[kwlug-disc] Heartbleed affected sites

unsolicited unsolicited at swiz.ca
Fri Apr 11 17:24:44 EDT 2014



You'd think that would be making the top of the headlines everywhere, 
and stay there.

But ... never mind ... they're from the government, and they're here to 
help us ...

On 14-04-11 04:30 PM, CrankyOldBugger wrote:
> Well, try not to be surprised, but apparently the NSA has been
> exploiting this bug for two years now:
> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
> But yes, the media is doing a wonderful job of convincing people that
> this issue is far bigger than it really is.
> On 11 April 2014 16:24, unsolicited <unsolicited at swiz.ca
> <mailto:unsolicited at swiz.ca>> wrote:
>     Why?
>     The bug was introduced 2 years ago, but its not known to have been
>     exploited, from anything I've seen, which doesn't say much.
>     Nefarious activity in the wild is monitored by various organizations
>     to whatever extent it is, and the issue was not discovered /
>     reported by them, as far as I know.
>      From what I saw a 64k chunk of memory is potentially exposed in an
>     ssh server to someone if they were exploiting it, for which we don't
>     know they were. (Or even aware it was possible.)
>     Doesn't mean there was anything useful in that 64k chunk. Which they
>     would then have to decipher in the sense of figuring out if there is
>     anything useful, and that usefulness has to extend to being able to
>     do something with it.
>     Without any knowledge one way or the other, I assume CRA is shut
>     down not because there's an issue going forward (problem easily
>     patched, now), but because they don't know what might have happened
>     during or within. Short of checksumming every system, I don't know
>     how they might prove one way or another. But someone higher up is
>     probably requiring due diligence on something that can't be proven.
>     I do wonder if 'change your password' isn't FUD, promoted for trying
>     to give users the sense that they're in control of their own
>     security, and that changing their password will let them be
>     proactive and 'solve the problem'.
>     There's a lot if 'ifs' to the chain of events above before you have
>     certainty of impact. And a lot of other risks (especially human
>     error) out there that are quite probably more likely to happen and
>     impact you than this one. No, I don't know what they are, either.
>     But I also haven't seen any impact.
>     It's a lot of work to change all the passwords, let alone for some
>     time afterwards trying to remember what you changed them to.
>     Not sure it's worth the effort in the absence of any detected
>     impact. Hard to say its not just fear mongering. Certainly some
>     media I've seen running around with their heads cut off demonstrate
>     a deep misunderstanding of things, yet their heads are still talking.
>     On 14-04-11 10:51 AM, CrankyOldBugger wrote:
>         Mashable has a list going of sites affected by Heartbleed:
>         http://mashable.com/2014/04/__09/heartbleed-bug-websites-__affected/
>         <http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/>
>         Don't forget to add Canada Revenue (and most other government
>         sites) to
>         your list of passwords to change!
>     _________________________________________________
>     kwlug-disc mailing list
>     kwlug-disc at kwlug.org <mailto:kwlug-disc at kwlug.org>
>     http://kwlug.org/mailman/__listinfo/kwlug-disc_kwlug.org
>     <http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org

More information about the kwlug-disc mailing list