sunrat Posted April 9, 2014
Updated in Wheezy. Do your security updates now. More: Debian Updates - http://forums.scotsnewsletter.com/index.php?showtopic=22937&st=700#entry394130 Security - Massive Security Bug In OpenSSL
securitybreach Posted April 9, 2014
This was fixed on Arch the day it was announced, although most distros have fixed this since the announcement: Heartbleed, a serious OpenSSL bug; patched by all Linux distros. Also, you can test your server here: http://rehmann.co/projects/heartbeat/
amenditman Posted April 9, 2014
Remember to restart the server or reload modules after the update to load the new ones.
securitybreach Posted April 9, 2014
Remember to restart the server or reload modules after the update to load the new ones.
Exactly!
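The point made in the two posts above is that a package upgrade replaces libssl on disk, but a daemon that was already running keeps the old, now-deleted copy mapped until it is restarted. Linux marks such mappings "(deleted)" in /proc/PID/maps, so the check is mechanical. The program below is an added example, not code from the thread or from any distribution's tooling; it walks /proc, flags any process still mapping a replaced libssl or libcrypto, and includes a constructed sample maps file (not captured from a real host) so the parsing can be exercised offline.

```c
/* Added example: find processes still mapping a replaced libssl/libcrypto.
 * After "apt-get upgrade" the file on disk is new, but a running daemon keeps
 * the deleted inode mapped until restarted; /proc/PID/maps shows "(deleted)". */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>

/* One maps line looks like:
 * 7f3a5c2a0000-7f3a5c4b0000 r-xp 00000000 08:01 131 /usr/lib/libssl.so.1.0.0 (deleted)
 * Return 1 when the mapped file is libssl/libcrypto and has been replaced. */
int line_is_stale_ssl(const char *line)
{
    const char *path = strchr(line, '/');       /* mapping path, if any */
    if (!path)
        return 0;                               /* [heap], [stack], anonymous */
    const char *base = strrchr(path, '/') + 1;  /* file name component */
    int is_ssl = strncmp(base, "libssl", 6) == 0 ||
                 strncmp(base, "libcrypto", 9) == 0;
    return is_ssl && strstr(path, "(deleted)") != NULL;
}

/* Count stale OpenSSL mappings in the text of one maps file. */
int count_stale_ssl(const char *maps_text)
{
    int n = 0;
    char line[512];
    const char *p = maps_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        n += line_is_stale_ssl(line);
        p += full;
        if (*p == '\n')
            p++;
    }
    return n;
}

/* Constructed sample (not from a real host): nginx still holding the old
 * libssl and libcrypto after an upgrade, libc untouched. */
static const char SAMPLE_MAPS[] =
    "00400000-00450000 r-xp 00000000 08:01 1001 /usr/sbin/nginx\n"
    "7f3a5c2a0000-7f3a5c4b0000 r-xp 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
    "7f3a5c4b0000-7f3a5c6a0000 r-xp 00000000 08:01 130 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)\n"
    "7f3a5c6a0000-7f3a5c850000 r-xp 00000000 08:01 200 /lib/x86_64-linux-gnu/libc-2.13.so\n"
    "7fff1c000000-7fff1c021000 rw-p 00000000 00:00 0 [stack]\n";

/* Walk /proc and report every process holding a replaced libssl/libcrypto.
 * Returns the number of such processes; 0 means nothing needs a restart. */
int scan_all_processes(void)
{
    DIR *proc = opendir("/proc");
    if (!proc) {
        perror("opendir /proc");
        return -1;
    }
    struct dirent *de;
    int hits = 0;
    char path[300], line[512], comm[64];
    while ((de = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)de->d_name[0]))
            continue;                           /* not a PID directory */
        snprintf(path, sizeof path, "/proc/%s/maps", de->d_name);
        FILE *f = fopen(path, "r");
        if (!f)
            continue;                           /* no permission, or process gone */
        int stale = 0;
        while (fgets(line, sizeof line, f))
            stale += line_is_stale_ssl(line);
        fclose(f);
        if (stale) {
            hits++;
            strcpy(comm, "?");
            snprintf(path, sizeof path, "/proc/%s/comm", de->d_name);
            FILE *c = fopen(path, "r");
            if (c) {
                if (fgets(comm, sizeof comm, c))
                    comm[strcspn(comm, "\n")] = '\0';
                fclose(c);
            }
            printf("pid %s (%s): %d stale OpenSSL mapping(s), restart it\n",
                   de->d_name, comm, stale);
        }
    }
    closedir(proc);
    return hits;
}

int main(void)
{
    int hits = scan_all_processes();
    if (hits == 0)
        puts("no process is using a replaced libssl/libcrypto");
    return hits > 0;
}
```

Run it as root after the upgrade (other users' maps files are unreadable); a non-zero exit means at least one daemon still has the vulnerable library in memory and the patch is not actually in effect for it. Statically linked binaries and services that bundle their own OpenSSL will not show up here and need to be tracked down separately.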
securitybreach Posted April 9, 2014
Well if they run the updates, then they have the new package anyway. If they subscribe to any tech stuff, they should know of this already. If not, they're not doing their job.
crp Posted April 9, 2014
I hope all those web server admins know about this, but also do something about it - like apply the patch. I've read comments in this thread batl about catastrophes resulting from unpatched machines. We should realize that lots of admins didn't volunteer for the position and may be other than experienced. Well ..... actually we are waiting a couple of days. One of our servers has the vulnerability but it is not exposed (see http://rehmann.co/projects/heartbeat ; we happen to cut off the response for other reasons). Going to see if others have any issues with the patches before installing them.
Corrine Posted April 9, 2014
Also change your password after the site is updated.
sunrat Posted April 12, 2014
Posted here because it's a comment on the open source aspect: OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts. Bloke behind the cockup says not enough people are helping crucial crypto project.
V.T. Eric Layton Posted April 12, 2014
Well, he's right. He may have boogered up that line of code, but the checker missed it too. Poop happens. I feel sorry for Robin Seggelmann. He's being called "The Man Who Broke the Internet."
amenditman Posted April 12, 2014
Well, he's right. He may have boogered up that line of code, but the checker missed it too. Poop happens. I feel sorry for Robin Seggelmann. He's being called "The Man Who Broke the Internet."
Saying he broke the Internet is saying that all the people who used his code without any understanding of what it was had no responsibility in it whatsoever. They had an obligation to check out anything they deployed on their servers. You'd think someone among those thousands might have noticed something, even if it was only in one line of code. Regardless, you can't blame someone else if something they wrote didn't work exactly as expected on your server. Open source never implies any warranty. If it breaks you get to keep both pieces.
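For readers wondering what "that line of code" and "the checker missed it" refer to: the heartbeat handler read a 16-bit payload length from the incoming record and copied that many bytes into the reply without checking that the record actually contained them, so a client could request up to 64 KiB of whatever followed the record in the process's memory. The program below is an added, reduced model written for this page, not OpenSSL's own code: it keeps the message layout from RFC 6520 (type, two-byte length, payload, at least 16 bytes of padding) and places a constructed "secret" right after the record so the over-read is deterministic rather than undefined behaviour. The `patched` flag switches in the bounds check the fix added.

```c
/* Added example (not OpenSSL's code): reduced model of the TLS heartbeat
 * handler, vulnerable and fixed. The record buffer and the secret that
 * follows it are constructed here for demonstration. */
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING 16          /* RFC 6520 minimum padding */

/* Process one heartbeat record of rec_len bytes at rec. Writes the response
 * (type, length, echoed payload) to out and returns its size, or 0 when the
 * record is dropped. 'patched' enables the length check from the fix. */
size_t process_heartbeat(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap, int patched)
{
    if (1 + 2 + HB_PADDING > rec_len)
        return 0;                                   /* too short to be a heartbeat */
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    size_t payload = ((size_t)p[0] << 8) | p[1];    /* attacker-controlled */
    p += 2;

    if (patched) {
        /* The fix: refuse a record shorter than its claimed payload. */
        if (1 + 2 + payload + HB_PADDING > rec_len)
            return 0;                               /* silently discard */
    }
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    if (3 + payload > out_cap)                      /* modelling limit only */
        return 0;

    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    /* Vulnerable path: copies 'payload' bytes starting at the real payload,
     * continuing past the end of the record into whatever memory follows. */
    memcpy(out + 3, p, payload);
    return 3 + payload;
}

/* Constructed process memory: the heartbeat record, then leftover data from
 * an earlier request (the kind of thing Heartbleed actually exposed). */
static unsigned char memory[256];
static const char secret[] = "session-cookie=ab12cd34";

/* Build a record claiming 40 bytes of payload while carrying only 4. */
size_t run_heartbeat(int patched, unsigned char *out, size_t out_cap)
{
    memset(memory, 0, sizeof memory);
    unsigned char *rec = memory;
    rec[0] = TLS1_HB_REQUEST;
    rec[1] = 0;
    rec[2] = 40;                                    /* claimed length 40 */
    memcpy(rec + 3, "ping", 4);                     /* real payload: 4 bytes */
    size_t rec_len = 1 + 2 + 4 + HB_PADDING;        /* 23 bytes on the wire */
    memcpy(memory + rec_len, secret, sizeof secret);/* adjacent stale data */
    return process_heartbeat(rec, rec_len, out, out_cap, patched);
}

/* Does the response carry bytes the client never sent? */
int response_leaks(const unsigned char *out, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(out + i, needle, m) == 0)
            return 1;
    return 0;
}

/* 1 if the unpatched handler echoes back the neighbouring secret. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[256];
    size_t n = run_heartbeat(0, out, sizeof out);
    return n == 43 && response_leaks(out, n, "session-cookie=ab12c");
}

/* Response size from the patched handler (0 = record dropped). */
size_t patched_response_length(void)
{
    unsigned char out[256];
    return run_heartbeat(1, out, sizeof out);
}

int main(void)
{
    printf("unpatched leaks adjacent secret: %s\n",
           vulnerable_leaks_secret() ? "yes" : "no");
    printf("patched response bytes: %zu\n", patched_response_length());
    return 0;
}
```

With a 40-byte claim the unpatched handler returns 4 bytes of "ping", 16 bytes of padding and then 20 bytes of the neighbouring secret; the patched handler compares the claimed length against the record length it actually received and drops the request. The real bug behaved the same way with a 65535-byte claim, which is why a single probe could pull back up to 64 KiB per heartbeat.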
Guest LilBambi Posted April 12, 2014
Might want to check the topic in Security and Networking here: http://forums.scotsnewsletter.com/index.php?showtopic=69051&view=getlastpost
ebrke Posted April 12, 2014
Open source never implies any warranty. If it breaks you get to keep both pieces.
Agreed. The really unfortunate thing about this OpenSSL issue is that we'll probably start hearing low-information and/or biased bloggers using it to undermine the open source model.
V.T. Eric Layton Posted April 12, 2014
...you can't blame someone else if something they wrote didn't work exactly as expected on your server.
Oh, yeah... I always review the thousands of lines of code in any open source app, library file, or kernel that I utilize on my systems. You just gotta be pro-active when it comes to quality control.
V.T. Eric Layton Posted April 12, 2014
Agreed. The really unfortunate thing about this OpenSSL issue is that we'll probably start hearing low-information and/or biased bloggers using it to undermine the open source model.
Yeah... like closed source software doesn't have errors or vulnerabilities.... MS Windows 95, 98, 98SE, ME, XP, Vista, 7, 8, 8.1, Office XP, Office 2000, Office 2003, etc...
Guest LilBambi Posted April 12, 2014
The problem is that some people still believe the myth ... the myth that they propagate about security through obscurity... worked real well for Windows, right?
V.T. Eric Layton Posted April 13, 2014
I prefer security through superior firepower and tactics. However, that doesn't always work that well against far away snot-nosed hackers and spammers.
crp Posted April 13, 2014
Aside from a clean room, has anyone been able to exploit the trick and obtain meaningful data?
raymac46 Posted April 13, 2014
http://www.theverge.com/us-world/2014/4/11/5606524/hacker-successfully-uses-heartbleed-to-retrieve-private-security-keys
Guest LilBambi Posted April 13, 2014
I prefer security through superior firepower and tactics. However, that doesn't always work that well against far away snot-nosed hackers and spammers.
The funny part is, neither does Security by Obscurity. Like DRM, it stops legitimate users but not criminal hackers and spammers.
crp Posted April 13, 2014
I didn't update/upgrade the OpenSSL on one of our servers that was using it back when it was made available. I didn't see the point and the chance of disrupting seemed higher than any gain. Does this qualify as 'Obscurity'? And I'm not sure, but I think our firewall was set up so that if multiple requests came in too short a time from an IP address, then the transmission got cut off. If so, that would be an interesting way of stopping/slowing down DDoS attacks, sort of a mini honeypot. But it would have also served as "buffer overrun" mistakes such as this Heartbleed. As for the general internet, the fact that there have been no indications of anyone selling bunches of keys, credentials or in-the-middle programs related to the Heartbleed problem speaks volumes to me. What does have me pondering are governments. I do find it hard to believe any government would have used OpenSSL for their own sites. But let me concede that point. So a government that used OpenSSL didn't have any of their programmers who would have checked over the code find the problem??? And no intelligence agencies found this problem??? I believe that the NSA does have an algorithm that goes through the oodles of captured data stream looking for the situation and then gathering those pools of data so that the data could be gleaned in a meaningful way. i.e.: I believe that Clapper is once again lying.
Guest LilBambi Posted April 13, 2014
NSA Said to Exploit Heartbleed Bug for Intelligence for Years - Bloomberg
V.T. Eric Layton Posted April 13, 2014
The more stuff like this happens and the more we find out about how, thanks to technology that was supposed to be to our benefit, we are being spied upon by every BIG GOV analyst and pimply-faced Russian kid, the more I really am considering cutting the cord... and the wifi completely. I've been wondering if I could return to my pre-computer/Internet days without too much pain. I think I could. However, I would miss you folks very much were I to actually revert to 1975.
Guest LilBambi Posted April 13, 2014
NSA denies Report that Agency knew and exploited Heartbleed Vulnerability - HackerNews
crp Posted April 13, 2014
Can we please get the 2 topics merged or one of them closed? There is too much duplication and cross-talk on this.
sunrat Posted April 14, 2014
Please refer further discussion to the thread in Security And Networking - http://forums.scotsnewsletter.com/index.php?showtopic=69051&st=0