Jeffrey Walton shares:

| https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013
|
| ...
| The second log seems much more troubling. We have spoken to Ars
| Technica's second source, Terrence Koeman, who reports finding some
| inbound packets, immediately following the setup and termination of a
| normal handshake, containing another Client Hello message followed by
| the TCP payload bytes 18 03 02 00 03 01 40 00 in ingress packet logs
| from November 2013. These bytes are a TLS Heartbeat with contradictory
| length fields, and are the same as those in the widely circulated
| proof-of-concept exploit.
| ...

First, one must assume that one is never the first discoverer. Second, the article continues with

| ...
| To reach a firmer conclusion about Heartbleed's history, it would
| be best for the networking community to try to replicate Koeman's
| findings.
| ...

and one should remember that the installed base of such firms as NetWitness (bought by, and brought into, EMC after the RSA APT attack) do exactly what is being asked for above, as do other such products that have not appeared in commercial offerings. (For timely reasons, one wonders how all the tax preparation sites plus irs.gov are waltzing with Heartbleed just now. April 15 is Tuesday...)

Combining points one and two inside any entity where competent data analysis at scale is routine, a novel attack using an extant flaw may well become available to such entities by *observation* rather than by synthesis and/or invention. Like organisms that borrow genes across species barriers, the best on the offense side would have no qualms about capturing what can be observed. There are neither patents nor false modesty in that space.

EFF, or someone here, would do well to devise a nomogram whereby one laid one's straight-edge on the page and read off "If this attack occurred against a target of this value, then detection implies first use was N months ago." For diseases with guessable intervals between infection and clinical signs, this is how you look for Patient Zero.

--dan

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
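The EFF article asks the networking community to look for the same eight-byte heartbeat pattern in their own ingress packet logs. The following is an added example, not code from the post, the EFF article or any of the products mentioned: it parses a TLS record header and the RFC 6520 heartbeat message inside it and flags any heartbeat whose declared payload length cannot fit in the record (which is exactly the contradiction in `18 03 02 00 03 01 40 00`). The two sample records are constructed here; the benign one is a hypothetical well-formed heartbeat for contrast.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18      # TLS ContentType heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16                   # RFC 6520: at least 16 bytes of padding

# Constructed sample 1: the payload quoted in the post. Record length says 3,
# heartbeat payload_length says 0x4000 = 16384.
SUSPECT_PROBE = bytes.fromhex("18 03 02 00 03 01 40 00")

# Constructed sample 2 (hypothetical): a well-formed heartbeat_request with a
# 4-byte payload "ping" and 16 bytes of padding; record length 0x17 = 23.
BENIGN_HEARTBEAT = bytes.fromhex("18 03 02 00 17 01 00 04") + b"ping" + b"\x00" * 16


def parse_tls_record(data):
    """Split a TLS record into (content_type, version, declared_len, fragment).

    Returns None when fewer than 5 header bytes are present.
    """
    if len(data) < 5:
        return None
    ctype, major, minor, rlen = struct.unpack("!BBBH", data[:5])
    fragment = data[5:5 + rlen]   # may be shorter than rlen if the capture is truncated
    return ctype, (major, minor), rlen, fragment


def check_heartbeat(data):
    """Classify one TLS record captured from the wire.

    Verdicts: not-heartbeat, truncated-record, malformed-heartbeat,
    suspicious-heartbeat (payload_length inconsistent with record length),
    benign-heartbeat.
    """
    rec = parse_tls_record(data)
    if rec is None:
        return "truncated-record"
    ctype, _version, rlen, fragment = rec
    if ctype != HEARTBEAT_CONTENT_TYPE:
        return "not-heartbeat"
    if len(fragment) < 3:
        # HeartbeatMessage needs 1 byte type + 2 bytes payload_length
        return "malformed-heartbeat"
    hb_type, payload_len = struct.unpack("!BH", fragment[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return "malformed-heartbeat"
    # RFC 6520: payload_length must leave room for the 3 header bytes and at
    # least 16 bytes of padding inside the record. Anything larger asks the
    # peer to echo bytes it never received.
    if payload_len > rlen - 3 - MIN_PADDING:
        return "suspicious-heartbeat"
    return "benign-heartbeat"


def scan_payloads(payloads):
    """Return the indices of records in `payloads` that carry a contradictory heartbeat."""
    return [i for i, p in enumerate(payloads) if check_heartbeat(p) == "suspicious-heartbeat"]


if __name__ == "__main__":
    for name, rec in (("quoted probe", SUSPECT_PROBE), ("benign", BENIGN_HEARTBEAT)):
        print(f"{name}: {check_heartbeat(rec)}")
```

The check is on the length relationship rather than on the literal eight bytes, so it also catches variants that use a different record version or a payload length other than 0x4000; the packets Koeman reported would be flagged as `suspicious-heartbeat`. In a real log review the records would come from reassembled TCP payloads on port 443, and the post's observation that the probe arrived immediately after a completed handshake is a second signal worth keeping alongside this one.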