[kwlug-disc] Heartbleed affected sites
kwlug.org at ciotog.net
Fri Apr 11 20:30:21 EDT 2014
I don't think the NSA would admit to _not_ having been aware of a bug
like this since it started.
On 11 April 2014 16:30, CrankyOldBugger <crankyoldbugger at gmail.com> wrote:
> Well, try not to be surprised, but apparently the NSA has been exploiting
> this bug for two years now:
> But yes, the media is doing a wonderful job of convincing people that this
> issue is far bigger than it really is.
> On 11 April 2014 16:24, unsolicited <unsolicited at swiz.ca> wrote:
>> The bug was introduced 2 years ago, but it's not known to have been
>> exploited, from anything I've seen, which doesn't say much.
>> Nefarious activity in the wild is monitored by various organizations to
>> whatever extent it is, and the issue was not discovered / reported by them,
>> as far as I know.
>> From what I saw a 64k chunk of memory is potentially exposed in an ssh
>> server to someone if they were exploiting it, for which we don't know they
>> were. (Or even aware it was possible.)
>> Doesn't mean there was anything useful in that 64k chunk. Which they would
>> then have to decipher in the sense of figuring out if there is anything
>> useful, and that usefulness has to extend to being able to do something with
>> Without any knowledge one way or the other, I assume CRA is shut down not
>> because there's an issue going forward (problem easily patched, now), but
>> because they don't know what might have happened during or within. Short of
>> checksumming every system, I don't know how they might prove one way or
>> another. But someone higher up is probably requiring due diligence on
>> something that can't be proven.
>> I do wonder if 'change your password' isn't FUD, promoted for trying to
>> give users the sense that they're in control of their own security, and that
>> changing their password will let them be proactive and 'solve the problem'.
>> There's a lot of 'ifs' to the chain of events above before you have
>> certainty of impact. And a lot of other risks (especially human error) out
>> there that are quite probably more likely to happen and impact you than this
>> one. No, I don't know what they are, either. But I also haven't seen any
>> It's a lot of work to change all the passwords, let alone for some time
>> afterwards trying to remember what you changed them to.
>> Not sure it's worth the effort in the absence of any detected impact. Hard
>> to say it's not just fear mongering. Certainly some media I've seen running
>> around with their heads cut off demonstrate a deep misunderstanding of
>> things, yet their heads are still talking.
>> On 14-04-11 10:51 AM, CrankyOldBugger wrote:
>>> Mashable has a list going of sites affected by Heartbleed:
>>> Don't forget to add Canada Revenue (and most other government sites) to
>>> your list of passwords to change!
>> kwlug-disc mailing list
>> kwlug-disc at kwlug.org