[kwlug-disc] Heartbleed affected sites
unsolicited at swiz.ca
Sat Apr 12 04:30:22 EDT 2014
Except ... if they were aware ... and didn't report it up such that it
got fixed two years ago ...
No wonder there's a bad taste in people's mouths.
On 14-04-11 08:30 PM, Chris Craig wrote:
> I don't think the NSA would admit to _not_ having been aware of a bug
> like this since it started.
> On 11 April 2014 16:30, CrankyOldBugger <crankyoldbugger at gmail.com> wrote:
>> Well, try not to be surprised, but apparently the NSA has been exploiting
>> this bug for two years now:
>> But yes, the media is doing a wonderful job of convincing people that this
>> issue is far bigger than it really is.
>> On 11 April 2014 16:24, unsolicited <unsolicited at swiz.ca> wrote:
>>> The bug was introduced 2 years ago, but it's not known to have been
>>> exploited, from anything I've seen, which doesn't say much.
>>> Nefarious activity in the wild is monitored by various organizations to
>>> whatever extent it is, and the issue was not discovered / reported by them,
>>> as far as I know.
>>> From what I saw a 64k chunk of memory is potentially exposed in an ssh
>>> server to someone if they were exploiting it, for which we don't know they
>>> were. (Or even aware it was possible.)
>>> Doesn't mean there was anything useful in that 64k chunk. Which they would
>>> then have to decipher in the sense of figuring out if there is anything
>>> useful, and that usefulness has to extend to being able to do something with
>>> Without any knowledge one way or the other, I assume CRA is shut down not
>>> because there's an issue going forward (problem easily patched, now), but
>>> because they don't know what might have happened during or within. Short of
>>> checksumming every system, I don't know how they might prove one way or
>>> another. But someone higher up is probably requiring due diligence on
>>> something that can't be proven.
>>> I do wonder if 'change your password' isn't FUD, promoted for trying to
>>> give users the sense that they're in control of their own security, and that
>>> changing their password will let them be proactive and 'solve the problem'.
>>> There's a lot of 'ifs' to the chain of events above before you have
>>> certainty of impact. And a lot of other risks (especially human error) out
>>> there that are quite probably more likely to happen and impact you than this
>>> one. No, I don't know what they are, either. But I also haven't seen any
>>> It's a lot of work to change all the passwords, let alone for some time
>>> afterwards trying to remember what you changed them to.
>>> Not sure it's worth the effort in the absence of any detected impact. Hard
>>> to say it's not just fear mongering. Certainly some media I've seen running
>>> around with their heads cut off demonstrate a deep misunderstanding of
>>> things, yet their heads are still talking.
>>> On 14-04-11 10:51 AM, CrankyOldBugger wrote:
>>>> Mashable has a list going of sites affected by Heartbleed:
>>>> Don't forget to add Canada Revenue (and most other government sites) to
>>>> your list of passwords to change!
>>> kwlug-disc mailing list
>>> kwlug-disc at kwlug.org
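The "64k chunk of memory" discussed in the thread comes from the TLS heartbeat extension (RFC 6520): a heartbeat message carries a 16-bit payload_length, and the unpatched code echoed that many bytes back without checking how many had actually arrived. The example below is added here and is not code from the thread or from OpenSSL; it shows the length check the fix introduced beside a simulation of the unchecked behaviour, on constructed byte strings. The function names, the sample messages and the "process memory" buffer are all hypothetical and constructed for illustration.

```python
"""Heartbeat length validation: checked parser beside an unchecked simulation."""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_MIN = 16   # RFC 6520: at least 16 bytes of padding follow the payload
HEADER_LEN = 3     # 1-byte type + 2-byte payload_length


def parse_heartbeat(record: bytes):
    """Validate one heartbeat message body the way the fixed code does.

    Returns (accepted, payload_or_reason). The 16-bit payload_length the peer
    claims must fit inside the bytes actually received, including the
    mandatory padding; otherwise the message is dropped instead of being
    answered with memory the sender never supplied.
    """
    if len(record) < HEADER_LEN + PADDING_MIN:
        return False, "too short for header plus padding"
    hb_type, claimed = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return False, f"unknown heartbeat type {hb_type}"
    available = len(record) - HEADER_LEN - PADDING_MIN
    if claimed > available:
        # Heartbleed condition: up to 65535 bytes claimed, far fewer sent.
        return False, f"claimed {claimed} bytes, only {available} present"
    return True, record[HEADER_LEN:HEADER_LEN + claimed]


def unchecked_echo(memory: bytes, offset: int) -> bytes:
    """Simulate the pre-fix behaviour on a constructed buffer: copy
    payload_length bytes starting after the header with no bounds check,
    so the reply spills into whatever happens to follow the request."""
    claimed = struct.unpack("!H", memory[offset + 1:offset + 3])[0]
    start = offset + HEADER_LEN
    return memory[start:start + claimed]


def audit(records):
    """Summarise which records the checked parser accepts (True/False)."""
    return {name: parse_heartbeat(rec)[0] for name, rec in records}


# Constructed sample messages (not captured traffic).
GOOD = b"\x01\x00\x04ping" + b"\x00" * PADDING_MIN       # claims 4, sends 4
BAD = b"\x01\xff\xff" + b"ping" + b"\x00" * PADDING_MIN  # claims 65535, sends 4

# A constructed "process memory" image: the malformed request followed by
# unrelated data that a bounds-checked implementation never returns.
NEIGHBOUR = b"session-cookie=abc123;" * 4
MEMORY = BAD + NEIGHBOUR

if __name__ == "__main__":
    print(parse_heartbeat(GOOD))                  # (True, b'ping')
    print(parse_heartbeat(BAD))                   # (False, 'claimed 65535 ...')
    leaked = unchecked_echo(MEMORY, 0)
    print(len(leaked), b"session-cookie" in leaked)
    print(audit([("good", GOOD), ("bad", BAD)]))
```

The checked parser is the whole mitigation: a single comparison of the claimed length against the bytes present. The simulation makes the thread's point concrete that what comes back is simply whatever sat next to the request in memory, which may or may not contain anything useful, and that nothing in the server's own logs would normally record it.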