<div dir="ltr">Well, try not to be surprised, but apparently the NSA has been exploiting this bug for two years now:<div><br></div><div><a href="http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html">http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html</a><br>
</div><div><br></div><div>But yes, the media is doing a wonderful job of convincing people that this issue is far bigger than it really is.</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On 11 April 2014 16:24, unsolicited <span dir="ltr"><<a href="mailto:unsolicited@swiz.ca" target="_blank">unsolicited@swiz.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Why?<br>
<br>
The bug was introduced 2 years ago, but its not known to have been exploited, from anything I've seen, which doesn't say much.<br>
<br>
Nefarious activity in the wild is monitored by various organizations to whatever extent it is, and the issue was not discovered / reported by them, as far as I know.<br>
<br>
>From what I saw a 64k chunk of memory is potentially exposed in an ssh server to someone if they were exploiting it, for which we don't know they were. (Or even aware it was possible.)<br>
<br>
Doesn't mean there was anything useful in that 64k chunk. Which they would then have to decipher in the sense of figuring out if there is anything useful, and that usefulness has to extend to being able to do something with it.<br>
<br>
Without any knowledge one way or the other, I assume CRA is shut down not because there's an issue going forward (problem easily patched, now), but because they don't know what might have happened during or within. Short of checksumming every system, I don't know how they might prove one way or another. But someone higher up is probably requiring due diligence on something that can't be proven.<br>
<br>
I do wonder if 'change your password' isn't FUD, promoted for trying to give users the sense that they're in control of their own security, and that changing their password will let them be proactive and 'solve the problem'.<br>
<br>
There's a lot if 'ifs' to the chain of events above before you have certainty of impact. And a lot of other risks (especially human error) out there that are quite probably more likely to happen and impact you than this one. No, I don't know what they are, either. But I also haven't seen any impact.<br>
<br>
It's a lot of work to change all the passwords, let alone for some time afterwards trying to remember what you changed them to.<br>
<br>
Not sure it's worth the effort in the absence of any detected impact. Hard to say its not just fear mongering. Certainly some media I've seen running around with their heads cut off demonstrate a deep misunderstanding of things, yet their heads are still talking.<br>
<br>
<br>
On 14-04-11 10:51 AM, CrankyOldBugger wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Mashable has a list going of sites affected by Heartbleed:<br>
<br>
<a href="http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/" target="_blank">http://mashable.com/2014/04/<u></u>09/heartbleed-bug-websites-<u></u>affected/</a><br>
<br>
Don't forget to add Canada Revenue (and most other government sites) to<br>
your list of passwords to change!<br>
</blockquote>
<br>
<br>
______________________________<u></u>_________________<br>
kwlug-disc mailing list<br>
<a href="mailto:kwlug-disc@kwlug.org" target="_blank">kwlug-disc@kwlug.org</a><br>
<a href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org" target="_blank">http://kwlug.org/mailman/<u></u>listinfo/kwlug-disc_kwlug.org</a><br>
</blockquote></div><br></div>