[kwlug-disc] Heartbleed affected sites

unsolicited unsolicited at swiz.ca
Sat Apr 12 04:30:22 EDT 2014


Except ... if they were aware ... and didn't report it up such that it 
got fixed two years ago ...

No wonder there's a bad taste in people's mouths.

On 14-04-11 08:30 PM, Chris Craig wrote:
> I don't think the NSA would admit to _not_ having been aware of a bug
> like this since it started.
>
> On 11 April 2014 16:30, CrankyOldBugger <crankyoldbugger at gmail.com> wrote:
>> Well, try not to be surprised, but apparently the NSA has been exploiting
>> this bug for two years now:
>>
>> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>>
>> But yes, the media is doing a wonderful job of convincing people that this
>> issue is far bigger than it really is.
>>
>>
>>
>> On 11 April 2014 16:24, unsolicited <unsolicited at swiz.ca> wrote:
>>>
>>> Why?
>>>
>>> The bug was introduced 2 years ago, but it's not known to have been
>>> exploited, from anything I've seen, which doesn't say much.
>>>
>>> Nefarious activity in the wild is monitored by various organizations to
>>> whatever extent it is, and the issue was not discovered / reported by them,
>>> as far as I know.
>>>
>>> From what I saw a 64k chunk of memory is potentially exposed in an ssh
>>> server to someone if they were exploiting it, for which we don't know they
>>> were. (Or even aware it was possible.)
>>>
>>> Doesn't mean there was anything useful in that 64k chunk. Which they would
>>> then have to decipher in the sense of figuring out if there is anything
>>> useful, and that usefulness has to extend to being able to do something with
>>> it.
>>>
>>> Without any knowledge one way or the other, I assume CRA is shut down not
>>> because there's an issue going forward (problem easily patched, now), but
>>> because they don't know what might have happened during or within. Short of
>>> checksumming every system, I don't know how they might prove one way or
>>> another. But someone higher up is probably requiring due diligence on
>>> something that can't be proven.
>>>
>>> I do wonder if 'change your password' isn't FUD, promoted for trying to
>>> give users the sense that they're in control of their own security, and that
>>> changing their password will let them be proactive and 'solve the problem'.
>>>
>>> There's a lot of 'ifs' to the chain of events above before you have
>>> certainty of impact. And a lot of other risks (especially human error) out
>>> there that are quite probably more likely to happen and impact you than this
>>> one. No, I don't know what they are, either. But I also haven't seen any
>>> impact.
>>>
>>> It's a lot of work to change all the passwords, let alone for some time
>>> afterwards trying to remember what you changed them to.
>>>
>>> Not sure it's worth the effort in the absence of any detected impact. Hard
>>> to say it's not just fear mongering. Certainly some media I've seen running
>>> around with their heads cut off demonstrate a deep misunderstanding of
>>> things, yet their heads are still talking.
>>>
>>>
>>> On 14-04-11 10:51 AM, CrankyOldBugger wrote:
>>>>
>>>> Mashable has a list going of sites affected by Heartbleed:
>>>>
>>>> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
>>>>
>>>> Don't forget to add Canada Revenue (and most other government sites) to
>>>> your list of passwords to change!
>>>
>>>
>>>
>>> _______________________________________________
>>> kwlug-disc mailing list
>>> kwlug-disc at kwlug.org
>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org

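The "64k chunk of memory" discussed in the quoted thread is the Heartbleed over-read in OpenSSL's TLS heartbeat handling (CVE-2014-0160): the peer declares a payload length in its heartbeat request, and the unpatched server echoed that many bytes back without checking the declared length against the record it had actually received. The 16-bit length field is why the figure is 64k. What follows is an added, self-contained C sketch of that logic, not code from this thread or from OpenSSL; the memory "arena" layout, the request bytes, the SESSION_KEY secret and all function names are constructed for the demo. The constructed request declares 64 payload bytes but carries two, so the vulnerable handler's reply includes whatever happened to sit next to the record in memory; the fixed handler applies the length-versus-record check the patch introduced and drops the request instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* minimum padding a heartbeat message carries */

/* Constructed stand-in for the server's memory: the received record at
 * offset 0, then data that merely happens to sit next to it. The layout
 * and the "secret" are demo assumptions, not a real TLS record buffer. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];

/* Bytes actually received. The declared length (64) is a lie: only two
 * payload bytes follow the header. A real attacker declares up to 65535. */
static const unsigned char request[] = {
    HB_REQUEST,          /* type */
    0x00, 0x40,          /* declared payload length: 64 */
    'h', 'i',            /* real payload: 2 bytes */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0   /* 16 bytes of padding */
};
static const size_t request_len = sizeof request;   /* 21 bytes on the wire */

static const char secret[] = "SESSION_KEY=hunter2";  /* constructed neighbour */

/* Place the record in the arena with the secret directly after it. */
void setup_arena(void) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, request, request_len);
    memcpy(arena + request_len, secret, sizeof secret);
}

/* Vulnerable shape: the reply echoes `payload` bytes as declared by the
 * peer, never comparing that number with the record length actually
 * received. Returns bytes written to `out`, 0 if the request is dropped. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;                                  /* never consulted: the bug */
    unsigned char type = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (type != HB_REQUEST) return 0;
    if ((size_t)3 + payload + HB_PADDING > out_cap) return 0;  /* demo guard only */
    out[0] = HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);              /* reads past the 21-byte record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Hardened shape: the same handler with the bounds check the fix added.
 * A declared payload that does not fit inside the received record is
 * discarded silently instead of being echoed. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;     /* too short to be a heartbeat */
    unsigned char type = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (type != HB_REQUEST) return 0;
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0;  /* the fix */
    if ((size_t)3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* 1 if the reply contains the adjacent secret, else 0. */
int reply_leaks_secret(const unsigned char *reply, size_t n) {
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(reply + i, secret, slen) == 0) return 1;
    return 0;
}

/* Run the constructed request through each handler. */
size_t demo_vulnerable(int *leaked) {
    static unsigned char reply[ARENA_SIZE];
    setup_arena();
    size_t n = heartbeat_vulnerable(arena, request_len, reply, sizeof reply);
    *leaked = reply_leaks_secret(reply, n);
    return n;
}

size_t demo_fixed(void) {
    unsigned char reply[ARENA_SIZE];
    setup_arena();
    return heartbeat_fixed(arena, request_len, reply, sizeof reply);
}

int main(void) {
    int leaked = 0;
    size_t n = demo_vulnerable(&leaked);
    printf("vulnerable: %zu-byte reply, secret leaked: %s\n", n, leaked ? "yes" : "no");
    printf("fixed: %zu bytes (0 = request dropped)\n", demo_fixed());
    return 0;
}
```

The vulnerable handler answers with 83 bytes (3-byte header, 64 echoed, 16 padding) and the constructed secret shows up in the echo; the fixed handler returns 0 because 1 + 2 + 64 + 16 exceeds the 21 bytes received. Note that a reply built this way is indistinguishable from a legitimate heartbeat on the wire, which is why the thread's point that exploitation leaves no obvious trace in server logs holds: the only way to detect it is to inspect heartbeat records for a declared length larger than the record.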