On 12 Apr 2014 18:52, "fooler mail" <[email protected]> wrote:
>
> On Sat, Apr 12, 2014 at 12:57 PM, Rogelio Serrano <[email protected]> wrote:
> >
> > The problem will be fixed. Think about it. OpenSSL is now more secure than ever.
>
> yeah, as Oracle said.. we have Oracle Linux which is unbreakable and unhackable...
>
> fooler.
>

And you think I'm an Oracle fan... Haha. Nevertheless I use some of their patches... It's good stuff really.

> >
> >> On Fri, Apr 11, 2014 at 6:06 PM, Rogelio Serrano <[email protected]> wrote:
> >>>
> >>> On 11 Apr 2014 00:54, "fooler mail" <[email protected]> wrote:
> >>> >
> >>> > big companies have their own security team who assess and protect
> >>>
> >>> Doesn't always work, does it?
> >>>
> >>> And when some outsider does find a security hole they threaten to sue the outsider.
> >>>
> >>> Most security certifications like ISO xxxxx are almost a scam. I bet most people in this list don't trust them at all. All it's useful for is marketing.
> >>>
> >>> And we all know how marketing trumps engineering every time.
> >>>
> >>> > their proprietary products... from the start of code development.. they integrated a code scanner to see any vulnerabilities in the code and other security tools till it reaches a complete product...
> >>> >
> >>> > their reputation is based not only on the quality of the product but on the security side as well...
> >>> >
> >>>
> >>> Even DO-178, the FAA standard, is so tedious and paperwork-heavy that most companies waive the damn process.
> >>>
> >>> > fooler.
> >>> >
> >>> > On Thu, Apr 10, 2014 at 7:16 AM, Kelsey Hartigan Go <[email protected]> wrote:
> >>> > > On the other hand, since this is open source someone is bound to find the hole. What about proprietary systems?
> >>> > >
> >>> > > On Apr 10, 2014 6:37 PM, "fooler mail" <[email protected]> wrote:
> >>> > >>
> >>> > >> pluggers,
> >>> > >>
> >>> > >> another action needed from you... if you use the service of any of the sites listed in the link below, then you need to change your password...
> >>> > >>
> >>> > >> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-fb-main-link
> >>> > >>
> >>> > >> it's time to realize why open source is not secured as others claim it to be... but of course... there are still plenty of undiscovered security holes waiting to be discovered by security engineers... when this heartbeat outbreak happened last Monday... I spoke to my colleague yesterday, as this is one of the projects of big brother, who paid an open source developer working with a specific application to insert backdoor code... (I have to use other words so that big brother's scanner won't see)... to my surprise.. he mentioned to me that he worked at noviembre sierra alfa previously and he can confirm that, but he won't go into the details... I also said to him that I saw one backdoor in the Linux kernel; until now it is still in there... you can't see it by a normal CLI command but it is there sitting innocently...
> >>> > >>
> >>> > >> I made a statement in ph-cyberview a year or so ago that we are not safe anymore... much worse if you are inside China....
> >>> > >>
> >>> > >> fooler.
> >>> > >>
> >>> > >> On Wed, Apr 9, 2014 at 3:36 PM, fooler mail <[email protected]> wrote:
> >>> > >> > hi drexx,
> >>> > >> >
> >>> > >> > a Google security guy is the one who found the bug, and Google fixed their sites before sending the info to the community...
> >>> > >> >
> >>> > >> > below is the site to test the bug vulnerability..
> >>> > >> >
> >>> > >> > http://packetstormsecurity.com/files/author/11160/
> >>> > >> >
> >>> > >> > fooler.
> >>> > >> >
> >>> > >> > On Wed, Apr 9, 2014 at 9:06 AM, Drexx Laggui [personal] <[email protected]> wrote:
> >>> > >> >> 09Apr2014 (UTC +8)
> >>> > >> >>
> >>> > >> >> Here's a quick test on your localhost, & you don't even need to be root...
> >>> > >> >>
> >>> > >> >> drexx@MACHINE:~$ echo -e "quit\n" | openssl s_client -connect google.com:443 -tlsextdebug 2>&1 | grep 'TLS server extension "heartbeat" (id=15), len=1'
> >>> > >> >>
> >>> > >> >> TLS server extension "heartbeat" (id=15), len=1
> >>> > >> >>
> >>> > >> >> drexx@MACHINE:~$ date;
> >>> > >> >> Wed Apr 9 21:02:58 PHT 2014
> >>> > >> >>
> >>> > >> >> drexx@MACHINE:~$ uname -a
> >>> > >> >> Linux MACHINE 3.11.0-19-generic #33~precise1-Ubuntu SMP Wed Mar 12 21:16:27 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> >>> > >> >>
> >>> > >> >> Drexx Laggui -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
> >>> > >> >> http://www.laggui.com ( Manila & California )
> >>> > >> >> Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
> >>> > >> >> PGP fingerprint = 0117 15C5 F3B1 6564 59EA 6013 1308 9A66 41A2 3F9B
> >>> > >> >>
> >>> > >> >> On Wed, Apr 9, 2014 at 10:42 AM, Rudel Saldivar <[email protected]> wrote:
> >>> > >> >>>
> >>> > >> >>> And I may add this link for the exact patch version, since different package revisions exist for different versions of Ubuntu - http://www.ubuntu.com/usn/usn-2165-1/
> >>> > >> >>>
> >>> > >> >>> Ubuntu 13.10:
> >>> > >> >>> libssl1.0.0 1.0.1e-3ubuntu1.2
> >>> > >> >>> Ubuntu 12.10:
> >>> > >> >>> libssl1.0.0 1.0.1c-3ubuntu2.7
> >>> > >> >>> Ubuntu 12.04 LTS:
> >>> > >> >>> libssl1.0.0 1.0.1-4ubuntu5.12
> >>> > >> >>>
> >>> > >> >>> As for CentOS 6, they haven't released a patch version, but the latest available in the update repo has the heartbeat feature disabled as an interim workaround, so upgrade when you can:
> >>> > >> >>> http://www.spinics.net/lists/centos-announce/msg04910.html
> >>> > >> >>>
> >>> > >> >>> -----
> >>> > >> >>>
> >>> > >> >>> -[ OpenSource, Open Ideas ]-
> >>> > >> >>>
> >>> > >> >>> On Wed, Apr 9, 2014 at 8:42 AM, fooler mail <[email protected]> wrote:
> >>> > >> >>>>
> >>> > >> >>>> pluggers,
> >>> > >> >>>>
> >>> > >> >>>> action needed from you if you are not aware of this serious security hole...
> >>> > >> >>>>
> >>> > >> >>>> http://www.openssl.org/news/secadv_20140407.txt
> >>> > >> >>>>
> >>> > >> >>>> update/patch your openssl package... create a new private key using the updated/patched openssl... create a new CSR based on that new private key and update your https site(s) with a new signed certificate (this includes self-signed certificates as well)
> >>
> >> --
> >> Paolo Alexis Falcone
> >> [email protected]
> >> Mobile: +639253005321
> >> Mobile: +639178054702
>

_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph
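As an added example (not from the thread or any of its participants), the script below puts the thread's two defensive checks into code: it looks for the heartbeat extension line Drexx grepped out of `openssl s_client -tlsextdebug`, and it compares an installed libssl1.0.0 version against the USN-2165-1 fixed versions Rudel listed. The s_client sample output is constructed, and the version ordering is a simplified assumption rather than full dpkg semantics; note that a server advertising the extension is not proof it is vulnerable, since patched OpenSSL still advertises heartbeat unless it was built with the feature disabled, as the CentOS interim packages were.

```python
import re
import subprocess

# Fixed libssl1.0.0 versions from USN-2165-1, as quoted in the thread.
FIXED_LIBSSL = {
    "13.10": "1.0.1e-3ubuntu1.2",
    "12.10": "1.0.1c-3ubuntu2.7",
    "12.04": "1.0.1-4ubuntu5.12",
}

# The line Drexx's grep matches in `openssl s_client -tlsextdebug` output.
HEARTBEAT_RE = re.compile(r'TLS server extension "heartbeat" \(id=15\), len=(\d+)')

# Constructed sample of -tlsextdebug output (not a real capture).
SAMPLE_TLSEXTDEBUG = """CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
depth=0 CN = example.invalid
"""


def _version_key(version):
    """Simplified ordering (assumption: not full dpkg semantics). Split the
    string into numeric and alphabetic runs so 5.12 > 5.9 and 1.0.1e > 1.0.1;
    adequate for comparing package revisions within one Ubuntu release."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return [(0, int(p)) if p.isdigit() else (1, p) for p in parts]


def libssl_is_patched(release, installed):
    """True when the installed libssl1.0.0 is at or above the USN fix."""
    return _version_key(installed) >= _version_key(FIXED_LIBSSL[release])


def heartbeat_advertised(s_client_output):
    """True when the ServerHello carried the heartbeat extension (id=15).
    This only shows the extension is enabled; fixed OpenSSL still advertises
    it, so a hit means 'check the package version', not 'vulnerable'."""
    return HEARTBEAT_RE.search(s_client_output) is not None


def probe_host(host, port=443):
    """Run the thread's s_client one-liner against a host you operate
    (network required; the tests only use the constructed sample)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-tlsextdebug"],
        input="quit\n", capture_output=True, text=True, timeout=15)
    return heartbeat_advertised(proc.stdout + proc.stderr)
```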

