On 12 Apr 2014 16:23, "Paolo Falcone" <[email protected]> wrote:
>
> In practice there's truth to what fooler has said.
>
> Crypto and security, particularly in the context of Heartbleed, are not
> the sexy stuff that many people in the open source community will pour
> resources into just to do code reviews (and would instead devote more time
> and energy to the cooler aspects of things). And unfortunately, most open
> source code will not get any more peer code review than
> closed-source systems (unless, of course, there are people who will foot
> the bill).
>

Big companies spend a lot of money to collaborate in open source nowadays.

Lessons were learned and the boring stuff is not so boring anymore. The
community now realizes that even unimportant software will become
security critical in the future.

OpenSSL is security critical and more eyes are needed to make sure it's
secure.

The whole episode only made people aware of where the problem is. OpenSSL
lives on and will get even more scrutiny than ever before.

The problem will be fixed. Think about it. OpenSSL is now more secure than
ever.


>
> On Fri, Apr 11, 2014 at 6:06 PM, Rogelio Serrano <
[email protected]> wrote:
>>
>>
>> On 11 Apr 2014 00:54, "fooler mail" <[email protected]> wrote:
>> >
>> > big companies have their own security team who assess and protect
>>
>> Doesn't always work, does it?
>>
>> And when some outsider does find a security hole they threaten to sue
>> the outsider.
>>
>> Most security certifications like ISO xxxxx are almost a scam. I bet
>> most people in this list don't trust them at all. All it's useful for is
>> marketing.
>>
>> And we all know how marketing trumps engineering every time.
>>
>> > their proprietary products... from the start of code development...
>> > they integrate code scanners to see any vulnerabilities in the code,
>> > and other security tools, until it reaches a complete product...
>> >
>> > their reputation is based not only on the quality of the product but
>> > on the security side as well...
>> >
>>
>> Even DO-178, the FAA standard, is so tedious and paperwork heavy that most
>> companies waive the damn process.
>>
>> > fooler.
>> >
>> > On Thu, Apr 10, 2014 at 7:16 AM, Kelsey Hartigan Go
>> > <[email protected]> wrote:
>> > > On the other hand since this is open source someone is bound to find
the
>> > > hole. What about proprietary systems?
>> > >
>> > > On Apr 10, 2014 6:37 PM, "fooler mail" <[email protected]> wrote:
>> > >>
>> > >> pluggers,
>> > >>
>> > >> another action needed from you... if those sites  listed in the link
>> > >> below that you use their service, then you need to change your
>> > >> password...
>> > >>
>> > >>
>> > >>
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-fb-main-link
>> > >>
>> > >> it's time to realize why open source is not as secure as others
>> > >> claim it to be... but of course... there are still plenty of
>> > >> undiscovered security holes waiting to be discovered by security
>> > >> engineers... when this heartbeat outbreak happened last Monday... I
>> > >> spoke to my colleague yesterday, as this is one of the projects of
>> > >> big brother, who paid an open source developer working on a specific
>> > >> application to insert backdoor code... (I have to use other words so
>> > >> that big brother's scanner won't see it)... to my surprise... he
>> > >> mentioned to me that he worked at noviembre sierra alfa previously
>> > >> and he can confirm that, but he won't go into the details... I also
>> > >> said to him that I saw one backdoor in the Linux kernel; until now
>> > >> it is still in there... you can't see it with a normal CLI command,
>> > >> but it is there, sitting innocently...
>> > >>
>> > >> I made a statement in ph-cyberview a year or so ago that we are not
>> > >> safe anymore...  much worse if you are inside China....
>> > >>
>> > >>
>> > >> fooler.
>> > >>
>> > >> On Wed, Apr 9, 2014 at 3:36 PM, fooler mail <[email protected]>
wrote:
>> > >> >  hi drexx,
>> > >> >
>> > >> > a Google security guy is the one who found the bug, and Google fixed
>> > >> > their sites before sending the info to the community...
>> > >> >
>> > >> > below is the site to test for the bug/vulnerability...
>> > >> >
>> > >> > http://packetstormsecurity.com/files/author/11160/
>> > >> >
>> > >> > fooler.
>> > >> >
>> > >> > On Wed, Apr 9, 2014 at 9:06 AM, Drexx Laggui [personal]
>> > >> > <[email protected]> wrote:
>> > >> >> 09Apr2014 (UTC +8)
>> > >> >>
>> > >> >> Here's a quick test on your localhost, & you don't even need to
>> > >> >> be root...
>> > >> >>
>> > >> >>
>> > >> >> drexx@MACHINE:~$ echo -e "quit\n" | openssl s_client -connect
>> > >> >> google.com:443 -tlsextdebug 2>&1 |  grep 'TLS server extension
>> > >> >> "heartbeat" (id=15), len=1'
>> > >> >>
>> > >> >> TLS server extension "heartbeat" (id=15), len=1
>> > >> >>
>> > >> >> drexx@MACHINE:~$ date;
>> > >> >> Wed Apr  9 21:02:58 PHT 2014
>> > >> >>
>> > >> >> drexx@MACHINE:~$ uname -a
>> > >> >> Linux MACHINE 3.11.0-19-generic #33~precise1-Ubuntu SMP Wed Mar 12 21:16:27 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>> > >> >>
>> > >> >>
>> > >> >> Drexx Laggui  -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
>> > >> >> http://www.laggui.com  ( Manila & California )
>> > >> >> Computer forensics; Penetration testing; QMS & ISMS developers;
>> > >> >> K-Transfer
>> > >> >> PGP fingerprint = 0117 15C5 F3B1 6564 59EA  6013 1308 9A66 41A2 3F9B
>> > >> >>
>> > >> >>
>> > >> >> On Wed, Apr 9, 2014 at 10:42 AM, Rudel Saldivar
>> > >> >> <[email protected]> wrote:
>> > >> >>>
>> > >> >>> And I may add this link for the exact patch version, since
>> > >> >>> different package revisions exist for different versions of
>> > >> >>> Ubuntu -
>> > >> >>> http://www.ubuntu.com/usn/usn-2165-1/
>> > >> >>>
>> > >> >>> Ubuntu 13.10:
>> > >> >>>     libssl1.0.0 1.0.1e-3ubuntu1.2
>> > >> >>> Ubuntu 12.10:
>> > >> >>>     libssl1.0.0 1.0.1c-3ubuntu2.7
>> > >> >>> Ubuntu 12.04 LTS:
>> > >> >>>     libssl1.0.0 1.0.1-4ubuntu5.12
>> > >> >>>
>> > >> >>> As for CentOS 6, they haven't released a patched version, but the
>> > >> >>> latest available in the update repo has the heartbeat feature
>> > >> >>> disabled, an interim workaround, so upgrade when you can:
>> > >> >>> http://www.spinics.net/lists/centos-announce/msg04910.html
>> > >> >>>
>> > >> >>>
>> > >> >>> -----
>> > >> >>>
>> > >> >>> -[ OpenSource, Open Ideas ]-
>> > >> >>>
>> > >> >>>
>> > >> >>> On Wed, Apr 9, 2014 at 8:42 AM, fooler mail <
[email protected]>
>> > >> >>> wrote:
>> > >> >>>>
>> > >> >>>> pluggers,
>> > >> >>>>
>> > >> >>>> action needed from you if you are not aware of this serious
>> > >> >>>> security hole...
>> > >> >>>>
>> > >> >>>> http://www.openssl.org/news/secadv_20140407.txt
>> > >> >>>>
>> > >> >>>> update/patch your openssl package... create a new private key
>> > >> >>>> using the updated/patched openssl... create a new CSR based on
>> > >> >>>> that new private key, and update your https site(s) with a new
>> > >> >>>> signed certificate (this includes self-signed certificates as
>> > >> >>>> well)
>> > >> >> _________________________________________________
>> > >> >> Philippine Linux Users' Group (PLUG) Mailing List
>> > >> >> http://lists.linux.org.ph/mailman/listinfo/plug
>> > >> >> Searchable Archives: http://archives.free.net.ph
>> > >
>> > >
>>
>>
>
>
>
>
> --
> Paolo Alexis Falcone
> [email protected]
> Mobile: +639253005321
> Mobile: +639178054702
>
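The three practical pieces of this thread (Drexx's openssl s_client -tlsextdebug probe, Rudel's USN-2165-1 version table, and fooler's patch-then-rekey steps) folded into one POSIX shell helper. This is an added example, not a script anyone on the list posted: the fixed package versions are copied from the USN quoted above; the "check" verb's use of lsb_release and dpkg-query is an assumption about an Ubuntu host; and sort -V is an assumed fallback comparator for hosts without dpkg.

```shell
#!/bin/sh
# heartbleed-response.sh: added example for the PLUG thread above, not code
# posted by anyone in it. Assumes an Ubuntu host for "check" (lsb_release,
# dpkg-query) and a patched openssl on PATH for "probe" and "rekey".

# Fixed libssl1.0.0 versions from USN-2165-1, as quoted by Rudel above.
fixed_version_for() {
    case "$1" in
        13.10) echo "1.0.1e-3ubuntu1.2" ;;
        12.10) echo "1.0.1c-3ubuntu2.7" ;;
        12.04) echo "1.0.1-4ubuntu5.12" ;;
        *)     return 1 ;;                 # release not covered by that USN
    esac
}

# version_ge A B: succeed when Debian-style version A is >= B. dpkg is the
# authority; sort -V is an assumed fallback that ignores epochs and tildes.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# libssl_status RELEASE INSTALLED: prints patched | vulnerable | unknown.
# Compare package versions, not "openssl version": Ubuntu backports the fix
# without changing the upstream version string.
libssl_status() {
    fixed=$(fixed_version_for "$1") || { echo unknown; return 2; }
    if version_ge "$2" "$fixed"; then
        echo patched
    else
        echo vulnerable; return 1
    fi
}

# heartbeat_advertised HOST [PORT]: Drexx's s_client probe. Succeeds when the
# server advertises the heartbeat extension (id=15). That only shows the
# extension is on: a patched 1.0.1g still advertises it, while a build with
# OPENSSL_NO_HEARTBEATS (the CentOS interim package) does not.
heartbeat_advertised() {
    printf 'quit\n' | openssl s_client -connect "$1:${2:-443}" -tlsextdebug 2>&1 \
        | grep -q 'TLS server extension "heartbeat" (id=15)'
}

# rekey_site CN OUTDIR: fooler's steps after patching. New private key, a CSR
# to send to the CA, and a short-lived self-signed cert to bridge the gap.
# Run only after patching: a key loaded into a still-vulnerable server can be
# leaked the same way the old one was.
rekey_site() {
    cn=$1; out=${2:-.}
    mkdir -p "$out"
    umask 077                      # keep the new key private from the start
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$out/$cn.key" -out "$out/$cn.csr"
    openssl x509 -req -days 30 -sha256 -in "$out/$cn.csr" \
        -signkey "$out/$cn.key" -out "$out/$cn.selfsigned.crt"
}

case "${1:-}" in
    check)
        rel=${2:-$(lsb_release -rs 2>/dev/null)}
        ver=${3:-$(dpkg-query -W -f='${Version}' libssl1.0.0 2>/dev/null)}
        libssl_status "$rel" "$ver" ;;
    probe) heartbeat_advertised "$2" "$3" && echo "heartbeat advertised by $2" ;;
    rekey) rekey_site "$2" "$3" ;;
    *)     : ;;   # no verb: just define the functions (sourceable)
esac
```

Usage: "sh heartbleed-response.sh check" on the Ubuntu host, "sh heartbleed-response.sh probe example.com" against a server, and "sh heartbleed-response.sh rekey example.com /etc/ssl/private" once libssl is updated and every service linked against it has been restarted. Two caveats the thread glosses over: a server advertising the heartbeat extension is not thereby vulnerable (patched 1.0.1g still advertises it; only a build with OPENSSL_NO_HEARTBEATS, like the CentOS interim package, stops), and "openssl version" proves nothing on a distro that backports fixes, which is why the script compares package versions instead. The CSR still has to go to the CA and the old certificate should be revoked; rotating the key does nothing about sessions or passwords already captured, hence the password-change advice earlier in the thread.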
