I don't think it was bugtraq. It was Full Disclosure.
On Fri, Apr 11, 2014 at 7:00 PM, Zak Elep <zak...@gmail.com> wrote:
> Reminds me of that bugtraq shutdown and resurrection in the last few
> weeks. Check it on lwn.
>
> On Apr 11, 2014 6:18 PM, "Rogelio Serrano" <rogelio.serr...@gmail.com> wrote:
>>
>> On 11 Apr 2014 05:06, "fooler mail" <fooler.m...@gmail.com> wrote:
>> >
>> > there is no point between open and closed source when it comes to
>> > security because of the premise there is no bullet proof system..
>> >
>> > what I'm saying below is that others claiming open source is much more
>> > secure than closed source is a big lie.. my point is neither the open
>>
>> Can the open source community harass the reporter of the bug? Can the
>> open source community suppress the information?
>>
>> Have you ever been threatened with a lawsuit for finding a security hole?
>>
>> It's not nice at all. Usually they tell you you can't afford to say you
>> are right.
>>
>> It is for that reason alone that I trust open source more.
>>
>> Is it really about which is more secure? What matters is that discovery
>> and corrective action is transparent and possible.
>>
>> How can you fix a security hole when you don't have the code? Even a
>> website has proprietary code in it and cannot be ordinarily patched by
>> anyone willing to fix the HTML or whatever scripting language is used.
>>
>> > source nor closed source is more secure.. whatever security model you
>> > have... still human is the weakest link in the security chain...
>> >
>> > fooler.
>> >
>> > On Thu, Apr 10, 2014 at 10:27 PM, Kelsey Hartigan Go
>> > <kelsey.hartigan...@gmail.com> wrote:
>> > > Exactly my point. Regardless whether open source or proprietary.
>> > >
>> > > On Apr 11, 2014 10:06 AM, "fooler mail" <fooler.m...@gmail.com> wrote:
>> > >>
>> > >> sql injection is not a bug on *any* sql server but on the application
>> > >> side not properly handling the parameter(s) as well as forgetting to
>> > >> implement the principle of least privilege... adobe acrobat is another
>> > >> story... that's the reason why steve jobs was against adobe products
>> > >> getting into ios, because of the company's closeness to big
>> > >> brother... unfortunately a year after jobs died... masansas joins papa
>> > >> rey in a shouting match..
>> > >>
>> > >> just keep in mind that there is no such thing as a 100% bullet proof
>> > >> security system... whatever technique you implemented, either security
>> > >> by obscurity or open security...
>> > >>
>> > >> fooler.
>> > >>
>> > >> On Thu, Apr 10, 2014 at 8:26 PM, Kelsey Hartigan Go
>> > >> <kelsey.hartigan...@gmail.com> wrote:
>> > >> > It might be believed that big companies have security teams but there
>> > >> > are a number of security hole discoveries made by third parties instead
>> > >> > of coming from the companies. In some cases it also took a significantly
>> > >> > long time for some to patch these holes.
>> > >> > The SQL injection bug of SQL Server 2000 and the Adobe Acrobat PDF
>> > >> > vulnerability come to mind.
>> > >> > It is nice that a lot of these big companies release patches to their
>> > >> > products but the frequency of this happening is quite high, making me
>> > >> > feel that they don't do sufficient security QA before a product is
>> > >> > released.
>> > >> >
>> > >> > On Apr 11, 2014 7:54 AM, "fooler mail" <fooler.m...@gmail.com> wrote:
>> > >> >>
>> > >> >> big companies have their own security team who assess and protect
>> > >> >> their proprietary products... from the start of code development..
>> > >> >> they integrate a code scanner to see any vulnerabilities in the code
>> > >> >> and other security tools till it reaches a complete product...
>> > >> >>
>> > >> >> their reputation is based not only on the quality of the product but
>> > >> >> on the security side as well...
>> > >> >>
>> > >> >> fooler.
>> > >> >>
>> > >> >> On Thu, Apr 10, 2014 at 7:16 AM, Kelsey Hartigan Go
>> > >> >> <kelsey.hartigan...@gmail.com> wrote:
>> > >> >> > On the other hand since this is open source someone is bound to find
>> > >> >> > the hole. What about proprietary systems?
>> > >> >> >
>> > >> >> > On Apr 10, 2014 6:37 PM, "fooler mail" <fooler.m...@gmail.com> wrote:
>> > >> >> >>
>> > >> >> >> pluggers,
>> > >> >> >>
>> > >> >> >> another action needed from you... if you use the service of any of
>> > >> >> >> the sites listed in the link below, then you need to change your
>> > >> >> >> password...
>> > >> >> >>
>> > >> >> >> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-fb-main-link
>> > >> >> >>
>> > >> >> >> it's time to realize why opensource is not as secure as others
>> > >> >> >> claim it to be... but of course... there are still plenty of
>> > >> >> >> undiscovered security holes waiting to be discovered by security
>> > >> >> >> engineers... when this heartbeat outbreak happened last Monday... I
>> > >> >> >> spoke to my colleague yesterday as this is one of the projects of big
>> > >> >> >> brother, who paid an opensource developer working on a specific
>> > >> >> >> application to insert backdoor code... (I have to use other words so
>> > >> >> >> that big brother's scanner won't see it)... to my surprise.. he
>> > >> >> >> mentioned to me that he worked at noviembre sierra alfa previously
>> > >> >> >> and he can confirm that but he won't go into the details... I also
>> > >> >> >> said to him that I saw one backdoor in the Linux kernel and until now
>> > >> >> >> it is still in there... you can't see it by a normal cli command but
>> > >> >> >> it is there sitting innocently...
>> > >> >> >>
>> > >> >> >> I made a statement in ph-cyberview a year or so ago that we are not
>> > >> >> >> safe anymore... much worse if you are inside china....
>> > >> >> >>
>> > >> >> >> fooler.
>> > >> >> >>
>> > >> >> >> On Wed, Apr 9, 2014 at 3:36 PM, fooler mail <fooler.m...@gmail.com> wrote:
>> > >> >> >> > hi drexx,
>> > >> >> >> >
>> > >> >> >> > a google security guy is the one who found the bug and google fixed
>> > >> >> >> > their sites before sending the info to the community...
>> > >> >> >> >
>> > >> >> >> > below is the site to test the bug vulnerability..
>> > >> >> >> >
>> > >> >> >> > http://packetstormsecurity.com/files/author/11160/
>> > >> >> >> >
>> > >> >> >> > fooler.
>> > >> >> >> >
>> > >> >> >> > On Wed, Apr 9, 2014 at 9:06 AM, Drexx Laggui [personal] <dre...@gmail.com> wrote:
>> > >> >> >> >> 09Apr2014 (UTC +8)
>> > >> >> >> >>
>> > >> >> >> >> Here's a quick test on your localhost, & you don't even need to
>> > >> >> >> >> be root...
>> > >> >> >> >>
>> > >> >> >> >> drexx@MACHINE:~$ echo -e "quit\n" | openssl s_client -connect google.com:443 -tlsextdebug 2>&1 | grep 'TLS server extension "heartbeat" (id=15), len=1'
>> > >> >> >> >> TLS server extension "heartbeat" (id=15), len=1
>> > >> >> >> >>
>> > >> >> >> >> drexx@MACHINE:~$ date;
>> > >> >> >> >> Wed Apr 9 21:02:58 PHT 2014
>> > >> >> >> >>
>> > >> >> >> >> drexx@MACHINE:~$ uname -a
>> > >> >> >> >> Linux MACHINE 3.11.0-19-generic #33~precise1-Ubuntu SMP Wed Mar 12 21:16:27 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>> > >> >> >> >>
>> > >> >> >> >> Drexx Laggui -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
>> > >> >> >> >> http://www.laggui.com ( Manila & California )
>> > >> >> >> >> Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
>> > >> >> >> >> PGP fingerprint = 0117 15C5 F3B1 6564 59EA 6013 1308 9A66 41A2 3F9B
>> > >> >> >> >>
>> > >> >> >> >> On Wed, Apr 9, 2014 at 10:42 AM, Rudel Saldivar <rudelsaldi...@gmail.com> wrote:
>> > >> >> >> >>>
>> > >> >> >> >>> And I may add this link for the exact patch version, since
>> > >> >> >> >>> different package revisions exist for different versions of Ubuntu -
>> > >> >> >> >>> http://www.ubuntu.com/usn/usn-2165-1/
>> > >> >> >> >>>
>> > >> >> >> >>> Ubuntu 13.10:
>> > >> >> >> >>> libssl1.0.0 1.0.1e-3ubuntu1.2
>> > >> >> >> >>> Ubuntu 12.10:
>> > >> >> >> >>> libssl1.0.0 1.0.1c-3ubuntu2.7
>> > >> >> >> >>> Ubuntu 12.04 LTS:
>> > >> >> >> >>> libssl1.0.0 1.0.1-4ubuntu5.12
>> > >> >> >> >>>
>> > >> >> >> >>> As for CentOS 6, they haven't released a patched version, but the
>> > >> >> >> >>> latest available in the update repo has the heartbeat feature
>> > >> >> >> >>> disabled, an interim workaround, so upgrade when you can:
>> > >> >> >> >>> http://www.spinics.net/lists/centos-announce/msg04910.html
>> > >> >> >> >>>
>> > >> >> >> >>> -----
>> > >> >> >> >>> -[ OpenSource, Open Ideas ]-
>> > >> >> >> >>>
>> > >> >> >> >>> On Wed, Apr 9, 2014 at 8:42 AM, fooler mail <fooler.m...@gmail.com> wrote:
>> > >> >> >> >>>>
>> > >> >> >> >>>> pluggers,
>> > >> >> >> >>>>
>> > >> >> >> >>>> action needed from you if you are not aware of this serious
>> > >> >> >> >>>> security hole...
>> > >> >> >> >>>>
>> > >> >> >> >>>> http://www.openssl.org/news/secadv_20140407.txt
>> > >> >> >> >>>>
>> > >> >> >> >>>> update/patch your openssl package... create a new private key
>> > >> >> >> >>>> using the updated/patched openssl... create a new CSR based on
>> > >> >> >> >>>> that new private key and update your https site(s) with a new
>> > >> >> >> >>>> signed certificate (this includes self-signed certificates as well)
>> > >> >> >> >> _________________________________________________
>> > >> >> >> >> Philippine Linux Users' Group (PLUG) Mailing List
>> > >> >> >> >> http://lists.linux.org.ph/mailman/listinfo/plug
>> > >> >> >> >> Searchable Archives: http://archives.free.net.ph
>

--
Romar Micabalo (aka 'hardwyrd')
SysAdmin / Consultant / Linux & FOSS Evangelist
http://www.about.me/rmr.micabalo
-------------------------------------------------------------
"Penguin, penguin, and more penguin !"