
(Wired) Is the NSA behind the Heartbleed bug? (wired.com)
More: Interesting, NSA, Heartbleed, bugs, Heartbleed bug, SSL, private keys, web servers, cryptographic protocol

3146 clicks; posted to Geek » on 10 Apr 2014 at 12:05 PM



81 Comments
 
ZAZ [TotalFark]
2014-04-10 11:12:58 AM  
You can't prove anything, but if you drop a nuke on Fort Meade and it doesn't happen again that would be a clue.
 
2014-04-10 11:50:32 AM  
MSG NR 001 CK 21 0410 1540 BT
05231 04118 97909 43150 27698
42238  54076 83764 52635 73939
3911433740 52049 81687 27210
3662511154 25195 92262 05590
05231 AR K
 
2014-04-10 11:53:03 AM  

dittybopper: MSG NR 001 CK 21 0410 1540 BT
05231 04118 97909 43150 27698
42238  54076 83764 52635 73939
3911433740 52049 81687 27210
3662511154 25195 92262 05590
05231 AR K


CORRECTION:

MSG NR 001 CK 21 0410 1550 BT
05231 04118 97909 43150 27698
42238 54076 83764 52635 73939
39114 33740 52049 81687 27210
36625 11154 25195 92262 05590
05231
 AR K
 
2014-04-10 11:54:26 AM  
It's not a bug, it's a feature (for them).
 
2014-04-10 12:15:12 PM  
If it's man-made, it can be cracked.

/I guess it's high time to develop an AI that creates encrypted codes?
 
2014-04-10 12:22:59 PM  
I wouldn't put it past them.  The NSA has become more hitlery than hitler could ever hitler
 
2014-04-10 12:23:13 PM  

CygnusDarius: If it's man-made, it can be cracked.

/I guess it's high time to develop an AI that creates encrypted codes?


That's true. But if it takes 200 years on a cluster of expensive computers to do it, it's effectively secure.
 
2014-04-10 12:32:37 PM  
"It would not at all surprise me if the NSA had discovered this long before the rest of us had," Blaze says. "It's certainly something that the NSA would find extremely useful in their arsenal."

Of course, with no proof or even a good suspicion, it's always prudent to just pull "OMG NSA" outta yer butt to start rumors with.  Good jorb.
 
2014-04-10 12:40:12 PM  
Regardless of whether the NSA was behind this or not it does reveal one of the significant weaknesses of the open software movement--plants. It can be difficult to determine what is a bug and what is intentional. And when open software gets complicated the result is that there might not be enough eyes to look at all the code so that it can be double and triple checked. The strength of open source is auditing--we know exactly who did the changes. But in a case like this it's much too late as the damage has already been done.

So regardless of who actually did it, the end result is that many people are going to have to evaluate the closed vs open software paradigm. The fact is that NSA is so powerful it doesn't matter which way one goes on the question; they can compromise you.
 
2014-04-10 12:41:37 PM  

Satan's Bunny Slippers: "It would not at all surprise me if the NSA had discovered this long before the rest of us had," Blaze says. "It's certainly something that the NSA would find extremely useful in their arsenal."

Of course, with no proof or even a good suspicion, it's always prudent to just pull "OMG NSA" outta yer butt to start rumors with.  Good jorb.


Even if the NSA knew about it, the only "OOGAH BOOGAH" part of it would be them not telling anyone. It's not sinister for them to use exploits at their disposal, but it might be immoral for them to allow weaknesses to run rampant in the wild when actual, important data is on the line.

Of course, that assumes the NSA knew about it.
 
2014-04-10 12:43:52 PM  
Nope, it's Hydra.
 
2014-04-10 12:45:20 PM  

Satan's Bunny Slippers: "It would not at all surprise me if the NSA had discovered this long before the rest of us had," Blaze says. "It's certainly something that the NSA would find extremely useful in their arsenal."

Of course, with no proof or even a good suspicion, it's always prudent to just pull "OMG NSA" outta yer butt to start rumors with.  Good jorb.


Take this with a grain of salt, but there have been a number of reports that a few of the mass dumps floating around nefarious corners of the web have signs that they were created by malware using the heartbleed bug.  This is based on the types of information and format of the info in the dumps.  If malware writers have had access to this info for some time now, it's most likely probable that the NSA has at least known about the vulnerability, if not specifically exploited it or created it.
 
 
2014-04-10 12:51:36 PM  

worlddan: The fact is that NSA is so powerful it doesn't matter which way one goes on the question; they can compromise you.


Especially since Microsoft et al are all too happy to hand over the keys to their kingdom.

People want to tout this as a failure of open-source, but there's no reason to believe that such a thing wouldn't (and doesn't) happen all the time in closed ecosystems. This is a failure of whoever committed that code.

And in closed ecosystems, simple "lack of boundary checking" might NEVER get found/patched.
 
2014-04-10 12:53:11 PM  

Satan's Bunny Slippers: "It would not at all surprise me if the NSA had discovered this long before the rest of us had," Blaze says. "It's certainly something that the NSA would find extremely useful in their arsenal."

Of course, with no proof or even a good suspicion, it's always prudent to just pull "OMG NSA" outta yer butt to start rumors with.  Good jorb.


How is working for Uncle Sam these days?
/Throughout human history, and especially now, everyone on Earth should be suspicious of all government.
 
2014-04-10 12:59:39 PM  

CoonAce: How is working for Uncle Sam these days?
/Throughout human history, and especially now, everyone on Earth should be suspicious of all government.


At the same time, knowing how well most government agencies are run, I can't shake a sneaking suspicion that their competence is being overestimated, and that even if they are able to tap into all of this information, most of it goes unused because of various bits of infighting and office politics.

Plus, I'm not sure if I can take their 37337 hax0r skills seriously when I see crappy PowerPoints like this being leaked:

[i1.ytimg.com image 480x360]

It just makes me think that it is a bunch of balding middle managers pushing paper around and playing CYA all day.
 
2014-04-10 01:02:04 PM  

CygnusDarius: If it's man-made, it can be cracked.


That's actually not true.

There is one man-made cipher that when employed correctly can't be cracked either theoretically, or in practice.

And you can implement it with nothing more complicated than pencil, paper, and a handful of 10-sided dice.

/I guess it's high time to develop an AI that creates encrypted codes?

I'd be willing to bet such a program wouldn't lead to anything significantly better than can be derived by humans.
 
2014-04-10 01:10:25 PM  

dittybopper: CygnusDarius: If it's man-made, it can be cracked.

That's actually not true.

There is one man-made cipher that when employed correctly can't be cracked either theoretically, or in practice.

And you can implement it with nothing more complicated than pencil, paper, and a handful of 10-sided dice.

/I guess it's high time to develop an AI that creates encrypted codes?

I'd be willing to bet such a program wouldn't lead to anything significantly better than can be derived by humans.


Yeah, the problem with crypto is that the more secure it is, the harder it usually is to use. A one time pad made from those 10 sided dice and a legal pad will be very secure. It will just mean incredibly slow communication- too slow for most purposes that don't require absolute security. And if a copy of that pad gets compromised, out the window it goes.
 
2014-04-10 01:14:06 PM  

dittybopper: CygnusDarius: If it's man-made, it can be cracked.

That's actually not true.

There is one man-made cipher that when employed correctly can't be cracked either theoretically, or in practice.

And you can implement it with nothing more complicated than pencil, paper, and a handful of 10-sided dice.

/I guess it's high time to develop an AI that creates encrypted codes?

I'd be willing to bet such a program wouldn't lead to anything significantly better than can be derived by humans.


Yeah. Humans are fallible, math isn't. One-time pads are absolutely uncrackable, so long as you keep the pad secret and for the love of Christ NEVER RE-USE IT.

This wasn't a failure of the SSL protocols, just this implementation. SSL is still secure as far as we know.

/I know you know this ditty, just talking to hear myself talk
 
2014-04-10 01:14:54 PM  
NateAsbestos:

People want to tout this as a failure of open-source, but there's no reason to believe that such a thing wouldn't (and doesn't) happen all the time in closed ecosystems. This is a failure of whoever committed that code.

We know who that was, this guy.

https://github.com/openssl/openssl/commit/4817504d069b4c5082161b02a22116ad75f822b1

And in closed ecosystems, simple "lack of boundary checking" might NEVER get found/patched.

That's true but it misses the point. The underlying problem in my view is not open source vs closed source. The underlying problem is the power of the NSA. It's not an issue of the playing field being unlevel; the playing field has switched from horizontal to vertical. The only people who win is the NSA and everyone else loses by default.
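
The "lack of boundary checking" in the linked commit, as an added illustration (not the OpenSSL code and not worlddan's or NateAsbestos's): a Python model of a TLS heartbeat handler that trusts the peer's declared payload length beside one that checks it against the record actually received. The heartbeat layout (type, 2-byte length, payload, 16 bytes of padding) is the real one; the "adjacent memory" is a constructed stand-in for whatever happened to follow the record in the process, not a real key.

```python
import struct

# Constructed stand-in for whatever happens to sit in memory after the
# heartbeat record: a fake private-key header, not a real key.
ADJACENT_MEMORY = b"-----BEGIN RSA PRIVATE KEY----- (constructed, not a real key)"

PADDING_LEN = 16  # heartbeat messages carry at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat body: type (1 byte) | payload_length (2 bytes) | payload | padding.
    An honest peer sets claimed_len == len(payload); a malicious one lies."""
    return bytes([1]) + struct.pack(">H", claimed_len) + payload + b"\x00" * PADDING_LEN


def vulnerable_reply(record: bytes, adjacent: bytes) -> bytes:
    """Pre-fix behaviour, modelled in Python: the peer's payload_length is
    trusted and that many bytes are copied from the payload start, so a lie
    reads past the record into whatever follows it."""
    memory = record + adjacent          # the record plus what lies after it
    payload_len = struct.unpack(">H", record[1:3])[0]
    return memory[3:3 + payload_len]    # no check against len(record)


def patched_reply(record: bytes, adjacent: bytes):
    """Shape of the fix: the claimed length must fit inside the record
    actually received (type + length field + payload + padding); otherwise
    the message is silently discarded."""
    payload_len = struct.unpack(">H", record[1:3])[0]
    if 1 + 2 + payload_len + PADDING_LEN > len(record):
        return None
    return record[3:3 + payload_len]


if __name__ == "__main__":
    honest = build_heartbeat(b"hello", 5)
    lying = build_heartbeat(b"hello", 60)
    print(vulnerable_reply(honest, ADJACENT_MEMORY))   # b'hello'
    print(vulnerable_reply(lying, ADJACENT_MEMORY))    # payload, padding, then leaked bytes
    print(patched_reply(lying, ADJACENT_MEMORY))       # None
```

The lying request is a valid-looking 24-byte record whose length field says 60; the unchecked handler answers with 60 bytes, 39 of which it never received from the peer. Repeating the request walks through whatever the allocator placed nearby, which is why the tags on this page mention private keys.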
 
2014-04-10 01:17:46 PM  

akula: dittybopper: CygnusDarius: If it's man-made, it can be cracked.

That's actually not true.

There is one man-made cipher that when employed correctly can't be cracked either theoretically, or in practice.

And you can implement it with nothing more complicated than pencil, paper, and a handful of 10-sided dice.

/I guess it's high time to develop an AI that creates encrypted codes?

I'd be willing to bet such a program wouldn't lead to anything significantly better than can be derived by humans.

Yeah, the problem with crypto is that the more secure it is, the harder it usually is to use. A one time pad made from those 10 sided dice and a legal pad will be very secure. It will just mean incredibly slow communication- too slow for most purposes that don't require absolute security. And if a copy of that pad gets compromised, out the window it goes.


Are we talking about encryption, or are we talking about Vampire: The Masquerade character sheets?
 
2014-04-10 01:23:15 PM  

NateAsbestos: Yeah. Humans are fallible, math isn't. One-time pads are absolutely uncrackable, so long as you keep the pad secret and for the love of Christ NEVER RE-USE IT.

This wasn't a failure of the SSL protocols, just this implementation. SSL is still secure as far as we know.

/I know you know this ditty, just talking to hear myself talk


That's OK, other people don't.
 
2014-04-10 01:24:43 PM  

dittybopper: dittybopper: MSG NR 001 CK 21 0410 1540 BT
05231 04118 97909 43150 27698
42238  54076 83764 52635 73939
3911433740 52049 81687 27210
3662511154 25195 92262 05590
05231 AR K

CORRECTION:

MSG NR 001 CK 21 0410 1550 BT
05231 04118 97909 43150 27698
42238 54076 83764 52635 73939
39114 33740 52049 81687 27210
36625 11154 25195 92262 05590
05231 AR K



ZTC1  ZTB10 K
 
 
2014-04-10 01:29:17 PM  

akula: Yeah, the problem with crypto is that the more secure it is, the harder it usually is to use. A one time pad made from those 10 sided dice and a legal pad will be very secure. It will just mean incredibly slow communication- too slow for most purposes that don't require absolute security. And if a copy of that pad gets compromised, out the window it goes.


You know how long it took me to encrypt that message up above?

About 5 minutes.  And all it took was simple math.

Of course, that doesn't include the time it took for me to create the pad.  But creating the pads doesn't take that much time, really.  I've done it while watching TV.  You get into a rhythm, and you'll be surprised at how much key material you can generate.

Of course, if you're communicating every 5 minutes, there's no way you could possibly keep up with that.  But I find that the people who are communicating that much don't really have anything important to say anyway.
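
The pencil-and-paper pad dittybopper describes above, and the never-reuse-it warning from NateAsbestos earlier, as one added example (not either poster's code or pad). Digits are rolled one die throw at a time (secrets.randbelow stands in for the dice), encryption is digit-wise subtraction mod 10 with no borrow, decryption is addition with no carry, and the A=01..Z=26 letter code is an assumed toy encoding, not any standard code. The last two functions show what reuse costs: the key cancels out of the difference of two ciphertexts, and one known plaintext gives up the pad and every other message sent under it.

```python
import secrets


def roll_pad(n_digits: int) -> str:
    """One digit per throw of a ten-sided die; secrets.randbelow stands in
    for the dice here. Each pad is meant for exactly one message."""
    return "".join(str(secrets.randbelow(10)) for _ in range(n_digits))


def text_to_digits(text: str) -> str:
    # Assumed toy letter code A=01 .. Z=26 (not any standard trade code).
    return "".join(f"{ord(c) - 64:02d}" for c in text.upper() if c.isalpha())


def digits_to_text(digits: str) -> str:
    return "".join(chr(int(digits[i:i + 2]) + 64) for i in range(0, len(digits), 2))


def combine(digits: str, pad: str, sign: int) -> str:
    """Digit-wise addition (sign=+1) or subtraction (sign=-1) mod 10 with no
    carry or borrow: the 'simple math' of a pencil-and-paper pad."""
    if len(pad) < len(digits):
        raise ValueError("pad too short: never stretch or reuse key material")
    return "".join(str((int(d) + sign * int(k)) % 10) for d, k in zip(digits, pad))


def encrypt(plaintext: str, pad: str) -> str:
    return combine(text_to_digits(plaintext), pad, -1)


def decrypt(ciphertext: str, pad: str) -> str:
    return digits_to_text(combine(ciphertext, pad, +1))


def five_groups(digits: str) -> str:
    """Lay the digits out in groups of five, as in the messages above."""
    return " ".join(digits[i:i + 5] for i in range(0, len(digits), 5))


def reuse_leak(c1: str, c2: str) -> str:
    """Two ciphertexts under the same pad: (p1 - k) - (p2 - k) = p1 - p2 mod 10.
    The key cancels and the attacker gets the plaintext difference for free."""
    return "".join(str((int(a) - int(b)) % 10) for a, b in zip(c1, c2))


def recover_other(c_known: str, known_plaintext: str, c_other: str) -> str:
    """With one plaintext known, the pad falls out (k = p1 - c1) and every
    other message encrypted with it decrypts."""
    p1 = text_to_digits(known_plaintext)
    pad = "".join(str((int(p) - int(c)) % 10) for p, c in zip(p1, c_known))
    return decrypt(c_other[:len(pad)], pad)


if __name__ == "__main__":
    pad = roll_pad(24)
    c1 = encrypt("ATTACK AT DAWN", pad)
    c2 = encrypt("HOLD POSITION", pad)   # the mistake: same pad twice
    print(five_groups(c1))
    print(decrypt(c1, pad))              # ATTACKATDAWN
    print(recover_other(c1, "ATTACK AT DAWN", c2))   # HOLDPOSITION
```

The security argument rests entirely on the pad: every digit truly random, at least as long as the message, used once and then destroyed. The ValueError in combine is the one check a pencil-and-paper operator has to make by hand; the two recovery functions are what an adversary gets the moment that rule is broken.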
 
2014-04-10 01:32:56 PM  
No! A 15-year-old in Eastern Europe or Russia.
 
2014-04-10 01:39:03 PM  

Uriel: dittybopper: dittybopper: MSG NR 001 CK 21 0410 1540 BT
05231 04118 97909 43150 27698
42238  54076 83764 52635 73939
3911433740 52049 81687 27210
3662511154 25195 92262 05590
05231 AR K

CORRECTION:

MSG NR 001 CK 21 0410 1550 BT
05231 04118 97909 43150 27698
42238 54076 83764 52635 73939
39114 33740 52049 81687 27210
36625 11154 25195 92262 05590
05231 AR K

ZTC1  ZTB10 K


ZWF ZTC2 ZTB7 K
 
2014-04-10 01:43:29 PM  

Mad_Radhu: CoonAce: How is working for Uncle Sam these days?
/Throughout human history, and especially now, everyone on Earth should be suspicious of all government.

At the same time, knowing how well most government agencies are run, I can't shake a sneaking suspicion that that their competence is being over estimated, and that even if they are able to tap into all of this information, most of it goes unused because of various bits of infighting and office politics.

Plus, I'm not sure if I can take their 37337 hax0r skills seriously when I see crappy PowerPoints like this being leaked:

[i1.ytimg.com image 480x360]

I just makes me think that it is a bunch of balding middle managers pushing paper around and playing CYA disinfo & PSYOPS all day.


FTFY.  "Unclassified//For Official Use Only" LOL.  Your reaction is probably in the ballpark of what they were going for.  US Govt is highly, highly compartmentalized, and the source of that image may not specialize in "37337 hax0rz," exactly.
 
2014-04-10 01:44:30 PM  

Smeggy Smurf: I wouldn't put it past them.  The NSA has become more hitlery than hitler could ever hitler


When I was a kid in the 70's we heard about life in the Soviet Union where the government monitored everybody's every move, where people were encouraged to report their neighbors for activities detrimental to the state, where any dissension was seen as subversive and dangerous. I always wondered what it would be like to live under that kind of oppression.
 
2014-04-10 01:47:28 PM  

dittybopper: Uriel: dittybopper: dittybopper: MSG NR 001 CK 21 0410 1540 BT
05231 04118 97909 43150 27698
42238  54076 83764 52635 73939
3911433740 52049 81687 27210
3662511154 25195 92262 05590
05231 AR K

CORRECTION:

MSG NR 001 CK 21 0410 1550 BT
05231 04118 97909 43150 27698
42238 54076 83764 52635 73939
39114 33740 52049 81687 27210
36625 11154 25195 92262 05590
05231 AR K

ZTC1  ZTB10 K

ZWF ZTC2 ZTB7 K


ZVF ZXD BT AR
 
2014-04-10 01:51:03 PM  
The article and the headline differ substantially.  The headline asks whether NSA is responsible for the bug.  (Almost certainly not.)  The article is about whether the NSA discovered the bug and has been exploiting it.  (Maybe.)
 
2014-04-10 01:51:35 PM  

Crewmannumber6: Smeggy Smurf: I wouldn't put it past them.  The NSA has become more hitlery than hitler could ever hitler

When I was a kid in the 70's we heard about life in the Soviet Union where the government monitored everybody's every move, where people were encouraged to report their neighbors for activities detrimental to the state, where any dissension was seen as subversive and dangerous. I always wondered what it would be like to live under that kind of oppression.


Kind of a willing subordination, along the lines of Stockholm Syndrome.
 
2014-04-10 01:59:57 PM  

Smeggy Smurf: I wouldn't put it past them.  The NSA has become more hitlery than hitler could ever hitler


Funny you should bring that up!
http://en.wikipedia.org/wiki/Operation_Paperclip

It was much more than rocket scientists; Mind Kontrol Ultra (MKUltra) stemmed from the above:
http://en.wikipedia.org/wiki/Mkultra

Huh.  What do you know, "Since the 1950s, TV has been the main medium for molding public opinion [1] "
http://en.wikipedia.org/wiki/Television
 
2014-04-10 02:12:44 PM  

CoonAce: Smeggy Smurf: I wouldn't put it past them.  The NSA has become more hitlery than hitler could ever hitler

Funny you should bring that up!
http://en.wikipedia.org/wiki/Operation_Paperclip

It was much more than rocket scientists; Mind Kontrol Ultra (MKUltra) stemmed from the above:
http://en.wikipedia.org/wiki/Mkultra

Huh.  What do you know, "Since the 1950s, TV has been the main medium for molding public opinion [1] "
http://en.wikipedia.org/wiki/Television


Take that all into account and go watch videodrome again. It puts a really creepy spin on the whole movie. (Not that it wasn't creepy to begin with)
 
2014-04-10 02:20:49 PM  
I was told numerous times that it is impossible for a bug to last long in the Open Sores community because so many developers are looking at the code.
 
2014-04-10 02:34:29 PM  
We know who the guy is, what I haven't seen is interviews. Hell, I haven't seen or heard one report mention his name. Wtf??

And Snowden leaks shiat that the nsa does and news agencies are digging up everyone in his life. Asshat shiatily adds code to OpenSSL that screws with some basic security on the net and the news people are like.. . Who??
 
2014-04-10 02:35:39 PM  

viscountalpha: CoonAce: Smeggy Smurf: I wouldn't put it past them.  The NSA has become more hitlery than hitler could ever hitler

Funny you should bring that up!
http://en.wikipedia.org/wiki/Operation_Paperclip

It was much more than rocket scientists; Mind Kontrol Ultra (MKUltra) stemmed from the above:
http://en.wikipedia.org/wiki/Mkultra

Huh.  What do you know, "Since the 1950s, TV has been the main medium for molding public opinion [1] "
http://en.wikipedia.org/wiki/Television

Take that all into account and go watch videodrome again. It puts a really creepy spin on the whole movie. (Not that it wasn't creepy to begin with)


I haven't seen it, but Carpenter's "They Live" was dead on.
 
2014-04-10 02:45:53 PM  

Uriel: ZVF ZXD BT AR


You may find this a bit unbelievable, but I actually have a Lorenz high-speed Morse tape-punching keyboard, and a high speed Morse tape reader (used to read the tape and key the transmitter accordingly).

I haven't gotten around to checking to see if they work yet.
 
2014-04-10 02:46:41 PM  

CoonAce: I haven't seen it, but Carpenter's "They Live" was dead on.


So was "Druscilla Penny".
 
2014-04-10 02:50:42 PM  

Crewmannumber6: Smeggy Smurf: I wouldn't put it past them.  The NSA has become more hitlery than hitler could ever hitler

When I was a kid in the 70's we heard about life in the Soviet Union where the government monitored everybody's every move, where people were encouraged to report their neighbors for activities detrimental to the state, where any dissension was seen as subversive and dangerous. I always wondered what it would be like to live under that kind of oppression.


We ain't there yet.

But consider this:  The surveillance tools available to the government now would have made Heinrich Himmler and Lavrenti Beria cream their jeans in blissful ecstasy.
 
2014-04-10 02:57:54 PM  

dittybopper: CoonAce: I haven't seen it, but Carpenter's "They Live" was dead on.

So was "Druscilla Penny".


Ba dum tss!  The Carpenters are a band that always sounded so damn suicidal.  For obvious good reason, but still.
 
2014-04-10 03:06:17 PM  

dittybopper: Crewmannumber6: Smeggy Smurf: I wouldn't put it past them.  The NSA has become more hitlery than hitler could ever hitler

When I was a kid in the 70's we heard about life in the Soviet Union where the government monitored everybody's every move, where people were encouraged to report their neighbors for activities detrimental to the state, where any dissension was seen as subversive and dangerous. I always wondered what it would be like to live under that kind of oppression.

We ain't there yet.

But consider this:  The surveillance tools available to the government now would have made Heinrich Himmler and Lavrenti Beria cream their jeans in blissful ecstasy.


And for good reason!  The US scored a shiatload of Himmler's SS, and many other key NAZIs, with Paperclip.  Also consider this: 40 years ago, the US govt. could read a license plate or newspaper headline from space ... imagine how far the capabilities have come.
 
2014-04-10 03:13:56 PM  

Satan's Bunny Slippers: "It would not at all surprise me if the NSA had discovered this long before the rest of us had," Blaze says. "It's certainly something that the NSA would find extremely useful in their arsenal."

Of course, with no proof or even a good suspicion, it's always prudent to just pull "OMG NSA" outta yer butt to start rumors with.  Good jorb.


Er... I know the average farker is kind of a paste-eating imbecile, but all he said was that he wouldn't be surprised if the NSA had  discovered it earlier.  That's not "OMG NSA" that's, "Well, yeah, of course."

He didn't say they caused or contributed to it; he suggested that it would be unsurprising if an organization that is known to devote a large number of assets toward defeating cryptosystems had stumbled across a dead simple overrun bug before the rest of the world.
 
2014-04-10 03:15:30 PM  

CoonAce: Funny you should bring that up!
http://en.wikipedia.org/wiki/Operation_Paperclip



[c2.staticflickr.com image]
 
2014-04-10 03:38:19 PM  
[thelearnedfangirl.com image]
 
2014-04-10 03:54:36 PM  

CoonAce: I haven't seen it, but Carpenter's "They Live" was dead on.


[tobefree.files.wordpress.com image]

Are you low on bubble gum too friend?
 
2014-04-10 03:59:09 PM  

CoonAce: Also consider this: 40 years ago, the US govt. could read a license plate or newspaper headline from space ... imagine how far the capabilities have come.


No, they couldn't.

I know, because I saw some of the best imagery available back in the late 1980's, and it wasn't anywhere near that good.

You end up running up against fundamental laws of physics (setting aside the problems of atmospheric distortion).

Given the known size of those spy satellites, and given the known height of their orbits, it's actually a relatively simple calculation to figure out how big of an object they could detect.  And it turns out that the answer is about 6 inches or so under optimum conditions.

At that resolution, a typical license plate is going to be a 2 or 3 pixel blob.
 
2014-04-10 04:02:30 PM  

CoonAce: dittybopper: CoonAce: I haven't seen it, but Carpenter's "They Live" was dead on.

So was "Druscilla Penny".

Ba dum tss!  The Carpenters are a band that always sounded so damn suicidal.  For obvious good reason, but still.


You should hie thee to whatever method you use to rent movies and go watch Videodrome.

No, seriously, do it.

You could *SO* remake that film using the intarwebs instead of TV.
 
2014-04-10 04:09:42 PM  

dittybopper: CoonAce: dittybopper: CoonAce: I haven't seen it, but Carpenter's "They Live" was dead on.

So was "Druscilla Penny".

Ba dum tss!  The Carpenters are a band that always sounded so damn suicidal.  For obvious good reason, but still.

You should hie thee to whatever method you use to rent movies and go watch Videodrome.

No, seriously, do it.

You could *SO* remake that film using the intarwebs instead of TV.


Think it's worth $25 or so to buy the criterion bluray? Trying to grow my collection and I do like supporting criterion, but I've never seen Videodrome
 
2014-04-10 04:15:06 PM  

Mad_Radhu: [img.fark.net image 480x283]


No, Obama did that.
 
Displayed 50 of 81 comments

First | « | 1 | 2 | » | Last | Show all

View Voting Results: Smartest and Funniest


This thread is closed to new comments.

Continue Farking
Submit a Link »
Advertisement
On Twitter





In Other Media


  1. Links are submitted by members of the Fark community.

  2. When community members submit a link, they also write a custom headline for the story.

  3. Other Farkers comment on the links. This is the number of comments. Click here to read them.

  4. Click here to submit a link.

Report