they've been hacked and have paid a ransom) and we would have heard about it because a patch would have been issued then, not now.

Again, no documented instances of anything actually ever happening with this bug. Lots of documented panic, however. So when you provide us with the, uh, "fact" that hackers **may** have been using this exploit for years... Using for WHAT? Against WHOM?

Originally Posted By: Mystic
I deal in facts....
 
Quote:

I think it is inexcusable for a major problem like this to not be detected for over two years. And I would say the same thing if Microsoft had a major hole that had not been corrected for over two years


How do you know they don't?

Thanks for proving our point so easily.
 
Originally Posted By: Mystic
They missed this OpenSSL vulnerability for over two years. A German programmer made the mistake in December of 2011. Where were all the volunteers who supposedly check Open Source software?

It's a small community and mistakes do happen. As for security "experts," many simply don't know a lot.
 
Originally Posted By: The_Eric
NEVER TRUST A SALESMAN!!!

That's the sad thing. We have all the security experts talking about the sky falling, yet they never saw the flaw or offered a fix for the flaw.

All the while, someone in the open source community fixed it and fixed it for free. The fellow who wrote the error in the first place took public responsibility for it, too. The for-profit software companies are loath to admit a bug exists in the first place, let alone have a programmer take responsibility for it.
 