Authorities Exploited Leaky Internet Heartbleed Bug For Years

19 replies
Bloomberg: NSA Knew About, Exploited Open Source Heartbleed Bug for Years
    • HeySal
      Sure. And we are to expect them to just willingly admit violating us when caught? We have an IRS agent just charged with contempt of Congress over this kind of thing.
      Signature

      Sal
      When the Roads and Paths end, learn to guide yourself through the wilderness
      Beyond the Path

      • Paul Myers
        Sal,
        Sure. And we are to expect them to just willingly admit violating us when caught?
        Do you assume that my posting a link to a counterclaim means I have formed an opinion on the subject?


        Paul
        Signature
        .
        Stop by Paul's Pub - my little hangout on Facebook.

        • kenmichaels
          Originally Posted by Paul Myers

          Sal, Do you assume that my posting a link to a counterclaim means I have formed an opinion on the subject?


          Paul
          I bet it does to anybody that doesn't know you ... or maybe I should
          say, anybody that does not pay attention to what you post.
          Signature

          Selling Ain't for Sissies!
          • Paul Myers
            I bet it does to anybody that doesn't know you ... or maybe I should say, anybody that does not pay attention to what you post.
            Sal isn't just "anyone."

            I get your point, though. It's sad that the simple act of pointing out a counterclaim to an unproven allegation is seen as taking a position. Not surprising, certainly, but sad.

            What's interesting is how readily people will believe "mainstream media" when the claims support their beliefs, and equally quick to denounce them on the basis that they're "mainstream media" when they don't.

            I'm fairly confident most people would consider Bloomberg "mainstream media."


            Paul
            Signature
            .
            Stop by Paul's Pub - my little hangout on Facebook.

            • kenmichaels
              Originally Posted by Paul Myers

              Sal isn't just "anyone."

              I get your point, though. It's sad that the simple act of pointing out a counterclaim to an unproven allegation is seen as taking a position. Not surprising, certainly, but sad.

              What's interesting is how readily people will believe "mainstream media" when the claims support their beliefs, and equally quick to denounce them on the basis that they're "mainstream media" when they don't.

              I'm fairly confident most people would consider Bloomberg "mainstream media."


              Paul
              When I was a child my parents instilled in me that everything on TV is
              nothing more than acting, that includes the news.

              Being that they dealt heavily in the newspaper industry they also
              taught me which parties controlled what papers and how all
              "news" stories were slanted in the direction the paper leaned.

              40 odd years later and it's still the same ... maybe a little worse.

              I guess my point is I don't believe "nuthin"

              It is sad but true. I assume all outlets have an agenda.

              and you might find this funny ...

              Discussions about politics and religion are outlawed in my family.
              It has been that way my entire life ... and enforced.
              Signature

              Selling Ain't for Sissies!
            • thunderbird
              Originally Posted by Paul Myers

              Sal isn't just "anyone."

              I get your point, though. It's sad that the simple act of pointing out a counterclaim to an unproven allegation is seen as taking a position. Not surprising, certainly, but sad.

              What's interesting is how readily people will believe "mainstream media" when the claims support their beliefs, and equally quick to denounce them on the basis that they're "mainstream media" when they don't.

              I'm fairly confident most people would consider Bloomberg "mainstream media."


              Paul
              The way you're so reasonable is highly controversial.
              Signature

              Project HERE.

              • kenmichaels
                Since this is the off topic forum ... I guess I can get away with this.

                To answer your question about puzzles and my kid.

                The basic answer is no, he does not. The long answer is
                he has some but once he figures them out ... that's it.
                He does not want anything to do with it.

                He is doing that with everything for the last few months.

                If he read it or had it read to him, he won't do it again,
                same with games, looking at animals in the zoo ... cartoons
                just about everything.

                Hopefully it is just another one of his "phases"

                His standard response is, "I don't want to, I already know that ... can we compromise?"

                Compromise ... a word he learned and understood a year ago.

                I hear it 50 times a day ... daddy .. let's compromise ...

                It is one of the things I wish I never taught him ... that and speaking
                Signature

                Selling Ain't for Sissies!
                • thunderbird
                  Originally Posted by kenmichaels

                  Since this is the off topic forum ... I guess I can get away with this.

                  To answer your question about puzzles and my kid.

                  The basic answer is no, he does not. The long answer is
                  he has some but once he figures them out ... that's it.
                  He does not want anything to do with it.

                  He is doing that with everything for the last few months.

                  If he read it or had it read to him, he won't do it again,
                  same with games, looking at animals in the zoo ... cartoons
                  just about everything.

                  Hopefully it is just another one of his "phases"

                  His standard response is, "I don't want to, I already know that ... can we compromise?"

                  Compromise ... a word he learned and understood a year ago.

                  I hear it 50 times a day ... daddy .. let's compromise ...

                  It is one of the things I wish I never taught him ... that and speaking
                  Sounds like he is good at negotiating. I've found that kids usually like doing the same thing over and over again, so that is unusual but maybe a good thing. My guess is he wants to learn new things and meet new challenges.

                  My son likes me to read certain books to him over and over again. He often reenacts scenes in story books, what he's seen on video.
                  Signature

                  Project HERE.

                  • kenmichaels
                    Originally Posted by thunderbird

                    Sounds like he is good at negotiating. I've found that kids usually like doing the same thing over and over again, so that is unusual but maybe a good thing. My guess is he wants to learn new things and meet new challenges.

                    My son likes me to read certain books to him over and over again. He often reenacts scenes in story books, what he's seen on video.
                    Good enough that I sometimes forget my name isn't Bob Barker.

                    I am guessing it is an independence thing.
                    I am sure you understand, I am guessing you are or will soon be dealing with
                    the same thing.
                    Signature

                    Selling Ain't for Sissies!
                    • Paul Myers
                      It is sad but true. I assume all outlets have an agenda.
                      I don't have any objections to that. It's been true for as long as I can remember, and I don't see any reasons media outlets should be forbidden from expressing positions on the issues.

                      I only object when news outlets present something as fact when it isn't, or deliberately slant things via contextual clues.
                      I guess my point is i don't believe "nuthin"
                      When it comes to news issues, I tend to have acting assumptions, rather than beliefs. Sort of "based on the best information I have at the moment, I'm going to act on the assumption that XYZ is the case." Those can always change if the information changes.

                      Much easier to adjust if you start with the notion that you don't have all the facts.


                      Paul
                      Signature
                      .
                      Stop by Paul's Pub - my little hangout on Facebook.

                      • whateverpedia
                        Originally Posted by Paul Myers

                        Much easier to adjust if you start with the notion that you don't have all the facts.
                        If everyone behaved like that, there'd be no need to shut down the threads which cover the "two topics".

                        Well, not as much as a need as there currently is.
                        Signature
                        Why do garden gnomes smell so bad?
                        So that blind people can hate them as well.
                        • Paul Myers
                          If everyone behaved like that, there'd be no need to shut down the threads which cover the "two topics".
                          I'm not sure it would make for much of a change. Those are areas where you're talking about differences in fundamental philosophical assumptions.

                          Whole other issue. That gets into the question of absolutism in social constructs. That's ego turf.


                          Paul
                          Signature
                          .
                          Stop by Paul's Pub - my little hangout on Facebook.

                          • PurpleFeathers
                            Bruce Schneier, who created the unbroken (as of yet to my knowledge) encryption cipher "blowfish", has published his commentary on 'HeartBleed' on his security blog: https://www.schneier.com/blog/archiv...eartbleed.html

                            quote... "-- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.
                            "Catastrophic" is the right word. On the scale of 1 to 10, this is an 11. "...end quote
                            • seasoned
                              Originally Posted by PurpleFeathers

                              Bruce Schneier, who created the unbroken (as of yet to my knowledge) encryption cipher "blowfish", has published his commentary on 'HeartBleed' on his security blog: https://www.schneier.com/blog/archiv...eartbleed.html

                              quote... "-- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.
                              "Catastrophic" is the right word. On the scale of 1 to 10, this is an 11. "...end quote
                              He's RIGHT! Actually, there is probably only ONE way to fix this problem!

                              1. The world has to complain to all non-compliant server hosts.
                              2. Any C/As affected must fix THEIR systems first.
                              3. The hosts must patch and fix their servers.
                              4. Those hosts have to regenerate the seeds for their systems, which WILL break them.
                              5. They need to recreate requests to C/As for new certs.
                              6. They need to get new certs. If a C/A needs to recreate a cert, it will invalidate it worldwide creating MORE issues!
                              7. They need to update their servers.
                              8. The world can THEN go in and change their passwords.

                              OBVIOUSLY, that could take a while. It could take days to get to step 6. The OFFICIAL story is for the hosts to do 3, and that the users can do 8 anytime they please.

                              First of all doing #8 before #3 is ITSELF a security risk. They could simply get THAT password. If you haven't accessed the account in 2 years, they didn't have your password, and NOW THEY COULD! If you merely PATCH the system, a person that stole the private salt and keys could decode a sniffed transmission.

                              If NON CAs got certs, without updating the salt, the new certs would be the same, etc....

                              Imagine if Verisign were affected, and ICANN were sold, and a country used ICANN to switch the name servers, and used the Verisign info to create new certs. They could impersonate Bank of America apparently PERFECTLY!

                              HOPEFULLY, this isn't an issue for many. This only affects systems where the OpenSSL package was updated within the 2 years preceding the announcement. It IS possible that NONE of the larger systems you use have been so changed. As for smaller ones, like people use here, I don't THINK cPanel updates OpenSSL. If it doesn't, it is possible that some of the older smaller sites aren't updated. ALSO, there IS a switch to disable this code, and people may have used it. Some companies REFUSE to make needless updates without a clear benefit.

                              Still, I would love to know how such a crazy bug got into the code.

                              Steve
        • HeySal
          Originally Posted by Paul Myers
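Steve's eight steps only work in that order: a key generated before the patch can leak again, a certificate issued for the old key re-certifies a compromised key, and a password changed before the host is patched and re-keyed has to be changed again. As an added example (not code from the thread), here is a Python checker that applies that ordering to a per-host remediation record; the step names, host names and dates are constructed for the example.

```python
from datetime import date

# Remediation steps in the order the post argues for; each step is only
# meaningful once the step it depends on has happened (example's own names).
ORDER = ["patched", "key_regenerated", "cert_reissued", "cert_installed",
         "passwords_changed"]
DEPENDS_ON = {
    "key_regenerated": "patched",           # a key made on an unpatched host can leak again
    "cert_reissued": "key_regenerated",     # a cert for the old key re-certifies a leaked key
    "cert_installed": "cert_reissued",
    "passwords_changed": "cert_installed",  # new passwords sent under the old key are exposed
}


def remediation_findings(host_events: dict) -> list:
    """host_events maps step name -> date completed, or None if pending.
    Returns findings for missing or out-of-order steps; an empty list means
    the host is remediated and its users' password changes are effective."""
    findings = []
    for step in ORDER:
        done = host_events.get(step)
        if done is None:
            findings.append(f"{step}: not done")
            continue
        dep = DEPENDS_ON.get(step)
        if dep is None:
            continue
        dep_done = host_events.get(dep)
        if dep_done is None:
            findings.append(f"{step}: done before {dep}, which is still pending")
        elif done < dep_done:
            findings.append(f"{step} ({done}) predates {dep} ({dep_done}); redo it")
    return findings


def password_change_effective(host_events: dict) -> bool:
    """True only when every step, including the password change, is done in order."""
    return not remediation_findings(host_events)


# Constructed fleet inventory: two hosts, all dates made up for the example.
FLEET = {
    "shop.example": {                        # everything done in order
        "patched": date(2014, 4, 8), "key_regenerated": date(2014, 4, 8),
        "cert_reissued": date(2014, 4, 9), "cert_installed": date(2014, 4, 9),
        "passwords_changed": date(2014, 4, 10)},
    "mail.example": {                        # users told to rotate before the fix
        "patched": date(2014, 4, 9), "key_regenerated": date(2014, 4, 9),
        "cert_reissued": date(2014, 4, 9), "cert_installed": None,
        "passwords_changed": date(2014, 4, 8)},
}

if __name__ == "__main__":
    for host, events in FLEET.items():
        print(host, remediation_findings(events) or "remediated")
```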

          Sal, Do you assume that my posting a link to a counterclaim means I have formed an opinion on the subject?


          Paul
          I wasn't commenting on what you might or might not think. I was commenting on the fact that they refute knowledge of the bug. If I have to make a guess about what you think about it ... I'd guess that you're not impressed with their denial, either. Not saying I'm right ... just that's what my guess of your opinion would be.
          Signature

          Sal
          When the Roads and Paths end, learn to guide yourself through the wilderness
          Beyond the Path

    • Dennis Gaskill
      Why am I not surprised by this?


      ...or this?

      Unless I missed it, the Bloomberg story fails to cite how they determined the NSA knew about this bug. That makes it less credible.

      The denial comes from a government that has repeatedly lied to its citizens. That makes it less credible.

      And as is often the case, it leaves us not knowing who to believe.
      Signature

      Just when you think you've got it all figured out, someone changes the rules.

  • yukon
    How the enormous open source vulnerability underscores madness of e-voting, Internet Voting...
    Does this mean the dead people voting in Florida didn't know they were dead, or didn't know they were voting?
  • seasoned
    I was going to also say the NSA said it wasn't true, but I was going to add it didn't matter. Supposedly, they have been able to relatively easily decrypt it for years. I never bothered to go farther. I guess I just tired of looking into a lot of the minutia. I would NEVER have guessed SSL even had a heartbeat! *****WHY***** does it have a heartbeat? Heartbeats are generally used for long running protocols to validate connection, etc... Browsers, and many other things, apparently DON'T use the heartbeat. They simply timeout.

    Anyway, I assumed that the NSA either had a way to look at such things, which could be an international security disaster, or didn't look at SSL data.

    If they could decrypt it, I would hope it would be kept relatively quiet. But no matter how they decrypted it, all that matters to me is that it could be decrypted and they had it. The private key is certainly never to be transmitted, which is why they call it PRIVATE! Apparently, this heartbeat has a bug that allows it to transmit ALL of that and MORE! That is SUSPICIOUS! The NSA could have even ADDED the code, but they could be telling the truth. If you have the private keys and salts, everything pretty much breaks. You don't need any fancy code to decrypt things.

    Steve
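The heartbeat bug Steve describes is, concretely, a missing bounds check: the responder trusted the payload_length field inside the request instead of the number of bytes that had actually arrived, so it answered with whatever followed the request in memory. As an added example (not OpenSSL's code and not from the thread), here is a Python validator that applies the RFC 6520 check a patched implementation makes, run over two constructed records; the hex test vectors and function names are this example's own.

```python
"""Validator for TLS heartbeat records (RFC 6520): the bounds check whose
absence in OpenSSL was Heartbleed. Added example; not OpenSSL's code."""
import struct

TLS_HEARTBEAT = 24          # TLS record content type 'heartbeat'
HB_REQUEST, HB_RESPONSE = 1, 2
HB_HEADER = 3               # type (1 byte) + payload_length (2 bytes)
MIN_PADDING = 16            # RFC 6520: at least 16 bytes of random padding


def check_heartbeat_record(record: bytes) -> dict:
    """Return {'ok', 'reason', 'declared', 'available'} for one TLS record.
    'declared' is the payload_length field; 'available' is how many payload
    bytes the record can actually hold once header and padding are removed."""
    verdict = {"ok": False, "reason": "", "declared": 0, "available": 0}
    if len(record) < 5:
        verdict["reason"] = "truncated TLS record header"
        return verdict
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:]
    if ctype != TLS_HEARTBEAT:
        verdict["reason"] = f"content type {ctype} is not heartbeat"
        return verdict
    if len(body) != rec_len:
        verdict["reason"] = "record length field does not match bytes present"
        return verdict
    if rec_len < HB_HEADER + MIN_PADDING:
        verdict["reason"] = "message shorter than header plus minimum padding"
        return verdict
    hb_type, declared = struct.unpack("!BH", body[:HB_HEADER])
    verdict["declared"] = declared
    verdict["available"] = rec_len - HB_HEADER - MIN_PADDING
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        verdict["reason"] = f"unknown heartbeat type {hb_type}"
        return verdict
    # The check vulnerable OpenSSL lacked: declared payload plus mandatory
    # padding must fit in the record received. Without it the responder
    # copied `declared` bytes starting at the request, i.e. process memory.
    if HB_HEADER + declared + MIN_PADDING > rec_len:
        verdict["reason"] = "payload_length exceeds record; discard silently"
        return verdict
    verdict["ok"] = True
    verdict["reason"] = "well-formed heartbeat"
    return verdict


# Constructed test vectors (TLS 1.1 record, request type 1, payload "ping",
# 16 zero-byte padding). GOOD declares 4 payload bytes; OVERSIZED claims
# 16384 while carrying the same 23-byte message.
GOOD = bytes.fromhex("1803020017" "010004" "70696e67" + "00" * 16)
OVERSIZED = bytes.fromhex("1803020017" "014000" "70696e67" + "00" * 16)

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("oversized", OVERSIZED)):
        print(name, check_heartbeat_record(rec))
```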