
(The Atlantic)   The five things you should do about the new Heartbleed bug. Number one: PANIC   (theatlantic.com)
    More: Scary, Heartbleed, Heartbleed bug, Bruce Schneier, bugs, brute force  

10892 clicks; posted to Main on 09 Apr 2014 at 3:19 PM (1 year ago)



171 Comments   (+0 »)
   
 
2014-04-09 02:42:24 PM  
If they want to know so badly, I'll just tell them. It's 12345.
 
2014-04-09 03:26:54 PM  
FTFA The only password I keep in my mind is the very long password for Last Pass itself.

I'm curious how quickly this person would plug in a USB token found on the street that would install a keyboard logger to steal that precious Last Pass password?  I'm betting within 5 minutes.

/articles like this annoy me
 
2014-04-09 03:27:44 PM  
The problem is password reuse among the plebs. I do reuse an unimportant password for unimportant sites. The sort of unimportant sites that might be using OpenSSL to maintain user databases for forums and whatnot.
 
2014-04-09 03:29:09 PM  
Who made that man a totalfarker?
 
2014-04-09 03:29:11 PM  

gingerjet: FTFA The only password I keep in my mind is the very long password for Last Pass itself.

I'm curious how quickly this person would plug in a USB token found on the street that would install a keyboard logger to steal that precious Last Pass password?  I'm betting within 5 minutes.

/articles like this annoy me


I too like to make up stupid shiat and then claim that someone would do it because they annoy me.
 
2014-04-09 03:31:52 PM  
Submitted link to actual authoritative source on the subject (not a news media article) with a better headline:
"All your online password and certificate are one heartbreed away from belong to us"
 
2014-04-09 03:32:43 PM  

Tourney3p0: gingerjet: FTFA The only password I keep in my mind is the very long password for Last Pass itself.

I'm curious how quickly this person would plug in a USB token found on the street that would install a keyboard logger to steal that precious Last Pass password?  I'm betting within 5 minutes.

/articles like this annoy me

I too like to make up stupid shiat and then claim that someone would do it because they annoy me.


I'm making up stupid shiat in my head both of you do right now.  It's really really stupid and embarrassing.
 
2014-04-09 03:39:24 PM  

[imgs.xkcd.com image]
Well, that was fast!

 
2014-04-09 03:39:40 PM  

InterruptingQuirk: If they want to know so badly, I'll just tell them. It's 12345.


12345? That's amazing. That's the combination on my luggage.
 
2014-04-09 03:44:15 PM  
Here's the pull request that introduced the bug.

Aside from the questionable decision to write a security library in C, this really isn't an appropriate place to be doing tricks with pointers. Several people deserve public floggings over this.
 
2014-04-09 03:45:24 PM  

InterruptingQuirk: If they want to know so badly, I'll just tell them. It's 12345.


Senses working overtime.
 
2014-04-09 03:47:38 PM  

MrEricSir: Here's the pull request that introduced the bug.

Aside from the questionable decision to write a security library in C, this really isn't an appropriate place to be doing tricks with pointers. Several people deserve public floggings over this.


See in all this coverage I understand how the flaw works, how you get access to 64K of memory on the host computer.

I don't understand what the fark a heartbeat is or what they do in SSL.  Can someone smarter than me explain it?  (I'm a computer programmer btw and understand the broad strokes of SSL)
 
2014-04-09 03:48:21 PM  

gingerjet: FTFA The only password I keep in my mind is the very long password for Last Pass itself.

I'm curious how quickly this person would plug in a USB token found on the street that would install a keyboard logger to steal that precious Last Pass password?  I'm betting within 5 minutes.

/articles like this annoy me


Well, since he stated that he uses 2-step sign-in, he's not at risk, even if he put that password in his article.
 
2014-04-09 03:49:33 PM  
One big problem is that no matter how long your password is, no matter how many upper and lowercase letters and digits and punctuation characters you use, it's still only going to contain the characters you can type on a keyboard, which will all have an ASCII, ANSI, ISO, or UTF-7/8 code of 32 or greater (33 or greater if spaces aren't allowed in the password) and less than 128.

You could
This means that even without a certificate, if someone gets ahold of the hashed (but not salted) passwords from a database, all they have to do is try hash keys until most of the password columns show all or nearly all bytes being greater than 31, and the vast majority also being less than 128.

Of course, Heartbleed makes all that moot.
 
2014-04-09 03:49:39 PM  
Speaking as  a Windows server admin, SUCK IT!!!

[blog.seekdotnet.com image 480x345]

Suddenly the evil empire and its non-OpenSSL using Web Servers don't look so bad, huh?
 
2014-04-09 03:51:34 PM  

MrEricSir: Here's the pull request that introduced the bug.

Aside from the questionable decision to write a security library in C, this really isn't an appropriate place to be doing tricks with pointers. Several people deserve public floggings over this.


They didn't bounds check.  It's not a "trick with pointers".  The person that wrote it was lazy or stupid.  Probably both, because in C if you're going to use standard libraries then holy shiat you have to bounds check everything.
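The missing length check the post above is talking about, as an added example written for this thread rather than OpenSSL's own source: a heartbeat request (RFC 6520 layout: one type byte, a two-byte big-endian payload_length, the payload, then at least 16 bytes of padding) claims a payload_length far larger than the record that actually arrived. The vulnerable handler trusts that field and copies that many bytes from wherever the record sits in memory; the fixed handler compares the claimed length against the received record length and silently discards the request, which is what the upstream fix did. The `arena`, the `secret` string placed right after the record, and the 0xAA padding bytes are all constructed for the demo so that the over-read stays inside one buffer and the program is well-defined.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Added example, not OpenSSL's code. `arena` simulates a slice of process
 * memory: the received heartbeat record is at the start, and a constructed
 * secret follows it immediately, as a neighbouring allocation might.
 */
#define ARENA_SIZE  128
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of random padding */
#define HB_HDR      3    /* type (1) + payload_length (2, big-endian)      */

static unsigned char arena[ARENA_SIZE];
static const char secret[] = "SECRET:server-private-key-bytes";   /* constructed */

/*
 * Build a malicious request in the arena: the real payload is "ping"
 * (4 bytes) but the header claims `claimed` bytes. Returns the length of
 * the record that was actually "received".
 */
size_t build_request(uint16_t claimed)
{
    static const char payload[] = "ping";
    size_t real_len = sizeof payload - 1;
    size_t rec_len = HB_HDR + real_len + HB_PADDING;

    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + HB_HDR, payload, real_len);
    memset(arena + HB_HDR + real_len, 0xAA, HB_PADDING);  /* stand-in for random padding */
    memcpy(arena + rec_len, secret, sizeof secret);        /* the neighbouring data */
    return rec_len;
}

/*
 * Vulnerable handler: copies payload_length bytes, where payload_length is
 * taken from the attacker's message and never checked against how many
 * bytes actually arrived. Returns the number of bytes written to resp.
 */
size_t hb_vulnerable(const unsigned char *rec, unsigned char *resp, size_t resp_cap)
{
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = HB_HDR + payload_len + HB_PADDING;
    if (resp_len > resp_cap)      /* only the destination is bounded */
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HDR, rec + HB_HDR, payload_len);   /* reads past the record */
    memset(resp + HB_HDR + payload_len, 0xAA, HB_PADDING);
    return resp_len;
}

/*
 * Fixed handler: identical, except the claimed payload_length is checked
 * against the received record length first. Returns bytes written, or 0
 * when the request is discarded.
 */
size_t hb_fixed(const unsigned char *rec, size_t rec_len, unsigned char *resp, size_t resp_cap)
{
    if (rec_len < HB_HDR + HB_PADDING)   /* too short to even carry the padding */
        return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;                        /* claims more than arrived: discard */
    size_t resp_len = HB_HDR + payload_len + HB_PADDING;
    if (resp_len > resp_cap)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HDR, rec + HB_HDR, payload_len);
    memset(resp + HB_HDR + payload_len, 0xAA, HB_PADDING);
    return resp_len;
}

/* Does the response carry the secret's marker? 1 = leaked. */
int leaks_secret(const unsigned char *resp, size_t n)
{
    const char marker[] = "SECRET:";
    size_t m = sizeof marker - 1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(resp + i, marker, m) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char resp[ARENA_SIZE];
    size_t rec_len = build_request(64);   /* claim 64 bytes, send 4 */

    size_t n = hb_vulnerable(arena, resp, sizeof resp);
    printf("vulnerable: %zu bytes back, secret leaked: %d\n", n, leaks_secret(resp, n));

    n = hb_fixed(arena, rec_len, resp, sizeof resp);
    printf("fixed: %zu bytes back (0 = request discarded)\n", n);
    return 0;
}
```

The demo uses a 64-byte claim so the over-read stays inside the 128-byte arena; the real field is 16 bits, so a single request could ask for up to 65535 bytes, which is where the "64K per heartbeat" figure in the coverage comes from.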
 
2014-04-09 03:52:34 PM  

wildcardjack: The problem is password reuse among the plebs.


Because having to create AND remember a long wordsalad of a password to EACH AND EVERY GODDAMN F*CKING SITE THAT I EVER VISIT is SOOOOO easy to manage.
 
2014-04-09 03:53:43 PM  
Don't know what happened with my second paragraph there. I guess I mistyped the closing emphasis tag.

Anyway, what I said was that you could include non-ASCII characters such as those that could only be accessed via [Alt] + numeric keypad codes on Windows, or [Option] + optional [Shift] + some character key or keys on Mac OS X, including basic Western Europe áçcëñtêd letters, ¢urren¢¥ $¥mb¤£$, and the like, but those would still not be less than 32 decimal.
 
2014-04-09 03:54:29 PM  
Canada's tax agency shut down their online services this morning in response to the bug.
 
2014-04-09 03:56:31 PM  
 
2014-04-09 03:57:28 PM  

Esc7: I don't understand what the fark a heartbeat is or what they do in SSL.  Can someone smarter than me explain it?  (I'm a computer programmer btw and understand the broad strokes of SSL)


A simple way to look at it is this:  Two computers are talking to each other -  IM, email, a shopping cart transaction - and have an encrypted connection.  Periodically, the computer will say, "Hey...I know we're talking, but are you actually still there?" and send out a so-called heartbeat to verify the encrypted connection.

These heartbeats can now be intercepted and give a third party access to everything they need to side-step that encryption.
 
2014-04-09 03:57:52 PM  

COMALite J: One big problem is that no matter how long your password is, no matter how many upper and lowercase letters and digits and punctuation characters you use, it's still only going to contain the characters you can type on a keyboard, which will all have an ASCII, ANSI, ISO, or UTF-7/8 code of 32 or greater (33 or greater if spaces aren't allowed in the password) and less than 128.

You could
This means that even without a certificate, if someone gets ahold of the hashed (but not salted) passwords from a database, all they have to do is try hash keys until most of the password columns show all or nearly all bytes being greater than 31, and the vast majority also being less than 128.

Of course, Heartbleed makes all that moot.


What about?

[imgs.xkcd.com image]
 
2014-04-09 03:57:59 PM  

TV's Vinnie: wildcardjack: The problem is password reuse among the plebs.

Because having to create AND remember a long wordsalad of a password to EACH AND EVERY GODDAMN F*CKING SITE THAT I EVER VISIT is SOOOOO easy to manage.


[imgs.xkcd.com image]
 
2014-04-09 03:58:07 PM  

Shazam999: MrEricSir: Here's the pull request that introduced the bug.

Aside from the questionable decision to write a security library in C, this really isn't an appropriate place to be doing tricks with pointers. Several people deserve public floggings over this.

They didn't bounds check.  It's not a "trick with pointers".  The person that wrote it was lazy or stupid.  Probably both, because in C if you're going to use standard libraries then holy shiat you have to bounds check everything.
Especially if writing something that by its very nature has security as its whole raison d'être! Whoever wrote that code was criminally incompetent, and frankly, this shoots down one of the much-vaunted advantages of open-source code. Thousands of eyeballs and it took two years and several actual releases to find something as simple as a non-bounds-checked pointer!?
 
2014-04-09 03:58:37 PM  

InterruptingQuirk: COMALite J: One big problem is that no matter how long your password is, no matter how many upper and lowercase letters and digits and punctuation characters you use, it's still only going to contain the characters you can type on a keyboard, which will all have an ASCII, ANSI, ISO, or UTF-7/8 code of 32 or greater (33 or greater if spaces aren't allowed in the password) and less than 128.

You could
This means that even without a certificate, if someone gets ahold of the hashed (but not salted) passwords from a database, all they have to do is try hash keys until most of the password columns show all or nearly all bytes being greater than 31, and the vast majority also being less than 128.

Of course, Heartbleed makes all that moot.

What about?

[imgs.xkcd.com image 740x601]


**shakes tiny fist**
 
2014-04-09 04:00:38 PM  

TV's Vinnie: wildcardjack: The problem is password reuse among the plebs.

Because having to create AND remember a long wordsalad of a password to EACH AND EVERY GODDAMN F*CKING SITE THAT I EVER VISIT is SOOOOO easy to manage.


Sing it, sister! If only there were literally hundreds of cheap/free, easy to use, cross-platform password managers available to anyone willing to spend 5 seconds looking for them.
 
2014-04-09 04:00:42 PM  

Shazam999: The person that wrote it was lazy or stupid.


No, he was a PhD student. What you're looking at is "gradware" that unfortunately made it into the real world.

Esc7: See in all this coverage I understand how the flaw works, how you get access to 64K of memory on the host computer.

I don't understand what the fark a heartbeat is or what they do in SSL. Can someone smarter than me explain it? (I'm a computer programmer btw and understand the broad strokes of SSL)


"Heartbeat" is just a general term for sending keepalive pings to keep a connection open. The spec for this is explained pretty well in the RFC, and for details on the bug I'd recommend this blog post.
 
2014-04-09 04:02:46 PM  
This is another Y2K much ado about nothing scenario.

Nothing to see here people. Move along.
 
2014-04-09 04:03:00 PM  

MrEricSir: No, he was a PhD student. What you're looking at is "gradware" that unfortunately made it into the real world.


Whatever, I don't care if the person was Jesus, it was a stupid, stupid, lazy mistake.
 
2014-04-09 04:04:11 PM  

MrEricSir: Here's the pull request that introduced the bug.


Submitted by Robin Seggelmann, and approved by Stephen Henson.  I wonder what this is going to do to their careers ...
 
2014-04-09 04:05:00 PM  

InterruptingQuirk: COMALite J: One big problem is that no matter how long your password is, no matter how many upper and lowercase letters and digits and punctuation characters you use, it's still only going to contain the characters you can type on a keyboard, which will all have an ASCII, ANSI, ISO, or UTF-7/8 code of 32 or greater (33 or greater if spaces aren't allowed in the password) and less than 128.

You could
This means that even without a certificate, if someone gets ahold of the hashed (but not salted) passwords from a database, all they have to do is try hash keys until most of the password columns show all or nearly all bytes being greater than 31, and the vast majority also being less than 128.

Of course, Heartbleed makes all that moot.

What about?

[imgs.xkcd.com image 740x601]


Serious Black: TV's Vinnie: wildcardjack: The problem is password reuse among the plebs.

Because having to create AND remember a long wordsalad of a password to EACH AND EVERY GODDAMN F*CKING SITE THAT I EVER VISIT is SOOOOO easy to manage.

[imgs.xkcd.com image 740x601]

Wow! Seven seconds apart!

But no, even that doesn't work and in fact would be worse since the bytes in the resulting passwords, if hashed but not salted (or salted with something easy to figure out) would all not only be in the range of 32 through 127, but also mainly in the ranges of lower-case ASCII (96-122) with spaces an average of five characters apart, just like typical English text. That would be very easy to test for in a loop. Once they find the hash key, they have all the passwords.

The underlying problem is that passwords, as a concept, are inherently insecure, and there's no way to change that. Remember, it doesn't matter if you use super-secure passwords. All it takes is for anyone else to have used an insecure password stored in the same database table, and then the hackers can easily crack the hash key and then they have your "super secure" password as well. Proper salting does help mitigate this.
 
2014-04-09 04:05:03 PM  

MrEricSir: Shazam999: The person that wrote it was lazy or stupid.

No, he was a PhD student. What you're looking at is "gradware" that unfortunately made it into the real world.


Also, you do realize that someone on the project actually had to commit the change, yes?  Nice code checking.
 
2014-04-09 04:05:04 PM  

Esc7: MrEricSir: Here's the pull request that introduced the bug.

Aside from the questionable decision to write a security library in C, this really isn't an appropriate place to be doing tricks with pointers. Several people deserve public floggings over this.

See in all this coverage I understand how the flaw works, how you get access to 64K of memory on the host computer.

I don't understand what the fark a heartbeat is or what they do in SSL.  Can someone smarter than me explain it?  (I'm a computer programmer btw and understand the broad strokes of SSL)


Heartbeat just maintains an active session from timing out. Either way, from what I've heard, malloc has a "feature" that upon crash it dumps active memory. OpenSSL used malloc in such a way that when a heartbeat signal is received that errors out (basically bounds overloading), due to a programming error it outputs back a 64-byte chunk of the malloc dump, and restarts instantly.
 
2014-04-09 04:07:05 PM  

COMALite J: InterruptingQuirk: COMALite J: One big problem is that no matter how long your password is, no matter how many upper and lowercase letters and digits and punctuation characters you use, it's still only going to contain the characters you can type on a keyboard, which will all have an ASCII, ANSI, ISO, or UTF-7/8 code of 32 or greater (33 or greater if spaces aren't allowed in the password) and less than 128.

You could
This means that even without a certificate, if someone gets ahold of the hashed (but not salted) passwords from a database, all they have to do is try hash keys until most of the password columns show all or nearly all bytes being greater than 31, and the vast majority also being less than 128.

Of course, Heartbleed makes all that moot.

What about?

[imgs.xkcd.com image 740x601]

Serious Black: TV's Vinnie: wildcardjack: The problem is password reuse among the plebs.

Because having to create AND remember a long wordsalad of a password to EACH AND EVERY GODDAMN F*CKING SITE THAT I EVER VISIT is SOOOOO easy to manage.

[imgs.xkcd.com image 740x601]
Wow! Seven seconds apart!

But no, even that doesn't work and in fact would be worse since the bytes in the resulting passwords, if hashed but not salted (or salted with something easy to figure out) would all not only be in the range of 32 through 127, but also mainly in the ranges of lower-case ASCII (96-122) with spaces an average of five characters apart, just like typical English text. That would be very easy to test for in a loop. Once they find the hash key, they have all the passwords.

The underlying problem is that passwords, as a concept, are inherently insecure, and there's no way to change that. Remember, it doesn't matter if you use super-secure passwords. All it takes is for anyone else to have used an insecure password stored in the same database table, and then the hackers can easily crack the hash key and then they have your "super secure" password as well. Proper salting does help mitiga ...


What's a rainbow table?  Looping?  Did you just discover the internet last week?
 
2014-04-09 04:08:13 PM  
Perhaps if the IT pukes won't fix their security holes we should start hanging them and their bosses.  Aiding in the act of fraud by willful negligence should be a crime.  You can be guaranteed that their replacements will fix every security hole.
 
2014-04-09 04:08:14 PM  

Esc7: I don't understand what the fark a heartbeat is or what they do in SSL. Can someone smarter than me explain it? (I'm a computer programmer btw and understand the broad strokes of SSL)


It just gives TLS sessions that are being run on unreliable protocols like UDP a keep-alive type of functionality that the underlying transport protocol can't do.
 
2014-04-09 04:13:05 PM  
Nerds.  Nerds did this.
 
2014-04-09 04:21:43 PM  
has anyone checked to see if asianmanicuristsinbondage.com was compromised yet? i don't want to sign in again until the hackers have taken over, you see...
 
2014-04-09 04:22:39 PM  
I actually understand what all you folks are talking about, but what I'm really interested in is: should I change all my passwords just to be safe or should I pretend everything is going to be okay? I have a pretty good system of password recall and generation, but it's a pain to change everything in the universe.
 
2014-04-09 04:22:41 PM  
Actually I planned for this eventuality by only downloading midgets of legal age.
 
2014-04-09 04:25:54 PM  
I'm just going to do nothing and hope they find rich or powerful people to steal from.

But if they steal my bank account and all or it's tens of dollars, I guess I'm farked.
 
2014-04-09 04:27:25 PM  

minnesotaboy: Speaking as  a Windows server admin, SUCK IT!!!

[blog.seekdotnet.com image 480x345]

Suddenly the evil empire and its non-OpenSSL using Web Servers don't look so bad, huh?

[static.flickr.com image]
 
2014-04-09 04:28:12 PM  

COMALite J: InterruptingQuirk: COMALite J: One big problem is that no matter how long your password is, no matter how many upper and lowercase letters and digits and punctuation characters you use, it's still only going to contain the characters you can type on a keyboard, which will all have an ASCII, ANSI, ISO, or UTF-7/8 code of 32 or greater (33 or greater if spaces aren't allowed in the password) and less than 128.

You could
This means that even without a certificate, if someone gets ahold of the hashed (but not salted) passwords from a database, all they have to do is try hash keys until most of the password columns show all or nearly all bytes being greater than 31, and the vast majority also being less than 128.

Of course, Heartbleed makes all that moot.

What about?

[imgs.xkcd.com image 740x601]

Serious Black: TV's Vinnie: wildcardjack: The problem is password reuse among the plebs.

Because having to create AND remember a long wordsalad of a password to EACH AND EVERY GODDAMN F*CKING SITE THAT I EVER VISIT is SOOOOO easy to manage.

[imgs.xkcd.com image 740x601]
Wow! Seven seconds apart!

But no, even that doesn't work and in fact would be worse since the bytes in the resulting passwords, if hashed but not salted (or salted with something easy to figure out) would all not only be in the range of 32 through 127, but also mainly in the ranges of lower-case ASCII (96-122) with spaces an average of five characters apart, just like typical English text. That would be very easy to test for in a loop. Once they find the hash key, they have all the passwords.


You should stop talking now.  It is clear you don't understand how hashes work.  There is no "key" in a hash.
 
2014-04-09 04:35:17 PM  
I updated my five character Fark password. Added a 6 to the end.
 
2014-04-09 04:36:23 PM  

MadHatter500: COMALite J: InterruptingQuirk: COMALite J: One big problem is that no matter how long your password is, no matter how many upper and lowercase letters and digits and punctuation characters you use, it's still only going to contain the characters you can type on a keyboard, which will all have an ASCII, ANSI, ISO, or UTF-7/8 code of 32 or greater (33 or greater if spaces aren't allowed in the password) and less than 128.

You could
This means that even without a certificate, if someone gets ahold of the hashed (but not salted) passwords from a database, all they have to do is try hash keys until most of the password columns show all or nearly all bytes being greater than 31, and the vast majority also being less than 128.

Of course, Heartbleed makes all that moot.

What about?

[imgs.xkcd.com image 740x601]

Serious Black: TV's Vinnie: wildcardjack: The problem is password reuse among the plebs.

Because having to create AND remember a long wordsalad of a password to EACH AND EVERY GODDAMN F*CKING SITE THAT I EVER VISIT is SOOOOO easy to manage.

[imgs.xkcd.com image 740x601]
Wow! Seven seconds apart!

But no, even that doesn't work and in fact would be worse since the bytes in the resulting passwords, if hashed but not salted (or salted with something easy to figure out) would all not only be in the range of 32 through 127, but also mainly in the ranges of lower-case ASCII (96-122) with spaces an average of five characters apart, just like typical English text. That would be very easy to test for in a loop. Once they find the hash key, they have all the passwords.

You should stop talking now.  It is clear you don't understand how hashes work.  There is no "key" in a hash.


I think he meant salt.
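What the "hash key" exchange above comes down to, as an added example that is not from any poster in the thread: with an unsalted table, every user who picked the same password gets the same stored digest, so cracking one row cracks them all and precomputed tables work across sites; with a per-user salt stored beside the digest, equal passwords no longer look equal and verification re-derives the digest from the stored salt. The hash here is 64-bit FNV-1a, a stand-in chosen only so the block runs without a crypto library (a real system uses a slow password hash such as bcrypt, scrypt or Argon2), and `make_salt` derives salts from a seed so the demo is repeatable where production code would fill them from a CSPRNG. The users and passwords are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SALT_LEN   16
#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME  0x100000001b3ULL

typedef struct {
    unsigned char salt[SALT_LEN];   /* stored in the clear next to the digest */
    uint64_t digest;
} pw_record;

/* Stand-in hash (64-bit FNV-1a). Not a password hash; use bcrypt/scrypt/Argon2. */
static uint64_t fnv1a(uint64_t h, const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= FNV_PRIME;
    }
    return h;
}

/* Stand-in salt source, derived from a seed so the demo is deterministic.
   Production code fills the salt from a CSPRNG (getrandom, /dev/urandom). */
void make_salt(uint32_t seed, unsigned char out[SALT_LEN])
{
    for (size_t i = 0; i < SALT_LEN; i++)
        out[i] = (unsigned char)(((seed + (uint32_t)i) * 2654435761u) >> 24);
}

/* Unsalted: the same password yields the same digest for every user. */
uint64_t hash_unsalted(const char *pw)
{
    return fnv1a(FNV_OFFSET, (const unsigned char *)pw, strlen(pw));
}

/* Salted: digest = H(salt || password), salt kept with the record. */
pw_record hash_salted(const char *pw, const unsigned char salt[SALT_LEN])
{
    pw_record r;
    memcpy(r.salt, salt, SALT_LEN);
    uint64_t h = fnv1a(FNV_OFFSET, r.salt, SALT_LEN);
    r.digest = fnv1a(h, (const unsigned char *)pw, strlen(pw));
    return r;
}

/* Verification re-derives the digest from the stored salt; no "key" is needed. */
int verify_salted(const pw_record *rec, const char *candidate)
{
    pw_record probe = hash_salted(candidate, rec->salt);
    return probe.digest == rec->digest;
}

/* Attacker's view of an unsalted table: once one password is cracked,
   every row with the same digest falls for free. */
size_t count_same_digest(const uint64_t *table, size_t n, uint64_t d)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (table[i] == d)
            hits++;
    return hits;
}

/* Same scan over salted records: equal passwords no longer match. */
size_t count_same_salted(const pw_record *table, size_t n, uint64_t d)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (table[i].digest == d)
            hits++;
    return hits;
}

int main(void)
{
    const char *users[] = { "alice", "bob", "carol" };                      /* constructed */
    const char *pws[]   = { "hunter2", "hunter2", "correct horse battery staple" };
    uint64_t unsalted[3];
    pw_record salted[3];

    for (size_t i = 0; i < 3; i++) {
        unsigned char salt[SALT_LEN];
        make_salt((uint32_t)i + 1, salt);
        unsalted[i] = hash_unsalted(pws[i]);
        salted[i] = hash_salted(pws[i], salt);
        printf("%-6s unsalted=%016llx salted=%016llx\n", users[i],
               (unsigned long long)unsalted[i], (unsigned long long)salted[i].digest);
    }
    printf("rows sharing alice's unsalted digest: %zu\n", count_same_digest(unsalted, 3, unsalted[0]));
    printf("rows sharing alice's salted digest:   %zu\n", count_same_salted(salted, 3, salted[0].digest));
    printf("bob verifies with hunter2: %d, with hunter3: %d\n",
           verify_salted(&salted[1], "hunter2"), verify_salted(&salted[1], "hunter3"));
    return 0;
}
```

The salt is not secret and does not need to be; its job is to make each row's digest independent of every other row's, which is what defeats the "crack one, get them all" scan and any table computed in advance.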
 
2014-04-09 04:37:50 PM  

Mikey1969: has anyone checked to see if asianmanicuristsinbondage.com was compromised yet? i don't want to sign in again until the hackers have taken over, you see...


I run the site, so it's fine.
 
2014-04-09 04:45:46 PM  

Esc7: MrEricSir: Here's the pull request that introduced the bug.

Aside from the questionable decision to write a security library in C, this really isn't an appropriate place to be doing tricks with pointers. Several people deserve public floggings over this.

See in all this coverage I understand how the flaw works, how you get access to 64K of memory on the host computer.

I don't understand what the fark a heartbeat is or what they do in SSL.  Can someone smarter than me explain it?  (I'm a computer programmer btw and understand the broad strokes of SSL)


As everyone pointed out it's just a garbage packet to verify that both ends of the communication are in fact still "talking". However, I don't know why a heartbeat needs a specific SSL/TLS implementation, and why they don't just send a 0-length packet and wait for an ACK. (Not a network programmer, so I'm probably stupid here.)

minnesotaboy: Speaking as  a Windows server admin, SUCK IT!!!

[blog.seekdotnet.com image 480x345]

Suddenly the evil empire and its non-OpenSSL using Web Servers don't look so bad, huh?


Truly, open-source insecurities are proof that closed-source solutions are superior. Security through obscurity is best security!
 
2014-04-09 04:50:08 PM  
There's no indication (from what I've read) that anyone has actually used this bug.
 
2014-04-09 04:51:05 PM  

gingerjet: FTFA The only password I keep in my mind is the very long password for Last Pass itself.

I'm curious how quickly this person would plug in a USB token found on the street that would install a keyboard logger to steal that precious Last Pass password?  I'm betting within 5 minutes.

/articles like this annoy me


Two-factor authentication, don't stay logged in to lastpass when browser is closed. Ba-da-bing, ba-da-boom.
 
2014-04-09 04:51:57 PM  

lake_huron: Mikey1969: has anyone checked to see if asianmanicuristsinbondage.com was compromised yet? i don't want to sign in again until the hackers have taken over, you see...

I run the site, so it's fine.


Thank God... I thought I might have to give up my membership... Thing costs me $100/month, it had better be safe. I even gave you all of my bank account info this morning when you sent your email out...
 
Displayed 50 of 171 comments
