The Heartbleed Bug

TI-994A
Addict
Posts: 2752
Joined: Sat Feb 19, 2011 3:47 am
Location: Singapore

The Heartbleed Bug

Post by TI-994A »

A public service announcement for those who may not be in the know...

- About Heartbleed...

- CNET video report...
Texas Instruments TI-99/4A Home Computer: the first home computer with a 16bit processor, crammed into an 8bit architecture. Great hardware - Poor design - Wonderful BASIC engine. And it could talk too! Please visit my YouTube Channel :D
Danilo
Addict
Posts: 3036
Joined: Sat Apr 26, 2003 8:26 am
Location: Planet Earth

Re: The Heartbleed Bug

Post by Danilo »

German TV news reported NSA used the OpenSSL bug for 2 years. USA are really crazy and out-of-control.
Thorium
Addict
Posts: 1308
Joined: Sat Aug 15, 2009 6:59 pm

Re: The Heartbleed Bug

Post by Thorium »

Danilo wrote: USA are really crazy and out-of-control.
So are German TV news.
Seriously, I don't know if the NSA knew about this bug, but I am sure the news don't know it as well.
I stopped listening to news from reporters because there are so many lies and crap.
Bananenfreak
Enthusiast
Posts: 519
Joined: Mon Apr 15, 2013 12:22 pm

Re: The Heartbleed Bug

Post by Bananenfreak »

Offtopic:
TI-994A, because of your sentence I remembered a part of Bioshock...
Are you in the know? :D
Danilo
Addict
Posts: 3036
Joined: Sat Apr 26, 2003 8:26 am
Location: Planet Earth

Re: The Heartbleed Bug

Post by Danilo »

Thorium wrote: Seriously, I don't know if the NSA knew about this bug, but I am sure the news don't know it as well.
Sure, they report about something they don't know.
Thorium wrote: I stopped listening to news from reporters because there are so many lies and crap.
Seems you didn't listen to news over the last month. Please research what Edward Joseph Snowden (German) revealed.
The US of A are the greatest enemy of the whole world. They will tell you they invented Democracy, but the opposite
is the truth. Even Stasi wasn't as bad and big as NSA. USA is the biggest threat to freedom as of today.
It is a war-making country, and their biggest employer is the war-making army. On the other side, many people there
are living under bridges, the sign for a 3rd world country. Way behind Europe...
Lord
Addict
Posts: 907
Joined: Tue May 26, 2009 2:11 pm

Re: The Heartbleed Bug

Post by Lord »

Danilo wrote:...
Even Stasi wasn't as bad and big as NSA. USA is the biggest threat to freedom as of today.
It is a war-making country, and their biggest employer is the war-making army.
And to get the NSA out of focus they forced riots in Kiev/Ukraine
and accused Russia of forcing this and all this just to "bind" the EU
closer to the US again and to divert suspicion from the NSA.
Thorium
Addict
Posts: 1308
Joined: Sat Aug 15, 2009 6:59 pm

Re: The Heartbleed Bug

Post by Thorium »

Danilo wrote:
Thorium wrote: Seriously, I don't know if the NSA knew about this bug, but I am sure the news don't know it as well.
Sure, they report about something they don't know.
Yes, they do this all the time.
Danilo wrote:
Thorium wrote: I stopped listening to news from reporters because there are so many lies and crap.
Seems you didn't listen to news over the last month. Please research what Edward Joseph Snowden (German) revealed.
The US of A are the greatest enemy of the whole world. They will tell you they invented Democracy, but the opposite
is the truth. Even Stasi wasn't as bad and big as NSA. USA is the biggest threat to freedom as of today.
It is a war-making country, and their biggest employer is the war-making army. On the other side, many people there
are living under bridges, the sign for a 3rd world country. Way behind Europe...
I know about Snowden. The problem is you can't just assume something because someone told something else. There is no source telling NSA knew about this bug. They are accused of it, but there is no source at all and they deny it.

What the USA does is dangerous for all of us. Stop thinking and just assuming someone doing something without proof is dangerous as well.
skywalk
Addict
Posts: 4242
Joined: Wed Dec 23, 2009 10:14 pm
Location: Boston, MA

Re: The Heartbleed Bug

Post by skywalk »

Haha, with an enormous budget and access to the best programmers in the world and the ability to contract "hackers" on a whim, it is only the narrowest of possibilities that NSA was not using it for years. Yes, let's also ask them if they authored Stuxnet? :lol:
The nice thing about standards is there are so many to choose from. ~ Andrew Tanenbaum
Danilo
Addict
Posts: 3036
Joined: Sat Apr 26, 2003 8:26 am
Location: Planet Earth

Re: The Heartbleed Bug

Post by Danilo »

Thorium wrote:There is no source telling NSA knew about this bug. They are accused of it, but there is no source at all and they deny it.

What the USA does is dangerous for all of us. Stop thinking and just assuming someone doing something without proof is dangerous as well.
Of course you are right. Got a bit angry when I heard this, sorry.
tj1010
Enthusiast
Posts: 716
Joined: Mon Feb 25, 2013 5:51 pm

Re: The Heartbleed Bug

Post by tj1010 »

It should be noted UK, Germany and a few other European countries are the ones who did the spying on Americans at the request of the NSA, so the NSA could avoid legal issues and maintain plausible deniability; it worked till someone from inside the NSA revealed everything.. NSA did the same for them upon their requests.. There is no innocent NATO nation..

At least with Russia and its allies you know what you get, and there is at least some tradition and loyalty and it's not autonomous self interest among hundreds of millions of greedy people..


Also it takes hundreds of thousands of requests just to have a chance at getting private data with this bug. The longer a machine runs the less likely it is because of how heap and stack memory are located, and how real memory is expanded. But don't take my word for it, take it from professional researchers and the person who found it..
Olby
Enthusiast
Posts: 461
Joined: Mon Jan 12, 2009 10:33 am

Re: The Heartbleed Bug

Post by Olby »

tj1010 wrote: At least with Russia and its allies you know what you get, and there is at least some tradition and loyalty and it's not autonomous self interest among hundreds of millions of greedy people..
Haha that made my day! As someone born and raised in an ex-USSR country I can surely say, you, sir, are deeply wrong. Russia, especially in recent years has been cracking down on freedom of speech, self-expression on-line, pulling web sites down for etc. I won't even go down there. We are still living in a bi-polar world. US vs. Russia. Both are equally bad.

And as for the data protection. There is none. Just get over it. Like it or not but if you communicate over the internet your data is gone. Lost. Exposed. There is no point in arguing that every protection, no matter how good, eventually can be broken. So what's the fuss about?
Intel Core i7 Quad 2.3 Ghz, 8GB RAM, GeForce GT 630M 2GB, Windows 10 (x64)
Zach
Addict
Posts: 1677
Joined: Sun Dec 12, 2010 12:36 am
Location: Somewhere in the midwest

Re: The Heartbleed Bug

Post by Zach »

I always get a good laugh out of these kinds of threads.
tj1010
Enthusiast
Posts: 716
Joined: Mon Feb 25, 2013 5:51 pm

Re: The Heartbleed Bug

Post by tj1010 »

Olby wrote:
tj1010 wrote: At least with Russia and its allies you know what you get, and there is at least some tradition and loyalty and it's not autonomous self interest among hundreds of millions of greedy people..
Haha that made my day! As someone born and raised in an ex-USSR country I can surely say, you, sir, are deeply wrong. Russia, especially in recent years has been cracking down on freedom of speech, self-expression on-line, pulling web sites down for etc. I won't even go down there. We are still living in a bi-polar world. US vs. Russia. Both are equally bad.

And as for the data protection. There is none. Just get over it. Like it or not but if you communicate over the internet your data is gone. Lost. Exposed. There is no point in arguing that every protection, no matter how good, eventually can be broken. So what's the fuss about?

I agree with you, but I still say at least with Russia you know what you get.. The US forges GDP, education, and industry stats, and brags about democracy when in reality presidential offices are picked by the electoral college, and state+county+city government are picked by congressmen and local business leaders, on top of all the deception and policing.. The US also has a cartel economy, where Russia is just plain criminal and uses blunt strategy..

US war spending is also over 2x Russia and all its allies combined.. But hey, what is math and statistics compared to convenient social trends mostly driven by propaganda..

Regarding cryptography and security: Prime numbers and elliptic curves have been mastered a while. The NSA is on to working on quantum computers and side channeling things like OTP through mass data harvesting.. It's pretty easy to protect yourself actually.. Sandbox everything and store credentials(since we HAVE to have easy usability) in typed-key OTP and use TOR except doing inter-intranet things.. Advanced buffer overflow attacks and ISP gateway interception even with skilled cryptographers and engineers become useless..
Joakim Christiansen
Addict
Posts: 2452
Joined: Wed Dec 22, 2004 4:12 pm
Location: Norway

Re: The Heartbleed Bug

Post by Joakim Christiansen »

tj1010 wrote:and use TOR except doing inter-intranet things..
However, you should think twice before running an exit relay, which is a place where Tor traffic comes out of the anonymous network and connects to the open Internet. If criminals use Tor for illegal things and the traffic comes out of your exit relay, that traffic will be traceable to your IP address and you may get a knock on your door and your computer equipment confiscated.
http://arstechnica.com/tech-policy/2012 ... s-servers/

I remember hearing that the TOR clients used to allow others (random requests distributed over the network) to reach the internet through your IP address whenever using their client. Meaning that what I linked about above could happen to anyone using TOR then. This has probably changed today, but I still think of that whenever I hear someone mentioning TOR. I must say that I dislike it.
I like logic, hence I dislike humans but love computers.
RichAlgeni
Addict
Posts: 935
Joined: Wed Sep 22, 2010 1:50 am
Location: Bradenton, FL

Re: The Heartbleed Bug

Post by RichAlgeni »

Danilo, come on! Third world country? Many people living under bridges? This is the age of Obama, when all is right, or at least all is politically correct in the world!

Kudos to Fred and Freak! AllocateMemory clears (initializes) the memory block allocated unless you specifically request that it doesn't. Use #PB_Memory_NoClear sparingly, and with caution.

The heartbleed bug used a custom version of malloc which did not clear the memory allocated. If a malicious TLS heartbeat packet was sent containing an oversized packet length word, anything in that allocated memory would be sent back to the attacker. If the memory contained keys, well, your site could be compromised.
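
The oversized length word mentioned in the post above, reduced to a small C model (an added example, not part of the original thread and not OpenSSL's code). `hb_respond`, `arena` and the sample records are constructed for illustration; the record layout and the discard rule follow RFC 6520.

```c
#include <stdio.h>
#include <string.h>

#define HB_HDR 3    /* 1-byte type + 2-byte payload length */
#define HB_PAD 16   /* minimum padding required by RFC 6520 */
#define REC_LEN 23  /* bytes actually received: header + "ping" + padding */

/* Constructed stand-in for process memory: the received record (23 bytes),
 * followed by unrelated data that happens to sit next to it. The length
 * field claims 0x0028 = 40 payload bytes; only 4 were sent. */
static const unsigned char arena[64] =
    "\x01\x00\x28" "ping" "................" "SECRET-KEY-MATERIAL(constructed)";

/* Same record with an honest length field (4). */
static const unsigned char honest[REC_LEN + 1] =
    "\x01\x00\x04" "ping" "................";

/* Builds the heartbeat response into out. Returns its length, or 0 when the
 * request is discarded. validate=0 reproduces the missing bounds check. */
static size_t hb_respond(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap, int validate)
{
    if (rec_len < HB_HDR)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: the claimed payload plus header and padding must fit in
     * what was actually received, otherwise drop the message silently. */
    if (validate && HB_HDR + claimed + HB_PAD > rec_len)
        return 0;
    if (HB_HDR + claimed > out_cap)
        return 0;
    out[0] = 2;                       /* heartbeat_response */
    out[1] = rec[1];
    out[2] = rec[2];
    /* Without validation this copy is bounded only by the sender's number
     * (the demo arena is large enough to keep the read defined). */
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);
    return HB_HDR + claimed;
}

int main(void)
{
    unsigned char out[64];
    size_t n = hb_respond(arena, REC_LEN, out, sizeof out, 0);
    printf("unchecked: %zu bytes, tail: %.20s\n", n, (const char *)out + 23);
    printf("checked, lying: %zu\n", hb_respond(arena, REC_LEN, out, sizeof out, 1));
    printf("checked, honest: %zu\n", hb_respond(honest, REC_LEN, out, sizeof out, 1));
    return 0;
}
```

With validation off, the 43-byte response carries 20 bytes that were never part of the request; with validation on, the same request is dropped and the honest one is echoed normally.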