[kwlug-disc] Heartbleed affected sites

Chris Craig kwlug.org at ciotog.net
Fri Apr 11 20:30:21 EDT 2014


I don't think the NSA would admit to _not_ having been aware of a bug
like this since it started.

On 11 April 2014 16:30, CrankyOldBugger <crankyoldbugger at gmail.com> wrote:
> Well, try not to be surprised, but apparently the NSA has been exploiting
> this bug for two years now:
>
> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>
> But yes, the media is doing a wonderful job of convincing people that this
> issue is far bigger than it really is.
>
>
>
> On 11 April 2014 16:24, unsolicited <unsolicited at swiz.ca> wrote:
>>
>> Why?
>>
>> The bug was introduced 2 years ago, but it's not known to have been
>> exploited, from anything I've seen, which doesn't say much.
>>
>> Nefarious activity in the wild is monitored by various organizations to
>> whatever extent it is, and the issue was not discovered / reported by them,
>> as far as I know.
>>
>> From what I saw a 64k chunk of memory is potentially exposed in an ssh
>> server to someone if they were exploiting it, for which we don't know they
>> were. (Or even aware it was possible.)
>>
>> Doesn't mean there was anything useful in that 64k chunk. Which they would
>> then have to decipher in the sense of figuring out if there is anything
>> useful, and that usefulness has to extend to being able to do something with
>> it.
>>
>> Without any knowledge one way or the other, I assume CRA is shut down not
>> because there's an issue going forward (problem easily patched, now), but
>> because they don't know what might have happened during or within. Short of
>> checksumming every system, I don't know how they might prove one way or
>> another. But someone higher up is probably requiring due diligence on
>> something that can't be proven.
>>
>> I do wonder if 'change your password' isn't FUD, promoted for trying to
>> give users the sense that they're in control of their own security, and that
>> changing their password will let them be proactive and 'solve the problem'.
>>
>> There's a lot of 'ifs' to the chain of events above before you have
>> certainty of impact. And a lot of other risks (especially human error) out
>> there that are quite probably more likely to happen and impact you than this
>> one. No, I don't know what they are, either. But I also haven't seen any
>> impact.
>>
>> It's a lot of work to change all the passwords, let alone for some time
>> afterwards trying to remember what you changed them to.
>>
>> Not sure it's worth the effort in the absence of any detected impact. Hard
>> to say it's not just fear mongering. Certainly some media I've seen running
>> around with their heads cut off demonstrate a deep misunderstanding of
>> things, yet their heads are still talking.
>>
>>
>> On 14-04-11 10:51 AM, CrankyOldBugger wrote:
>>>
>>> Mashable has a list going of sites affected by Heartbleed:
>>>
>>> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
>>>
>>> Don't forget to add Canada Revenue (and most other government sites) to
>>> your list of passwords to change!
>>
>>
>>
>> _______________________________________________
>> kwlug-disc mailing list
>> kwlug-disc at kwlug.org
>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>
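The "64k chunk of memory" discussed in the thread comes from the missing bounds check in OpenSSL's TLS heartbeat handler (CVE-2014-0160): the server trusted the sender's declared payload length and copied that many bytes from its own heap into the reply. The following checker, an added example that is not part of the original posts or of OpenSSL, applies the check the fixed code performs and can be run over captured heartbeat bodies to flag malformed records. The record layout and the constructed sample records are assumptions of the example; the function and constant names are hypothetical.

```python
"""
Added example (not from the kwlug-disc thread): validate a TLS heartbeat
message body the way the patched OpenSSL does.

Assumed layout of a heartbeat body (bytes after the TLS record header):
  1 byte  type           (1 = request, 2 = response)
  2 bytes payload_length (big-endian)
  payload_length bytes of payload
  >= 16 bytes of random padding
The vulnerable code read the payload from the heap using payload_length
without confirming the record actually contained that many bytes, so up to
64 KiB of process memory could be returned. The fixed code discards any
record whose declared payload and padding do not fit in the bytes received.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3          # type byte + 2-byte length
MIN_PADDING = 16        # minimum padding required by the heartbeat extension
MAX_PAYLOAD = 0xFFFF    # 2-byte length field: the "64k" ceiling from the thread


def check_heartbeat(record: bytes) -> dict:
    """Return a verdict dict for one heartbeat body.

    'ok' is True when the declared payload fits inside the record; otherwise
    'reason' explains the rejection, so the result can feed a log or alert.
    """
    # Need at least the type byte and the 2-byte length to read the header.
    if len(record) < HEADER_LEN:
        return {"ok": False, "reason": "truncated header"}

    hb_type = record[0]
    (payload_length,) = struct.unpack("!H", record[1:HEADER_LEN])

    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return {"ok": False, "reason": f"unknown heartbeat type {hb_type}"}

    # The bounds check the vulnerable OpenSSL omitted: header + declared
    # payload + minimum padding must not exceed what was actually received.
    needed = HEADER_LEN + payload_length + MIN_PADDING
    if needed > len(record):
        return {
            "ok": False,
            "reason": (
                f"declared payload {payload_length} bytes does not fit "
                f"record of {len(record)} bytes; over-read of "
                f"{needed - len(record)} bytes would have occurred"
            ),
            "overread": needed - len(record),
        }

    return {"ok": True, "reason": "payload fits record",
            "payload_length": payload_length}


def build_heartbeat(hb_type: int, payload: bytes,
                    padding_len: int = MIN_PADDING) -> bytes:
    """Build a well-formed heartbeat body; used only to construct sample input."""
    return (bytes([hb_type]) + struct.pack("!H", len(payload))
            + payload + b"\x00" * padding_len)


# Constructed sample records (not captured traffic).
GOOD_RECORD = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
# A malformed body: the length field claims 16 KiB but only 4 payload bytes
# and no padding follow. This is the shape a validator or IDS should reject.
BAD_RECORD = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0x4000) + b"ping"


def scan_records(records) -> list:
    """Run the check over a batch of bodies and return only the rejections."""
    return [(i, v["reason"]) for i, r in enumerate(records)
            if not (v := check_heartbeat(r))["ok"]]


if __name__ == "__main__":
    for idx, reason in scan_records([GOOD_RECORD, BAD_RECORD, b"\x01"]):
        print(f"record {idx}: rejected: {reason}")
```

Run as a script it prints the two rejections; imported, `check_heartbeat` can be dropped into a packet-processing pipeline as the gate, and `scan_records` shows how the rejections would be collected for alerting.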