delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
Posted: Mon Apr 14, 2014 10:23 pm Post subject: Heartbleed, OpenSSL & All That Jazz

Poul-Henning Kamp - OpenSSL must die, for it will never get any better
"The OpenSSL software package is around 300,000 lines of code, which
means there are probably around 299 bugs still there, now that the
Heartbleed bug — which allowed pretty much anybody to retrieve internal
state to which they should normally not have access — has been fixed."

delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
Posted: Mon Apr 14, 2014 10:24 pm

vox.com - How does the heartbleed attack work?
"The Heartbleed attack takes advantage of the fact that the server can be
too trusting. When someone tells it that the message has 6 characters, the
server automatically sends back 6 characters in response. A malicious user
can take advantage of the server's gullibility."

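The "too trusting" server in the explanation quoted above, as an added illustration that is not part of the original post and is not OpenSSL's own code: a toy heartbeat handler in C that believes the peer's claimed payload length the way the pre-fix code did, next to a version that bounds every read by the number of bytes actually received. The memory arena, the planted secret and the request that claims 64 bytes while sending 4 are all constructed for the example; the two length checks in `heartbeat_fixed` follow the shape of the published fix rather than reproducing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16). */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Constructed "process memory": the received record is written at the start of this
 * arena and a secret left over from an earlier connection sits right after it. */
static unsigned char arena[4096];
#define SECRET "PRIVATE-KEY-MATERIAL"   /* constructed stand-in for adjacent sensitive data */

/* Write a request that claims `claimed` payload bytes but carries only `actual`,
 * then plant the secret just past the record. Returns the real record length. */
static size_t stage(uint16_t claimed, size_t actual)
{
    unsigned char *p = arena;
    memset(arena, 0, sizeof arena);
    *p++ = HB_REQUEST; *p++ = (unsigned char)(claimed >> 8); *p++ = (unsigned char)claimed;
    memset(p, 'A', actual);   p += actual;
    memset(p, 0, HB_PADDING); p += HB_PADDING;
    memcpy(p, SECRET, strlen(SECRET));
    return (size_t)(p - arena);
}

/* Build the response: echo `payload` bytes starting at `data`, then padding. */
static unsigned char *reply(const unsigned char *data, uint16_t payload, size_t *out_len)
{
    size_t n = 1 + 2 + (size_t)payload + HB_PADDING;
    unsigned char *r = malloc(n);
    if (!r) return NULL;
    r[0] = HB_RESPONSE; r[1] = (unsigned char)(payload >> 8); r[2] = (unsigned char)payload;
    memcpy(r + 3, data, payload);            /* reads past the record when payload was a lie */
    memset(r + 3 + payload, 0, HB_PADDING);
    *out_len = n;
    return r;
}

/* Vulnerable shape: the peer's payload_length is believed outright; rec_len, the
 * number of bytes actually received, is never consulted. */
static unsigned char *heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, size_t *out_len)
{
    (void)rec_len;
    if (rec[0] != HB_REQUEST) return NULL;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return reply(rec + 3, payload, out_len);
}

/* Fixed shape: bound every read by rec_len before trusting the claimed length;
 * a record that cannot hold what it claims is silently discarded. */
static unsigned char *heartbeat_fixed(const unsigned char *rec, size_t rec_len, size_t *out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING) return NULL;                   /* cannot even hold a header */
    if (rec[0] != HB_REQUEST) return NULL;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return NULL; /* claims more than arrived */
    return reply(rec + 3, payload, out_len);
}

/* 1 if a request claiming 64 bytes but sending 4 makes the vulnerable handler echo the secret.
 * With 4 real payload bytes plus 16 of padding, the secret starts 20 bytes into the echo. */
int demo_vulnerable_leaks(void)
{
    size_t out_len = 0, rec_len = stage(64, 4);
    unsigned char *r = heartbeat_vulnerable(arena, rec_len, &out_len);
    int leaked = r != NULL && out_len >= 3 + 20 + strlen(SECRET)
                 && memcmp(r + 3 + 20, SECRET, strlen(SECRET)) == 0;
    free(r);
    return leaked;
}

/* 1 if the fixed handler drops that same malformed request without replying. */
int demo_fixed_rejects(void)
{
    size_t out_len = 0, rec_len = stage(64, 4);
    unsigned char *r = heartbeat_fixed(arena, rec_len, &out_len);
    int rejected = (r == NULL);
    free(r);
    return rejected;
}

/* 1 if the fixed handler answers an honest 4-byte heartbeat with exactly those 4 bytes and nothing past them. */
int demo_fixed_answers_honest(void)
{
    size_t out_len = 0, rec_len = stage(4, 4);
    unsigned char *r = heartbeat_fixed(arena, rec_len, &out_len);
    int ok = r != NULL && out_len == rec_len && memcmp(r + 3, "AAAA", 4) == 0;
    free(r);
    return ok;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", demo_vulnerable_leaks());
    printf("fixed handler rejects request:   %d\n", demo_fixed_rejects());
    printf("fixed handler answers honest:    %d\n", demo_fixed_answers_honest());
    return 0;
}
```

Build with `cc -Wall -Wextra heartbeat_demo.c -o heartbeat_demo` (file name assumed) and run it. The over-read here stays inside the constructed arena so the demo is deterministic; on a real server the bytes that follow the record are whatever the allocator happened to place there, which is why the leaked content varied from probe to probe and why the fix is a bounds check on the received length rather than anything about what lies beyond it.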
delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
Posted: Mon Apr 14, 2014 10:24 pm

mashable.com - The Programmer Behind Heartbleed Speaks Out,
It Was an Accident
"Programmer Robin Seggelmann says he wrote the code for the part of
OpenSSL that led to Heartbleed. But it was an accident. He submitted the
code to the OpenSSL project and other members reviewed it. Seggelmann
later added another piece of code for a new feature, which the members
then added. It was this added feature that introduced the bug."

delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
Posted: Mon Apr 14, 2014 10:25 pm

MIT TR - Many Devices Will Never Be Patched to Fix Heartbleed Bug
“Unlike servers being patched by armies of corporate IT staff, these
Internet-enabled devices with vulnerable OpenSSL parts aren’t going to
be getting the attention they may need,” says Jonathan Sander, strategy
and research officer for STEALTHbits Technologies, which helps companies
manage and track data access and leaks. “OpenSSL is like a faulty engine
part that’s been used in every make and model of car, golf cart, and
scooter.”

delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
Posted: Mon Apr 14, 2014 10:25 pm

Health Report - Heartbleed Bug Health Report
"Most Popular Vulnerable Domains - Below, we list the top 1,000 most
popular domains that remain vulnerable to the heartbleed vulnerability as of
2:00 PM on April 10, 2014. A more comprehensive list is available here. The
raw data for the full Alexa Top 1 million can be downloaded at
heartbleed-alexa-health.csv.tar.gz."

delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
Posted: Mon Apr 14, 2014 10:26 pm

esr - Does the Heartbleed bug refute Linus’s Law?
"The response to the Heartbleed bug illustrates another huge advantage of
open source: how rapidly we can push fixes. The repair for my Linux
systems was a push-one-button fix less than two days after the bug hit the
news. Proprietary-software customers will be lucky to see a fix within two
months, and all too many of them will never see a fix patch."

delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
Posted: Mon Apr 14, 2014 10:27 pm

r - Hacker successfully uses Heartbleed to retrieve private security keys
"The original argument was that the keys should be loaded at a lower
address than any heartbeat packets so they can't be read by an overrun.
If that's true, attackers either have to force the keys to be reloaded or
copied in memory, or use data they can read to facilitate a different
attack."

Ike Kapetan
Joined: 17 Jun 2006 Posts: 3136 Location: Europe
Posted: Mon Apr 14, 2014 11:10 pm

nj - Google Knew About Heartbleed and Didn’t Tell the Government
"Neel Mehta, a Google engineer, first discovered "Heartbleed"—a bug that
undermines the widely used encryption technology OpenSSL—some time in
March. A team at the Finnish security firm Codenomicon discovered the flaw
around the same time. Google was able to patch most of its services—such
as email, search, and YouTube—before the companies publicized the bug on
April 7."

Ike Kapetan
Joined: 17 Jun 2006 Posts: 3136 Location: Europe
Posted: Mon Apr 14, 2014 11:15 pm

Steve Marquess - Of Money, Responsibility, and Pride
"Fate has made me the “money guy” for OpenSSL so I’m going to talk
about that for a bit. ... There should be at least a half dozen full time
OpenSSL team members, not just one, able to concentrate on the care
and feeding of OpenSSL without having to hustle commercial work. If
you’re a corporate or government decision maker in a position to do
something about it, give it some thought. Please. I’m getting old and
weary and I’d like to retire someday."

delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
Posted: Tue Apr 15, 2014 7:12 pm

reddit - I am the author of the Heartbleed test site. AMA!
"I'm the 19yo guy that past Monday night set up the site to check if servers
are safe from Heartbleed. The site performed more than 60 million tests last
week. AMA!"