Igor Delovski Board Forum Index Igor Delovski Board
My Own Personal Slashdot!
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

Heartbleed, OpenSSL & All That Jazz

 
Post new topic   Reply to topic    Igor Delovski Board Forum Index -> Dev Links
Dev Links  
Author Message
delovski



Joined: 14 Jun 2006
Posts: 3524
Location: Zagreb

PostPosted: Mon Apr 14, 2014 10:23 pm    Post subject: Heartbleed, OpenSSL & All That Jazz Reply with quote

Poul-Henning Kamp - OpenSSL must die, for it will never get any better

"The OpenSSL software package is around 300,000 lines of code, which
means there are probably around 299 bugs still there, now that the
Heartbleed bug — which allowed pretty much anybody to retrieve internal
state to which they should normally not have access — has been fixed."
Back to top
View user's profile Send private message Visit poster's website
delovski



Joined: 14 Jun 2006
Posts: 3524
Location: Zagreb

PostPosted: Mon Apr 14, 2014 10:24 pm    Post subject: Reply with quote

vox.com - How does the heartbleed attack work?

"The Heartbleed attack takes advantage of the fact that the server can be
too trusting. When someone tells it that the message has 6 characters, the
server automatically sends back 6 characters in response. A malicious user
can take take advantage of the server's gullibility."
Back to top
View user's profile Send private message Visit poster's website
delovski



Joined: 14 Jun 2006
Posts: 3524
Location: Zagreb

PostPosted: Mon Apr 14, 2014 10:24 pm    Post subject: Reply with quote

mashable.com - The Programmer Behind Heartbleed Speaks Out,
It Was an Accident


"Programmer Robin Seggelmann says he wrote the code for the part of
OpenSSL that led to Heartbleed. But it was an accident. He submitted the
code to the OpenSSL project and other members reviewed it. Seggelmann
later added another piece of code for a new feature, which the members
then added. It was this added feature that introduced the bug."
Back to top
View user's profile Send private message Visit poster's website
delovski



Joined: 14 Jun 2006
Posts: 3524
Location: Zagreb

PostPosted: Mon Apr 14, 2014 10:25 pm    Post subject: Reply with quote

MIT TR - Many Devices Will Never Be Patched to Fix Heartbleed Bug

“Unlike servers being patched by armies of corporate IT staff, these
Internet-enabled devices with vulnerable OpenSSL parts aren’t going to
be getting the attention they may need,” says Jonathan Sander, strategy
and research officer for STEALTHbits Technologies, which helps companies
manage and track data access and leaks. “OpenSSL is like a faulty engine
part that’s been used in every make and model of car, golf cart, and
scooter.”
Back to top
View user's profile Send private message Visit poster's website
delovski



Joined: 14 Jun 2006
Posts: 3524
Location: Zagreb

PostPosted: Mon Apr 14, 2014 10:25 pm    Post subject: Reply with quote

Health Report - Heartbleed Bug Health Report

"Most Popular Vulnerable Domains - Below, we list the top 1,000 most
popular domains that remain vulnerable to the heartbleed vulnerability as of
2:00 PM on April 10, 2014. A more comprehensive list is available here. The
raw data for the full Alexa Top 1 million can be downloaded at heartbleed-
alexa-health.csv.tar.gz."
Back to top
View user's profile Send private message Visit poster's website
delovski



Joined: 14 Jun 2006
Posts: 3524
Location: Zagreb

PostPosted: Mon Apr 14, 2014 10:25 pm    Post subject: Reply with quote

macrumors.com - Apple Confirms 'Heartbleed' Security Issue Did
Not Affect Apple Software and 'Key Services'


"Apple today released a statement to Re/code confirming that iOS, OS X
and "key web services" were unaffected by the widely publicized security
flaw known as Heartbleed which was disclosed earlier this week."
Back to top
View user's profile Send private message Visit poster's website
delovski



Joined: 14 Jun 2006
Posts: 3524
Location: Zagreb

PostPosted: Mon Apr 14, 2014 10:26 pm    Post subject: Reply with quote

esr - Does the Heartbleed bug refute Linus’s Law?

"The response to the Heartbleed bug illustrates another huge advantage of
open source: how rapidly we can push fixes. The repair for my Linux
systems was a push-one-button fix less than two days after the bug hit the
news. Proprietary-software customers will be lucky to see a fix within two
months, and all too many of them will never see a fix patch."
Back to top
View user's profile Send private message Visit poster's website
delovski



Joined: 14 Jun 2006
Posts: 3524
Location: Zagreb

PostPosted: Mon Apr 14, 2014 10:27 pm    Post subject: Reply with quote

r - Hacker successfully uses Heartbleed to retrieve private security keys

"The original argument was that the keys should be loaded at a lower
address than any heartbeat packets so they can't be read by an overrun.
If that's true, attackers either have to force the keys to be reloaded or
copied in memory, or use data they can read to facilitate a different
attack."
Back to top
View user's profile Send private message Visit poster's website
Ike
Kapetan


Joined: 17 Jun 2006
Posts: 3146
Location: Europe

PostPosted: Mon Apr 14, 2014 11:10 pm    Post subject: Reply with quote

nj - Google Knew About Heartbleed and Didn’t Tell the Government

"Neel Mehta, a Google engineer, first discovered "Heartbleed"—a bug that
undermines the widely used encryption technology OpenSSL—some time in
March. A team at the Finnish security firm Codenomicon discovered the flaw
around the same time. Google was able to patch most of its services—such
as email, search, and YouTube—before the companies publicized the bug on
April 7."
Back to top
View user's profile Send private message
Ike
Kapetan


Joined: 17 Jun 2006
Posts: 3146
Location: Europe

PostPosted: Mon Apr 14, 2014 11:15 pm    Post subject: Reply with quote

Steve Marquess - Of Money, Responsibility, and Pride

"Fate has made me the “money guy” for OpenSSL so I’m going to talk
about that for a bit. ... There should be at least a half dozen full time
OpenSSL team members, not just one, able to concentrate on the care
and feeding of OpenSSL without having to hustle commercial work. If
you’re a corporate or government decision maker in a position to do
something about it, give it some thought. Please. I’m getting old and
weary and I’d like to retire someday."
Back to top
View user's profile Send private message
delovski



Joined: 14 Jun 2006
Posts: 3524
Location: Zagreb

PostPosted: Tue Apr 15, 2014 7:12 pm    Post subject: Reply with quote

reddit - I am the author of the Heartbleed test site. AMA!

"I'm the 19yo guy that past Monday night set up the site to check if servers
are safe from Heartbleed. The site performed more than 60 millions tests last
week. AMA!"
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    Igor Delovski Board Forum Index -> Dev Links All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Delovski.hr
Powered by php-B.B. © 2001, 2005 php-B.B. Group