Massive Security Bug In OpenSSL


sunrat

securitybreach

Remember to restart the server or reload modules after the update to load the new ones.

Exactly! :thumbup:

securitybreach

Well if they run the updates, then they have the new package anyway.

If they subscribe to any tech stuff, they should know of this already. If not, they're not doing their job.

I hope all those web server admins know about this, but also do something about it - like apply the patch.

I've read comments in this thread batl about catastrophes resulting from unpatched machines.

We should realize that lots of admins didn't volunteer for the position and may be other than experienced.

Well ..... actually we are waiting a couple of days. One of our servers has the vulnerability but it is not exposed

(see http://rehmann.co/projects/heartbeat , we happen to cut off the response for other reasons). going to see if others have any issues with the patches before installing them.


V.T. Eric Layton

Well, he's right. He may have boogered up that line of code, but the checker missed it too. Poop happens. I feel sorry for Robin Seggelmann. He's being called "The Man Who Broke the Internet." :(


Well, he's right. He may have boogered up that line of code, but the checker missed it too. Poop happens. I feel sorry for Robin Seggelmann. He's being called "The Man Who Broke the Internet." :(

Saying he broke the Internet is saying that all the people who used his code without any understanding of what it was had no responsibility in it whatsoever.

They had an obligation to check out anything they deployed on their servers. You'd think someone among those thousands might have noticed something, even if it was only in one line of code. Regardless, you can't blame someone else if something they wrote didn't work exactly as expected on your server.

Open source never implies any warranty. If it breaks you get to keep both pieces. :shifty:


Open source never implies any warranty. If it breaks you get to keep both pieces. :shifty:

Agreed. The really unfortunate thing about this OpenSSL issue is that we'll probably start hearing low-information and/or biased bloggers using it to undermine the open source model.

V.T. Eric Layton

...you can't blame someone else if something they wrote didn't work exactly as expected on your server.
Oh, yeah... I always review the thousands of lines of code in any open source app, library file, or kernel that I utilize on my systems. You just gotta' be pro-active when it comes to quality control. ;)


V.T. Eric Layton

Agreed. The really unfortunate thing about this OpenSSL issue is that we'll probably start hearing low-information and/or biased bloggers using it to undermine the open source model.
Yeah... like closed source software doesn't have errors or vulnerabilities....

MS Windows 95, 98, 98SE, ME, XP, Vista, 7, 8, 8.1, Office XP, Office 2000, Office 2003, etc...

:hysterical:


Guest LilBambi

The problem is that some people still believe the myth... the myth that they propagate about security through obscurity... worked real well for Windows, right?

V.T. Eric Layton

I prefer security through superior firepower and tactics. However, that doesn't always work that well against far away snot-nosed hackers and spammers. ;)


Guest LilBambi

I prefer security through superior firepower and tactics. However, that doesn't always work that well against far away snot-nosed hackers and spammers. ;)

The funny part is, neither does Security by Obscurity. Like DRM, it stops legitimate users but not criminal hackers and spammers.


I didn't update/upgrade the OpenSSL on one of our servers that was using it back when it was made available. I didn't see the point and the chance of disrupting seemed higher than any gain. Does this qualify as 'Obscurity'?

And I'm not sure, but I think our firewall was set up so that if multiple requests came in too short a time from an IP address, then the transmission got cut off. If so, that would be an interesting way of stopping/slowing down DDOS attacks, sort of a mini honeypot. But it would have also served against "butter overrun" mistakes such as this Heartbleed.

As for the general internet, the fact that there have been no indications of anyone selling bunches of keys, credentials or in-the-middle programs related to the HeartBleed problem speaks volumes to me.

What does have me pondering are governments. I do find it hard to believe any government would have used OpenSSL for their own sites. But let me concede that point. So a government that used OpenSSL didn't have any of their programmers who would have checked over the code find the problem??? And no intelligence agencies found this problem??? I believe that the NSA does have an algorithm that goes through the oodles of captured data stream looking for the situation and then gathering those pools of data so that the data could be gleaned in a meaningful way. I.e., I believe that Clapper is once again lying.


V.T. Eric Layton

The more stuff like this happens and the more we find out about how, thanks to technology that was supposed to be to our benefit, we are being spied upon by every BIG GOV analyst and pimply-faced Russian kid, the more I really am considering cutting the cord... and the wifi completely. I've been wondering if I could return to my pre-computer/Internet days without too much pain. I think I could. However, I would miss you folks very much were I to actually revert to 1975. :(

This topic is now closed to further replies.