http://mashable.com/2014/04/06/boy-breaks-microsoft-security/


Has this ever happened to an open source app?  Sorry, couldn't resist the jab.

Peace!


________________________________
 From: Rogelio Serrano <rogelio.serr...@gmail.com>
To: Philippine Linux Users' Group (PLUG) Technical Discussion List 
<plug@lists.linux.org.ph> 
Sent: Friday, 11 April 2014, 18:17
Subject: Re: [plug] OpenSSL TLS Heartbeat read overrun
 



On 11 Apr 2014 05:06, "fooler mail" <fooler.m...@gmail.com> wrote:
>
> There is no point in distinguishing between open and closed source when it
> comes to security, because of the premise that there is no bulletproof system.
>
> What I'm saying below is that the claim others make, that open source is much
> more secure than closed source, is a big lie. My point is that neither open
Can the open source community harass the reporter of the bug? Can the open
source community suppress the information?
Have you ever been threatened with a lawsuit for finding a security hole?
It's not nice at all. Usually they tell you that you can't afford to say you are
right.
It is for that reason alone that I trust open source more.
Is it really about which is more secure? What matters is that discovery and
corrective action are transparent and possible.
How can you fix a security hole when you don't have the code? Even a website
has proprietary code in it and cannot ordinarily be patched by anyone willing
to fix the HTML or whatever scripting language is used.
> source nor closed source is more secure. Whatever security model you
> have, the human is still the weakest link in the security chain.
>
> fooler.
>
> On Thu, Apr 10, 2014 at 10:27 PM, Kelsey Hartigan Go
> <kelsey.hartigan...@gmail.com> wrote:
> > Exactly my point.  Regardless whether open source or proprietary.
> >
> > On Apr 11, 2014 10:06 AM, "fooler mail" <fooler.m...@gmail.com> wrote:
> >>
> >> SQL injection is not a bug in *any* SQL server but on the application
> >> side, which does not properly handle the parameter(s) and forgets to
> >> implement the principle of least privilege. Adobe Acrobat is another
> >> story; that's the reason Steve Jobs was against Adobe products
> >> getting into iOS, because of the company's closeness to big
> >> brother. Unfortunately, a year after Jobs died, masansas joined papa
> >> rey in a shouting match.
> >>
> >> Just keep in mind that there is no such thing as a 100% bulletproof
> >> security system, whatever technique you implement, either security
> >> by obscurity or open security.
> >>
> >> fooler.
> >>
> >> On Thu, Apr 10, 2014 at 8:26 PM, Kelsey Hartigan Go
> >> <kelsey.hartigan...@gmail.com> wrote:
> >> > It might be believed that big companies have security teams, but a
> >> > number of security hole discoveries are made by third parties instead
> >> > of coming from the companies. In some cases it also took a
> >> > significantly long time for some to patch these holes.
> >> > The SQL injection bug of SQL Server 2000 and the Adobe Acrobat PDF
> >> > vulnerability come to mind.
> >> > It is nice that a lot of these big companies release patches to their
> >> > products, but the frequency of this happening is quite high, making me
> >> > feel that they don't do sufficient security QA before the product is
> >> > released.
> >> >
> >> > On Apr 11, 2014 7:54 AM, "fooler mail" <fooler.m...@gmail.com> wrote:
> >> >>
> >> >> Big companies have their own security teams who assess and protect
> >> >> their proprietary products. From the start of code development,
> >> >> they integrate code scanners to find any vulnerabilities in the code,
> >> >> along with other security tools, until it reaches a complete product.
> >> >>
> >> >> Their reputation is based not only on the quality of the product but
> >> >> on the security side as well.
> >> >>
> >> >> fooler.
> >> >>
> >> >> On Thu, Apr 10, 2014 at 7:16 AM, Kelsey Hartigan Go
> >> >> <kelsey.hartigan...@gmail.com> wrote:
> >> >> > On the other hand, since this is open source, someone is bound to
> >> >> > find the hole. What about proprietary systems?
> >> >> >
> >> >> > On Apr 10, 2014 6:37 PM, "fooler mail" <fooler.m...@gmail.com> wrote:
> >> >> >>
> >> >> >> pluggers,
> >> >> >>
> >> >> >> Another action needed from you: if you use the service of any of
> >> >> >> the sites listed in the link below, then you need to change your
> >> >> >> password.
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-fb-main-link
> >> >> >>
> >> >> >> It's time to realize why open source is not as secure as others
> >> >> >> claim it to be. But of course, there are still plenty of
> >> >> >> undiscovered security holes waiting to be discovered by security
> >> >> >> engineers. When this heartbeat outbreak happened last Monday, I
> >> >> >> spoke to my colleague yesterday, as this is one of the projects of
> >> >> >> big brother, who paid an open source developer working on a
> >> >> >> specific application to insert backdoor code (I have to use other
> >> >> >> words so that big brother's scanner won't see it). To my surprise,
> >> >> >> he mentioned to me that he worked at noviembre sierra alfa
> >> >> >> previously and he can confirm that, but he won't go into the
> >> >> >> details. I also said to him that I saw one backdoor in the Linux
> >> >> >> kernel; until now it is still in there. You can't see it with a
> >> >> >> normal CLI command, but it is there, sitting innocently.
> >> >> >>
> >> >> >> I made a statement in ph-cyberview a year or so ago that we are not
> >> >> >> safe anymore, much worse if you are inside China.
> >> >> >>
> >> >> >>
> >> >> >> fooler.
> >> >> >>
> >> >> >> On Wed, Apr 9, 2014 at 3:36 PM, fooler mail <fooler.m...@gmail.com>
> >> >> >> wrote:
> >> >> >> > Hi Drexx,
> >> >> >> >
> >> >> >> > A Google security guy is the one who found the bug, and Google
> >> >> >> > fixed their sites before sending the info to the community.
> >> >> >> >
> >> >> >> > Below is the site to test for the bug:
> >> >> >> >
> >> >> >> > http://packetstormsecurity.com/files/author/11160/
> >> >> >> >
> >> >> >> > fooler.
> >> >> >> >
> >> >> >> > On Wed, Apr 9, 2014 at 9:06 AM, Drexx Laggui [personal]
> >> >> >> > <dre...@gmail.com> wrote:
> >> >> >> >> 09Apr2014 (UTC +8)
> >> >> >> >>
> >> >> >> >> Here's a quick test on your localhost, & you don't even need to
> >> >> >> >> be root...
> >> >> >> >>
> >> >> >> >> drexx@MACHINE:~$ echo -e "quit\n" | openssl s_client -connect google.com:443 -tlsextdebug 2>&1 | grep 'TLS server extension "heartbeat" (id=15), len=1'
> >> >> >> >>
> >> >> >> >> TLS server extension "heartbeat" (id=15), len=1
> >> >> >> >>
> >> >> >> >> drexx@MACHINE:~$ date;
> >> >> >> >> Wed Apr  9 21:02:58 PHT 2014
> >> >> >> >>
> >> >> >> >> drexx@MACHINE:~$ uname -a
> >> >> >> >> Linux MACHINE 3.11.0-19-generic #33~precise1-Ubuntu SMP Wed Mar 12 21:16:27 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> >> >> >> >>
> >> >> >> >>
> >> >> >> >> Drexx Laggui  -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
> >> >> >> >> http://www.laggui.com  ( Manila & California )
> >> >> >> >> Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
> >> >> >> >> PGP fingerprint = 0117 15C5 F3B1 6564 59EA  6013 1308 9A66 41A2 3F9B
> >> >> >> >>
> >> >> >> >>
> >> >> >> >> On Wed, Apr 9, 2014 at 10:42 AM, Rudel Saldivar
> >> >> >> >> <rudelsaldi...@gmail.com> wrote:
> >> >> >> >>>
> >> >> >> >>> And I may add this link for the exact patch version, since
> >> >> >> >>> different package revisions exist for different versions of
> >> >> >> >>> Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
> >> >> >> >>>
> >> >> >> >>> Ubuntu 13.10:
> >> >> >> >>>     libssl1.0.0 1.0.1e-3ubuntu1.2
> >> >> >> >>> Ubuntu 12.10:
> >> >> >> >>>     libssl1.0.0 1.0.1c-3ubuntu2.7
> >> >> >> >>> Ubuntu 12.04 LTS:
> >> >> >> >>>     libssl1.0.0 1.0.1-4ubuntu5.12
> >> >> >> >>>
> >> >> >> >>> As for CentOS 6, they haven't released a patched version, but the
> >> >> >> >>> latest available in the update repo has the heartbeat feature
> >> >> >> >>> disabled as an interim workaround, so upgrade when you can:
> >> >> >> >>> http://www.spinics.net/lists/centos-announce/msg04910.html
> >> >> >> >>>
> >> >> >> >>>
> >> >> >> >>> -----
> >> >> >> >>>
> >> >> >> >>> -[ OpenSource, Open Ideas ]-
> >> >> >> >>>
> >> >> >> >>>
> >> >> >> >>> On Wed, Apr 9, 2014 at 8:42 AM, fooler mail
> >> >> >> >>> <fooler.m...@gmail.com>
> >> >> >> >>> wrote:
> >> >> >> >>>>
> >> >> >> >>>> Pluggers,
> >> >> >> >>>>
> >> >> >> >>>> Action needed from you if you are not aware of this serious
> >> >> >> >>>> security hole:
> >> >> >> >>>>
> >> >> >> >>>> http://www.openssl.org/news/secadv_20140407.txt
> >> >> >> >>>>
> >> >> >> >>>> Update/patch your OpenSSL package, create a new private key using
> >> >> >> >>>> the updated/patched OpenSSL, create a new CSR based on that new
> >> >> >> >>>> private key, and update your HTTPS site(s) with a new signed
> >> >> >> >>>> certificate (this includes self-signed certificates as well).


_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph
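Added example, not code from anyone in this thread and not OpenSSL's own source: a small C simulation of the read overrun named in the subject line, with the pre-fix and post-fix length handling side by side. The s_client grep shown above only tells you that a server advertises the heartbeat extension; whether the server honours a bogus payload length is a separate question, and the length check below is what decides it. The heap layout, the request and the "secret" string are all constructed for illustration, and the sizeof bound inside the vulnerable handler exists only to keep the simulation within one C object; it has no counterpart in the original code, which read straight into whatever followed the record on the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding (>= 16 bytes) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_MIN_PADDING = 16 };

/* Constructed slice of the peer's heap: the received record sits at the front
 * and unrelated data (a stand-in for key material) happens to follow it. */
typedef struct {
    unsigned char mem[256];
    size_t record_len;            /* bytes actually received from the wire */
} peer_mem_t;

#define FAKE_SECRET "-----BEGIN RSA PRIVATE KEY----- (constructed)"

/* Build a heartbeat request whose declared payload length need not match the
 * payload actually sent. Returns the record length, or 0 if out is too small. */
static size_t build_request(unsigned char *out, size_t cap,
                            uint16_t declared_len, const char *payload)
{
    size_t actual = strlen(payload);
    size_t len = 1 + 2 + actual + HB_MIN_PADDING;
    if (len > cap) return 0;
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(declared_len >> 8);
    out[2] = (unsigned char)(declared_len & 0xff);
    memcpy(out + 3, payload, actual);
    memset(out + 3 + actual, 0, HB_MIN_PADDING);
    return len;
}

/* Place the request in the simulated heap and park the secret right after it. */
static void stage_peer(peer_mem_t *m, uint16_t declared_len, const char *payload)
{
    memset(m->mem, 0, sizeof m->mem);
    m->record_len = build_request(m->mem, sizeof m->mem, declared_len, payload);
    memcpy(m->mem + m->record_len, FAKE_SECRET, strlen(FAKE_SECRET));
}

/* Vulnerable handler: trusts payload_length from the wire, as OpenSSL 1.0.1
 * through 1.0.1f did. Returns the number of payload bytes echoed, or -1 if the
 * message is dropped. */
static int heartbeat_vulnerable(const peer_mem_t *m, unsigned char *resp, size_t cap)
{
    const unsigned char *p = m->mem;
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)3 + payload + HB_MIN_PADDING > cap) return -1;
    if ((size_t)3 + payload > sizeof m->mem) return -1;   /* simulation bound only */
    resp[0] = HB_RESPONSE;
    resp[1] = p[1];
    resp[2] = p[2];
    memcpy(resp + 3, p + 3, payload);   /* the over-read: copies past record_len */
    memset(resp + 3 + payload, 0, HB_MIN_PADDING);
    return payload;
}

/* Fixed handler: the declared length, plus header and minimum padding, must fit
 * inside the record actually received; otherwise the message is silently
 * discarded, as RFC 6520 section 4 requires. This mirrors the 1.0.1g check. */
static int heartbeat_fixed(const peer_mem_t *m, unsigned char *resp, size_t cap)
{
    const unsigned char *p = m->mem;
    if (m->record_len < (size_t)1 + 2 + HB_MIN_PADDING) return -1;
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)1 + 2 + payload + HB_MIN_PADDING > m->record_len) return -1;  /* the missing check */
    if ((size_t)3 + payload + HB_MIN_PADDING > cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = p[1];
    resp[2] = p[2];
    memcpy(resp + 3, p + 3, payload);
    memset(resp + 3 + payload, 0, HB_MIN_PADDING);
    return payload;
}

/* 1 if the secret appears anywhere in the first n bytes of buf. */
static int leaks_secret(const unsigned char *buf, size_t n)
{
    size_t k = strlen(FAKE_SECRET);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, FAKE_SECRET, k) == 0) return 1;
    return 0;
}

/* Run one handler against a request claiming declared_len bytes of payload.
 * Returns 1 if the secret leaked, 0 if not, -1 if the handler dropped the message. */
static int run_scenario(int (*handler)(const peer_mem_t *, unsigned char *, size_t),
                        uint16_t declared_len, const char *payload)
{
    peer_mem_t m;
    unsigned char resp[512];
    stage_peer(&m, declared_len, payload);
    int n = handler(&m, resp, sizeof resp);
    if (n < 0) return -1;
    return leaks_secret(resp + 3, (size_t)n);
}

int main(void)
{
    printf("vulnerable, honest length 5 : %d\n", run_scenario(heartbeat_vulnerable, 5, "hello"));
    printf("vulnerable, claims 200      : %d\n", run_scenario(heartbeat_vulnerable, 200, "hello"));
    printf("fixed,      claims 200      : %d\n", run_scenario(heartbeat_fixed, 200, "hello"));
    printf("fixed,      honest length 5 : %d\n", run_scenario(heartbeat_fixed, 5, "hello"));
    return 0;
}
```

Compiled with `cc -Wall hb.c && ./a.out`, the four scenarios print 0, 1, -1 and 0: the honest request is harmless either way, the over-long request pulls the constructed secret out of the vulnerable handler, and the fixed handler drops it without answering. The fixed check is deliberately strict about the 16 bytes of padding as well, so a request that declares even one byte more than was received is rejected.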