
(Vice)   Why Heartbleed will bleed the Internet for years to come   (motherboard.vice.com)
    More: Interesting, Heartbleed, MIT Technology Review, Googles, Digital Home, sufficiently large, OpenSSL, bugs, security certificates  

4080 clicks; posted to Geek on 13 Apr 2014 at 4:01 PM (36 weeks ago)



69 Comments

ZAZ [TotalFark]
2014-04-13 03:16:29 PM  
We also get to learn if certificate revocation lists work.
 
2014-04-13 03:43:04 PM  
Am I the only one who feels that all this is just part of a bigger plan to give us some sort of security fatigue so we just stop caring that we're getting spied on?
 
2014-04-13 03:51:24 PM  
Yet another boogieman sky is falling article. Kind of funny how we hear how terrible this flaw is, how it's been out there basically forever, and yet, nobody can point to any actual security breaches because of it.
 
2014-04-13 03:59:01 PM  

Dinki: Yet another boogieman sky is falling article. Kind of funny how we hear how terrible this flaw is, how it's been out there basically forever, and yet, nobody can point to any actual security breaches because of it.


So:

1) This is fairly normal levels of "Oh, fark Meeeee*trails off into distance*".
2) The nature of the bug is that there's no actual logging that would let you catch it.  If someone used it, you don't know and have no way of finding out.
 
2014-04-13 04:04:49 PM  

meyerkev: Dinki: Yet another boogieman sky is falling article. Kind of funny how we hear how terrible this flaw is, how it's been out there basically forever, and yet, nobody can point to any actual security breaches because of it.

So:

1) This is fairly normal levels of "Oh, fark Meeeee*trails off into distance*".
2) The nature of the bug is that there's no actual logging that would let you catch it.  If someone used it, you don't know and have no way of finding out.


...or (as I understand it) what present they got from the server or when they got it.
 
2014-04-13 04:08:19 PM  
So for the totally ignorant among us...

Does heartbleed mean that my password-protected wireless router is completely compromised?
 
rpm
2014-04-13 04:11:02 PM  

Dinki: Yet another boogieman sky is falling article. Kind of funny how we hear how terrible this flaw is, how it's been out there basically forever, and yet, nobody can point to any actual security breaches because of it.


Really? Looks easy enough to exploit
 
2014-04-13 04:13:47 PM  

Corn_Fed: So for the totally ignorant among us...

Does heartbleed mean that my password-protected wireless router is completely compromised?


Only if your router used that SSL and someone then used the heartbleed exploit at the exact right moment in time, both of which are really unlikely.

So nope, it should be totally fine.
 
rpm
2014-04-13 04:14:35 PM  

Corn_Fed: So for the totally ignorant among us...

Does heartbleed mean that my password-protected wireless router is completely compromised?


That depends. What version of OpenSSL is it running? Do you have external admin set to use SSL and have it exposed?

It's unlikely that they'll be able to pull the wireless keys off, and it doesn't allow other changes to be made, it's basically an information leak. I'd worry more about other things on the router, not heartbleed.
 
2014-04-13 04:29:00 PM  
Yeah if you managed your infrastructure with ssh and command line interfaces like a REAL geek should, instead of that least-common-denominator HTTPS web interface, you wouldn't have this issue, would you.
 
2014-04-13 04:31:30 PM  
As an afterthought, I'm guessing there might be flavors of SNMP that use SSL, but still, "In the beginning was the command line"
 
2014-04-13 04:32:09 PM  

Vlad_the_Inaner: Yeah if you managed your infrastructure with ssh and command line interfaces like a REAL geek should, instead of that least-common-denominator HTTPS web interface, you wouldn't have this issue, would you.


Or if you used commercial products, you know, where people get paid to be sure it's right? Like, say, Microsoft & Azure?
 
2014-04-13 04:37:33 PM  
The heartbleed bug can be fixed in a couple of minutes with a simple patch. I doubt that this will be a problem for years.
 
rpm
2014-04-13 04:44:33 PM  

XMark: The heartbleed bug can be fixed in a couple of minutes with a simple patch. I doubt that this will be a problem for years.


Including in all the embedded systems it's in?
 
2014-04-13 04:54:08 PM  

ecmoRandomNumbers: Am I the only one who feels that all this is just part of a bigger plan to give us some sort of security fatigue so we just stop caring that we're getting spied on?


Arguably the internet has been getting a lot more secure this last year because people are finally worrying about this sorta thing.
 
jbc [TotalFark]
2014-04-13 05:01:34 PM  

rpm: XMark: The heartbleed bug can be fixed in a couple of minutes with a simple patch. I doubt that this will be a problem for years.

Including in all the embedded systems it's in?


Like the "connected toothbrush" given as an example? Is there really much of a market for the data from a delta bravo who uses one of those? They're more at risk from the Cavity Creeps.
 
2014-04-13 05:06:41 PM  

SomeoneDumb: meyerkev: Dinki: Yet another boogieman sky is falling article. Kind of funny how we hear how terrible this flaw is, how it's been out there basically forever, and yet, nobody can point to any actual security breaches because of it.

So:

1) This is fairly normal levels of "Oh, fark Meeeee*trails off into distance*".
2) The nature of the bug is that there's no actual logging that would let you catch it.  If someone used it, you don't know and have no way of finding out.

...or (as I understand it) what present they got from the server or when they got it.


And yet, nobody can point to any actual events. Target was hacked with a stolen vendor ID. TJ Maxx was compromised by an unsecured wireless network, Heartland had malicious software installed on its network. If heartbleed was so prevalent, so easy, we would have heard about massive breaches. We haven't.

I'm not saying the heartbleed bug is phony. I'm saying that like all these 'sky is falling' stories (remember the DNS cache poisoning flaw from 2008?) are more about scaring the uninformed into believing the end of the internet is at hand rather than any real existential threat.
 
2014-04-13 05:10:37 PM  

ecmoRandomNumbers: Am I the only one who feels that all this is just part of a bigger plan to give us some sort of security fatigue so we just stop caring that we're getting spied on?


This is the most over-hyped non-event in recent memory...the fear mongering is incredible. I visited some relatives in the last few days and they--I am not joking--wanted to lynch the guy who caused the bug! I kept trying to explain to them that it's no BFD but they wouldn't listen. They wanted drama and blood and this is as good an excuse as any.
 
2014-04-13 05:16:25 PM  
This is why I don't do banking or anything important online.
 
2014-04-13 05:17:53 PM  

Dinki: I'm not saying the heartbleed bug is phony. I'm saying that like all these 'sky is falling' stories (remember the DNS cache poisoning flaw from 2008?) are more about scaring the uninformed into believing the end of the internet is at hand rather than any real existential threat.


Don't forget about giving IT people work. Every PHB IT Manager in the country has gone to their department pressing for solutions to Heartbleed.
 
2014-04-13 05:25:55 PM  

Dinki: And yet, nobody can point to any actual events. Target was hacked with a stolen vendor ID. TJ Maxx was compromised by an unsecured wireless network, Heartland had malicious software installed on its network. If heartbleed was so prevalent, so easy, we would have heard about massive breaches. We haven't.

I'm not saying the heartbleed bug is phony. I'm saying that like all these 'sky is falling' stories (remember the DNS cache poisoning flaw from 2008?) are more about scaring the uninformed into believing the end of the internet is at hand rather than any real existential threat.


I think the big deal is the uncertainty of damage, and the fact that anything that had been done was pretty much untraceable.  How many sites out there have been hacked without anyone ever figuring out how they did it?  (Such as Gawker).

That all being said, the fact that it took two years to come to light means that even if it was known about, it wasn't very broadly distributed, if at all.

/not enjoying rebuilding ssl certs
 
2014-04-13 05:37:19 PM  

ecmoRandomNumbers: Am I the only one who feels that all this is just part of a bigger plan to give us some sort of security fatigue so we just stop caring that we're getting spied on?


Actually, I feel the opposite. I think all the spying and security flaws are going to improve security and reduce spying in the future.
 
2014-04-13 05:44:44 PM  

fang06554: I think the big deal is the uncertainty of damage, and the fact that anything that had been done was pretty much untraceable.


But it isn't untraceable. If massive numbers of passwords are hacked or credit card information is stolen, those are pretty quickly identified. As far as I know, no large or even midsized company or social media site has come forward saying they have experienced such an untraceable breach.
 
2014-04-13 05:50:18 PM  

worlddan: ecmoRandomNumbers: Am I the only one who feels that all this is just part of a bigger plan to give us some sort of security fatigue so we just stop caring that we're getting spied on?

This is the most over-hyped non-event in recent memory...the fear mongering is incredible. I visited some relatives in the last few days and they--I am not joking--wanted to lynch the guy who caused the bug! I kept trying to explain to them that it's no BFD but they wouldn't listen. They wanted drama and blood and this is as good an excuse as any.


I wasted an entire week on this stupid issue and we weren't even vulnerable to it.
 
2014-04-13 05:56:46 PM  

worlddan: ecmoRandomNumbers: Am I the only one who feels that all this is just part of a bigger plan to give us some sort of security fatigue so we just stop caring that we're getting spied on?

This is the most over-hyped non-event in recent memory...the fear mongering is incredible. I visited some relatives in the last few days and they--I am not joking--wanted to lynch the guy who caused the bug! I kept trying to explain to them that it's no BFD but they wouldn't listen. They wanted drama and blood and this is as good an excuse as any.


I don't condone lynching, but I'd like to see the chain of commits with each developer's name that allowed this flaw into the software without so much as a simple bounds check. It's inexcusable at that level and they should be publicly shamed.
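As an added example (not code from this thread, and not OpenSSL's own source), here is a toy TLS heartbeat request handler built around the bounds check the comment above refers to. The record layout follows RFC 6520 (1 byte type, 2 byte payload length, payload, at least 16 bytes padding); the function names and the constructed requests are my own.

```c
/* Toy heartbeat handler with the length bounds check in place.
 * Constructed example; not the OpenSSL implementation. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_TYPE_REQUEST  1
#define HB_TYPE_RESPONSE 2
#define HB_HEADER_LEN    3   /* type (1) + payload_length (2) */
#define HB_MIN_PADDING   16  /* RFC 6520 minimum padding */

/* Echo the request payload back as a heartbeat response written into `out`.
 * Returns the response length, or -1 if the record is malformed, i.e. the
 * claimed payload_length (plus header and minimum padding) does not fit in
 * the bytes actually received. Without this check a handler would copy
 * payload_length bytes regardless of how many bytes arrived, reading past
 * the end of the received record into whatever memory sits beyond it. */
int handle_heartbeat(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                            /* too short to be valid */
    if (rec[0] != HB_TYPE_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check: claimed length must fit inside the received record. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return -1;

    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;                            /* response buffer too small */

    out[0] = HB_TYPE_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len); /* only received bytes */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);  /* zero padding */
    return (int)resp_len;
}

/* Demo helper: build a constructed request that claims `claimed_len` payload
 * bytes while actually carrying `actual_len` bytes. Returns record length. */
size_t build_request(uint8_t *buf, size_t cap, uint16_t claimed_len,
                     const char *payload, size_t actual_len)
{
    size_t total = HB_HEADER_LEN + actual_len + HB_MIN_PADDING;
    if (total > cap)
        return 0;
    buf[0] = HB_TYPE_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + HB_HEADER_LEN, payload, actual_len);
    memset(buf + HB_HEADER_LEN + actual_len, 0, HB_MIN_PADDING);
    return total;
}

int main(void)
{
    uint8_t req[64], resp[64];
    /* Honest request: claims 5 bytes and carries 5 -> echoed (24-byte response). */
    size_t n = build_request(req, sizeof req, 5, "hello", 5);
    printf("honest request:   %d\n", handle_heartbeat(req, n, resp, sizeof resp));
    /* Mismatched request: claims 65535 bytes but carries 5 -> rejected (-1). */
    n = build_request(req, sizeof req, 65535, "hello", 5);
    printf("oversized claim:  %d\n", handle_heartbeat(req, n, resp, sizeof resp));
    return 0;
}
```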
 
2014-04-13 06:12:24 PM  

ghare: Vlad_the_Inaner: Yeah if you managed your infrastructure with ssh and command line interfaces like a REAL geek should, instead of that least-common-denominator HTTPS web interface, you wouldn't have this issue, would you.

Or if you used commercial products, you know, where people get paid to be sure it's right? Like, say, Microsoft & Azure?


You're either trolling, willfully ignorant, or a special kind of stupid.

What was Azure's uptime last year again? Oh, yeah, about that....
 
2014-04-13 06:12:54 PM  

Dinki: fang06554: But it isn't untraceable. If massive numbers of passwords are hacked or credit card information is stolen, those are pretty quickly identified. As far as I know, no large or even midsized company or social media site has come forward saying they have experienced such an untraceable breach.


As far as social media companies, there have been.  The Gawker one is an example (I can't seem to find any technical details of how the hack was pulled off other than "we got all the source code for the site, and then dumped the database").

If I was way more nefarious, and I had this information (secretly) right now, it'd be pretty easy to do evil stuff on the internet, on a large enough scale to be profitable, but small enough scale to stay under the major radar.  And since there aren't any logs of it, a few dozen cases are just going to get dismissed by the service providers when people complain of their accounts getting hacked.

Again, I very highly doubt that this has been exploited much, if at all, in the wild.  But the 'not knowing' is the reason I have to rekey all of my SSL certs, my VPNs, and change my password on a hundred websites.
 
2014-04-13 06:15:54 PM  

xaks: ghare: Vlad_the_Inaner: Yeah if you managed your infrastructure with ssh and command line interfaces like a REAL geek should, instead of that least-common-denominator HTTPS web interface, you wouldn't have this issue, would you.

Or if you used commercial products, you know, where people get paid to be sure it's right? Like, say, Microsoft & Azure?

You're either trolling, willfully ignorant, or a special kind of stupid.

What was Azure's uptime last year again? Oh, yeah, about that....


You can't hack what's not running!
 
2014-04-13 06:33:41 PM  
From what I understand, Heartbleed has no way to direct its attack. So they are just pulling random memory, and the probability of getting anything worthwhile is low.
 
2014-04-13 07:02:13 PM  

flaminio: Dinki: I'm not saying the heartbleed bug is phony. I'm saying that like all these 'sky is falling' stories (remember the DNS cache poisoning flaw from 2008?) are more about scaring the uninformed into believing the end of the internet is at hand rather than any real existential threat.

Don't forget about giving IT people work. Every PHB IT Manager in the country has gone to their department pressing for solutions to Heartbleed.


PHB?  I'm not familiar with the acronym.

@Dinki, The DNS flaw was a much bigger issue.  Luckily the guy that found it gave notice to the people with the issues before he presented at Defcon.
 
2014-04-13 07:08:00 PM  

techgeek07: flaminio: Dinki: I'm not saying the heartbleed bug is phony. I'm saying that like all these 'sky is falling' stories (remember the DNS cache poisoning flaw from 2008?) are more about scaring the uninformed into believing the end of the internet is at hand rather than any real existential threat.

Don't forget about giving IT people work. Every PHB IT Manager in the country has gone to their department pressing for solutions to Heartbleed.

PHB?  I'm not familiar with the acronym.


Pointy-haired Boss.
 
2014-04-13 07:14:27 PM  

EvilEgg: From what I understand, Heartbleed has no way to direct its attack. So they are just pulling random memory, and the probability of getting anything worthwhile is low.


But you can run the attack a lot of times. Each individual attack might not have a high chance of getting something, but run it enough, and there's a good chance of getting useful stuff.
 
2014-04-13 07:26:17 PM  

Joe USer: ecmoRandomNumbers: Am I the only one who feels that all this is just part of a bigger plan to give us some sort of security fatigue so we just stop caring that we're getting spied on?

Actually, I feel the opposite. I think all the spying and security flaws are going to improve security and reduce spying in the future.


You do realize most sysadmins are lazy, right?

Add in a little corporate officer cheapness and you've got a recipe for a security nightmare.
 
2014-04-13 07:28:11 PM  

flaminio: Dinki: I'm not saying the heartbleed bug is phony. I'm saying that like all these 'sky is falling' stories (remember the DNS cache poisoning flaw from 2008?) are more about scaring the uninformed into believing the end of the internet is at hand rather than any real existential threat.

Don't forget about giving IT people work. Every PHB IT Manager in the country has gone to their department pressing for solutions to Heartbleed.


Not every IT Manager. I talked to the IT Manager at my company and asked about the Heartbleed bug, since we use third party software for our payroll, which you have to log into through any standard browser. He rolled his eyes at me and said I could change my password if I wanted to, and that the payroll company wouldn't notify us if they patched their server, 'cause companies don't notify their customers about such things.

According to him.
 
2014-04-13 07:33:15 PM  

strangeluck: flaminio: Dinki: I'm not saying the heartbleed bug is phony. I'm saying that like all these 'sky is falling' stories (remember the DNS cache poisoning flaw from 2008?) are more about scaring the uninformed into believing the end of the internet is at hand rather than any real existential threat.

Don't forget about giving IT people work. Every PHB IT Manager in the country has gone to their department pressing for solutions to Heartbleed.

Not every IT Manager. I talked to the IT Manager at my company and asked about the Heartbleed bug, since we use third party software for our payroll, which you have to log into through any standard browser. He rolled his eyes at me and said I could change my password if I wanted to, and that the payroll company wouldn't notify us if they patched their server, 'cause companies don't notify their customers about such things.

According to him.


And that guy should not be an IT manager.  He should've just picked up the phone.
 
2014-04-13 07:46:35 PM  
Heartbleed sounds like the name of a HIM album.
 
2014-04-13 07:46:47 PM  
[image]
 
2014-04-13 08:21:18 PM  
Required Reading:

http://xkcd.com/1354/
 
2014-04-13 09:13:38 PM  

inglixthemad: Joe USer: ecmoRandomNumbers: Am I the only one who feels that all this is just part of a bigger plan to give us some sort of security fatigue so we just stop caring that we're getting spied on?

Actually, I feel the opposite. I think all the spying and security flaws are going to improve security and reduce spying in the future.

You do realize most sysadmins are lazy, right?

Add in a little corporate officer cheapness and you've got a recipe for a security nightmare.


I've never met most, so I can't comment. I can only hope the guy that I trained remembers the 3 top requirements (Security, Stability, Speed). I know I ranted about them enough.
 
2014-04-13 09:23:47 PM  

ghare: Vlad_the_Inaner: Yeah if you managed your infrastructure with ssh and command line interfaces like a REAL geek should, instead of that least-common-denominator HTTPS web interface, you wouldn't have this issue, would you.

Or if you used commercial products, you know, where people get paid to be sure it's right? Like, say, Microsoft & Azure?


Because no one's ever found an exploit in Microsoft's code.
 
2014-04-13 09:29:33 PM  

Tyrone Slothrop: ghare: Vlad_the_Inaner: Yeah if you managed your infrastructure with ssh and command line interfaces like a REAL geek should, instead of that least-common-denominator HTTPS web interface, you wouldn't have this issue, would you.

Or if you used commercial products, you know, where people get paid to be sure it's right? Like, say, Microsoft & Azure?

Because no one's ever found an exploit in Microsoft's code.


Actually, if Microsoft were to have released this code, they'd end up paying out quite a bit due to the class action lawsuit that would inevitably occur.

But since it's some guys in their mom's basement there's no one to go after.
 
2014-04-13 09:40:22 PM  

ZAZ: We also get to learn if certificate revocation lists work.


I thought we knew the answer to that already.
 
2014-04-13 09:41:05 PM  
How many consumer firewalls and wireless access points are susceptible to this?

Cisco was using OpenSSL, so how many high end Cisco firewalls and routers in the wild can be scanned using heartbleed?  They'd have to be fairly recent, probably just the very newest ones, so at least there's a decent probability that they will be patched.
 
2014-04-13 09:41:55 PM  

Tyrone Slothrop: ghare: Vlad_the_Inaner: Yeah if you managed your infrastructure with ssh and command line interfaces like a REAL geek should, instead of that least-common-denominator HTTPS web interface, you wouldn't have this issue, would you.

Or if you used commercial products, you know, where people get paid to be sure it's right? Like, say, Microsoft & Azure?

Because no one's ever found an exploit in Microsoft's code.


[image]
 
2014-04-13 09:43:21 PM  

Mr. Eugenides: But since it's some guys in their mom's basement there's no one to go after.


Ahh, I guess it isn't "some guys"; it's a very specific software developer in Germany named Robin Seggelmann who wrote the heartbleed flaw into OpenSSL.
 
2014-04-13 09:44:52 PM  

Mr. Eugenides: Tyrone Slothrop: ghare: Vlad_the_Inaner: Yeah if you managed your infrastructure with ssh and command line interfaces like a REAL geek should, instead of that least-common-denominator HTTPS web interface, you wouldn't have this issue, would you.

Or if you used commercial products, you know, where people get paid to be sure it's right? Like, say, Microsoft & Azure?

Because no one's ever found an exploit in Microsoft's code.

Actually, if Microsoft were to have released this code, they'd end up paying out quite a bit due to the class action lawsuit that would inevitably occur.

[image]

That's precious.
 
2014-04-13 09:49:14 PM  

Dinki: Yet another boogieman sky is falling article. Kind of funny how we hear how terrible this flaw is, how it's been out there basically forever, and yet, nobody can point to any actual security breaches because of it.


That is because lots of production sites are still running older versions of openssl that don't have all the new shiny features and bugs added in yet.

The sites that are leaking the most data tend to be the ones who use a shared process to talk to lots of different hosts.  For sites that don't do that, most of the data that can be found in the memory dump only has part of the main site key and that is it.  That key should be regenerated, resigned and the old key should go away unless someone was recording encrypted traffic, which should be hard.  Of course the only reason that is in there is that they got sloppy with their memory reuse, but that has been a problem since Fortran added the redimension statement in the mid 1970s.
 
2014-04-13 10:05:59 PM  
Who wrote this crap?  Does the author realize that the vast majority of websites feature no encryption at all and the data is floating freely around the internet all the time?  Why is that not horribly terrifying?  Because not all data is equal. The only person who cares about the data your refrigerator is sending you is Google.  And you were probably already giving it to them for free. But hey, next time I need to send my toaster my SS or CC number over a public network, I'll be sure to check with the manufacturer how they encrypt my toast data.
 
2014-04-13 10:25:30 PM  
Article is pretty much spot on.

It's not difficult to make the argument that this is the most massive security issue in the intertubes' history:

considering every company affected
considering every individual affected
considering the total value of potential loss of every payment system and money repository affected (that includes email accounts used to access such things)

And, yes, we will have some stragglers -- and we will see someone seriously affected in the coming years.

But, on the bright side, this won't be the worst thing that happens in the next 10 years.  There will be a more serious problem found by 2025 -- sweet dreams.
 
Displayed 50 of 69 comments